RaviKiran

Reputation: 111

Effective Content Security Policy definition for YouTube.com

I defined content security policies for one of the applications, which uses JavaScript files from https://www.youtube.com/iframe_api, as follows:

<meta http-equiv="Content-Security-Policy"
content="script-src 'self' https://www.youtube.com;
child-src https://www.youtube.com;">

Now in Chrome dev tools, I get the error below:

Refused to load the script 'https://s.ytimg.com/yts/jsbin/www-widgetapi-vflaaT2_k/www-widgetapi.js' because it violates the following Content Security Policy directive: "script-src 'self' https://www.youtube.com".

Should I add https://s.ytimg.com to the content security policy settings?

If yes, does it constitute a security risk as one cannot guarantee whether it may change over time?

How can I effectively define content security policies for YouTube?

Upvotes: 9

Views: 6779

Answers (1)

Barry Pollard

Reputation: 45870

Yes, that's exactly what you need to do. ytimg is YouTube's CDN for static files.

Upvotes: 6
