Silveri

Reputation: 5261

Is it unsafe to add localhost to Content Security Policy?

I have the following meta tag set in my index.html which simplifies local development but will also be deployed in the production code:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' localhost:* ws://localhost:*;">

Are there any known ways that adding localhost like this could allow any type of cross-site scripting exploits?

According to Google's CSP evaluator it seems okay (well, the localhost portion at least).

Upvotes: 30

Views: 33618

Answers (1)

anthonyryan1

Reputation: 5496

This isn't optimal, but it will not meaningfully reduce the security of your users.

The reason for this is that browser and computer form the trusted computing base for any web page. If you're browsing from an untrusted machine, there's no security rules in the world a web page can implement to guarantee the safety of your data and privacy of the exchange.

Upvotes: 11
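To make concrete what the policy in the question actually admits, here is an added example (not code from the question or the answer): a simplified CSP source-expression matcher that evaluates `default-src 'self' localhost:* ws://localhost:*` against candidate URLs. It shows that `localhost:*` allows any port on the loopback host over the page's own scheme, and `ws://localhost:*` any ws/wss port, which is exactly why a process listening locally on the user's machine can serve resources the page loads. The function names `parseCsp`, `sourceMatches` and `cspAllows` are mine, and the matcher is an assumption-laden simplification of CSP3 (no paths, nonces or hashes; `'self'` treated as exact origin equality).

```javascript
// Default ports used when a URL or source expression omits one.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split a policy string into { directiveName: [sourceExpression, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// CSP3 scheme rule: an http/ws expression also matches its secure upgrade.
function schemeOk(want, actual) {
  return want === actual || (want === "http:" && actual === "https:") || (want === "ws:" && actual === "wss:");
}

// Does one source expression match `url`, given the page's own origin?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin.origin; // simplification
  if (expr.startsWith("'")) return false; // other keywords/nonces/hashes: not modelled
  // host-source: [scheme://]host[:port]  (paths deliberately not supported here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/\s]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : pageOrigin.protocol;
  if (!schemeOk(wantScheme, url.protocol)) return false;
  const hostOk = host === "*" || (host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1).toLowerCase()) : url.hostname === host.toLowerCase());
  if (!hostOk) return false;
  if (port === "*") return true; // localhost:* => every port on loopback is in scope
  const urlPort = url.port || DEFAULT_PORTS[url.protocol];
  return urlPort === (port || DEFAULT_PORTS[wantScheme]);
}

// Is `directive` (falling back to default-src) satisfied for `urlStr` on this page?
function cspAllows(policy, directive, urlStr, pageOriginStr) {
  const d = parseCsp(policy);
  const list = d[directive] || d["default-src"] || [];
  const url = new URL(urlStr), page = new URL(pageOriginStr);
  return list.some((e) => sourceMatches(e, url, page));
}
```

Running it with the page served from `https://example.com` shows `https://localhost:8080/x.js` and `wss://localhost:1234/socket` both pass while `https://evil.example/x.js` is blocked; reviewing which loopback ports are actually needed, or shipping a separate production policy, narrows that surface.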
