schmijos

Reputation: 8735

Content-Security-Policy: default-src *

I started exploring Content Security Policy on a website which uses inline scripts and other crimes. I configured CSP per header field like this:

content-security-policy: default-src *; frame-ancestors 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net *.stripe.com; report-uri https://sentry.io/api/x/csp-report/?sentry_key=y

My problem now is that the browser complains with the following message:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src *"

I read the documentation for default-src <source> which states that <source> can be one of the following sources:

It seems to me that the asterisk can only be used for host sources. But what else can I do since only one <source> seems to be allowed? default-src * 'unsafe-inline' would not be compliant, right?

My goal basically is to use a minimal CSP configuration which works (and can be embedded via iframe). I am aware that it's best practice to go on with specific rules.

Upvotes: 3

Views: 10662

Answers (1)

sideshowbarker

Reputation: 88286

It seems to me that the asterisk can only be used for host sources.

Yes.

But what else can I do since only one <source> seems to be allowed?

Multiple <source>s are allowed.

default-src * 'unsafe-inline' would not be compliant, right?

It’s compliant.

You can use https://cspvalidator.org/ to check. Or https://csp-evaluator.withgoogle.com/.

But you really want to avoid specifying 'unsafe-inline' in any CSP policy. Using 'unsafe-inline' pretty much defeats the entire purpose of CSP.

What you want to do instead for any inline scripts causing CSP errors is: take the scripts out of your document and move them into separate files. That’s sort of the whole point.

But if you really must specify 'unsafe-inline', then as far as dealing with the specific error cited in the question, you should only specify 'unsafe-inline' for script-src — because the error message says, “Refused to execute inline script.”

If you instead specify 'unsafe-inline' for default-src, then that causes the browser to fail to do CSP checks for any inline resources in your document — stylesheets, etc., too, not just scripts.

So if the only problem is an inline script and for some reason you can’t fix that by moving the script out to a separate file, or specifying a hash or nonce for it, then you should at least only specify 'unsafe-inline' for script-src.

Upvotes: 5
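The fallback and inline-script rules the answer relies on can be made concrete with a small policy evaluator. The following is an added example written for this page, not code from the question, the answer, or any browser; it models only the subset of CSP needed here (default-src fallback for fetch directives, host and wildcard matching without path matching, and the hash, nonce and 'unsafe-inline' keywords for inline scripts). The policy string is the one from the question; the inline script body, nonce value and origins are constructed sample values.

```python
"""Toy CSP evaluator: shows why `default-src *` rejects an inline script and
how a script-src hash or nonce (or, as a last resort, 'unsafe-inline' scoped
to script-src) changes the outcome.  Constructed example; not a browser."""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "frame-src", "media-src"}


def parse_policy(header_value):
    """Split a Content-Security-Policy header value into {directive: [sources]}.
    CSP ignores repeated directives, so the first occurrence wins."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`, honouring the default-src fallback.
    None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def hash_source(script_body, algo="sha256"):
    """Return the 'sha256-<base64>' source expression for an inline script."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode()}'"


def inline_allowed(policy, directive, body, nonce=None):
    """Decide whether an inline script/style with `body` may execute."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    if any(hash_source(body, a) in sources for a in ("sha256", "sha384", "sha512")):
        return True
    # Once a nonce or hash is present, browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def host_allowed(policy, directive, url, self_origin):
    """Decide whether an external resource at `url` may load (paths ignored)."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    u = urlparse(url)
    hostname = (u.hostname or "").lower()
    for src in (s.lower() for s in sources):
        if src == "*":                      # network schemes only, never data:/blob:
            if u.scheme in ("http", "https", "ws", "wss"):
                return True
        elif src == "'self'":
            if f"{u.scheme}://{u.netloc}" == self_origin:
                return True
        elif src.endswith(":"):             # scheme-source such as https:
            if u.scheme == src[:-1]:
                return True
        elif not src.startswith("'"):       # host-source, optional scheme and *. wildcard
            m = re.fullmatch(r"(?:(https?)://)?(\*\.)?([^/:]+)(?::(\d+))?(/.*)?", src)
            if not m:
                continue
            scheme, wildcard, host, port, _path = m.groups()
            if scheme and u.scheme != scheme:
                continue
            if wildcard and not hostname.endswith("." + host):
                continue
            if not wildcard and hostname != host:
                continue
            if port and str(u.port or (443 if u.scheme == "https" else 80)) != port:
                continue
            return True
    return False


# Policy from the question (report-uri dropped: it does not affect the decision).
QUESTION_POLICY = ("default-src *; frame-ancestors 'self'; style-src 'self' 'unsafe-inline' "
                   "fonts.googleapis.com cdn.jsdelivr.net *.stripe.com")
INLINE_SCRIPT = "console.log('hello');"      # constructed inline script body


def demo():
    """Evaluate the question's policy and two hardened variants; returns the outcomes."""
    q = parse_policy(QUESTION_POLICY)
    hashed = parse_policy(f"default-src *; script-src {hash_source(INLINE_SCRIPT)}; frame-ancestors 'self'")
    scoped = parse_policy("default-src *; script-src * 'unsafe-inline'; frame-ancestors 'self'")
    return {
        "question_inline_script": inline_allowed(q, "script-src", INLINE_SCRIPT),   # '*' never covers inline
        "question_inline_style": inline_allowed(q, "style-src", "body{margin:0}"),   # style-src has 'unsafe-inline'
        "question_external_script": host_allowed(q, "script-src", "https://cdn.example/app.js", "https://app.example"),
        "question_stripe_style": host_allowed(q, "style-src", "https://js.stripe.com/v3/", "https://app.example"),
        "question_stripe_apex": host_allowed(q, "style-src", "https://stripe.com/x.css", "https://app.example"),
        "hashed_inline_script": inline_allowed(hashed, "script-src", INLINE_SCRIPT),
        "hashed_tampered_script": inline_allowed(hashed, "script-src", INLINE_SCRIPT + "//x"),
        "scoped_inline_script": inline_allowed(scoped, "script-src", INLINE_SCRIPT),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'allowed' if allowed else 'blocked'}")
```

The run reproduces the question's error (the inline script is blocked under `default-src *` while inline styles pass because style-src carries its own 'unsafe-inline'), and shows the two outcomes the answer recommends: a `'sha256-…'` hash on script-src admits exactly that script and rejects any modified body, while 'unsafe-inline' scoped to script-src admits it without loosening every other directive the way putting it on default-src would.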
