Rathma

Reputation: 1303

Is this method of applying content security policy ok?

I am trying to add CSP to my web application. I have added the following meta tag to my index page:

<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:;default-src *;style-src 'self' http://* 'unsafe-inline';script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';" />

and also the following in my web.config file on IIS:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy"
           value="default-src 'self' 'unsafe-inline' http://*.domain.com; img-src 'self' http://*.domain.com data:" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Is it necessary to add both the meta tag and the additional header, or is one of them sufficient?

Does the meta tag policy override the custom header?

Does this script-src 'self' http://* 'unsafe-inline' 'unsafe-eval' mean that I can write inline JavaScript and use the eval function inside my code? Does this rule override the policy set by the headers? (Because as far as I know, in the headers I have prohibited the use of inline JavaScript and the eval function.)

And my last question: if I use these settings, should I use ng-csp or its other variant, ng-csp="no-unsafe-eval", in my HTML?

Upvotes: 2

Views: 1225

Answers (1)

sideshowbarker

Reputation: 88066

Is it necessary to add both the meta tag and the additional header, or is one of them sufficient?

One is sufficient. If you can make your server send the policy in a response header, that’s better. You don’t need to specify anything in a meta element as well, and there’s no advantage to doing so.

Does the meta tag policy override the custom header?

The meta policy will only override the header policy if the meta policy is stricter. See this answer:

What is happening when I have two CSP (Content Security Policies) policies - header & meta?

… which cites a part of the CSP that says, “adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource”.

Does this script-src 'self' http://* 'unsafe-inline' 'unsafe-eval' mean that I can write inline JavaScript and use eval function inside my code?

It would do that if your header also specified those values for script-src. But your header policy does not. So the browser uses the strictest policy, regardless of where it’s specified.

Does this rule override the policy set by the headers? (Because as far as I know, in the headers I have prohibited the use of inline JavaScript and the eval function.)

No, as the What is happening when I have two CSP (Content Security Policies) policies - header & meta? answer explains, you can’t override a strict policy by specifying a less-strict policy elsewhere.

So you’re best off specifying all your policy values in just one place, in a header (instead of meta).

Upvotes: 2
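As an added illustration (not part of the question or the answer), a small Python evaluator of the rule the answer relies on: when a page receives more than one policy, every policy is enforced, so a load is permitted only if each policy allows it. It parses the two policies posted above, treats fetch directives absent from a policy as falling back to that policy's default-src, and assumes a constructed page origin of http://www.domain.com; the URL matching is simplified (no port or path matching).

```python
from urllib.parse import urlparse

# The two policies posted in the question (meta tag first, header second).
META = ("img-src 'self' data:;default-src *;style-src 'self' http://* 'unsafe-inline';"
        "script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';")
HEADER = ("default-src 'self' 'unsafe-inline' http://*.domain.com; "
          "img-src 'self' http://*.domain.com data:")
SELF = "http://www.domain.com"  # constructed origin of the protected page

def parse_policy(serialized):
    """Serialized CSP -> {directive: [source expressions]}."""
    policy = {}
    for chunk in serialized.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def sources_for(policy, directive):
    """Fetch directives (script-src, img-src, ...) fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))

def source_matches(expr, url, self_origin):
    u = urlparse(url)
    if expr == "*":                       # CSP3: '*' matches network schemes only
        return u.scheme in ("http", "https", "ws", "wss")
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == self_origin
    if expr.endswith(":"):                # scheme-source such as data:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")
    if scheme and not (u.scheme == scheme or (scheme == "http" and u.scheme == "https")):
        return False                      # http:// patterns also match https (upgrade)
    host = host.split("/")[0]
    if host == "*":
        return True
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host             # keywords like 'unsafe-inline' never match a URL

def allows_url(policy, directive, url, self_origin=SELF):
    return any(source_matches(e, url, self_origin) for e in sources_for(policy, directive))

def allows_keyword(policy, directive, keyword):  # keyword includes its quotes
    return keyword in sources_for(policy, directive)

def permitted(policies, check):
    """Several delivered policies are all enforced: each must allow the load."""
    return all(check(parse_policy(p)) for p in policies)
```

With both posted policies in force, eval and a script from a non-domain.com host are refused because the header's default-src does not list them, while a script from http://static.domain.com passes both; for inline scripts, the header has no script-src, so its default-src (which lists 'unsafe-inline') is what governs.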
