alfa

Reputation: 35

How does the browser respond if the Content Security Policy is different across multiple HTTP responses from the same origin?

If a browser requests a resource from a URI, and the CSP header from the first response indicates only to load resources from 'self', i.e.:

Content-Security-Policy: default-src 'self'

But subsequent requests for resources to the same origin return a more lenient CSP in their header, i.e.:

Content-Security-Policy: default-src 'self' *.trusted.com

Does the browser apply the most permissive policy indicated?

Upvotes: 0

Views: 102

Answers (1)

alfa

Reputation: 35

"The browser does not persist CSP policies across responses, and doesn’t between responses maintain any state information about policies from previous responses." - as above

Upvotes: 0
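To make the answer concrete, here is an added example (not code from the asker or from any browser) that models how CSP is scoped: the policy list delivered with one response governs only the document created from that response, and when a single response carries more than one policy every one of them must allow a load. The matcher is a deliberately small subset of the real source-expression grammar (only `default-src`, `'self'`, `'none'` and host patterns with an optional `*.` wildcard; no ports, paths or scheme-only sources), and the three responses are constructed for illustration.

```javascript
// Minimal model of CSP scoping for the default-src directive.
// Assumptions: Node.js with the global URL class; only 'self', 'none' and
// host-source patterns (optional scheme, optional "*." wildcard) are supported.

// Parse "name src1 src2; name2 src3" into { name: [src1, src2], name2: [src3] }.
function parsePolicy(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// "*.trusted.com" matches any subdomain of trusted.com but not trusted.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".trusted.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading resourceUrl into a document at documentOrigin?
function sourceMatches(source, documentOrigin, resourceUrl) {
  const doc = new URL(documentOrigin);
  const res = new URL(resourceUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return res.origin === doc.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)$/i.exec(source);
  if (!m) return false; // unsupported expression in this simplified model
  const [, scheme, hostPattern] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== res.protocol) return false;
  } else if (res.protocol !== doc.protocol &&
             !(doc.protocol === 'http:' && res.protocol === 'https:')) {
    return false; // scheme-less host sources inherit the document's scheme (http may upgrade to https)
  }
  return hostMatches(hostPattern.toLowerCase(), res.hostname);
}

// cspHeaders: every Content-Security-Policy value that arrived with THIS response.
// All of them are enforced together; the loosest one never wins.
function loadAllowed(cspHeaders, documentOrigin, resourceUrl) {
  return cspHeaders.every(header => {
    const sources = parsePolicy(header)['default-src'];
    if (!sources) return true; // this policy has no default-src, so it does not restrict the load
    return sources.some(src => sourceMatches(src, documentOrigin, resourceUrl));
  });
}

// Constructed responses from one origin, each with its own CSP header(s).
const responses = [
  { url: 'https://example.com/page1', csp: ["default-src 'self'"] },
  { url: 'https://example.com/page2', csp: ["default-src 'self' *.trusted.com"] },
  { url: 'https://example.com/page3', csp: ["default-src 'self' *.trusted.com", "default-src 'self'"] },
];

// Evaluate one resource URL against each document independently: the result for
// page1 depends only on page1's headers, no matter what page2 later received.
function evaluate(resourceUrl) {
  const result = {};
  for (const r of responses) {
    result[r.url] = loadAllowed(r.csp, new URL(r.url).origin, resourceUrl);
  }
  return result;
}

console.log(evaluate('https://cdn.trusted.com/lib.js'));
// page1: false (only 'self'), page2: true, page3: false (its second policy still blocks it)
console.log(evaluate('https://example.com/app.js'));
// all true: same origin satisfies 'self' in every policy
```

The point the model makes visible: `page1` keeps blocking `cdn.trusted.com` even though `page2`, served from the same origin, allows it, and `page3` shows that two policies on one response are intersected rather than relaxed to the more permissive one.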
