Julien

Reputation: 1

Browser doesn't apply the CSP received from HTTP headers?

Here is my aim: implement a Content Security Policy backend side and apply it frontend side through the browser. Here is the issue: none of the rules set up are effective frontend side.

What I tried : I created a CSP that blocks any resource (on purpose for a test).

I can see that the CSP is sent by backend and received in browser (from HTTP headers in Firefox's Network tab).

    content-security-policy : default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; font-src 'none'; connect-src 'none'; frame-src 'none'; object-src 'none'; media-src 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'

But none of these rules are effective: JS scripts are executed, images from any domain are visible, etc.

Finally, when I set up the CSP in the index.html frontend side, the CSP is working. But it's not the best practice.

How can I make the CSP be applied when sent through HTTP headers?

My config:
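Added example (not part of the question or the asker's setup): a browser enforces a `Content-Security-Policy` header only for the document whose response carried it, so the header has to be on the response that delivers the HTML page itself, not only on API responses fetched later. The script below does two things. First, it serves a small constructed HTML page with the exact policy quoted in the question attached to the document response, which is the configuration to compare against. Second, it contains a simplified CSP evaluator (`parse_csp`, `allowed`) that reproduces how the browser resolves a fetch directive, including the fallback to `default-src`, so the expected effect of a policy can be checked offline before looking at the Network tab. The evaluator is a teaching approximation of the CSP3 matching rules (ports and paths are ignored); the HTML, the port and the sample URLs are made up for the example.

```python
"""Serve an HTML document with a CSP header and evaluate the policy offline.

Added example, not from the original question. The source matcher is a
simplified version of the CSP3 rules: host ports and path components are
ignored, and only keyword sources relevant to URL matching are handled.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# The policy quoted in the question, copied verbatim.
POLICY = ("default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; "
          "font-src 'none'; connect-src 'none'; frame-src 'none'; object-src 'none'; "
          "media-src 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; "
          "frame-ancestors 'none'")

# Fetch directives that fall back to default-src when absent. base-uri,
# form-action and frame-ancestors deliberately do NOT fall back.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                       "frame-src", "object-src", "media-src", "worker-src"}

# Constructed page; a blocked inline script and a cross-origin image.
HTML = """<!doctype html><html><body>
<h1>CSP header test page (constructed example)</h1>
<script>document.body.style.background = 'red';</script>
<img src="https://cdn.example/pixel.png" alt="blocked by img-src 'none'">
</body></html>"""


def parse_csp(header: str) -> dict:
    """Split a serialized policy into {directive: [sources]}.
    Per spec, a repeated directive is ignored and the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list governing `directive`, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does a single source expression permit loading `url` from a page at `page_origin`?"""
    s = source.lower()
    parts = urlsplit(url)
    if s == "'none'":
        return False
    if s == "'self'":
        return origin_of(url) == page_origin.lower()
    if s == "*":
        # The wildcard matches any scheme except data:, blob: and filesystem:.
        return parts.scheme not in ("data", "blob", "filesystem")
    if s.startswith("'"):
        # 'unsafe-inline', nonces and hashes do not match URLs.
        return False
    if s.endswith(":"):
        return parts.scheme == s[:-1]  # scheme-source such as https:
    scheme, host = s.split("://", 1) if "://" in s else (None, s)
    host = host.split("/")[0].split(":")[0]  # drop path and port (simplification)
    if scheme and parts.scheme != scheme:
        return False
    if host.startswith("*."):
        return bool(parts.hostname) and parts.hostname.endswith(host[1:])
    return parts.hostname == host


def allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True when the policy permits `url` under `directive` (after default-src fallback)."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_allows(src, url, page_origin) for src in sources)


class CspHandler(BaseHTTPRequestHandler):
    """Attach the CSP header to the HTML document response itself."""

    def do_GET(self):
        body = HTML.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 8000) -> None:
    """Run on 127.0.0.1:<port>; open it in a browser and check the console/Network tab."""
    HTTPServer(("127.0.0.1", port), CspHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run the script and load `http://127.0.0.1:8000/` in Firefox: the document response in the Network tab should show the header, the inline script should be reported as blocked in the console and the image should not render. If the page still executes scripts, the response that delivered the HTML (not a later XHR or fetch response) is the one to inspect for the header, since that is the only response the browser reads a document policy from.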

Upvotes: 0

Views: 54

Answers (0)
