Content Delivery Policy setup
I want to secure my website using a Content Security Policy. I came up with the following policy:
X-Content-Security-Policy: default-src www.example.com static.example.com; script-src ajax.googleapis.com
I have two questions regarding the Content Security Policy I want to set.
I use Google's CDN only to get the jQuery library. Is it possible to make a policy that only allows certain scripts to load from a domain instead of the generic script-src?
Is my policy correct? E.g. having two domains for the default-src and a separate one for script-src. Will I still be able to serve script-src files through my own domains?
For Q1: No. In the W3C spec it says that script-src specifies hosts as follows:
( [ scheme "://" ] host [ port ] )
so nothing after the host or port can be used.
For Q2: From my reading of the spec, yes, it's correct.
If not specified explicitly in the policy, the directives listed above
will use the default sources.
So you have two domains as defaults for everything, and then you further refine script-src with a particular domain. However, if you want to serve script-src files from your own domain then you'll need to add your domain after ajax.googleapis.com.
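To make both answers concrete, here is an added example (not code from the original post) that models how a browser would evaluate the policy from the question: it parses host sources with the grammar quoted above, applies the default-src fallback, and checks the URLs involved. The policy strings and domains are the ones from the thread; the jQuery file path is a constructed sample, and 'self', 'none', wildcards and later CSP revisions are assumed out of scope.

```javascript
// Added example (not from the original post). It models only the host-source
// grammar quoted in the answer, ( [ scheme "://" ] host [ port ] ), plus the
// default-src fallback; 'self', 'none', wildcards and later CSP revisions
// (which do allow paths) are deliberately not modelled.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.-]+)(?::(\d+))?$/i;
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Parse one source expression; anything outside the grammar (for example a
// path such as "ajax.googleapis.com/ajax/libs/jquery") is rejected.
function parseSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) throw new Error(`not a valid host source: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// "default-src a b; script-src c" -> Map { "default-src" => [a, b], "script-src" => [c] }
function parsePolicy(header) {
  const policy = new Map();
  for (const directive of header.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources.map(parseSource));
  }
  return policy;
}

// A directive that is present replaces default-src entirely; default-src is
// consulted only when the directive is absent. That is why script-src has to
// repeat www.example.com if scripts are also served from there.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? [];
}

// Would a fetch of `url` governed by `directive` (e.g. "script-src") be allowed?
function isAllowed(policy, directive, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || DEFAULT_PORT[u.protocol] || null;
  return effectiveSources(policy, directive).some((s) =>
    s.host === u.hostname &&
    (s.scheme === null || s.scheme === scheme) &&
    (s.port === null || s.port === port));
}

// The policy from the question, and the same policy with the answer's fix applied.
const asked = parsePolicy("default-src www.example.com static.example.com; script-src ajax.googleapis.com");
const fixed = parsePolicy("default-src www.example.com static.example.com; script-src ajax.googleapis.com www.example.com");

console.log(isAllowed(asked, "script-src", "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js")); // true
console.log(isAllowed(asked, "script-src", "https://www.example.com/app.js")); // false: script-src overrides default-src
console.log(isAllowed(fixed, "script-src", "https://www.example.com/app.js")); // true
```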