Differences

This shows you the differences between two versions of the page.

--- ubuntu:csp_content_security_policy [2020/04/15 08:33] – peter
+++ ubuntu:csp_content_security_policy [2023/06/04 11:30] (current) – peter
@@ Line 7: / Line 7: @@
 **NOTE**: It is known that having both **Content-Security-Policy** and **X-Content-Security-Policy** or **X-Webkit-CSP** causes unexpected behaviours on certain versions of browsers.  Please avoid using deprecated **X-*** headers.
 </WRAP>
+----
 ===== Directive Reference =====
@@ Line 29: / Line 31: @@
 |plugin-types|application/pdf|Defines valid MIME types for plugins invoked via <color red><object></color> and <color red><embed></color>.  To load an <color red><applet></color> you must specify <color red>application/x-java-applet</color>.|
 |base-uri| |Restricts the URLs that can be used to specify the document base URL.|
+----
 ===== Source List Reference =====
@@ Line 48: / Line 52: @@
 |'unsafe-eval'|script-src 'unsafe-eval'|Allows unsafe dynamic code evaluation such as JavaScript <color red>eval()</color>.|
+----
 ===== How it Works =====
@@ Line 59: / Line 64: @@
   * **none** indicates that nothing should be loaded for a given directive e.g. object-src 'none' indicates that no plugins—such as Flash or Java—should be loaded.
+----
 ===== Content-Security-Policy Examples =====
@@ Line 72: / Line 78: @@
 </code>
+----
 ==== Only Allow Scripts from the same origin ====
@@ Line 79: / Line 86: @@
 </code>
+----
 ==== Allow Same Origin, Google Analytics, and Google AJAX CDN ====
@@ Line 86: / Line 94: @@
 </code>
+----
 ==== Starter Policy ====
@@ Line 95: / Line 104: @@
 </code>
+----
 ==== Mixed Content Policy ====
@@ Line 122: / Line 132: @@
 </code>
+----
 ===== Prevent Clickjacking =====
@@ Line 161: / Line 172: @@
 </WRAP>
+----
 ===== Re-factoring inline code =====
@@ Line 233: / Line 245: @@
 </code>
+----
 ===== Content-Security-Policy Error Messages =====
@@ Line 248: / Line 261: @@
 </code>
+----
 ===== Server Side Configuration =====
@@ Line 260: / Line 275: @@
 Header set Content-Security-Policy "default-src 'self';"
 </code>
+----
 ==== Nginx Content-Security-Policy Header ====
@@ Line 271: / Line 288: @@
 You can also append **always** to the end to ensure that nginx sends the header reguardless of response code.
+----
 ==== IIS Content-Security-Policy Header ====
@@ Line 286: / Line 304: @@
 </code>
+----
 ===== Other Examples of CSP =====
@@ Line 301: / Line 320: @@
 Note how Facebook makes use of wildcards for both subdomains, as well as port numbers in connect-src.
+----
 ==== Twitter ====
@@ Line 322: / Line 343: @@
 Notice how the directives all contain https:, thus enforcing SSL.
+----
 ===== Capturing CSP Violations with report-uri =====
@@ Line 350: / Line 372: @@
 </code>
+----
 ===== Content-Security-Policy-Report-Only =====
@@ Line 355: / Line 378: @@
 If you're thinking of implementing CSP, you can take your CSP for a dry run by using the **Content-Security-Policy-Report-Only** HTTP header instead of **Content-Security-Policy**.  This works just the same way as the CSP header, but it only reports on violations without actually enforcing the policy by blocking restricted resources.  You can even use both headers at the same time, enforcing one policy while monitoring the effect any changes might have in the other.
+----
 ===== Test =====
@@ Line 362: / Line 386: @@
 https://report-uri.io/home/tools
+----
 ===== References =====