Should Content-Security-Policy header be applied to all resources?
Is it necessary to apply the Content-Security-Policy Header to all resources on your domain (images/CSS/JavaScript) or just web pages?

For example, I noticed that https://content-security-policy.com/images/csp-book-cover-sm.png has a CSP header.

Harrisonharrod answered 10/6, 2022 at 15:11 Comment(0)
It is only necessary to apply it to web pages that are rendered in a browser, as CSP controls the allowed sources for content, framing, etc., of such pages. Typically you will only need to set it on non-redirect responses with content type "text/html". As CSP can be set in a meta tag, another way to look at it is that it only makes sense on responses that could include a meta tag.

As it is often simpler or only possible to just add a response header to all responses, CSPs are often applied to all content types and codes even though they are not strictly needed. Additionally it is recommended to add a CSP with a strict frame-ancestors to REST APIs to prevent drag-and-drop style clickjacking attacks, see https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers.

Stigmatism answered 13/6, 2022 at 6:4 Comment(3)
Do you have a docs link for the fact that CSP is only needed for content and framing? I assume that means it's not needed for JS, JSON, images, etc.? (Illaffected)

Unfortunately I couldn't find one right now, but it is a CONTENT security policy, so the name implies quite a bit. There is real need to apply it to the types of content you mention, but it might be done anyway because it is added to all responses or because scanners give bad grades because they don't understand better. (Stigmatism)

This discussion in the Web Application Security Working Group GitHub repository somewhat contradicts your answer. (Trochlear)
Yes, a Content Security Policy should be applied to all resources. At least a minimal CSP should still be applied to resources for which you think they do not need your full CSP. (If unsure, better apply your full CSP.)

For example, the CSP of a Web page does not apply to Web Workers. It is the one emitted with their script that is applied. If none, they will not have a CSP. See this MDN article about Web Workers.

To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which delivered the worker script itself.

That is just one example extracted from this discussion in the Web Application Security Working Group GitHub repository.

Extracts of some comments there:

If you think that Content-Security-Policy is irrelevant for a particular document, and/or the server hasn't been configured to have a different CSP for a given response, then I would recommend sending Content-Security-Policy: base-uri 'none'; default-src 'none'. If you are using HTTP/2 then, after the first such response, this will be compressed to almost nothing for future responses.

If there is no Content-Type then browsers will do sniffing (sometimes). Thus you should generally assume the worst when there is no Content-Type header field. Thus Content-Security-Policy: base-uri 'none'; default-src 'none' is important when there is no Content-Type too, unless/until somebody writes down the specific rules for when omitting the CSP header field is safe.

(from briansmith)

Per @briansmith's recommendation of base-uri 'none'; default-src 'none' for when Content-Type is missing, I'd expand that policy to at least:

base-uri 'none';
default-src 'none';
form-action 'none';
frame-ancestors 'none'

As default-src only covers fetch directives.

(from Malvoz)

Wolbrom answered 13/8 at 15:25 Comment(0)
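As an added example serving both answers above (it is not code from the original Q&A or from either answerer): a small Node.js helper that picks a Content-Security-Policy per response. It follows the second answer's advice that every response carries at least a minimal policy, while still giving the full policy only to responses a browser renders as a document, which is the case the first answer describes. The three policy strings, the ".worker.js" naming convention and the sample responses are assumptions made for illustration.

```javascript
// Added example, not part of the original page. Assumptions: policy values,
// the ".worker.js" naming convention and the sample responses are illustrative.

// Full policy for documents a browser renders (HTML/XHTML).
const DOCUMENT_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "base-uri 'none'",
  "form-action 'self'",
  "frame-ancestors 'none'",
].join("; ");

// A worker's policy comes from the response that delivered its script (MDN,
// quoted above), so it must allow what the worker itself does: here fetch()
// and importScripts() against same-origin URLs.
const WORKER_CSP = [
  "default-src 'none'",
  "connect-src 'self'",
  "script-src 'self'",
  "base-uri 'none'",
  "form-action 'none'",
  "frame-ancestors 'none'",
].join("; ");

// Locked-down policy for everything else (images, CSS, JSON, plain scripts),
// per the briansmith/Malvoz recommendation quoted above: if such a response is
// ever rendered, nothing may be fetched, framed, rebased or submitted.
const LOCKED_CSP =
  "base-uri 'none'; default-src 'none'; form-action 'none'; frame-ancestors 'none'";

// "text/html; charset=utf-8" -> "text/html"
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function isDocument(contentType) {
  const t = mediaType(contentType);
  return t === "text/html" || t === "application/xhtml+xml";
}

function isScript(contentType) {
  const t = mediaType(contentType);
  return t === "text/javascript" || t === "application/javascript";
}

// Assumption: worker scripts are served from paths ending in ".worker.js".
function isWorkerScript(path) {
  return /\.worker\.js$/i.test(path || "");
}

// Returns the CSP value for one response. It always returns a policy:
// redirects and responses without a Content-Type get the locked-down one,
// because a browser may sniff an untyped body, so assume the worst.
function cspFor({ status, contentType, path }) {
  if (status >= 300 && status < 400) return LOCKED_CSP;
  if (!contentType) return LOCKED_CSP;
  if (isDocument(contentType)) return DOCUMENT_CSP;
  if (isScript(contentType) && isWorkerScript(path)) return WORKER_CSP;
  return LOCKED_CSP;
}

// Sets the header on anything with setHeader(), e.g. Node's http.ServerResponse.
function applyCsp(res, meta) {
  const policy = cspFor(meta);
  res.setHeader("Content-Security-Policy", policy);
  return policy;
}

// Constructed sample responses for a dry run (not real traffic).
const SAMPLE_RESPONSES = [
  { status: 200, contentType: "text/html; charset=utf-8", path: "/index.html" },
  { status: 200, contentType: "image/png", path: "/images/csp-book-cover-sm.png" },
  { status: 200, contentType: "text/javascript", path: "/js/hash.worker.js" },
  { status: 200, contentType: "text/javascript", path: "/js/app.js" },
  { status: 200, contentType: "application/json", path: "/api/users" },
  { status: 200, contentType: undefined, path: "/download/blob" },
  { status: 302, contentType: "text/html", path: "/old" },
];

for (const r of SAMPLE_RESPONSES) {
  console.log(`${r.status} ${r.path}: ${cspFor(r)}`);
}
```

Two points the dry run makes concrete. The JSON response from the REST endpoint gets frame-ancestors 'none' via the locked-down policy, which is the clickjacking protection the first answer mentions for APIs. And the worker script is the one non-document that cannot take the locked-down policy: with default-src 'none' on its own response, the worker's fetch() and importScripts() would be blocked, which is exactly why the second answer points out that the worker's CSP comes from the response delivering its script rather than from the page.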

© 2022 - 2024 — McMap. All rights reserved.