Allow All Content Security Policy?

Asked 14/3, 2016 at 3:1 Answered 4/5, 2023 at 13:50

javascript http-headers xss content-security-policy

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.

Freedafreedman answered 14/3, 2016 at 3:1 Comment(0)

For people who still want an even more permissive posts, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough:

default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline'; 
script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
script-src-elem * data: blob: 'unsafe-inline' 'unsafe-eval';
connect-src * data: blob: 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
media-src * data: blob: 'unsafe-inline'; 
frame-src * data: blob: ; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
frame-ancestors * data: blob:;

Togoland answered 27/6, 2018 at 15:57 Comment(11)

For a policy that allows inline, but not from any host, the wildcards ( * ) could be changed to "self". – Arteriole 15/1, 2020 at 0:1

Chrome now says it doesn't know and will ignore 'unsafe-dynamic' – Dewie 15/4, 2021 at 14:16

@AnatoliiBivol interesting, I guess you can remove it to avoid warnings, if chrome is the only thing you care about – Togoland 15/4, 2021 at 18:33

I also needed to add frame-ancestors developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… – Semaphore 18/4, 2021 at 12:19

As if a directive is not found a fallback will be applied to the 'default-src' directive, why don't you consider something like that: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' – Aurilia 22/12, 2021 at 15:32

@AhmedEl-Atab at the time of writing, chrome required defining each entry explicitly. – Togoland 28/12, 2021 at 17:56

New version on 2022: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline'; frame-ancestors * data: blob:; – Fie 2/5, 2022 at 20:11

Is the above a bad policy for a public website? – Marocain 26/1 at 19:59

@Marocain depends on your purpose – Togoland 26/1 at 22:32

@Togoland I would like to check the box for "having a CSP", while neither breaking the website, nor taking a step backwards in security. – Marocain 26/1 at 23:40

@Marocain I assume this CSP is for websites that have information that should be accessible by anyone even in other websites, you have to decide for yourself if this suits your purpose. or maybe you're testing localhost and can't bother with csp at the moment – Togoland 30/1 at 9:35

It's not secure at all, but as staring point the real allow all policy is:

default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';

See: https://content-security-policy.com/ and this CSP migration guide.

Expostulatory answered 1/12, 2017 at 17:29 Comment(3)

Blob and data missed, example: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; – Fourthclass 15/7, 2019 at 9:6

You missed font-src: * 'unsafe-inline'; – Semaphore 18/4, 2021 at 12:6

Coooool. save my time – Quincey 11/6, 2021 at 3:32

The best way would be not applying any policy.

But to answer your question, an "allow all policy" would probably be:

default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;

Note: untested

Pot answered 14/3, 2016 at 20:35 Comment(1)

Unfortunately without any policy in place, Chrome proactively adds some XSS protections of its own, so having nothing is actually worse. But thanks! – Freedafreedman 14/3, 2016 at 20:36

Here's the htaccess code to allow everything in CSP

Header add Content-Security-Policy "default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"

Limbourg answered 28/5, 2020 at 4:39 Comment(0)

DISCLAIMER/WARNING: Please consider writing a proper CSP. The following configuration allows any connection and does not provide any security benefit. The Content-Security-Policy-Report-Only header helps you to archive the goal of a proper CSP in two steps/non-blocking.

Since the default behavior is for every fetch directive to fall back to default-src (according to MDN), we only need to define a default-src and sources for all document and navigation directives (base-uri, form-action, form-ancestor). The simplest CSP header that allows anything should be this:

default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
base-uri * data: mediastream: blob: filesystem:;
form-action * data: mediastream: blob: filesystem:;
form-ancestor * data: mediastream: blob: filesystem:;

The explanation why * does not match "everything" is, that the asterix only allows all host-sources, but e.g. schema-sources, inline or eval are not host-sources. Therefore these types of sources must be explicitly specified.

EDIT: added directives that do not fallback to default-src (thanks for the comment)

Molli answered 4/5, 2023 at 13:50 Comment(1)

Note that "default-src" does not actually apply to "Everything": content-security-policy.com/default-src It doesn't apply to: base-uri, form-action, frame-ancestors, report-uri, sandbox – Skyros 15/4 at 20:23

Recommended topics

Hot tags