HTTP - Content security policy (CSP)
Table of Contents
About
CSP 1) is a security response header that define the behaviors that are trusted in your HTML page.
CSP can be used to detect and mitigate against the effects of certain attacks, such as:
- and other code injection attacks
CSP is particularly powerful as it includes directives such as script-src that specifies what are valid, allowed sources for JavaScript.
Implementation
Google Publisher tag
Ref: If you have a Content Security Policy (CSP) on your site, the restrictions of the CSP also apply to AMPHTML ads in friendly iframes. In that case, call googletag.pubads().setForceSafeFrame(true) before making any ad requests, to allow the ad to render in a cross-domain iframe without the CSP's restrictions
Syntax
Content-Security-Policy: <policy-directive>; <policy-directive>
- With a few exceptions, policies mostly involve specifying server origins and script endpoints.
- Your policy should include a default-src policy directive, which is a fallback for other resource types when they don't have policies of their own
Example
Third party script
- Given this CSP header
Content-Security-Policy: script-src https://example.com/
- The following third-party script will not be loaded or executed
<script src="https://not-example.com/js/library.js"></script>
Block HTTP call on HTTPS page
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />
Reporting
Content-Security-Policy-Report-Only: default-src 'self' *.ezoic.net; img-src www.googletagmanager.com ; report-uri https://api.gerardnico.com/csp
Example of Json send. The definition can be found in the specification.
{
"csp-report": {
"document-uri": "http://example.com/signup.html",
"referrer": "",
"blocked-uri": "http://example.com/css/style.css",
"violated-directive": "style-src cdn.example.com",
"original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
"disposition": "report"
}
}
