Does specifying a connect-src directive in your content security policy relax the browser's same origin policy and allow you to make cross origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same origin calls or calls enabled by CORS)?
Asked
Active
Viewed 3,190 times
11
Noah Freitas
- 17,240
- 10
- 50
- 67
-
https://developer.mozilla.org/en-US/docs/Security/CSP/CSP_policy_directives – Reflective Oct 16 '12 at 23:02
-
@Reflective Thanks for the link; Mozilla does have some of the better documentation. The documentation implies that it does allow you to make cross origin XHR; however, I have not been able to get this to work in practice, and I suspect that the directive does not actually relax the same origin policy on its own. – Noah Freitas Oct 16 '12 at 23:35
1 Answers
15
The connect-src directive does not relax the same-origin policy; it simply specifies a list of source to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).
In general, Content Security Policy is an annotation that you as an author can use to limit the capabilities of your pages. It does not grant new privileges, but only removes them.
Mike West
- 5,097
- 25
- 26
-
Thanks. That wasn't the answer I was hoping for, but thank you for stating it so clearly. – Noah Freitas Nov 08 '12 at 16:13