Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.
5 Answers
For people who still want an even more permissive policy, because the other answers were just not permissive enough, and who must work with Google Chrome, for which `*` is just not enough:
default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
script-src * data: blob: 'unsafe-inline' 'unsafe-eval';
connect-src * data: blob: 'unsafe-inline';
img-src * data: blob: 'unsafe-inline';
frame-src * data: blob: ;
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
frame-ancestors * data: blob: 'unsafe-inline';

- For a policy that allows inline, but not from any host, the wildcards (`*`) could be changed to "self". – Rob Breidecker Jan 15 '20 at 00:01
- Chrome now says it doesn't know and will ignore `'unsafe-dynamic'` – Anatol Bivol Apr 15 '21 at 14:16
- @AnatoliiBivol interesting, I guess you can remove it to avoid warnings, if Chrome is the only thing you care about – Rainb Apr 15 '21 at 18:33
- I also needed to add frame-ancestors https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors – Jonathan Parker Apr 18 '21 at 12:19
- As a directive that is not found falls back to the 'default-src' directive, why don't you consider something like this: `default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'` – Ahmed El-Atab Dec 22 '21 at 15:32
- @AhmedEl-Atab at the time of writing, Chrome required defining each entry explicitly. – Rainb Dec 28 '21 at 17:56
- New version in 2022: `default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline'; frame-ancestors * data: blob:;` – Kevin .NET May 02 '22 at 20:11
It's not secure at all, but as a starting point, the real allow-all policy is:
default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';
See: https://content-security-policy.com/ and this CSP migration guide.

- Blob and data are missing; example: `default-src * data: blob: 'unsafe-inline' 'unsafe-eval';` – basil Jul 15 '19 at 09:06
-
The best way would be not to apply any policy at all.
But to answer your question, an "allow all policy" would probably be:
default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;
Note: untested

Unfortunately without any policy in place, Chrome proactively adds some XSS protections of its own, so having nothing is actually worse. But thanks! – joshlf Mar 14 '16 at 20:36
Here's the .htaccess code to allow everything in CSP (the non-existent `'unsafe-dynamic'` keyword, which browsers ignore with a warning, is left out):
Header add Content-Security-Policy "default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"

DISCLAIMER/WARNING: Please consider writing a proper CSP. The following configuration allows any connection and does not provide any security benefit. The Content-Security-Policy-Report-Only header helps you achieve the goal of a proper CSP in two non-blocking steps.
Since the default behavior is for every directive to fall back to default-src (according to MDN), the simplest CSP header that allows anything should be this:
default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
The explanation why `*` does not match "everything" is that the asterisk only allows all host sources, but scheme sources, inline code and eval, for example, are not host sources. Therefore these types of sources must be explicitly specified.

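As an added example (not code from any answer in this thread), the following Python script models just the CSP matching rules the answers above lean on: fetch directives falling back to `default-src` (while `frame-ancestors` does not), `*` matching network host sources but not scheme sources such as `data:` or `blob:`, and `'unsafe-inline'`/`'unsafe-eval'` being required for inline code and `eval()`. The two policies and the probe URLs are constructed for the demonstration; nonces, hashes, wildcard hosts, `'strict-dynamic'` and the intermediate fallbacks (such as `worker-src` via `child-src`) are deliberately not modelled, and the treatment of `ws:`/`wss:` as network schemes for `*` is an approximation of what browsers do.

```python
"""Minimal CSP source matcher (added example; not code from the thread)."""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent (subset of the CSP3 list;
# intermediate fallbacks such as worker-src -> child-src -> script-src are collapsed).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "frame-src", "media-src", "object-src", "worker-src", "manifest-src"}
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}  # approximation of what '*' matches

# Constructed policies for the demonstration: the naive one and an explicit allow-all.
STAR_ONLY = "default-src *"
ALLOW_ALL = ("default-src * data: blob: filesystem: about: ws: wss: "
             "'unsafe-inline' 'unsafe-eval'; frame-ancestors *")


def parse_policy(header: str) -> dict:
    """Split 'dir a b; dir2 c' into {dir: [a, b], dir2: [c]}; tokens are case-insensitive."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list that governs `directive`, or None if the policy does not constrain it."""
    if directive in policy:
        return policy[directive]          # an explicit directive replaces default-src entirely
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None                           # e.g. frame-ancestors never inherits from default-src


def allows_url(policy: dict, directive: str, url: str) -> bool:
    """Does `directive` permit loading `url`? '*' only covers network schemes."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True                       # nothing applies, so nothing is blocked
    scheme = urlparse(url).scheme.lower()
    for src in sources:
        if src == "*":
            if scheme in NETWORK_SCHEMES:
                return True
        elif src.startswith("'"):
            continue                      # keywords ('self', 'unsafe-inline', ...) never match a URL here
        elif src.endswith(":"):
            if scheme == src[:-1]:        # scheme-source such as data: or blob:
                return True
        elif url.lower().startswith(src):  # plain host-source; exact prefix match only
            return True
    return False


def allows_inline(policy: dict, directive: str = "script-src") -> bool:
    """Inline <script>/<style> needs 'unsafe-inline' (nonces and hashes not modelled)."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def allows_eval(policy: dict) -> bool:
    """eval()/new Function() need 'unsafe-eval' in the governing script directive."""
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in sources


def report(header: str) -> dict:
    """Probe one policy with the kinds of loads a web-hacking exercise typically needs."""
    p = parse_policy(header)
    return {
        "remote script": allows_url(p, "script-src", "https://cdn.example/payload.js"),
        "data: image": allows_url(p, "img-src", "data:image/png;base64,AAAA"),
        "blob: worker": allows_url(p, "worker-src", "blob:https://app.example/123"),
        "websocket": allows_url(p, "connect-src", "wss://c2.example/socket"),
        "inline script": allows_inline(p),
        "eval": allows_eval(p),
        "framed by any site": allows_url(p, "frame-ancestors", "https://attacker.example"),
    }


if __name__ == "__main__":
    for name, header in (("default-src *", STAR_ONLY), ("allow-all", ALLOW_ALL)):
        print(f"{name}: {header}")
        for probe, ok in report(header).items():
            print(f"  {'allowed' if ok else 'BLOCKED'}  {probe}")
```

Running it shows why `default-src *` is not an allow-all policy: remote scripts and WebSockets pass, but `data:` images, `blob:` workers, inline scripts and `eval()` are all blocked until the scheme sources and keywords are spelled out. It also shows the point made in the comments about defining each entry explicitly: once `script-src` is present, `default-src` is no longer consulted for scripts, so an `'unsafe-inline'` that only lives in `default-src` does nothing for them.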