
My question is similar to, but not the same as:

Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?

but I don't think there's a clear answer there.

When a web page is loaded, is the Content Security Policy (CSP) for that page (and any resources loaded by that page) defined by the first CSP header encountered, or can it be amended by subsequent resources loaded by that page?

Example

Suppose the webpage at location https://www.example.com/main.html returns a CSP header

Content-Security-Policy: script-src https://safe.javascript.com

then within its HTML requests a Javascript file from safe.javascript.com:

<script src='https://safe.javascript.com/magnifier.js'></script>

The browser permits this source based on the CSP header, and during page load issues the HTTP/GET request to safe.javascript.com for magnifier.js. However let's suppose that the HTTP response headers for the Javascript file itself includes a CSP header:

Content-Security-Policy: script-src https://unsafe.javascript.com

What is the CSP for the main.html web page now set to, regarding script source?

  • Is it still https://safe.javascript.com (because the CSP applies to main.html throughout its life, and is set completely by the initial GET response)?
  • Is it now amended to include https://unsafe.javascript.com?
  • Is it replaced by https://unsafe.javascript.com?
  • Does the CSP header for magnifier.js determine what content magnifier.js can load and has no bearing on main.html? (i.e. each HTTP/GET has its own CSP scope)
  • Is the CSP header completely ignored (because CSP is set at page level, not file level)?

I think the latter is the secure option, but I can't find the answer in https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP apart from

Configuring Content Security Policy involves adding the Content-Security-Policy HTTP header to a web page and giving it values to control what resources the user agent is allowed to load for that page.

Does 'for that page' mean that it is set once per page, and only by the headers for that specific page?

I see websites setting CSP headers for all resources (e.g. images, CSS) rather than just for their HTML content. But unless the content is HTML, is there any purpose for that?

Mike

1 Answer


A CSP is defined by the page and most sub-resources don’t need to specify a CSP as it will not be used and it’s a waste of bytes to send it.

The original CSP can specify strict-dynamic to let allowed scripts add new scripts. But that still doesn’t replace the top level CSP. See here for more info: https://content-security-policy.com/strict-dynamic/

Barry Pollard
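The scoping rule in the answer above (the policy belongs to the document that embedded the resource, and a CSP header on a sub-resource such as magnifier.js has no effect on it) and the strict-dynamic propagation rule can be made concrete with a small model. The following is an added example written for this page; it is not code from the question, the answer, or any browser. It is a deliberately simplified evaluator, handling only `script-src` with host sources, `'self'`, `'nonce-...'` and `'strict-dynamic'` (no `default-src` fallback, no hashes, no `'unsafe-inline'`), and every hostname and nonce in it is a constructed example, including the ones taken from the question.

```javascript
// Toy model of how a browser scopes Content-Security-Policy for scripts.
// Simplified: script-src only; host sources, 'self', 'nonce-...', 'strict-dynamic'.
// Not a CSP Level 3 implementation. All hosts/nonces are constructed examples.

function parseScriptSrc(headerValue) {
  // Returns the source expressions of the first script-src directive,
  // or null when the header carries no script-src (treated as unrestricted here).
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'script-src') return tokens.slice(1);
  }
  return null;
}

function hostMatches(expr, url) {
  // Host-source match: optional scheme, host with optional '*.' wildcard. Path and port ignored.
  const u = new URL(url);
  let [scheme, host] = expr.includes('://') ? expr.split('://') : [null, expr];
  host = host.split('/')[0].toLowerCase();
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1)); // '*.a.b' -> '.a.b'
  return u.hostname === host;
}

class PageDocument {
  constructor(url, cspHeaderValue) {
    this.url = url;
    // Fixed when the document's own response is processed; never touched afterwards.
    this.scriptSrc = cspHeaderValue ? parseScriptSrc(cspHeaderValue) : null;
  }

  // A sub-resource response (script, image, stylesheet) has arrived. Its CSP header,
  // if any, is intentionally neither merged into nor substituted for this.scriptSrc:
  // a CSP delivered with a non-document resource does not govern the embedding page.
  receiveSubresource(responseHeaders) {
    void responseHeaders['content-security-policy']; // read and discarded on purpose
    return this.scriptSrc;
  }

  // req: { url, nonce, parserInserted, insertedByTrusted }
  //   parserInserted    - markup-parsed, document.write or innerHTML
  //   insertedByTrusted - created via DOM APIs by a script that itself passed this check
  allowsScript(req) {
    const srcs = this.scriptSrc;
    if (srcs === null) return true;
    if (req.nonce && srcs.includes(`'nonce-${req.nonce}'`)) return true;
    if (srcs.includes("'strict-dynamic'")) {
      // Host/scheme sources and 'self' are ignored; trust propagates only to
      // non-parser-inserted scripts created by an already-trusted script.
      return Boolean(req.insertedByTrusted && !req.parserInserted);
    }
    if (!req.url) return false; // inline script without a matching nonce
    return srcs.some((expr) => {
      if (expr === "'self'") return new URL(req.url).origin === new URL(this.url).origin;
      if (expr.startsWith("'")) return false; // other keywords not modelled
      return hostMatches(expr, req.url);
    });
  }
}

// The scenario from the question: main.html sets script-src, magnifier.js's
// own response carries a different CSP header, and the page's policy stays as it was.
function questionScenario() {
  const page = new PageDocument('https://www.example.com/main.html',
                                'script-src https://safe.javascript.com');
  const magnifierAllowed = page.allowsScript({
    url: 'https://safe.javascript.com/magnifier.js', parserInserted: true });
  page.receiveSubresource({ 'content-security-policy': 'script-src https://unsafe.javascript.com' });
  const unsafeAllowed = page.allowsScript({
    url: 'https://unsafe.javascript.com/payload.js', parserInserted: true });
  return { magnifierAllowed, unsafeAllowed, policyAfter: page.scriptSrc.join(' ') };
}

// 'strict-dynamic' in the top-level CSP: a nonced loader may create scripts via
// DOM APIs, but the top-level policy itself is not replaced or widened by it.
function strictDynamicScenario() {
  const page = new PageDocument('https://www.example.com/main.html',
    "script-src 'nonce-r4nd0m' 'strict-dynamic' https://safe.javascript.com");
  const loaderAllowed = page.allowsScript({
    url: 'https://safe.javascript.com/loader.js', nonce: 'r4nd0m', parserInserted: true });
  const createElementAllowed = page.allowsScript({
    url: 'https://cdn.example/widget.js', insertedByTrusted: loaderAllowed, parserInserted: false });
  const documentWriteAllowed = page.allowsScript({
    url: 'https://cdn.example/widget.js', insertedByTrusted: loaderAllowed, parserInserted: true });
  const hostOnlyAllowed = page.allowsScript({ // listed host, no nonce: ignored under strict-dynamic
    url: 'https://safe.javascript.com/other.js', parserInserted: true });
  return { loaderAllowed, createElementAllowed, documentWriteAllowed, hostOnlyAllowed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(questionScenario());
  console.log(strictDynamicScenario());
}
```

Running it prints that magnifier.js is allowed, the script from unsafe.javascript.com is blocked, and `policyAfter` is still `https://safe.javascript.com`; in the second scenario only the nonced loader and the script it creates with `createElement` pass, while `document.write` insertion and a nonce-less script from the listed host do not.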