Does specifying a file in a CSP directive prevent other files from that domain being loaded?

Question

If I have the following script-src directive:

script-src: https://example.com/scripts/file.js;

Is it possible for any of the following scripts to be loaded?

https://example.com/file.js
https://example.com/assets/file.js
https://example.com/scripts/different-file.js

Does this apply to all browsers and CSP v2 / CSP v3?

score 1 · Accepted Answer · answered Jan 24 '23 at 14:04

1

According to the specifications for CSP v2 and CSP v3, this can be used in both v2 and v3. I would expect browsers to support it as major browsers have supported v2 for years. None of the example scripts should be loaded with the given CSP.

answered Jan 24 '23 at 14:04

Halvor Sakshaug

2,583
1
6
9

Does specifying a file in a CSP directive prevent other files from that domain being loaded?

1 Answers1