content-security-policy.com
Source code for the content-security-policy.com website
It might be helpful to link to further reading, such as:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://w3c.github.io/webappsec-csp/
In my testing, it seems that if no port is specified, browsers assume `80` (or maybe `443` if the scheme is `https`, but I didn't try that.) I don't have...
It's not easy to find good documentation on allowing web sockets. https://outlandish.com/blog/configure-content-security-policy-with-websockets-and-express/ claims you need the domain, but `connect-src 'self' ws: wss:` seems to be working for me.
## Problem
Chrome required `unsafe-eval` for loading of WebAssembly code. See https://github.com/WebAssembly/content-security-policy/issues/7 and all the linked issues.
## Solution
They have now thankfully added a new `wasm-eval` in https://github.com/w3c/webappsec-csp/pull/293. As...
The [CSP level 3](https://www.w3.org/TR/CSP3/) directives seem to be missing:
- script-src-elem
- script-src-attr
- style-src-elem
- style-src-attr
There aren't any great resources available for documenting exactly how the CSP reporting API works. Some advice on how to set this directive, what to expect (from the JSON payload),...
https://www.w3.org/TR/CSP2/#directive-base-uri I would also suggest adding `base-uri 'none';` to the examples because it _does not_ fall back to `default-src`.
In order to be able to link to specific parts of the document, it would be nice to have anchors on each paragraph header. This eases referring to parts on...
Hi everyone, because I was sick of reverse-engineering CSP rules every time I integrate a new service into my web projects, I started a list of CSP rules for common...
It would be great to have instructions or a link about Spring configuration. Here is an instruction: https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/headers.html#headers-csp and it should mention that with Spring Boot it's possible to use `security.headers.*` properties.