5 years ago
Stuart Larsen #article
Did you know it's possible to use multiple Content-Security-Policies on the same resource? This article will cover some of the ins and outs of using multiple policies.
If you're new to Content-Security-Policy I'd highly recommend checking out this article first: An Introduction to Content Security Policy.
tl;dr: all policies are enforced equally, and any one of the policies can block the overall resource/request.
Content-Security-Policy can be applied in two different ways: an HTTP header or a <meta> tag.
The header is the most common and recommended way. Applying CSP is as simple as setting the 'Content-Security-Policy' or 'Content-Security-Policy-Report-Only' header on the HTTP response.
The <meta> tag can be used as an http-equiv to set the same policy, for example <meta http-equiv="Content-Security-Policy" content="default-src 'self'">.
It's highly recommended to use the HTTP header over the meta tag. This is because:
There are two ways to have multiple policies. One is to separate them with a comma inside a single header:
Content-Security-Policy: default-src 'self', default-src 'https:'
When a web server delivers multiple policies, all of them are enforced. This means that either policy can block a resource from being loaded.
In this comma-separated example, a resource will only pass if it is both from 'self' and over 'https:'. Had the two policies been merged into a single policy (default-src 'self' 'https:'), the resource would have been allowed if it was from either 'self' OR 'https:'.
There might be more uses, but the two I've seen are for 'upgrade-insecure-requests' and testing out a new policy.
upgrade-insecure-requests doesn't report when it upgrades a resource, so the spec (https://w3c.github.io/webappsec-upgrade-insecure-requests/#reporting-upgrades) recommends setting multiple policies: one to upgrade and one to report.
Content-Security-Policy-Report-Only
You have a policy already applied in enforce mode, and you want to test a new policy in report-only mode to see how it works.
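To make the two rules above concrete (a comma-separated or repeated header yields separate policies that are all enforced, and a report-only policy sits alongside an enforced one without blocking), here is a small evaluator. It is an added example, not code from this article or from the csper-demos repository. It splits a list of response headers into individual policies, handling both repeated header lines and comma-separated values, then checks one resource URL against every policy: a denying enforced policy blocks the load, a denying report-only policy only records a violation. It supports just the subset of CSP the article uses (default-src with 'self', scheme sources such as https:, and host sources); the page origin, URLs and helper names are constructed for the example.

```python
"""Toy evaluator for multiple Content-Security-Policy headers (added example).

Covers only default-src with 'self', 'none', '*', scheme sources (https:) and
host sources, plus the two header names the article discusses. Real browsers
implement many more directives and matching rules.
"""
from urllib.parse import urlparse

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_policy(serialized):
    """Parse "default-src a b; script-src c" into {'default-src': ['a', 'b'], ...}.

    A directive repeated inside one policy keeps its first occurrence, which
    is how browsers treat duplicates within a single serialized policy.
    """
    directives = {}
    for token in serialized.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        directives.setdefault(name, values)
    return directives


def split_policies(headers):
    """Turn (name, value) response headers into (disposition, policy) pairs.

    Both ways of delivering multiple policies end up as separate entries:
    several header lines, and comma-separated values inside one line.
    """
    policies = []
    for name, value in headers:
        name = name.lower()
        if name == ENFORCE:
            disposition = "enforce"
        elif name == REPORT_ONLY:
            disposition = "report"
        else:
            continue  # not a CSP header
        for serialized in value.split(","):
            serialized = serialized.strip()
            if serialized:
                policies.append((disposition, parse_policy(serialized)))
    return policies


def source_matches(expr, url, page_origin):
    """Does one source expression allow url? Simplified matching only."""
    u, p = urlparse(url), urlparse(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr.endswith(":"):  # scheme source, e.g. https:
        return u.scheme == expr[:-1]
    # host source with optional scheme, exact host match
    scheme, _, host = expr.rpartition("://")
    return u.netloc == host and (scheme == "" or u.scheme == scheme)


def policy_allows(policy, url, page_origin):
    """Within one policy, sources are OR-ed: any matching source allows."""
    return any(source_matches(s, url, page_origin)
               for s in policy.get("default-src", []))


def check_resource(headers, url, page_origin):
    """Evaluate url against every delivered policy.

    Returns (blocked, violations). Across policies the result is AND-ed:
    blocked is True if any *enforced* policy denies the url. violations lists
    the disposition of every denying policy, so report-only denials surface
    without blocking anything.
    """
    violations = [disp for disp, policy in split_policies(headers)
                  if not policy_allows(policy, url, page_origin)]
    return "enforce" in violations, violations


if __name__ == "__main__":
    # Constructed sample: the page is served from https://example.com
    page = "https://example.com"
    two_policies = [("Content-Security-Policy",
                     "default-src 'self', default-src https:")]
    merged = [("Content-Security-Policy", "default-src 'self' https:")]
    cdn = "https://cdn.example.net/lib.js"
    print("two policies, CDN script :", check_resource(two_policies, cdn, page))
    print("merged policy, CDN script:", check_resource(merged, cdn, page))
    with_report_only = merged + [("Content-Security-Policy-Report-Only",
                                  "default-src 'self'")]
    print("enforce + report-only     :", check_resource(with_report_only, cdn, page))
```

Running the script shows the CDN script blocked under the two comma-separated policies (it is over https: but not from 'self'), allowed under the merged policy, and allowed but reported when a stricter report-only policy is added beside the enforced one.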
I set up a couple of demos that can be found at https://github.com/csper-io/csper-demos to check out a couple of questions I had.
Some facts (tested with Chrome):
All very sensible.
If you have any questions or comments, please reach out! I'd love to chat stuart@csper.io.