- From: Ángel <angel@16bits.net>
- Date: Sun, 29 Dec 2019 01:24:04 +0100
- To: public-webappsec@w3.org
On 2019-12-16 at 13:58 +0000, Craig Francis wrote:
> nosniff might not be set, or the content-type might be wrong (the API
> might respond with "text/html")... personally I just like having all
> the restrictions in place, just in case.
>
> All of my web pages return a custom CSP header for each page (only
> allowing what that page needs), but I'm experimenting with the
> equivalent of the Apache `Header setifempty` rule to set a default CSP
> of "default-src 'none'; etc" for any response that hasn't specified
> its own.
>
> Unfortunately `setifempty` doesn't work with fcgi, so I'm currently
> using the following on my development server:
>
> Header set "Content-Security-Policy" "default-src 'none';
> base-uri 'none'; form-action 'none'; frame-ancestors 'none';
> block-all-mixed-content" "expr=-z
> %{resp:Content-Security-Policy}"
>
> Assuming it goes well, it will be used on the Live servers in the new
> year.
>
> Craig

I have seen weird errors when setting such a 'none' CSP, such as images
(even just the favicon) or PDFs failing to load when accessed directly in
the browser. So expect to see CSP failures that you didn't foresee.

Cheers
Received on Sunday, 29 December 2019 00:24:12 UTC
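The following is an added example, not code from either message in the thread. It does at the application layer what the quoted Apache `Header set ... expr=-z %{resp:Content-Security-Policy}` rule does at the web-server layer: attach the `default-src 'none'; ...` policy only to responses that did not set their own Content-Security-Policy, which is useful where the Apache directive cannot be used (the FastCGI case Craig mentions). It also illustrates one way to avoid the failure mode Ángel reports, where images or PDFs opened directly in the browser fail to render under a `'none'` default: responses whose Content-Type is an image or a PDF are left without the fallback policy. That exemption is a design choice of this example, not something the thread prescribes, and the WSGI application, routes, and header values below are constructed for illustration.

```python
"""Default-CSP middleware for a WSGI application (added example).

Attaches a fallback Content-Security-Policy only to responses that did not
set one, mirroring the quoted Apache rule. Image and PDF responses are
exempted so that opening them directly in the browser is not blocked by a
'none' policy; this exemption is the example's own design choice.
"""

# The fallback policy quoted in the thread.
DEFAULT_CSP = (
    "default-src 'none'; base-uri 'none'; form-action 'none'; "
    "frame-ancestors 'none'; block-all-mixed-content"
)

# Media types the browser renders in a synthesized top-level document when
# navigated to directly; a 'none' default policy can block that rendering.
EXEMPT_TYPE_PREFIXES = ("image/", "application/pdf")


def _find_header(headers, name):
    """Return the first value of header `name` (case-insensitive) or None."""
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value
    return None


def _media_type(headers):
    """Return the bare media type from Content-Type, e.g. 'image/png', or ''."""
    ctype = _find_header(headers, "Content-Type") or ""
    return ctype.split(";", 1)[0].strip().lower()


def default_csp_middleware(app, policy=DEFAULT_CSP, exempt_prefixes=EXEMPT_TYPE_PREFIXES):
    """Wrap a WSGI app so every non-exempt response carries a CSP."""

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = list(headers)  # never mutate the application's own list
            if _find_header(headers, "Content-Security-Policy") is None:
                if not _media_type(headers).startswith(exempt_prefixes):
                    headers.append(("Content-Security-Policy", policy))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapped


# --- constructed sample application (not a real site) ----------------------

def sample_app(environ, start_response):
    """Four routes: one sets its own CSP, one forgets, two serve non-HTML."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        headers = [("Content-Type", "text/html; charset=utf-8"),
                   ("Content-Security-Policy", "default-src 'self'")]
        body = b"<p>home</p>"
    elif path == "/about":
        headers = [("Content-Type", "text/html; charset=utf-8")]  # CSP forgotten
        body = b"<p>about</p>"
    elif path == "/favicon.ico":
        headers = [("Content-Type", "image/x-icon")]
        body = b"\x00\x00\x01\x00"  # placeholder bytes, not a real icon
    elif path == "/report.pdf":
        headers = [("Content-Type", "application/pdf")]
        body = b"%PDF-1.4 placeholder"
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", headers)
    return [body]


secured_app = default_csp_middleware(sample_app)


def run_request(app, path):
    """Drive a WSGI app offline; return (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for route in ("/", "/about", "/favicon.ico", "/report.pdf", "/missing"):
        status, headers, _ = run_request(secured_app, route)
        print(f"{route:14} {status:14} CSP={headers.get('Content-Security-Policy')!r}")
```

The type-based exemption leans on the Content-Type being correct, which is exactly the condition Craig says cannot be assumed for an API response; a wrong or missing Content-Type falls through to the restrictive default, so the safe direction of the failure is preserved. Whether to exempt anything at all is the trade-off the thread leaves open: the exemption avoids the directly-opened-image and PDF breakage, at the cost of those responses carrying no policy.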