- From: Craig Francis <craig.francis@gmail.com>
- Date: Sun, 29 Dec 2019 00:32:23 +0000
- To: Ángel <angel@16bits.net>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CALytEkNr9BJdV=6J5j4maK-JgTesEMfFTZHOrcbc2FbU5FK7tg@mail.gmail.com>
On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:
> I have seen weird errors when setting such none CSP. Such as images (even
> just the favicon) or pdf failing to load when accessed directly in the
> browser.
Yep, but this is for an API, so the browser shouldn't be loading this as a
page... it's just there in case something goes wrong, where an HTML response
(potentially malicious) was provided.
:-)
On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:
> On 2019-12-16 at 13:58 +0000, Craig Francis wrote:
> > nosniff might not be set, or the content-type might be wrong (the API
> > might respond with "text/html")... personally I just like having all
> > the restrictions in place, just in case.
> >
> > All of my web pages return a custom CSP header for each page (only
> > allowing what that page needs), but I'm experimenting with the
> > equivalent of the Apache `Header setifempty` rule to set a default CSP
> > of "default-src 'none'; etc" for any response that hasn't specified
> > its own.
> >
> > Unfortunately `setifempty` doesn't work with fcgi, so I'm currently
> > using the following on my development server:
> >
> > Header set "Content-Security-Policy" "default-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content" "expr=-z %{resp:Content-Security-Policy}"
> >
> > Assuming it goes well, it will be used on the Live servers in the new
> > year.
> >
> > Craig
>
> I have seen weird errors when setting such none CSP. Such as images
> (even just the favicon) or pdf failing to load when accessed directly in
> the browser.
>
> So expect to see CSP failures that you didn't foresee.
>
> Cheers
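Added example (my own, not code from either poster): a small Python model of the "set a default CSP only when the response has none" rule Craig describes, followed by a linter over a few constructed API responses that flags the gaps raised in the thread (missing CSP, missing nosniff, an API answering text/html, and the image/PDF direct-view breakage Ángel reports). The response headers are constructed for illustration; the behaviour of `expr=-z %{resp:...}` is emulated, not executed.

```python
"""Emulate Apache's conditional default CSP and lint constructed responses."""

# The fallback policy quoted in the thread.
DEFAULT_CSP = ("default-src 'none'; base-uri 'none'; form-action 'none'; "
               "frame-ancestors 'none'; block-all-mixed-content")


def apply_default_csp(headers, default=DEFAULT_CSP):
    """Mirror `Header set ... "expr=-z %{resp:Content-Security-Policy}"`:
    add the default only when the header is absent or an empty string.
    Header names are matched case-insensitively, as HTTP requires."""
    out = dict(headers)
    current = next((v for k, v in out.items()
                    if k.lower() == "content-security-policy"), "")
    if not current.strip():
        out["Content-Security-Policy"] = default
    return out


def lint_response(headers):
    """Return the list of findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "")
    findings = []
    if not csp.strip():
        findings.append("no CSP: an injected HTML body could load scripts")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("no nosniff: browser may sniff the body as HTML")
    if ctype == "text/html":
        findings.append("API answered text/html")
    # Ángel's observation: a 'none' default on images/PDF can break direct viewing.
    if "default-src 'none'" in csp and (
            ctype.startswith("image/") or ctype == "application/pdf"):
        findings.append("default-src 'none' on image/pdf: may fail when opened directly")
    return findings


# Constructed sample responses (not captured from any real server).
RESPONSES = {
    "json-ok": {"Content-Type": "application/json",
                "Content-Security-Policy": "default-src 'none'",
                "X-Content-Type-Options": "nosniff"},
    "json-bare": {"Content-Type": "application/json"},
    "html-leak": {"Content-Type": "text/html; charset=utf-8"},
    "png-direct": {"Content-Type": "image/png",
                   "X-Content-Type-Options": "nosniff"},
}


def lint_all(responses):
    """Apply the fallback rule to every response, then lint each one."""
    return {name: lint_response(apply_default_csp(h))
            for name, h in responses.items()}
```

Running `lint_all(RESPONSES)` shows that the fallback removes the "no CSP" finding everywhere but does nothing about a missing nosniff or a wrong content-type, which is why the poster keeps those restrictions in place as well.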
Received on Sunday, 29 December 2019 00:32:36 UTC