Re: [CSP2] Large CSP headers

On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:

> I have seen weird errors when setting such none CSP. Such as images (even
> just the favicon) or pdf failing to load when accessed directly in the
> browser.



Yep, but this is for an API, so the browser shouldn't be loading this as a
page... it's just there in case something goes wrong, where an HTML response
(potentially malicious) was provided.

:-)



On Sun, 29 Dec 2019 at 00:25, Ángel <angel@16bits.net> wrote:

> On 2019-12-16 at 13:58 +0000, Craig Francis wrote:
> > nosniff might not be set, or the content-type might be wrong (the API
> > might respond with "text/html")... personally I just like having all
> > the restrictions in place, just in case.
> >
> > All of my web pages return a custom CSP header for each page (only
> > allowing what that page needs), but I'm experimenting with the
> > equivalent of the Apache `Header setifempty` rule to set a default CSP
> > of "default-src 'none'; etc" for any response that hasn't specified
> > its own.
> >
> > Unfortunately `setifempty` doesn't work with fcgi, so I'm currently
> > using the following on my development server:
> >
> >         Header set "Content-Security-Policy" "default-src 'none';
> >         base-uri 'none'; form-action 'none'; frame-ancestors 'none';
> >         block-all-mixed-content" "expr=-z
> >         %{resp:Content-Security-Policy}"
> >
> > Assuming it goes well, it will be used on the Live servers in the new
> > year.
> >
> > Craig
>
> I have seen weird errors when setting such none CSP. Such as images
> (even just the favicon) or pdf failing to load when accessed directly in
> the browser.
>
> So expect to see CSP failures that you didn't foresee.
>
> Cheers
>

Received on Sunday, 29 December 2019 00:32:36 UTC
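The `setifempty`-style fallback Craig describes, recreated as a WSGI middleware so the restrictive default CSP is applied by the application when Apache's `expr=-z %{resp:Content-Security-Policy}` trick is not available (an added example, not code from the thread; `csp_fallback`, `demo_app`, `run` and `csp_of` are this example's own names):

```python
# Added example (not from the thread): application-level equivalent of
# Apache's `Header setifempty` for CSP, for stacks (e.g. fcgi) where that
# directive is unavailable. Names are this example's own.
DEFAULT_CSP = (  # same locked-down policy as the one quoted in the thread
    "default-src 'none'; base-uri 'none'; form-action 'none'; "
    "frame-ancestors 'none'; block-all-mixed-content"
)

def has_header(headers, name):
    """Case-insensitive lookup: header names are not case-sensitive in HTTP."""
    return any(k.lower() == name.lower() for k, _ in headers)

def csp_fallback(app, default_csp=DEFAULT_CSP):
    """Wrap a WSGI app so every response carries a Content-Security-Policy."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            headers = list(headers)
            # Add the fallback only when the app set nothing, so a page that
            # deliberately chose its own (looser) policy is left untouched.
            if not has_header(headers, "Content-Security-Policy"):
                headers.append(("Content-Security-Policy", default_csp))
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped

def demo_app(environ, start_response):
    """Constructed app: /page sets its own CSP; /api (JSON endpoint) sets none."""
    if environ["PATH_INFO"] == "/page":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("content-security-policy", "default-src 'self'")])
        return [b"<p>hi</p>"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']

def run(app, path):
    """Drive `app` for one GET and return (status, headers, body) for inspection."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body

def csp_of(headers):
    """Return the CSP header value, or None if the response has none."""
    return next((v for k, v in headers if k.lower() == "content-security-policy"), None)
```

Wrapping the app with `csp_fallback` gives the JSON endpoint the `default-src 'none'` policy while `/page` keeps the one it set itself, which is the same "only fill in when empty" behaviour the Apache rule provides.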