CSP against the HTTP response serving it

Hi All,

I received the following question on the OWASP Security Headers Project,
but I'm not sure if this works as intended. Do you guys know if the Content
Security Policy (CSP) should block in this case?

https://github.com/oshp/oshp-tracking/discussions/25

*It seems, unless I missed a subtlety, that a CSP cannot be used to act on
the capabilities of a loaded JavaScript script when the CSP is applied on
the script itself, via the HTTP response that sends it.*

Best regards,
Ricardo Iramar

Received on Saturday, 24 February 2024 14:43:33 UTC