- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sun, 25 Feb 2024 08:25:02 -0800
- To: Ricardo Iramar dos Santos <riramar@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Sunday, 25 February 2024 16:25:34 UTC
The answer from noamr is correct: CSP is a document-oriented policy and is ignored for resources loaded into that document. Separate policy headers can be applied to sub-documents (iframes) and workers (since they are a separate execution context) but that's it.

> A policy defines allowed and restricted behaviors, and may be applied to a
> Document <https://dom.spec.whatwg.org/#document>, WorkerGlobalScope
> <https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope>,
> or WorkletGlobalScope
> <https://html.spec.whatwg.org/multipage/worklets.html#workletglobalscope>.

https://w3c.github.io/webappsec-csp/#framework-policy

-Dan Veditz

On Sat, Feb 24, 2024 at 6:45 AM Ricardo Iramar dos Santos <riramar@gmail.com> wrote:

> Hi All,
>
> I received the following question on the OWASP Security Headers Project,
> but I'm not sure if this works as intended. Do you guys know if the Content
> Security Policy (CSP) should block in this case?
>
> https://github.com/oshp/oshp-tracking/discussions/25
>
> *It seems, unless I missed a subtlety, that a CSP cannot be used to act on
> the capabilities of a loaded JavaScript script when the CSP is applied on
> the script itself, via the HTTP response that sends it.*
>
> Best regards,
> Ricardo Iramar
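The rule Dan states above, written out as a small model (an added example, not code from the thread or from the CSP spec): a policy header travels with the Document or WorkerGlobalScope it was delivered on, a CSP header on a plain sub-resource response such as a script is dropped, and only responses that create a new execution context (iframe documents, workers) get a policy of their own. The destination names, the `'self'` matching by host only, and the sample headers are simplifications constructed for this illustration.

```javascript
// Parse "script-src 'self' cdn.example; img-src *" into a Map of
// directive name -> array of source expressions (first occurrence wins,
// as in the spec's parsing algorithm).
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Destinations whose response becomes its own global scope and therefore
// carries its own policy (constructed list for this model).
const NEW_CONTEXT = new Set(['iframe', 'worker', 'sharedworker', 'serviceworker']);

// Which policy governs a fetched resource once it is loaded?
// `parentPolicy` is the embedding document's Map; `response` is a
// constructed {destination, headers} stand-in for a fetched resource.
function governingPolicy(parentPolicy, response) {
  const own = response.headers['content-security-policy'];
  if (NEW_CONTEXT.has(response.destination) && own) {
    return parseCsp(own);   // new execution context: its own header applies
  }
  return parentPolicy;      // script/img/style/...: the header is ignored
}

// Does `policy` let `directive` load from `host`? Falls back to default-src,
// and to "allow" when neither is present. 'self' is matched on host only.
function allows(policy, directive, host, selfHost) {
  const sources = policy.get(directive) ?? policy.get('default-src') ?? ['*'];
  return sources.some(s => s === '*' || s === host || (s === "'self'" && host === selfHost));
}

// Worked case from the thread: a script response carrying its own CSP.
function scriptHeaderIsIgnored() {
  const doc = parseCsp("default-src 'self'; script-src 'self' cdn.example");
  const script = { destination: 'script',
                   headers: { 'content-security-policy': "connect-src 'none'" } };
  const p = governingPolicy(doc, script);
  // fetch() from that script to app.example is governed by the document's
  // default-src 'self', not by the script's own connect-src 'none'.
  return p === doc && allows(p, 'connect-src', 'app.example', 'app.example');
}
```

Running `scriptHeaderIsIgnored()` returns `true`; swapping the destination to `'iframe'` makes `governingPolicy` hand back the response's own policy instead.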