The best answers to the question “How does Content Security Policy (CSP) work?” in the category Dev.
I’m getting a bunch of errors in the developer console:
Refused to evaluate a string
Refused to execute inline script because it violates the following Content Security Policy directive
Refused to load the script
Refused to load the stylesheet
What’s this all about? How does Content Security Policy (CSP) work? How do I use the
Content-Security-Policy HTTP header?
Specifically, how to…
- …allow multiple sources?
- …use different directives?
- …use multiple directives?
- …handle ports?
- …handle different protocols?
- …use inline styles, scripts, and tags
- What exactly does
Apache 2 mod_headers
You could also enable Apache 2 mod_headers. On Fedora it’s already enabled by default. If you use Ubuntu/Debian, enable it like this:
# First enable headers module for Apache 2, # and then restart the Apache2 service a2enmod headers apache2 -k graceful
On Ubuntu/Debian you can configure headers in the file
# # Setting this header will prevent MSIE from interpreting files as something # else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled. # #Header set X-Content-Type-Options: "nosniff" # # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. # Requires mod_headers to be enabled. # Header always set X-Frame-Options: "sameorigin" Header always set X-Content-Type-Options nosniff Header always set X-XSS-Protection "1; mode=block" Header always set X-Permitted-Cross-Domain-Policies "master-only" Header always set Cache-Control "no-cache, no-store, must-revalidate" Header always set Pragma "no-cache" Header always set Expires "-1" Header always set Content-Security-Policy: "default-src 'none';" Header always set Content-Security-Policy: "script-src 'self' www.google-analytics.com adserver.example.com www.example.com;" Header always set Content-Security-Policy: "style-src 'self' www.example.com;"
Note: This is the bottom part of the file. Only the last three entries are CSP settings.
The first parameter is the directive, the second is the sources to be white-listed. I’ve added Google analytics and an adserver, which you might have. Furthermore, I found that if you have aliases, e.g, www.example.com and example.com configured in Apache 2 you should add them to the white-list as well.
While you’re at it you could take a look at the other header settings and install mod_security
Content-Security-Policy meta-tag allows you to reduce the risk of XSS attacks by allowing you to define where resources can be loaded from, preventing browsers from loading data from any other locations. This makes it harder for an attacker to inject malicious code into your site.
I banged my head against a brick wall trying to figure out why I was getting CSP errors one after another, and there didn’t seem to be any concise, clear instructions on just how does it work. So here’s my attempt at explaining some points of CSP briefly, mostly concentrating on the things I found hard to solve.
For brevity I won’t write the full tag in each sample. Instead I’ll only show the
content property, so a sample that says
content="default-src 'self'" means this:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
1. How can I allow multiple sources?
You can simply list your sources after a directive as a space-separated list:
content="default-src 'self' https://example.com/js/"
Note that there are no quotes around parameters other than the special ones, like
'self'. Also, there’s no colon (
:) after the directive. Just the directive, then a space-separated list of parameters.
Everything below the specified parameters is implicitly allowed. That means that in the example above these would be valid sources:
These, however, would not be valid:
http://example.com/js/file.js ^^^^ wrong protocol https://example.com/file.js ^^ above the specified path
2. How can I use different directives? What do they each do?
The most common directives are:
style-srcdefines valid sources for css files
img-srcdefines valid sources for images
connect-srcdefines valid targets for to XMLHttpRequest (AJAX), WebSockets or EventSource. If a connection attempt is made to a host that’s not allowed here, the browser will emulate a
There are others, but these are the ones you’re most likely to need.
3. How can I use multiple directives?
You define all your directives inside one meta-tag by terminating them with a semicolon (
content="default-src 'self' https://example.com/js/; style-src 'self'"
4. How can I handle ports?
Everything but the default ports needs to be allowed explicitly by adding the port number or an asterisk after the allowed domain:
content="default-src 'self' https://ajax.googleapis.com http://example.com:123/free/stuff/"
The above would result in:
https://ajax.googleapis.com:123 ^^^^ Not ok, wrong port https://ajax.googleapis.com - OK http://example.com/free/stuff/file.js ^^ Not ok, only the port 123 is allowed http://example.com:123/free/stuff/file.js - OK
As I mentioned, you can also use an asterisk to explicitly allow all ports:
5. How can I handle different protocols?
By default, only standard protocols are allowed. For example to allow WebSockets
ws:// you will have to allow it explicitly:
content="default-src 'self'; connect-src ws:; style-src 'self'" ^^^ web Sockets are now allowed on all domains and ports.
6. How can I allow the file protocol
If you’ll try to define it as such it won’t work. Instead, you’ll allow it with the
7. How can I use inline scripts and style definitions?
Unless explicitly allowed, you can’t use inline style definitions, code inside
<script> tags or in tag properties like
onclick. You allow them like so:
content="script-src 'unsafe-inline'; style-src 'unsafe-inline'"
You’ll also have to explicitly allow inline, base64 encoded images:
8. How can I allow
I’m sure many people would say that you don’t, since ‘eval is evil’ and the most likely cause for the impending end of the world. Those people would be wrong. Sure, you can definitely punch major holes into your site’s security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like so:
9. What exactly does
You might take
'self' to mean localhost, local filesystem, or anything on the same host. It doesn’t mean any of those. It means sources that have the same scheme (protocol), same host, and same port as the file the content policy is defined in. Serving your site over HTTP? No https for you then, unless you define it explicitly.
'self' in most examples as it usually makes sense to include it, but it’s by no means mandatory. Leave it out if you don’t need it.
But hang on a minute! Can’t I just use
content="default-src *" and be done with it?
No. In addition to the obvious security vulnerabilities, this also won’t work as you’d expect. Even though some docs claim it allows anything, that’s not true. It doesn’t allow inlining or evals, so to really, really make your site extra vulnerable, you would use this:
content="default-src * 'unsafe-inline' 'unsafe-eval'"
… but I trust you won’t.