Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?

I'm currently adding the Content Security Policy (CSP) header to our application. I'm wondering to which files the header must be attached. After some research, I did not find a clear answer to it.

Twitter, e.g., only added it to the actual HTML document. Facebook, however, added it to almost every resource as well as the HTML document (HTML, JS, CSS, etc.).

So, is it necessary to add the Content Security Policy header to each served resource file or only to the HTML document? How does it work with Ajax (JSON content) requests? How does it work with SPAs (only the index.html file or all resources)? I don't want to slow down the page by adding long CSP headers to each file if it is not necessary from a security point of view.

EDIT:

To clarify: Do browsers treat images or other non-document resources differently when they come with a CSP header attached?

ssc-hrep3 Avatar asked Jan 15 '19 17:01



1 Answer

The correct answer to my question was given as an answer to another, similar question. It refers to the CSP specification, which clearly states that the policy only affects resources which create a new "execution context". This means it is not necessary to add the CSP to REST API responses which are not meant to be opened by a browser. Please refer to the correct answer or directly to the W3C specification, which also includes a table of how different resources are handled (e.g. scripts, images, etc.).

ssc-hrep3 Avatar answered Sep 29 '22 04:09

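The rule the answer arrives at, attach CSP where a new execution context is created and skip it elsewhere, can be turned into a small response filter. The following is an added example written for this page, not code from the asker or from the linked answer or specification. It assumes a Node.js-style handler where response headers are a plain object, and the policy string `CSP_POLICY` is a constructed placeholder rather than any real site's policy. It goes slightly beyond the question by also covering worker scripts, since a worker's global is an execution context governed by the CSP delivered with the worker script's response; a caller flags those with the hypothetical `isWorkerScript` option because the header alone does not reveal whether a JavaScript response will be run as a worker.

```javascript
// Added example: attach a CSP header only to responses that create an
// execution context (HTML documents, and worker scripts when flagged).
// CSP_POLICY is a constructed placeholder, not a real policy.
const CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

// Media types that produce a Document when navigated to or framed, i.e.
// contexts in which the browser actually enforces the policy.
const DOCUMENT_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Media types a worker script may be served with.
const SCRIPT_TYPES = new Set(['text/javascript', 'application/javascript']);

// Case-insensitive header lookup: Node lowercases header names, but hand-built
// objects may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// "text/html; charset=utf-8" -> "text/html"
function parseMediaType(contentType) {
  if (!contentType) return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a CSP header has any effect on this response. Images, CSS,
// JSON API bodies and ordinary page scripts do not create their own execution
// context; the policy that governs them is the embedding document's.
function needsCsp(headers, opts = {}) {
  const type = parseMediaType(getHeader(headers, 'content-type'));
  if (DOCUMENT_TYPES.has(type)) return true;
  if (opts.isWorkerScript && SCRIPT_TYPES.has(type)) return true;
  return false;
}

// Return a copy of the headers with CSP added only where it matters.
function applyCsp(headers, opts = {}) {
  const out = { ...headers };
  if (needsCsp(headers, opts)) {
    out['content-security-policy'] = CSP_POLICY;
  }
  return out;
}

// Constructed sample responses, mirroring the resource kinds in the question.
const SAMPLE_RESPONSES = {
  indexHtml: { 'Content-Type': 'text/html; charset=utf-8' },
  apiJson: { 'content-type': 'application/json' },
  logoPng: { 'content-type': 'image/png' },
  appJs: { 'content-type': 'application/javascript' },
  stylesCss: { 'content-type': 'text/css' },
};

// Map each sample to whether it ended up carrying a CSP header.
function describeSamples() {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = 'content-security-policy' in applyCsp(headers);
  }
  // The same JS file, explicitly marked as a worker entry point.
  result.workerJs = 'content-security-policy' in
    applyCsp(SAMPLE_RESPONSES.appJs, { isWorkerScript: true });
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(describeSamples());
}
```

Only `indexHtml` (and the JS response when flagged as a worker script) comes back with the header; the JSON, image, CSS and plain page-script responses are left untouched, which is the saving the asker was after without dropping the policy anywhere it is enforced.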