Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Defining a dynamic Content Security Policy in a Single Page Application

I want to define a content security policy that allows loading images from any origin by default but restricts this to allow only a specific set of origins in some sections of the website.

In a traditional website that makes a new HTTP request for every navigation, this could be easily done by sending a different Content-Security-Policy HTTP header for the pages that require the stricter policy. But in a single page application, this is of course not possible because navigating to a more restrictive section of the app does not cause a new HTTP request (also I would like to define policies on more dynamic conditions than a URL navigation).

I know that—besides in an HTTP header—CSP policies can also be defined in a meta tag and when multiple CSP policies are defined a request must pass all of them to be permitted. So my first approach to solving the problem was setting a default CSP in a Content-Security-Policy header for the entire page and then dynamically set more restrictive policies by adding a <meta http-equiv="Content-Security-Policy" content="…"> tag to the document's head when required.

And this works just fine for dynamically adding more restrictive policies. The big problem is that removing that meta tag or modifying it does not remove or modify the associated content security policy (tested in Chrome in Firefox). This behavior is defined in the W3C Content Security Policy spec:

Note: Modifications to the content attribute of a meta element after the element has been parsed will be ignored.

So is there any way to dynamically add (and more importantly also remove) a content security policy that does not rely on a HTTP navigation? I would like to avoid setting a restrictive image policy by default and then excepting individual images through hashes or nonces as this would be quite elaborate to implement.

like image 825
Mathis Avatar asked Apr 12 '21 03:04

Mathis


People also ask

How is a CSP policy defined?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

Where do you place Content-Security-Policy?

Here's a recommended header to start with: Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; Your CSP should appear along with your other headers when viewing your page in the browser's developer tools.

How do I add Content-Security-Policy header in HTML?

To add this custom meta tag, you can go to www.yourStore.com/Admin/Setting/GeneralCommon and find Custom <head> tag and add this as shown in the image below. Content Security Policy protects against Cross Site Scripting (XSS) and other forms of attacks such as ClickJacking.


1 Answers

In SPA you can each time to create a new fullscreen iframe and fill it by script. <iframe>, as nested browsing context, can have own CSP meta tag regardless of the parent page.
The parent page will contains only script to manage iframe's content, may be it's possible to use Worker() for this purpose.

like image 135
granty Avatar answered Nov 15 '22 09:11

granty