Does specifying a connect-src directive in your content security policy relax the browser's same-origin policy and allow you to make cross-origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same-origin calls or calls enabled by CORS)?
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP) are HTTP response headers which, when implemented, help to improve the security of a web application. Both security headers allow application owners to whitelist the origin of resources in their web application.
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
The default-src Content Security Policy (CSP) directive allows you to specify the default or fallback resources that can be loaded (or fetched) on the page (such as script-src, style-src, etc.)
The connect-src directive does not relax the same-origin policy; it simply specifies a list of sources to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).
In general, Content Security Policy is an annotation that you as an author can use to limit the capabilities of your pages. It does not grant new privileges, but only removes them.
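The "restrict, never grant" relationship the answer describes can be made concrete with a small model of the browser's decision. The following is an added example, not code from the original question or answer: it implements a subset of CSP source-expression matching ('self', 'none', '*', scheme-only sources, and host sources with optional scheme, *.wildcard and port; path matching is omitted) and combines the connect-src verdict with the same-origin/CORS verdict. The page and API hostnames are constructed for the scenario, and corsAllowsPage stands in for whether the target server's Access-Control-Allow-Origin covers the page's origin.

```javascript
// Added example: a simplified model of how a browser decides whether a page
// may issue a fetch/XHR to a target. CSP connect-src can only veto a request;
// it never overrides the same-origin policy or CORS.

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does a single connect-src source expression match the target origin?
function sourceMatches(expr, page, target) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return sameOrigin(page, target);

  // scheme-source such as "https:"
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return target.scheme === schemeOnly[1].toLowerCase();

  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unsupported or malformed expression: treat as no match
  const [, exprScheme, wildcard, host, port] = m;

  // No scheme given: inherit the page's scheme, allowing an http -> https upgrade.
  const schemeOk = exprScheme
    ? target.scheme === exprScheme.toLowerCase()
    : target.scheme === page.scheme || (page.scheme === 'http' && target.scheme === 'https');

  // "*.example.com" matches subdomains only, not the bare host.
  const hostOk = wildcard
    ? target.host.endsWith('.' + host.toLowerCase())
    : target.host === host.toLowerCase();

  const portOk = port === '*'
    ? true
    : port
      ? target.port === port
      : target.port === defaultPort(target.scheme);

  return schemeOk && hostOk && portOk;
}

// connectSrc: array of source expressions from the connect-src directive.
// corsAllowsPage: whether the target's Access-Control-Allow-Origin covers the
// page's origin (decided by the target server, not by the page's CSP).
function mayConnect(pageUrl, targetUrl, connectSrc, corsAllowsPage) {
  const page = originOf(pageUrl);
  const target = originOf(targetUrl);
  const cspAllows = connectSrc.some((expr) => sourceMatches(expr, page, target));
  const sopAllows = sameOrigin(page, target) || corsAllowsPage;
  // Both gates must open: CSP narrows what the page may request, and
  // SOP/CORS decides whether a cross-origin response is readable.
  return { cspAllows, sopAllows, allowed: cspAllows && sopAllows };
}

// Constructed scenario mirroring the question: the page lists the API in
// connect-src, but the API server sends no CORS header for this origin.
const policy = ["'self'", 'https://api.example.com'];
console.log(mayConnect('https://app.example.com/', 'https://api.example.com/v1/items', policy, false));
// { cspAllows: true, sopAllows: false, allowed: false }
console.log(mayConnect('https://app.example.com/', 'https://api.example.com/v1/items', policy, true));
// { cspAllows: true, sopAllows: true, allowed: true }
```

The first call is the situation the question asks about: connect-src lists the API, yet the request is still blocked because nothing on the CORS side permits it. Removing the API from connect-src blocks the request even when CORS would have allowed it, which is the only direction in which the directive has any effect.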