I defined content security policies for one of the applications, which uses JavaScript files from https://www.youtube.com/iframe_api, as follows:
<meta http-equiv="Content-Security-Policy"
content="script-src 'self' https://www.youtube.com;
child-src https://www.youtube.com;">
Now, in Chrome dev tools, I get the error below:
Refused to load the script 'https://s.ytimg.com/yts/jsbin/www-widgetapi-vflaaT2_k/www-widgetapi.js' because it violates the following Content Security Policy directive: "script-src 'self' https://www.youtube.com".
Should I add https://s.ytimg.com
to the content security policy settings?
If yes, does it constitute a security risk as one cannot guarantee whether it may change over time?
How can I effectively define content security policies for YouTube?
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Why use the Content Security Policy? The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who finds an XSS bug will no longer be able to force the browser to execute malicious scripts on the page.
Yes, that's exactly what you need to do. Ytimg is YouTube's CDN for static files.
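To make the effect of that change concrete, here is an added example (not part of the original question or answer): a small CSP source-expression matcher in JavaScript that checks offline which of the YouTube embed's loads a policy admits. It follows the CSP3 fallback chain, so `frame-src` defers to `child-src` and then `default-src`, which is why the `child-src` directive in the question governs the player iframe. The page origin `https://example.com` and the `/embed/VIDEO_ID` path are assumptions; the two policies are the one from the question and the one with `https://s.ytimg.com` added. Nonces, hashes and `'strict-dynamic'` are not modelled.

```javascript
// Added example (not from the original question or answer): a small CSP
// source-expression matcher, used to check offline which script and frame
// URLs the questioner's policy admits before and after adding s.ytimg.com.
// Simplifications: nonces, hashes and 'strict-dynamic' are not modelled,
// and scheme/port handling follows CSP3 only for the common http(s) cases.

// CSP3 fallback chain: a directive that is absent defers to these, in order.
const FALLBACK = {
  'script-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
};

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(policyText) {
  const policy = {};
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression admit the URL? pageOrigin is the origin of
// the document carrying the policy (needed for 'self' and scheme defaults).
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  const urlScheme = url.protocol.replace(/:$/, '');
  const pageScheme = new URL(pageOrigin).protocol.replace(/:$/, '');
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === new URL(pageOrigin).origin;
  if (src.startsWith("'")) return false;      // 'unsafe-inline', nonces, hashes: not host sources
  if (src === '*') return !['data', 'blob', 'filesystem'].includes(urlScheme);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return urlScheme === src.slice(0, -1); // scheme-source
  // host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example.com"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\*|\d+))?(\/\S*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wanted = scheme || pageScheme;       // no scheme given: inherit the page's scheme
  if (urlScheme !== wanted && !(wanted === 'http' && urlScheme === 'https')) return false;
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!url.hostname.endsWith(host.slice(1))) return false; }
  else if (url.hostname !== host) return false;
  if (port === undefined) { if (url.port !== '') return false; } // default port only
  else if (port !== '*') {
    const effective = url.port || (urlScheme === 'https' ? '443' : '80');
    if (effective !== port) return false;
  }
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

// Sources governing a directive, following the fallback chain; null means the
// policy does not restrict that directive at all.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  for (const fb of FALLBACK[directive] || []) if (policy[fb]) return policy[fb];
  return null;
}

function isAllowed(policyText, directive, urlText, pageOrigin) {
  const sources = effectiveSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  const url = new URL(urlText);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed inputs: the page origin is assumed, and /embed/VIDEO_ID is a
// placeholder path; the two policies are the question's and the answer's fix.
const PAGE_ORIGIN = 'https://example.com';
const ORIGINAL_POLICY =
  "script-src 'self' https://www.youtube.com; child-src https://www.youtube.com;";
const FIXED_POLICY =
  "script-src 'self' https://www.youtube.com https://s.ytimg.com; child-src https://www.youtube.com;";
const WIDGET_JS = 'https://s.ytimg.com/yts/jsbin/www-widgetapi-vflaaT2_k/www-widgetapi.js';

// Evaluate the loads the YouTube embed actually performs, plus a look-alike
// host that must stay blocked (host matching is exact, not substring).
function checkPolicy(policyText) {
  return {
    iframeApi: isAllowed(policyText, 'script-src', 'https://www.youtube.com/iframe_api', PAGE_ORIGIN),
    widgetJs: isAllowed(policyText, 'script-src', WIDGET_JS, PAGE_ORIGIN),
    playerFrame: isAllowed(policyText, 'frame-src', 'https://www.youtube.com/embed/VIDEO_ID', PAGE_ORIGIN),
    lookAlike: isAllowed(policyText, 'script-src', 'https://s.ytimg.com.attacker.example/x.js', PAGE_ORIGIN),
  };
}

console.log('original:', checkPolicy(ORIGINAL_POLICY));
console.log('fixed:   ', checkPolicy(FIXED_POLICY));
```

On the questioner's concern that the CDN host may change: a host-source only admits exactly the host listed (the look-alike check above shows that), so a move to another ytimg.com hostname would be blocked again. Two practical answers, both my suggestions rather than anything from the answer: add a `report-uri` or `report-to` directive so the browser tells you about new violations instead of you discovering them in the console, and, if you are willing to trust the whole static-asset domain, list `https://*.ytimg.com` instead of the single host (the matcher above handles that wildcard form). Whichever you pick, re-check the actual loads in dev tools after YouTube changes its player, since the policy can only be as accurate as the list of hosts you observed.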