Menu
There are few URLs like http://aa.bb.dd.com http://aa.bb1.dd.com
I added the CSP whitelist url with the pattern like the below,
http://*.bb*.*.com
But I am getting an error
The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://*.bb*.*.com'. It will be ignored
How to add the pattern so that bb* (aa.bb1.dd.com, aa.bb2.dd.com etc..,) to be allowed?
870
To add this custom meta tag, you can go to www.yourStore.com/Admin/Setting/GeneralCommon and find Custom <head> tag and add this as shown in the image below. Content Security Policy protects against Cross Site Scripting (XSS) and other forms of attacks such as ClickJacking.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
You can’t.
The spec lists hosts as the following:
; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
scheme-part = scheme
; scheme is defined in section 3.1 of RFC 3986.
host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char = ALPHA / DIGIT / "-"
port-part = ":" ( 1*DIGIT / "*" )
path-part = path-abempty
; path-abempty is defined in section 3.3 of RFC 3986.
That is the host can be either a *, or begin with *. They cannot have a * in the middle or end of it.
So you could have *.dd.com (but not *.*.dd.com).
To be honest using wildcards as you want would open security issues and defeat the point of using CSP as I could load resources from any domain just by using a subdomain with bb in it (e.g. http://www.bb.baddomain.com).
153
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
