How to CSP header URLs with specific patterns

There are a few URLs like http://aa.bb.dd.com and http://aa.bb1.dd.com

I added the CSP whitelist URL with a pattern like the one below:

http://*.bb*.*.com

But I am getting an error:

The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://*.bb*.*.com'. It will be ignored

How do I add the pattern so that bb* (aa.bb1.dd.com, aa.bb2.dd.com, etc.) is allowed?

VJohn asked Mar 13 '18 21:03




1 Answer

You can’t.

The spec lists hosts as the following:

; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
scheme-part = scheme
              ; scheme is defined in section 3.1 of RFC 3986.
host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char   = ALPHA / DIGIT / "-"
port-part   = ":" ( 1*DIGIT / "*" )
path-part   = path-abempty
              ; path-abempty is defined in section 3.3 of RFC 3986.

That is, the host can either be a *, or begin with *. It cannot have a * in the middle or at the end.

So you could have *.dd.com (but not *.*.dd.com).

To be honest, using wildcards as you want would open security issues and defeat the point of using CSP, as I could load resources from any domain just by using a subdomain with bb in it (e.g. http://www.bb.baddomain.com).

Barry Pollard answered Oct 07 '22 09:10
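As an added example (not part of the question or of Barry Pollard's answer), here is a small Python checker that encodes the host-source ABNF quoted in the answer and shows why the asker's pattern would be dropped by a browser while *.dd.com is kept. The function names are my own; the RFC 3986 scheme and path-abempty productions are approximated with character classes, and the host-matching rule follows the standard CSP behaviour (a leading "*." matches any subdomain but not the bare domain). It only handles host-sources, not keyword sources such as 'self' or nonces.

```python
"""Check CSP host-source entries against the grammar quoted in the answer.

Added example, not code from the original page. The productions below follow
the ABNF shown there; the RFC 3986 pieces are approximations (assumption).
"""
import re

# host-char = ALPHA / DIGIT / "-"
_HOST_LABEL = r"[A-Za-z0-9-]+"
# host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
_HOST_PART = rf"(?:\*|(?:\*\.)?{_HOST_LABEL}(?:\.{_HOST_LABEL})*)"
# scheme (RFC 3986 3.1): ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
# port-part = ":" ( 1*DIGIT / "*" )
_PORT_PART = r":(?:[0-9]+|\*)"
# path-abempty (RFC 3986 3.3): *( "/" segment ); segment chars approximated
_PATH_PART = r"(?:/[A-Za-z0-9._~%!$&'()*+,;=:@-]*)*"

# host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
HOST_SOURCE_RE = re.compile(
    rf"(?:(?P<scheme>{_SCHEME})://)?"
    rf"(?P<host>{_HOST_PART})"
    rf"(?P<port>{_PORT_PART})?"
    rf"(?P<path>{_PATH_PART})"
)


def parse_host_source(source: str):
    """Return (scheme, host, port, path) for a valid host-source, else None.

    None corresponds to the browser's 'contains an invalid source ... It will
    be ignored' warning from the question.
    """
    m = HOST_SOURCE_RE.fullmatch(source)
    if m is None:
        return None
    port = m.group("port")
    return (m.group("scheme"), m.group("host"),
            port[1:] if port else None, m.group("path"))


def is_valid_host_source(source: str) -> bool:
    return parse_host_source(source) is not None


def check_sources(sources):
    """Split a directive's source list into entries a browser keeps and
    entries it drops as invalid."""
    accepted, ignored = [], []
    for s in sources:
        (accepted if is_valid_host_source(s) else ignored).append(s)
    return accepted, ignored


def host_part_matches(pattern: str, hostname: str) -> bool:
    """Standard CSP host matching (assumption, matches the spec as I know it):
    '*' matches every host; '*.X' matches any host ending in '.X' (not X
    itself); anything else must match exactly, case-insensitively."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])  # keep the leading dot
    return pattern == hostname


if __name__ == "__main__":
    # The asker's pattern next to the closest valid alternative from the answer.
    accepted, ignored = check_sources(["*.dd.com", "http://*.bb*.*.com"])
    print("kept:", accepted, "ignored:", ignored)
    # Hosts from the question plus the "bad domain" from the answer (constructed).
    for host in ("aa.bb1.dd.com", "aa.bb2.dd.com", "www.bb.baddomain.com"):
        print(host, "allowed by *.dd.com:", host_part_matches("*.dd.com", host))
```

Running the script shows the asker's entry in the ignored list and *.dd.com allowing both aa.bb1.dd.com and aa.bb2.dd.com while rejecting www.bb.baddomain.com, which is the trade-off the answer describes: a wildcard on the left-most label only, scoped to a domain you control.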