How to relax Content Security Policy with meta tag

I'm trying to override the Content Security Policy using a specific meta tag for some pages.

I've been trying for a couple of hours, but I've not succeeded yet.

Is there a way to override CSP from the page itself (using JavaScript or meta tags) without having to modify the server configuration?

Thank you.

guidev asked Dec 07 '15 10:12




2 Answers

No.

For security reasons the meta tag can only make the policy more strict, not relax the policy defined in the headers.

If the meta tag could relax the policy, CSP would have no teeth. Any malicious party could just add a meta tag to disable the policy and avoid all of the restrictions that should be in place.

anthonyryan1 answered Oct 16 '22 17:10


You can tighten CSP, but not loosen it. You might reconfigure your site to tighten/loosen CSP within the code that generates the page. For example, in PHP you can create a header, but later overwrite the header -- so long as you do so before anything is actually output to the browser.

This is what I do on a site I manage -- every page has a default CSP header that is fairly strict, but on a particular page I might loosen it up to allow something specific to that one page. But you have to do that in generating the page itself; you can't with Meta tags or JavaScript after the initial CSP header is sent.

Stephen R answered Oct 16 '22 17:10
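The pattern Stephen R describes, written out in PHP as an added example (this is not code from either answer or from the site he manages): a strict site-wide header is sent first, then replaced for one page before any body output, and a meta tag inside the page can only add restrictions on top of whatever header was sent. The page names, the maps host and the `page` query parameter are assumed for illustration.

```php
<?php
declare(strict_types=1);

// Site-wide default: strict. Sent for every page unless a page replaces it.
const DEFAULT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Per-page relaxations (assumed page name and host). List only what that page needs.
const PAGE_CSP = [
    'map' => "default-src 'self'; script-src 'self' https://maps.example.com; "
           . "img-src 'self' data:; object-src 'none'; base-uri 'self'",
];

/**
 * Send the CSP for the requested page and return the policy string.
 * header() with $replace = true overwrites the Content-Security-Policy header
 * set earlier, so the later call wins, but only while no body bytes have gone out.
 */
function sendCsp(string $page): string
{
    if (headers_sent($file, $line)) {
        // Output already started (e.g. a stray newline before "<?php"): the header
        // can no longer be changed, so fail loudly instead of silently shipping none.
        throw new RuntimeException("Cannot set CSP: output already started at $file:$line");
    }
    // Default for every page...
    header('Content-Security-Policy: ' . DEFAULT_CSP, true);
    // ...then overwritten for pages that need something looser.
    $policy = PAGE_CSP[$page] ?? DEFAULT_CSP;
    header('Content-Security-Policy: ' . $policy, true);
    return $policy;
}

$page   = (string) ($_GET['page'] ?? 'home'); // assumed routing parameter
$policy = sendCsp($page);
?>
<!DOCTYPE html>
<html>
<head>
<!-- This meta policy is enforced IN ADDITION to the header: a resource must pass
     both, so it can only tighten (here: forms may post only to this origin). -->
<meta http-equiv="Content-Security-Policy" content="form-action 'self'">
<title>CSP demo</title>
</head>
<body>
<p>Header policy sent for "<?= htmlspecialchars($page) ?>": <?= htmlspecialchars($policy) ?></p>
</body>
</html>
```

Note that a meta tag cannot carry `frame-ancestors`, `report-uri` or `sandbox`; those directives work only in the header.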