In Content Security Policy is there a way to match self + any port?

In development I have a livereload server that runs on the standard port 35729, however this isn't loaded because my policy has script-src 'self'. Is there a way to allow 'self' on all ports?

'localhost:*' also isn't a great solution because on occasions I test the site on our local network, so it could be an IP address rather than 'localhost'.

Of course I can just remove this header from development if I need to but I am trying to keep it as close to live as possible.

joshhunt asked Sep 01 '16 03:09



2 Answers

No. 'self' always restricts you to the site you're in - use it if you're serving your scripts from the same application that your page is in. It's not really intended to allow resources from other processes on the same server.

You can make your sources a config or installation setting. Add localhost:* in your development config and change it to the specific resourceserver:35729 in your LAN testing environment.

Keith answered Oct 10 '22 17:10


Just to clarify - you can use wildcards for the port, but you have to specify the domain. You cannot use 'self':*.

Example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' localhost:* example.com:*" />

Mozilla docs:

The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src#Sources

Jesper Hermansen answered Oct 10 '22 19:10
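The point both answers make, that 'self' is exactly one origin (scheme, host and port) and that a port wildcard only works on an explicitly named host, as an added example that is not part of the original question or answers. It is a simplified JavaScript matcher for CSP source expressions, plus a per-environment directive builder in the spirit of Keith's config suggestion. The function names (sourceMatches, allowedBy, buildScriptSrc, buildCspHeader), the config table and the 192.168.1.20 address are constructed for this example; it handles only 'self' and host-source expressions and ignores the CSP3 http: to https: upgrade rule.

```javascript
// Added example, not code from the original question or answers.
// Simplified matcher for CSP 'self' and host-source expressions, plus a
// per-environment script-src builder. Assumes Node.js with the global URL class.

// Default port for a scheme, used when a URL or expression omits the port.
function defaultPort(protocol) {
  if (protocol === 'https:' || protocol === 'wss:') return '443';
  if (protocol === 'http:' || protocol === 'ws:') return '80';
  return '';
}

// Effective port of a URL: the explicit port, or the scheme default.
function portOf(u) {
  return u.port || defaultPort(u.protocol);
}

// Does one source expression allow `target`, for a page served from `page`?
function sourceMatches(expr, page, target) {
  if (expr === "'self'") {
    // 'self' is the page's own origin: same scheme, same host AND same port.
    return target.protocol === page.protocol &&
           target.hostname === page.hostname &&
           portOf(target) === portOf(page);
  }
  // Other quoted keywords ('none', 'unsafe-inline', ...) and the invalid
  // form 'self':* never match a URL here.
  if (expr.startsWith("'")) return false;

  // host-source: [scheme://][*.]host[:port | :*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcardHost, host, port] = m;

  // Scheme: explicit in the expression, otherwise inherited from the page.
  if (scheme) {
    if (target.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (target.protocol !== page.protocol) {
    return false;
  }

  // Host: exact match, or any subdomain when the expression starts with "*."
  const h = host.toLowerCase();
  if (wildcardHost) {
    if (!target.hostname.endsWith('.' + h)) return false;
  } else if (target.hostname !== h) {
    return false;
  }

  // Port: '*' allows any port, a number must match exactly, and no port
  // means the target must use the scheme's default port.
  if (port === '*') return true;
  if (port !== undefined) return portOf(target) === port;
  return portOf(target) === defaultPort(target.protocol);
}

// Split a directive value into expressions; allowed if any expression matches.
function allowedBy(directiveValue, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return directiveValue.trim().split(/\s+/).some((e) => sourceMatches(e, page, target));
}

// Keith's suggestion as code: 'self' stays constant, extra sources come from a
// per-environment table. The table values are constructed for this example.
const SCRIPT_SRC_EXTRA = {
  production: [],
  development: ['localhost:*'],
  lan_testing: ['192.168.1.20:35729'], // constructed LAN address of the livereload host
};

function buildScriptSrc(env) {
  return ["'self'", ...(SCRIPT_SRC_EXTRA[env] || [])].join(' ');
}

function buildCspHeader(env) {
  return `script-src ${buildScriptSrc(env)}`;
}

// Demonstration: the livereload script on port 35729 is blocked by 'self' alone.
console.log(buildCspHeader('development'));
console.log(allowedBy("'self'", 'http://localhost:8080/', 'http://localhost:35729/livereload.js'));
console.log(allowedBy(buildScriptSrc('development'), 'http://localhost:8080/', 'http://localhost:35729/livereload.js'));
```

Running it under Node prints the development header, then false (the 'self'-only policy rejects port 35729) and true (with localhost:* added). The LAN case from the question shows why a hostname wildcard does not help: localhost:* never matches a page served from an IP address, so the lan_testing entry names that host explicitly.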