Is it possible to set Content-Security-Policy headers in Amazon S3?

Question

I'm trying to set a Content-Security-Policy header for an html file I'm serving via s3/cloudfront. I'm using the web-based AWS console. Whenever I try to add the header:

it doesn't seem to respect it. What can I do to make sure this header is served?

Answer 1

I'm having the same problem (using S3/CloudFront) and it appears there is currently no way to set this up easily.

S3 has a whitelist of the headers permitted, and Content-Security-Policy is not on it. Whilst it is true you can use the prefixed x-amz-meta-Content-Security-Policy, this is unhelpful as there is no browser support for it.

There are two options I can see.

1) you can serve the html content from a webserver on an EC2 instance and set that up as another CloudFront origin. Not really a great solution.

2) include the CSP as a meta tag within your html document:

    <!doctype html>
    <html>
      <head>
        <meta http-equiv="Content-Security-Policy" content="default-src http://*.foobar.com 'self'">
...

This option is not as widely supported by browsers, but it appears to work with both Webkit and Firefox, so the current Chrome, Firefox, Safari (and IOS 7 Safari) seem to support it.

I chose 2 as it was the simpler/cheaper/faster solution and I hope AWS will add the CSP header in the future.