I have the following meta tag set in my index.html, which simplifies local development but will also be deployed in the production code:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' localhost:* ws://localhost:*;">

Are there any known ways that adding localhost like this could allow any type of cross-site scripting exploits? According to Google's CSP evaluator it seems okay (well, the localhost portion at least).
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
The primary benefit of CSP is preventing the exploitation of cross-site scripting vulnerabilities. When an application uses a strict policy, an attacker who finds an XSS bug will no longer be able to force the browser to execute malicious scripts on the page.
This isn't optimal, but it will not meaningfully reduce the security of your users.

The reason for this is that the browser and the computer form the trusted computing base for any web page. If you're browsing from an untrusted machine, there are no security rules in the world a web page can implement to guarantee the safety of your data and the privacy of the exchange.
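To make the trade-off concrete, here is an added example (not code from the question or the answer) that parses a CSP string, shows that a localhost entry in default-src also governs script-src through the fallback rule, and derives a production variant with the localhost sources stripped so the shipped meta tag never contains them. All function names are my own, and the sample policy is the one quoted in the question.

```javascript
// Added example: inspect a CSP for localhost sources and derive a
// production policy without them. Not part of the original post.

// Split a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' leaves an empty token
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// A source expression refers to localhost when its host part is exactly
// "localhost", with any scheme and any port ("localhost:*", "ws://localhost:*").
function isLocalhostSource(src) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^:/]+)(?::[^/]+)?/i.exec(src);
  return m !== null && m[1].toLowerCase() === 'localhost';
}

// List every (directive, source) pair that allows localhost.
function findLocalhostSources(policy) {
  const hits = [];
  for (const [name, values] of parseCsp(policy)) {
    for (const v of values) {
      if (isLocalhostSource(v)) hits.push({ directive: name, source: v });
    }
  }
  return hits;
}

// Fetch directives with no explicit entry fall back to default-src, so a
// localhost source in default-src is also what script-src allows.
function effectiveSources(policy, directive) {
  const d = parseCsp(policy);
  return d.get(directive) ?? d.get('default-src') ?? [];
}

function serializeCsp(directives) {
  return Array.from(directives, ([name, values]) => [name, ...values].join(' ')).join('; ');
}

// Production variant: the same policy with every localhost source removed.
// Running this at build time keeps the dev convenience out of the shipped page.
function productionCsp(policy) {
  const directives = parseCsp(policy);
  for (const [name, values] of directives) {
    directives.set(name, values.filter((v) => !isLocalhostSource(v)));
  }
  return serializeCsp(directives);
}

// Sample policy taken from the question (constructed input for this example).
const DEV_CSP = "default-src 'self' localhost:* ws://localhost:*;";

console.log(findLocalhostSources(DEV_CSP));
console.log(effectiveSources(DEV_CSP, 'script-src'));
console.log(productionCsp(DEV_CSP));
```

The effectiveSources call is the part worth noticing: because no script-src is declared, the localhost entries in default-src are exactly what the browser applies to script loads, which is why the question is about XSS at all. The productionCsp output is what a build step would write into index.html for the deployed site.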