Question is regarding having CSP served twice: What's the behavior if there is one policy served through the <code>Content-Security-Policy</code> HTTP response header and also another policy specified with the <code><meta /></code> element? Will those two be merged somehow? Or else which one has priority? (I cannot find clear info on this in the spec). Specific use case might be serving <code>Report-to</code> through the HTTP response header and putting all other restrictions in the <code><meta /></code> element — because some of those are generated by webpack - and if I shouldn't be worried about <code><meta /></code> shallowed by the HTTP response-header policy.

If you have CSP directives specified both in a <code>Content-Security-Policy</code> HTTP header and in a <code>meta</code> element, the browser uses the most-restrictive CSP directives, wherever specified. See the details on multiple polices at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the <code>meta</code> element at https://w3c.github.io/webappsec-csp/#meta-element: <blockquote> A policy specified via a <code>meta</code> element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies. <h3>8.1. The effect of multiple policies</h3> The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource. </blockquote>

What is happening when I have two CSP (Content Security Policies) policies

Question is regarding having CSP served twice:

What's the behavior if there is one policy served through the Content-Security-Policy HTTP response header and also another policy specified with the <meta /> element?

Will those two be merged somehow? Or else which one has priority? (I cannot find clear info on this in the spec).

Specific use case might be serving Report-to through the HTTP response header and putting all other restrictions in the <meta /> element — because some of those are generated by webpack - and if I shouldn't be worried about <meta /> shallowed by the HTTP response-header policy.

Can you have multiple Content-Security-Policy headers?

A server MUST NOT send more than one HTTP header field named Content-Security-Policy with a given resource representation. A server MAY send different Content-Security-Policy header field values with different representations of the same resource or with different resources.

What is the function of Content-Security-Policy CSP header?

The Content-Security-Policy header allows you to restrict how resources such as JavaScript, CSS, or pretty much anything that the browser loads. Although it is primarily used as a HTTP response header, you can also apply it via a meta tag. The term Content Security Policy is often abbreviated as CSP .

If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever specified.

See the details on multiple polices at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the meta element at https://w3c.github.io/webappsec-csp/#meta-element:

A policy specified via a meta element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.

8.1. The effect of multiple policies

The impact is that adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource.

What is happening when I have two CSP (Content Security Policies) policies - header & meta?

Tags:

Jurosh

People also ask

1 Answers

8.1. The effect of multiple policies

sideshowbarker

Recent Activity

Donate For Us