default-src can break directives from other headers #9
Comments
|
For our projects our setup contains a Varnish reverse proxy that concatenates the CSP headers again. So we use this extension to split the headers to bypass the hard size limit of Apache, but the browser receives a single large header. If more than one CSP header is evaluated by the browser, then additional headers can only further restrict the policy. If your Possible solutions are:
I don't see an easy way of handling this automatically without the risk of allowing unwanted connections. We should definitely include a warning about this behavior in the documentation. |
|
Maybe one option would be to regenerate default-src by combining all others, but it could easily lead to header overflow again. |
|
@mfickers i.e. replacing:
by something like
(I maybe missed some directives in the list, but you got the idea) |
|
That should work and would not add too much additional overhead in most cases. Good solution 👍 |
Hello,
with split headers it seems impossible to load something that is not declared in default-src too, right ?
Here is an example (intentionally split with short headers, but assume it's legitimately split):
Content-Security-Policy: "default-src 'self';"Content-Security-Policy: "img-src 'self' www.anotherwebsite.com;"With this, I want to be able to load images from www.anotherwebsite.com, but not scripts for example.
However, as default-src is defined, when first header is evaluated, it matches and it's more restrictive than second header, so image from anotherwebsite.com will not load.
How should we manage this kind of cases ?
Force undeclared directives with default-src value and remove default-src directive ?
The text was updated successfully, but these errors were encountered: