[OWASP-Bangalore] CSP- Implementation Issue - Query

cyber research 001.appsec.007 at gmail.com
Mon Jan 21 11:56:50 UTC 2019


Hi All,

Following is a CSP policy, for example derived from Gmail response headers.

Question is: the implementation below allows only whitelisted domains in the "script-src"
directive, but the 'unsafe-inline' and 'unsafe-eval' directives are also used next to
'self'.

*Will 'unsafe-inline' / 'unsafe-eval' be applied to all whitelisted
domains including 'self', or only to the 'self' domain?*

content-security-policy:
script-src https://clients4.google.com/insights/consumersurveys/
 https://www.google.com/js/bg/
 'self' 'unsafe-inline' 'unsafe-eval'
 https://mail.google.com/_/scs/mail-static/
 https://hangouts.google.com/

Thanks & Regards,
Sai

