[OWASP-Bangalore] CSP- Implementation Issue - Query
001.appsec.007 at gmail.com
Mon Jan 21 11:56:50 UTC 2019
Following is a CSP policy, for example derived from Gmail response headers.
The question is:
The below implementation allows whitelisted domains only in the "script-src"
directive, but the 'unsafe-inline' and 'unsafe-eval' directives are also used next to them.
*Will 'unsafe-inline' / 'unsafe-eval' be used by all whitelisted
domains including 'self', or is it only for the 'self' domain?*
'self' 'unsafe-inline' 'unsafe-eval'
Thanks & Regards,
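Added example, not part of the original post: a small JavaScript model of how a browser evaluates a script-src source list of the shape asked about above. Host expressions and 'self' only gate the URLs of external scripts, while 'unsafe-inline' and 'unsafe-eval' are keyword sources that apply to the whole page regardless of which host a script came from. The policy string and hostnames are constructed placeholders, not Gmail's real headers.

```javascript
// Constructed script-src policy: whitelisted hosts plus 'self',
// 'unsafe-inline' and 'unsafe-eval' (placeholder hostnames, not Gmail's).
const POLICY =
  "script-src 'self' https://cdn.example.com https://*.example.net 'unsafe-inline' 'unsafe-eval'";

// Return the source expressions of one directive (e.g. "script-src") as an array.
function parseDirective(policy, name) {
  const directive = policy
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(name + ' '));
  return directive ? directive.slice(name.length).trim().split(/\s+/) : [];
}

// Does a host-type source expression match an external script URL?
// Simplified: scheme + host only; ports and paths are ignored.
function hostMatches(pattern, url, pageOrigin) {
  if (pattern === "'self'") return url.origin === pageOrigin;
  if (pattern.startsWith("'")) return false; // other keywords never match a URL
  const [scheme, host] = pattern.split('://');
  if (!host || scheme + ':' !== url.protocol) return false;
  // "*.example.net" matches subdomains only, never example.net itself.
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return host === url.hostname;
}

// Would the browser run this script under the policy?
// kind: 'external' (needs url), 'inline' (script block/handler in the HTML),
// or 'eval' (eval()/new Function() called by any already-running script).
// Note: inline and eval checks never look at a host; the keyword either
// covers the whole document or nothing. (Real browsers additionally ignore
// 'unsafe-inline' once a nonce or hash source is present in the list.)
function scriptAllowed(policy, pageOrigin, kind, url) {
  const sources = parseDirective(policy, 'script-src');
  if (kind === 'inline') return sources.includes("'unsafe-inline'");
  if (kind === 'eval') return sources.includes("'unsafe-eval'");
  return sources.some((src) => hostMatches(src, new URL(url), pageOrigin));
}
```

Calling scriptAllowed with the 'eval' kind gives the same answer whether the calling script was loaded from 'self' or from a whitelisted CDN, which is the practical answer to the question: the keywords are not scoped per domain.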