[OWASP-Bangalore] Fwd: CSP- Implementation Issue - Query

Nemo me at captnemo.in
Mon Jan 21 20:23:52 UTC 2019

On 1/21/19 5:26 PM, cyber research wrote:

> The implementation below allows whitelisted domains only in the "script-src"
> directive, but the 'unsafe-inline' and 'unsafe-eval' directives are also used
> next to 'self'.

A CSP policy only applies to the current origin, or in other words: the
domain that you see in the address bar.

The following CSP:

script-src https://a.com 'self' 'unsafe-inline' 'unsafe-eval'

in English means:

allow script tags on the current webpage (where this header is being
served) to use the following 4 sources.

So a script tag of <script src="https://a.com/a.js"> will load, but
<script src="https://b.com/b.js"> will be rejected immediately.

The self, unsafe-inline, and unsafe-eval also *only* apply to the current
page. If for some reason you have an <iframe src="x.com">, this policy
won't apply there.

For example, for embedded resources, the spec[0] says:

> The policy of the embedding resource controls what may be embedded. The
> embedded resource, however, is controlled by the policy delivered with
> the resource, or the policy of the embedding resource if the embedded
> resource is a globally unique identifier (or a srcdoc frame).

As with all things CSP, it is easiest to answer questions by testing
things out: just set up two web servers on different ports, send different
headers/content, and observe the behaviour.

Hope this helps,

[0]: https://www.w3.org/TR/CSP2/#which-policy-applies
