For example, a bank might set "only allow assets from this server". So if a page links to an external JavaScript URL, the browser will ignore it.
You can also set a 'report violations' URL. The browser will then send a warning message to the website: it's a POST request to the URL you set in the header.
The full syntax is available here, but here are a few examples
The policy can be set in a webpage,
<!-- This is an HTML example: everything comes from this website, except images, which can come from any secure (https) website. Note: the directive is img-src, not image-src; a misspelt directive is silently ignored by the browser, and the meta element cannot carry report-uri. -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https:">
or in the server config.
# Apache: virtual hosts or .htaccess (needs mod_headers, hence "Header set")
#
# This example sets:
# - by default, everything must be loaded from this domain
# - except images, which may come from anywhere
# - except JavaScript, which may come from self or the 2 listed domain names
Header set Content-Security-Policy "default-src 'self'; img-src *; script-src 'self' cdn.jquery.com maps.google.com"

# This example sets the reporting URL
Header set Content-Security-Policy "default-src 'self'; report-uri https://www.example.com/violation-reports.cgi"
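To show the whole loop described above (build the header, serve it, receive the report-uri POST), here is an added example in Python; it is not code from the original post. The report path /violation-reports, the port, and the hostnames in the constructed sample report are assumptions. The directive whitelist is deliberately strict so that a typo like image-src fails at build time instead of being silently ignored by the browser.

```python
"""Added example (not from the original post): build a CSP header, serve it,
and accept the report-uri POSTs a browser sends when the policy is violated.
The report path /violation-reports and all hostnames below are assumptions."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_PATH = "/violation-reports"  # assumed path; must match the report-uri value

# Directives this example accepts (subset of the CSP fetch/document directives).
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "frame-ancestors", "base-uri", "form-action", "report-uri", "report-to",
}


def build_csp_header(policy):
    """Serialise {directive: [source, ...]} into a Content-Security-Policy value.

    Unknown directive names raise, which catches typos such as 'image-src'
    (the real directive is 'img-src'); browsers silently ignore unknown
    directives and fall back to default-src, so the typo changes the policy unnoticed.
    """
    parts = []
    for directive, sources in policy.items():
        if directive not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown CSP directive: {directive!r}")
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


PAGE_POLICY = build_csp_header({
    "default-src": ["'self'"],
    "img-src": ["*"],
    "script-src": ["'self'", "cdn.jquery.com", "maps.google.com"],
    "report-uri": [REPORT_PATH],
})


def parse_violation_report(body):
    """Pull the fields worth logging out of an application/csp-report POST body.

    Browsers wrap the report in a top-level "csp-report" object; the field
    names used here are the ones defined for the report-uri report format.
    """
    report = json.loads(body)["csp-report"]
    return {
        "document": report.get("document-uri"),
        "blocked": report.get("blocked-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "policy": report.get("original-policy"),
    }


class CSPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        page = b"<html><body><p>CSP demo page</p></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", PAGE_POLICY)
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_POST(self):
        if self.path != REPORT_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            violation = parse_violation_report(self.rfile.read(length))
        except (ValueError, KeyError):
            self.send_error(400, "malformed CSP report")
            return
        # In production this would be forwarded to the SIEM; here it goes to stderr.
        self.log_message("CSP violation on %s: %s blocked by %s",
                         violation["document"], violation["blocked"], violation["directive"])
        self.send_response(204)
        self.end_headers()


# Constructed sample report, shaped like what a browser POSTs for a blocked script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/account",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": PAGE_POLICY,
    "blocked-uri": "https://third-party.example.net/tracker.js",
    "status-code": 200,
}}).encode()

if __name__ == "__main__":
    print(parse_violation_report(SAMPLE_REPORT))
    HTTPServer(("127.0.0.1", 8080), CSPHandler).serve_forever()
```

Run it and load http://127.0.0.1:8080/ in a browser; any inline or third-party script on the page will be blocked and reported to the same server, which answers the report POST with 204. Reports are unauthenticated input from the client, so the handler parses them defensively and returns 400 on malformed bodies rather than trusting the JSON shape.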