On what types of web content is a Content-Security-Policy useful?



  • The W3C spec for Content-Security-Policy or Mozilla CSP docs would be the definitive source for this answer, but it does not seem covered, so I'm asking here for answers based on people's experience. If my understanding is correct, then I'll probably contact the W3C spec authors.


    My understanding is that browsers have implemented their CSP engines as an extension of the page DOM; i.e. a CSP is associated with a page, not with a request / response.

    Under my understanding, a CSP delivered in the following ways is useful:

    • As an HTTP response header (or <meta> tag) on top-level HTML content.

    • As an HTTP response header (or <meta> tag) on nested / framed content (I assume this would fall under section 3.4: Enforcing multiple policies, and would further restrict the first CSP).

    • As a <meta> tag in addition to an HTTP response header in either of the above (I assume this would fall under section 3.4: Enforcing multiple policies, and would further restrict the first CSP).

    Under my understanding, a CSP delivered in the following ways is useless; i.e. completely ignored by the browser and a waste of bandwidth:

    • As an HTTP response header on content that is not HTML (i.e. on a response that is Content-Type: text/javascript, application/json, text/css, text/plain, application/gzip, image/jpeg, etc.).

    So I guess I have two questions here:

    1. Does it do anything to put a CSP header on responses that are not web pages (i.e. on REST APIs, files, javascript, etc.)?
    2. Is this mentioned anywhere in the W3C spec (and I can't read), or would it be worth asking the authors to add a section "3.x: Applicable content types")?


  • Self-answer: turns out I can't read. Thanks to @SteffenUllrich in comments.

    Section 3.5. Policy applicability is exactly what I was looking for.

    Summary so this is not a link-only answer (from the CSP Level 2 December 2016 version):

    • Top-level Contexts: ex.: HTML, SVG are mentioned explicitly. Use the policy delivered with the resource.
    • Embedded Contexts: ex.: iframe, object, embed, embedded SVGs, javascript workers that are independent from the page. Use the policy delivered with the resource; fall back to the policy of the creating context if the resource was delivered via a data: URL, a blob, or some other mechanism that does not give the opportunity to provide a CSP.
    • Subresources: ex.: everything else. Policy of the including context.
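The following is an added example that is not part of the question or the answer above: a small Python model of the applicability rules the answer summarises (section 3.5) together with the "enforcing multiple policies" rule the question refers to (section 3.4). It is a deliberate simplification, not a browser's CSP engine: policies are parsed into directive -> source list, only literal host matching, `*` and `'none'` are handled (the `'self'`, nonce and hash source forms are not modelled), and the `Resource` type and the three context kinds ("top-level", "embedded", "subresource") are names chosen here for illustration. It shows concretely why a CSP header on a JSON or script response that is only ever fetched as a subresource is never consulted, while header and `<meta>` policies on the document itself are both enforced.

```python
"""Toy model of CSP policy applicability (CSP Level 2, sections 3.4 and 3.5).

Constructed example; not the spec text and not any browser's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]  # directive name -> list of source expressions


def parse_policy(header: str) -> Policy:
    """Split 'default-src a; script-src b c' into {'default-src': ['a'], 'script-src': ['b', 'c']}."""
    policy: Policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def allows(policy: Policy, directive: str, origin: str) -> bool:
    """Does a single policy permit loading from `origin` under `directive`?

    Absent directive falls back to default-src; if neither is present there is
    no restriction. Sources are compared literally, so "'none'" matches nothing.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source == "*" or source == origin for source in sources)


def allowed_by_all(policies: List[Policy], directive: str, origin: str) -> bool:
    """Section 3.4: when several policies apply, a load must satisfy every one.

    With no applicable policy at all, nothing is restricted.
    """
    return all(allows(p, directive, origin) for p in policies)


@dataclass
class Resource:
    """A fetched response, as the browser sees it (names are ours, not the spec's)."""
    content_type: str
    kind: str                       # "top-level", "embedded" or "subresource"
    url_scheme: str                 # "https", "data", "blob", ...
    delivered_policies: List[str] = field(default_factory=list)  # CSP header and/or <meta>


def effective_policies(resource: Resource, creating_context: List[Policy]) -> List[Policy]:
    """Return the policies the browser enforces for this resource (section 3.5).

    `creating_context` is the policy list of the document that created or
    includes this resource (the parent page).
    """
    delivered = [parse_policy(p) for p in resource.delivered_policies]
    if resource.kind == "top-level":
        # HTML, SVG, ...: whatever arrived with the resource (header and meta both).
        return delivered
    if resource.kind == "embedded":
        # iframe/object/embed/worker: its own policy, unless it had no chance to
        # deliver one (data: or blob: source), in which case the creator's policy.
        if resource.url_scheme in ("data", "blob"):
            return list(creating_context)
        return delivered
    # Subresource (script, stylesheet, image, fetched JSON, ...): any CSP sent on
    # the subresource response itself is simply never consulted.
    return list(creating_context)


if __name__ == "__main__":
    page = Resource("text/html", "top-level", "https",
                    ["default-src 'self'; script-src https://cdn.example"])
    page_policies = effective_policies(page, [])
    api = Resource("application/json", "subresource", "https", ["default-src 'none'"])
    # The API's own header is ignored; the page's policy governs the fetch.
    print(effective_policies(api, page_policies) == page_policies)
```

The usage block at the bottom answers the question's first point directly: wrapping a REST response in its own CSP changes nothing, because for a subresource `effective_policies` never looks at `delivered_policies`. Adding a header on the HTML document and a stricter `<meta>` policy, by contrast, yields two entries in the list, and `allowed_by_all` requires a load to pass both.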

