Can a Content Security Policy (CSP) enable *new* unsafe behavior?



  • Does the design and implementation of the content security policy standard allow for the introduction of new unsafe behavior that wasn't there prior to having any CSP at all?

    For example, if my starting point is having no CSP headers or policy at all and I then introduce a CSP which contains:

    • unsafe-eval
    • unsafe-inline

    Is it now less secure (e.g. has it enabled something that was not allowed prior to having any CSP)?



  • The goal of Content-Security-Policy is to add an additional security layer and not relax existing security settings. From Content Security Policy Level 3 - Introduction:

    ... use to lock down their applications in various ways, mitigating the risk of content injection vulnerabilities such as cross-site scripting, and reducing the privilege with which their applications execute.

    So CSP cannot be used to relax the Same Origin Policy. That would be CORS instead.

    As for your example of unsafe-inline and unsafe-eval: with no CSP these are enabled by default. So a CSP which has these directives does not relax the existing default security settings.
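    To make the answer's point concrete, here is an added example (not part of the original question or answer) that models how a browser applies the `script-src` source list and compares a policy against the no-CSP baseline. The function names (`parseCsp`, `inlineScriptAllowed`, `evalAllowed`, `externalScriptAllowed`, `compareToBaseline`), the page origin `https://app.example` and the third-party script URL are all constructed for this illustration; host matching is simplified to exact origins plus `'self'` and `*`.

```javascript
// Added example: a simplified model of CSP script-src evaluation, used to show
// that a policy listing 'unsafe-inline'/'unsafe-eval' can only ever tighten
// the no-CSP baseline (where inline, eval and any external script are allowed).

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// The source list that governs scripts: script-src, else default-src.
// null means "no restriction", either because there is no CSP at all or
// because the policy simply does not mention scripts.
function scriptSources(policy) {
  if (policy === null) return null;
  return policy["script-src"] ?? policy["default-src"] ?? null;
}

// Is an inline <script> block allowed? With no CSP: always yes.
function inlineScriptAllowed(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  // Caveat from CSP Level 2+: 'unsafe-inline' is ignored once the list
  // contains a nonce or hash source, so adding a nonce silently tightens it.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Is eval() / new Function() allowed? With no CSP: always yes.
function evalAllowed(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.includes("'unsafe-eval'");
}

// Is an external script at scriptUrl allowed on a page at pageOrigin?
// Simplified host matching: exact origin, 'self' (the page origin) or '*'.
function externalScriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const target = new URL(scriptUrl).origin;
  return sources.some((s) => {
    if (s === "*") return true;
    if (s === "'self'") return target === pageOrigin;
    if (s.startsWith("'")) return false; // keywords, nonces, hashes never match hosts
    const candidate = s.includes("://") ? s : `https://${s}`; // scheme-less host source
    try { return new URL(candidate).origin === target; } catch { return false; }
  });
}

// Compare a policy with the browser defaults for one script. 'relaxed' lists
// capabilities the CSP grants that the no-CSP baseline denied (always empty,
// because the baseline denies nothing); 'tightened' lists what the CSP blocks.
function compareToBaseline(policy, pageOrigin, scriptUrl) {
  const baseline = { inline: true, eval: true, external: true };
  const withCsp = {
    inline: inlineScriptAllowed(policy),
    eval: evalAllowed(policy),
    external: externalScriptAllowed(policy, pageOrigin, scriptUrl),
  };
  const keys = Object.keys(baseline);
  return {
    withCsp,
    relaxed: keys.filter((k) => withCsp[k] && !baseline[k]),
    tightened: keys.filter((k) => !withCsp[k] && baseline[k]),
  };
}

// Constructed sample input: the policy from the question, applied to a page
// that tries to load a script from a third-party origin.
const PAGE_ORIGIN = "https://app.example";
const THIRD_PARTY_SCRIPT = "https://evil.example/payload.js";
const questionPolicy = parseCsp("script-src 'self' 'unsafe-inline' 'unsafe-eval'");
const verdict = compareToBaseline(questionPolicy, PAGE_ORIGIN, THIRD_PARTY_SCRIPT);
console.log(JSON.stringify(verdict)); // relaxed is [], tightened is ["external"]
```

    Running the block shows the answer's claim in the verdict: inline scripts and `eval` are allowed both with and without the policy, so nothing is relaxed, while the third-party script is blocked only once the policy exists. The nonce caveat inside `inlineScriptAllowed` is the one practical trap: a policy that lists both a nonce and `'unsafe-inline'` ends up stricter than it looks, not looser.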


