
Is there a benefit to adding Content-Security-Policy headers to Javascript resources?

An automated scanning tool is flagging the fact that our Javascript bundle is not being returned with a Content-Security-Policy header even though the document itself has the header.

My understanding is that the Content-Security-Policy header controls the loading of resources within a document. Does it provide any benefit when added to the resources themselves?

The short answer is generally no.

The long answer is that you need to set your content types properly. There is a scenario where, if you don't set the Content-Type correctly, it leads to issues, unless the JS files are static (not rendered in the background). If an attacker could find a way to manipulate the first bytes of dynamic JS files, they could run those files in the context of an HTML document. So if you don't use dynamic JS files, or those files don't allow the first bytes to be manipulated, you don't need to set CSP policies.
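The check a reviewer would actually want from the scanner is the one the answer points at: not "does the script response carry a CSP header" but "is the script served with a JavaScript Content-Type". The audit below is an added example, not code from the question, the answer or any scanner; it runs over constructed sample responses (no network) and reports a missing or non-JavaScript Content-Type, treats a CSP header on the script response as informational only, and additionally flags a missing `X-Content-Type-Options: nosniff`, which goes beyond the answer and is included as a hardening assumption.

```python
"""Audit response headers of JavaScript resources (added example).

Illustrates the accepted answer: a Content-Security-Policy header on the
script response itself does not govern how the script is loaded (the
document's CSP does), whereas a wrong or missing Content-Type on a
dynamically generated script is a real defect.  Sample responses are
constructed inline, so the script runs offline.
"""
from typing import Dict, List, Tuple

# Media types browsers interpret as JavaScript (representative subset of the
# JavaScript MIME type list in the WHATWG MIME Sniffing standard).
JS_MIME_TYPES = {
    "application/javascript",
    "text/javascript",
    "application/x-javascript",
    "application/ecmascript",
    "text/ecmascript",
}


def parse_content_type(value: str) -> str:
    """Return the lowercase media type with parameters (e.g. charset) stripped."""
    return value.split(";", 1)[0].strip().lower()


def audit_js_response(url: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one JavaScript resource's response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    ctype = h.get("content-type")
    if ctype is None:
        findings.append(
            "missing Content-Type: the browser may sniff the body, so a dynamic "
            "script whose first bytes an attacker controls could be treated as HTML"
        )
    elif parse_content_type(ctype) not in JS_MIME_TYPES:
        findings.append(f"non-JavaScript Content-Type {parse_content_type(ctype)!r}")

    # Hardening assumption beyond the answer: nosniff makes the browser honour
    # the declared type instead of guessing from the body.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff (hardening, not required by the answer)")

    # A CSP header on the script response is harmless but enforces nothing for
    # the document that includes the script; only the document's CSP does.
    if "content-security-policy" in h:
        findings.append(
            "informational: Content-Security-Policy on a script response does not "
            "govern script loading; the document's CSP does"
        )
    return findings


# Constructed sample responses (URL, headers); not real servers.
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("https://example.test/static/bundle.js",
     {"Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff"}),
    ("https://example.test/dynamic/config.js",
     {"Content-Type": "text/html"}),
    ("https://example.test/legacy/app.js",
     {"Content-Security-Policy": "default-src 'self'"}),
]


def audit_all(responses=SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Audit every sample response; returns {url: [findings]}."""
    return {url: audit_js_response(url, headers) for url, headers in responses}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, "->", findings or ["ok"])
```

Only `bundle.js` comes back clean; the dynamically rendered `config.js` is the case the answer warns about, and `app.js` shows that a CSP header on the script buys nothing when the Content-Type is absent.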
