
What CSP is safer - style-src 'none' or style-src 'unsafe-inline'

I am struggling to fully understand style-src 'none'. Based on the naming, it sounds like it would be restrictive, or does it mean that there are no rules and you can do whatever you want?

Same question for script-src 'none' in the unlikely situation where it acts differently.

Side-note - what is the best CSP if you are using the library styled-components (everything is injected as inline with this library)?

EDIT:

I have read the description of 'none' from MDN before.

'none'
Refers to the empty set; that is, no URLs match. The single quotes are required.

What does this mean? Does this mean that it does not block styles/scripts or the opposite?

A policy source of 'none' is the MOST restrictive; it means NO hosts are valid.

From the link I cited above:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

 Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports
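To make the answer concrete, here is an added example (my own code, not from the question, the answer or MDN): a small evaluator for one CSP fetch directive that shows what 'none', 'unsafe-inline' and a host source such as cdn.example.com actually permit. It goes a step beyond the page by also handling nonce sources and the rule that a nonce or hash in the list makes 'unsafe-inline' ignored, which is the usual way to allow a library's injected styles without opening all inline CSS; function names and the sample inputs are mine, and 'self', hashes and scheme-only sources are deliberately out of scope.

```javascript
// Added example, not code from the question, the answer or MDN: a minimal
// evaluator for one CSP fetch directive (style-src or script-src). It covers
// 'none', 'unsafe-inline', host sources and nonces only; 'self', hashes and
// scheme-only sources are out of scope, so it illustrates the rules rather
// than replacing a browser's CSP engine.

// "directive src src; directive src" -> Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// A fetch directive that is not set falls back to default-src.
function sourceListFor(policy, directive) {
  return policy.get(directive) ?? policy.get("default-src") ?? null;
}

// Host-source matching (subset): "*", "cdn.example.com",
// "https://cdn.example.com", "*.example.com".
function hostMatches(src, host) {
  if (src === "*") return true;
  const pattern = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].toLowerCase();
  return host === pattern || (pattern.startsWith("*.") && host.endsWith(pattern.slice(1)));
}

// resource is { inline: true, nonce?: "..." } or { url: "https://host/path" }.
function isAllowed(header, directive, resource) {
  const list = sourceListFor(parseCsp(header), directive);
  if (list === null) return true; // neither directive nor default-src: unrestricted
  // 'none' is an expression that matches nothing, so a list that is empty or
  // consists only of 'none' denies everything. That is why 'none' is the MOST
  // restrictive value, the opposite of "no rules".
  const sources = list.filter(s => s.toLowerCase() !== "'none'");
  if (sources.length === 0) return false;
  if (resource.inline) {
    if (resource.nonce && sources.includes(`'nonce-${resource.nonce}'`)) return true;
    // CSP2+: once a nonce or hash source is present, 'unsafe-inline' is ignored,
    // so a nonce-based policy for injected styles does not reopen all inline CSS.
    const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
    return !hasNonceOrHash && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  }
  const host = new URL(resource.url).host.toLowerCase();
  return sources.some(s => hostMatches(s, host));
}

// The policy quoted in the answer, as a constructed header value for the demo.
const MDN_POLICY = "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports";
```

With MDN_POLICY, a stylesheet from cdn.example.com is allowed while inline styles and any script (which fall back to default-src 'none') are denied; with `style-src 'unsafe-inline'` inline styles pass but no external stylesheet does.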
