stackoom
  简体   繁体   中英

Is there anyway to configure content security policy to allow any third party scripts but disallow inline/eval

 原文  2022-02-13 14:52:46       content-security-policy/ script-src

Question

Is there anyway to configure content security policy to allow any third party scripts but disallow inline/eval?

I have some third party marketing/analytics scripts that has to be added and removed regularly. I would like to secure the page vs inline and eval style xss through user input. What would my CSP look like for this usecase? Thanks.

1 answers

solution1
 0 ACCPTED  2022-02-14 13:09:13

As you probably know you are not going to set 'unsafe-inline' or 'unsafe-eval' in the script-src directive. To allow everything else you can accept any host with * or accept everything on certain schemes such as https: data: and blob:, see https://www.w3.org/TR/CSP3/#framework-directive-source-list

For the other CSP directives you'll have to decide based on your use case and requirements of the third party code.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Is it possible to use Content-Security-Policy to allow inline scripts from one host, but only external scripts from other hosts? Content Security Policy allow inline style without unsafe-inline Allow SVGs in Content Security Policy without 'unsafe-eval' Angular - Content Security Policy(CSP) support for inline style, eval etc How to remove unsafe inline and unsafe eval from content security policy? Content security policy directive blocks dynamically loaded inline scripts How to allow unsafe-eval and Remote Script - CSP Content Security Policy Content security policy allow all Content Security Policy granularity: Does 'unsafe-eval' apply globally to all scripts? Allow All Content Security Policy?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM