stackoom
  简体   繁体   中英

Does specifying a file in a CSP directive prevent other files from that domain being loaded?

 原文  2023-01-24 10:08:16       content-security-policy/ script-src

Question

If I have the following script-src directive:

script-src: https://example.com/scripts/file.js;

Is it possible for any of the following scripts to be loaded?

  1. https://example.com/file.js
  2. https://example.com/assets/file.js
  3. https://example.com/scripts/different-file.js

Does this apply to all browsers and CSP v2 / CSP v3?

1 answers

solution1
 1 ACCPTED  2023-01-24 14:04:30

According to the specifications for CSP v2 and CSP v3 , this can be used in both v2 and v3. I would expect browsers to support it as major browsers have supported v2 for years. None of the example scripts should be loaded with the given CSP.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question jQuery 3.1.1 violation of CSP directive Do CSP headers from a site loaded in an iFrame matter or just mine? CSP for dynamically loaded CSS Do frontend and backend sub domain needs to be same to have the effect of CSP headers from https response? Performance impact of ng-csp directive Chrome Ignoring CSP Directive in the Header on a Redirect Safari csp google analytics not loaded due to img Can CSP restrict the connections of dynamically loaded script? What is the correct way to load a script with the 'strict-dynamic' CSP directive? CSP form-action directive override not working in Chrome
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM