Wednesday, 22 May 2019

What does it mean to set a Content Security Policy on response to a non-HTML request?

I understand that I might set a CSP header for the main page of my site, say https://example.com, to restrict from where I can load scripts and other resources. But, if there is no CSP on the main page, how will the browser treat a policy on a subsequent request?

This is two examples in one:

  1. I browse to https://example.com and get back some HTML (no CSP header)
  2. The HTML includes a script from https://example.com/script.js [*]
  3. This script requests some data from the API by issuing a GET to https://api.example.com [*]
  4. The same script then opens a websocket to the same domain, https://api.example.com
  5. The same script then makes another request, POSTing externally to https://api.analytics.com

[*] In steps 2 and 3, what would happen if the script.js or the JSON response came back with a restrictive CSP, like Content-Security-Policy: default-src 'none'? Would any downstream requests be changed? Does the browser do anything to prevent any of the script's requests? Or are they allowed because the original page load did not include any CSP?

Thanks!
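To make the scenario in the question concrete, here is an added example (not from the original post) that models how a browser decides which policy governs each of the five steps: only the navigation (document) response's header is consulted, while a CSP header on script.js or on a JSON reply never reaches the embedding page, and fetch/WebSocket requests are governed by connect-src, falling back to default-src. The source matching is a deliberately reduced version of the CSP3 algorithm (no wildcards or paths), the response records are constructed, and the WebSocket is modelled as wss://api.example.com/.

```javascript
// Simplified model of how a browser applies CSP to the steps in the question.
// Only the navigation (document) response's policy counts; a CSP header on
// script.js or on a JSON reply never governs the embedding page. Source
// matching is a reduced version of the CSP3 algorithm (no wildcards, no paths).
const GOVERNING = { script: "script-src", fetch: "connect-src", websocket: "connect-src" };
const SCHEME_UPGRADE = { "http:": "https:", "ws:": "wss:" }; // http matches https, ws matches wss

function parsePolicy(header) {
  const policy = {};
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function matchesSource(source, requestUrl, documentUrl) {
  const req = new URL(requestUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return req.origin === new URL(documentUrl).origin;
  const src = new URL(source.includes("://") ? source : `https://${source}`);
  const schemeOk = src.protocol === req.protocol || SCHEME_UPGRADE[src.protocol] === req.protocol;
  return schemeOk && src.host === req.host;
}

function isAllowed(policy, kind, requestUrl, documentUrl) {
  // A missing connect-src/script-src falls back to default-src; no directive at all means allowed.
  const sources = policy[GOVERNING[kind]] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => matchesSource(s, requestUrl, documentUrl));
}

// responses: constructed {destination, csp} records in the order the browser receives them.
function evaluateScenario(responses) {
  const doc = "https://example.com/";
  const nav = responses.find((r) => r.destination === "document");
  const policy = parsePolicy(nav ? nav.csp : ""); // subresource headers are dropped here
  return {
    script: isAllowed(policy, "script", "https://example.com/script.js", doc),
    apiGet: isAllowed(policy, "fetch", "https://api.example.com/", doc),
    websocket: isAllowed(policy, "websocket", "wss://api.example.com/", doc),
    analyticsPost: isAllowed(policy, "fetch", "https://api.analytics.com/", doc),
  };
}

// Constructed sample: document without CSP, script.js and the JSON reply carrying default-src 'none'.
const SAMPLE_RESPONSES = [
  { destination: "document", csp: "" },
  { destination: "script", csp: "default-src 'none'" },
  { destination: "json", csp: "default-src 'none'" },
];
```

Running evaluateScenario(SAMPLE_RESPONSES) reports every step allowed, because the only response that could have restricted them (the document) carried no policy; moving default-src 'none' onto the document response blocks all four.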
