Friday 26 August 2022

How does Content Security Policy (CSP) work?

I'm getting a bunch of errors in the developer console:

Refused to evaluate a string

Refused to execute inline script because it violates the following Content Security Policy directive

Refused to load the script

Refused to load the stylesheet

What's this all about? How does Content Security Policy (CSP) work? How do I use the Content-Security-Policy HTTP header?

Specifically, how to...

  1. ...allow multiple sources?
  2. ...use different directives?
  3. ...use multiple directives?
  4. ...handle ports?
  5. ...handle different protocols?
  6. ...allow file:// protocol?
  7. ...use inline styles, scripts, and tags <style> and <script>?
  8. ...allow eval()?

And finally:

  1. What exactly does 'self' mean?
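The points asked about above (several sources per directive, several directives, ports, schemes such as `https:`, `data:` and `file:`, the `'unsafe-inline'`/`'unsafe-eval'` keywords, and what `'self'` means) as one added example that is not part of the original post: a small Python matcher that applies the browser's CSP source-matching rules to a URL. It assumes the document was served from the page URL passed in, and leaves out nonces, hashes and the http-to-https upgrade rule.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}  # used when a port is omitted

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):          # directives are ';'-separated, sources space-separated
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, url, page_url):
    """Does one source expression permit loading url into a document at page_url?"""
    scheme, host, port = _origin(url)
    p_scheme, p_host, p_port = _origin(page_url)
    src = source.lower()
    if src == "*":                          # any network scheme, but not data:, blob:, file:
        return scheme in DEFAULT_PORTS
    if src == "'self'":                     # same scheme, host AND port as the page itself
        return (scheme, host, port) == (p_scheme, p_host, p_port)
    if src.endswith(":") and "/" not in src:    # scheme-source: https:, data:, file:
        return scheme == src[:-1]
    # host-source: [scheme://]host[:port|:*][/path]; an omitted scheme means the page's scheme
    s_scheme, _, rest = src.partition("://") if "://" in src else (p_scheme, "", src)
    if scheme != s_scheme or host is None:
        return False
    s_host, _, s_port = rest.split("/", 1)[0].partition(":")
    if s_host.startswith("*."):             # *.example matches subdomains only, not example itself
        if not host.endswith(s_host[1:]):
            return False
    elif host != s_host:
        return False
    if s_port == "*":                       # :* allows any port
        return True
    return port == (int(s_port) if s_port else DEFAULT_PORTS.get(s_scheme))

def allowed(header, directive, what, page_url):
    """Check a URL, or a keyword such as 'unsafe-eval', against a directive;
    a directive that is absent falls back to default-src, as browsers do."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    if what.startswith("'"):                # keywords are simply present in the list or not
        return what in sources
    return any(source_matches(s, what, page_url) for s in sources)
```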


from How does Content Security Policy (CSP) work?
