What is happening when I have two CSP (Content Security Policies) policies – header & meta?

by

If you have CSP directives specified both in a Content-Security-Policy HTTP header and in a meta element, the browser uses the most-restrictive CSP directives, wherever specified.

See the details on multiple polices at https://w3c.github.io/webappsec-csp/#multiple-policies and details on using the meta element at https://w3c.github.io/webappsec-csp/#meta-element:

A policy specified via a meta element will be enforced along
with any other policies active for the protected resource, regardless
of where they’re specified. The general impact of enforcing multiple
policies is described in §8.1 The effect of multiple policies.

8.1. The effect of multiple policies

The impact is that adding additional policies to the list of policies
to enforce can only further restrict the capabilities of the protected resource.

More Related Contents:

  1. Disable browser ‘Save Password’ functionality
  2. Why is script-src-elem not using values from script-src as a fallback?
  3. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  4. Are HTTP cookies port specific?
  5. Salt Generation and open source software
  6. Is “double hashing” a password less secure than just hashing it once?
  7. How should I ethically approach user password storage for later plaintext retrieval?
  8. Authentication versus Authorization
  9. Where to store JWT in browser? How to protect against CSRF?
  10. Remove Server Response Header IIS7
  11. Is it safe to enable CORS to * for a public and readonly webservice?
  12. Payment Processors – What do I need to know if I want to accept credit cards on my website? [closed]
  13. Is there any possible ways to bypass cloudflare security checks?
  14. Send mail via Gmail with PowerShell V2’s Send-MailMessage
  15. Is it secure to submit from a HTTP form to HTTPS?
  16. Is JSONP safe to use?
  17. How to prevent arbitrary client apps from using anonymous web API?
  18. Is HTTP header Referer sent when going to a http page from a https page?
  19. Using Symfony2’s AccessDeniedHandlerInterface
  20. Is it safe to enable ”Access-Control-Allow-Origin: *“ (wildcard) for a public and readonly webservice?
  21. Allow All Content Security Policy?
  22. Why not use HTTPS for everything?
  23. Where is the PEM file format specified?
  24. Difference between CSRF and X-CSRF-Token
  25. MD5 security is fine? [closed]
  26. Securing an API: SSL & HTTP Basic Authentication vs Signature
  27. What’s wrong with XOR encryption?
  28. What is the clash rate for md5? [closed]
  29. How to protect against direct access to images? [closed]
  30. is it bad to pass jwt token as part of url?

Leave a Comment