
Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.

asked Mar 14, 2016 by joshlf; edited May 26, 2023 by General Grievance

6 Answers


For people who still want an even more permissive policy, because the other answers were just not permissive enough, and who must work with Google Chrome, for which * is just not enough:

default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
script-src * data: blob: 'unsafe-inline' 'unsafe-eval';
script-src-elem * data: blob: 'unsafe-inline' 'unsafe-eval';
connect-src * data: blob: 'unsafe-inline';
img-src * data: blob: 'unsafe-inline';
media-src * data: blob: 'unsafe-inline';
frame-src * data: blob:;
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
frame-ancestors * data: blob:;

It's not secure at all, but as a starting point the real allow-all policy is:

default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';

See: https://content-security-policy.com/ and this CSP migration guide.

The best way would be not applying any policy.

But to answer your question, an "allow all policy" would probably be:

default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; 

Note: untested

Here's the .htaccess code to allow everything in CSP:

# 'unsafe-dynamic' is not a CSP keyword (browsers ignore unknown tokens), so it is omitted from the source list
Header add Content-Security-Policy "default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob:; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"

DISCLAIMER/WARNING: Please consider writing a proper CSP. The following configuration allows any connection and does not provide any security benefit. The Content-Security-Policy-Report-Only header helps you to achieve the goal of a proper CSP in two steps/non-blocking.

Since the default behavior is for every fetch directive to fall back to default-src (according to MDN), we only need to define a default-src and sources for all document and navigation directives (base-uri, form-action, frame-ancestors). The simplest CSP header that allows anything should be this:

default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
base-uri * data: mediastream: blob: filesystem:;
form-action * data: mediastream: blob: filesystem:;
frame-ancestors * data: mediastream: blob: filesystem:;

The explanation why * does not match "everything" is that the asterisk only allows all host-sources, but e.g. scheme-sources, inline or eval are not host-sources. Therefore these types of sources must be explicitly specified.

EDIT: added directives that do not fall back to default-src (thanks for the comment)
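
The first answer observes that a bare * is "just not enough" for Chrome, and the answer above explains why: * only matches host-sources, and only some directives fall back to default-src. The following is an added example, not code from any of the answers or from a browser, that models exactly those two rules so you can check a candidate header before shipping it. The function names (parsePolicy, effectiveSources, allows), the request shape and the sample policies are assumptions of this example; nonces, hashes, ports, paths and 'strict-dynamic' are deliberately left out.

```javascript
// Added example, not code from the Stack Overflow answers above: a small model
// of how a browser matches a CSP source list. It shows why a bare "*" does not
// allow data:, blob:, inline or eval, and how the fetch directives fall back to
// default-src while base-uri, form-action and frame-ancestors never do.
// Assumptions of this example: nonces, hashes, ports, paths and
// 'strict-dynamic' are ignored; 'none' is honoured only as the sole entry.

// Fallback chain, reduced from the CSP3 directive definitions.
const FALLBACK = {
  "script-src-elem": "script-src", "script-src-attr": "script-src",
  "style-src-elem": "style-src", "style-src-attr": "style-src",
  "frame-src": "child-src", "worker-src": "child-src",
  "script-src": "default-src", "style-src": "default-src", "child-src": "default-src",
  "img-src": "default-src", "font-src": "default-src", "connect-src": "default-src",
  "media-src": "default-src", "object-src": "default-src", "manifest-src": "default-src",
  // Document and navigation directives: no fallback at all.
  "base-uri": null, "form-action": null, "frame-ancestors": null,
};

// A bare "*" only matches network schemes; data:, blob:, filesystem: and the
// like do not count and must be listed explicitly as scheme-sources.
const NETWORK_SCHEMES = new Set(["http", "https", "ws", "wss"]);

// Parse a header value into { directiveName: [sourceExpressions] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Walk the fallback chain to the source list that governs `directive`;
// null means no directive applies and CSP imposes no restriction on it.
function effectiveSources(policy, directive) {
  let name = directive;
  while (name != null) {            // stops on null (no fallback) or undefined (unknown)
    if (policy[name]) return policy[name];
    name = FALLBACK[name];
  }
  return null;
}

// Does one source expression match a URL? `self` is the document's origin.
function matchesSource(source, url, self) {
  const scheme = url.protocol.slice(0, -1);
  if (source === "*") return NETWORK_SCHEMES.has(scheme);
  if (source === "'self'") return self !== undefined && url.origin === new URL(self).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {            // scheme-source, e.g. data: or blob:
    const s = source.slice(0, -1);
    return s === scheme || (s === "http" && scheme === "https") || (s === "ws" && scheme === "wss");
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(source); // host-source
  if (!m) return false;
  const [, srcScheme, srcHost] = m;
  if (srcScheme && srcScheme !== scheme && !(srcScheme === "http" && scheme === "https")) return false;
  const host = url.hostname;
  if (srcHost.startsWith("*.")) return host.length > srcHost.length - 1 && host.endsWith(srcHost.slice(1));
  return host === srcHost;
}

// request: { kind: "url", url } | { kind: "inline" } | { kind: "eval" }
function allows(header, directive, request, self) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  if (request.kind === "inline") return sources.includes("'unsafe-inline'");
  if (request.kind === "eval") return sources.includes("'unsafe-eval'");
  const url = new URL(request.url);
  return sources.some((s) => matchesSource(s, url, self));
}

// Constructed policies: the bare "*" many people try first, and the allow-all
// header from the answer above.
const STAR_ONLY = "default-src *";
const ALLOW_ALL =
  "default-src * data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline'; " +
  "base-uri * data: mediastream: blob: filesystem:; form-action * data: mediastream: blob: filesystem:; " +
  "frame-ancestors * data: mediastream: blob: filesystem:";

if (typeof require !== "undefined" && require.main === module) {
  const dataImg = { kind: "url", url: "data:image/png;base64,AAAA" };
  console.log("* allows data: image:", allows(STAR_ONLY, "img-src", dataImg));                       // false
  console.log("* allows inline script:", allows(STAR_ONLY, "script-src-elem", { kind: "inline" }));  // false
  console.log("allow-all allows data: image:", allows(ALLOW_ALL, "img-src", dataImg));               // true
  console.log("default-src 'none' governs framing:",
    !allows("default-src 'none'", "frame-ancestors", { kind: "url", url: "https://other.example/" })); // false
}
```

The last line of the demo is the point of the answer's EDIT: a page served with only default-src 'none' can still be framed by anyone, because frame-ancestors has no fallback. Run the same check against your own header before relying on it.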

In case anyone else needs an Object of @rainb's answer:

"csp": {
    "default-src": "* data: mediastream: blob: filesystem: about: ws: wss: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';",
    "script-src": "* data: blob: 'unsafe-inline' 'unsafe-eval';",
    "script-src-elem": "* data: blob: 'unsafe-inline' 'unsafe-eval';",
    "connect-src": "* data: blob: 'unsafe-inline';",
    "img-src": "* data: blob: 'unsafe-inline';",
    "media-src": "* data: blob: 'unsafe-inline';",
    "frame-src": "* data: blob:;",
    "style-src": "* data: blob: 'unsafe-inline';",
    "font-src": "* data: blob: 'unsafe-inline';",
    "frame-ancestors": "* data: blob:;"
}
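
The fourth answer recommends getting from an allow-all header to a proper policy in two steps with Content-Security-Policy-Report-Only. The following added example (not from any of the answers) shows what those two steps look like in code: one function emits the same directive map under either header name, and a second aggregates the violation reports the browser POSTs back, which is what you read before tightening the policy. The endpoint path /csp-report, the function names and the sample reports are constructed for this example.

```javascript
// Added example, not code from the Stack Overflow answers above: the two-step
// CSP rollout. Step 1 sends the candidate policy as
// Content-Security-Policy-Report-Only (violations are reported, nothing is
// blocked); step 2 sends the same value as Content-Security-Policy once the
// reports are clean. The report endpoint path is an assumption of this example.

const REPORT_ENDPOINT = "/csp-report"; // assumed path where the app receives reports

// Build the { name, value } header pair for either phase from a directive map
// such as the object in the answer above.
function buildCspHeader(directives, { reportOnly }) {
  const value =
    Object.entries(directives)
      .map(([name, sources]) => `${name} ${sources.join(" ")}`)
      .join("; ") + `; report-uri ${REPORT_ENDPOINT}`;
  const name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return { name, value };
}

// Aggregate legacy report-uri payloads ({"csp-report": {...}}) by the
// directive that was violated and the URI that would have been blocked.
// Malformed bodies are skipped rather than trusted.
function summarizeReports(bodies) {
  const counts = {};
  for (const body of bodies) {
    let report;
    try {
      report = JSON.parse(body)["csp-report"];
    } catch {
      continue;
    }
    if (!report || typeof report !== "object") continue;
    const directive = report["effective-directive"] || report["violated-directive"] || "unknown";
    const blocked = report["blocked-uri"] || "unknown";
    const key = `${directive} ${blocked}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports in the shape a browser POSTs to report-uri.
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "effective-directive": "script-src-elem",
    "violated-directive": "script-src-elem", "blocked-uri": "https://cdn.example/app.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.example/app.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/", "effective-directive": "img-src",
    "blocked-uri": "data" } }),
  "not json at all",
];

if (typeof require !== "undefined" && require.main === module) {
  const candidate = { "default-src": ["'self'"], "img-src": ["'self'", "data:"] };
  console.log(buildCspHeader(candidate, { reportOnly: true }));   // step 1: observe only
  console.log(summarizeReports(SAMPLE_REPORTS));                  // read what would break
  console.log(buildCspHeader(candidate, { reportOnly: false }));  // step 2: enforce
}
```

The summary tells you which directives still need a source (here a script host and data: images) before flipping to the enforcing header; the same directive map is reused for both phases so the two headers cannot drift apart.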

Tags: javascript, Allow All Content Security Policy, Stack Overflow