Information Security
ifap, 2020-09-16 02:12:36

Content-Security-Policy: host-source VS 'self': what's the difference?

I read through the docs and thought about it a lot, but still couldn't figure it out: in what scenario might it be necessary to specify the load source as 'self' instead of a specific site (or sites)? Do we not know in advance which site the content can be loaded from? And what is the point of using CSP then?

And, while I'm at it, why does neither host-source nor 'self' as a source include a "subset" of 'unsafe-inline', i.e. content embedded in the page being loaded? The page itself can be loaded, a script/style called from it on the same domain is allowed, HTML elements of the page with style attributes (did not check with scripts) are allowed again, but the same script/style, if it is embedded as a separate block, is not. Where is the logic?

1 answer
granty, 2020-09-18
@ifap

We do not know in advance from which site the content can be loaded?
We know, but not always. A site can have many subdomains, including dynamic ones.
host-source VS 'self'
Instead of 'self', the browser substitutes the protocol, host (domain) and port number from the origin (the current URL) of the page.
If your site is available as: http://domain.com, https://domain.com, http://www.domain.com, https://www.domain.com, http://www.domain.com:8081 - 'self' will cover all of this:
go to http://www.domain.com:8080/page.html - 'self' will be equal to http://www.domain.com:8080, etc.
Otherwise instead of 'self' you would have to list all variations of hostnames (including subdomains) with schemes/protocols and port numbers.
why does neither host-source nor 'self' as a source include a "subset" of 'unsafe-inline', i.e. content embedded in the page being loaded?
Because such an embedded script may appear on the page without the knowledge of the webmaster. It can be inserted by a malicious browser plug-in, another script (for example, a weather widget), it can be inserted by an Internet provider. Such an inline script may appear on a page as a result of an XSS vulnerability.
The Content Security Policy protects against this.
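A small Python model of the matching the answer describes, added here as an illustration (it is not code from the question, the answer, or any browser's CSP implementation): 'self' is derived from the page's scheme, host and port; a host-source is matched field by field; and inline content, having no URL, matches neither. It simplifies CSP3 (path parts are ignored) and uses the constructed hostnames from the answer.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def origin_of(url):
    """(scheme, host, port) of a URL, with a missing port normalised to the scheme default."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS.get(scheme)

def scheme_ok(expr_scheme, url_scheme):
    """Same scheme, or the http -> https upgrade that CSP3 permits."""
    return url_scheme == expr_scheme or (expr_scheme == "http" and url_scheme == "https")

def matches_self(page_url, url):
    """'self' is computed from the page's own origin: scheme, host and port."""
    p_scheme, p_host, p_port = origin_of(page_url)
    u_scheme, u_host, u_port = origin_of(url)
    return u_host == p_host and u_port == p_port and scheme_ok(p_scheme, u_scheme)

def matches_host_source(expr, page_url, url):
    """Simplified CSP3 host-source matching: [scheme://]host[:port]; any path is ignored."""
    u_scheme, u_host, u_port = origin_of(url)
    if "://" in expr:
        e_scheme, rest = expr.split("://", 1)
    else:
        e_scheme, rest = origin_of(page_url)[0], expr  # no scheme given: inherit the page's
    e_host, _, e_port = rest.split("/", 1)[0].partition(":")
    if not scheme_ok(e_scheme.lower(), u_scheme):
        return False
    e_host = e_host.lower()
    if e_host.startswith("*."):
        if not u_host.endswith(e_host[1:]):  # "*.domain.com" -> any host ending ".domain.com"
            return False
    elif u_host != e_host:
        return False
    if e_port == "*":
        return True
    if e_port == "":  # no port in the expression: URL must use its scheme's default port
        return u_port == DEFAULT_PORTS.get(u_scheme)
    return u_port == int(e_port)

def allowed(sources, page_url, url):
    """True if the URL may load under the source list; inline content (url=None) has no URL,
    so it can only be allowed by 'unsafe-inline' (or, in real CSP, a nonce or hash)."""
    if url is None:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'" and matches_self(page_url, url):
            return True
        if not src.startswith("'") and matches_host_source(src, page_url, url):
            return True
    return False

if __name__ == "__main__":
    page = "http://www.domain.com:8080/page.html"  # constructed, taken from the answer's example
    print(allowed(["'self'"], page, "http://www.domain.com:8080/app.js"))     # True
    print(allowed(["'self'"], page, "https://domain.com/app.js"))             # False: other host/port
    print(allowed(["*.domain.com:*"], page, "http://cdn.domain.com:9000/x.js"))  # True
    print(allowed(["'self'", "*.domain.com"], page, None))                    # False: inline block
```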
