Content-Security-Policy: host-source VS 'self': what's the difference?
I have pored over the docs and thought about it a lot, but still can't work it out: in what scenario would it be necessary to specify the source as 'self' instead of a specific site (or sites)? When we don't know in advance which site the content may be loaded from? And what then is the point of using CSP?

And, so as not to ask twice: why does neither host-source nor 'self' as a source include, as a "subset", 'unsafe-inline', i.e. content embedded in the page being loaded? The page itself can be loaded, a script/style it references on the same domain is allowed, HTML elements of the page with style properties (I didn't check with scripts) are again allowed, but the same script/style, if it is embedded as a separate piece, is not. Where is the logic?
> When we don't know in advance which site the content may be loaded from?

We do know, but not always. A site can have many subdomains, including dynamic ones.

> why does neither host-source nor 'self' as a source include, as a "subset", 'unsafe-inline', i.e. content embedded in the page being loaded?

Because such an embedded script may appear on the page without the webmaster's knowledge. It can be inserted by a malicious browser plug-in, by another script (for example, a weather widget), or by an Internet provider. Such an inline script may also appear on a page as a result of an XSS vulnerability.
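As an added illustration (not part of the answer above, and not a browser's real algorithm): a simplified evaluator for the script-src directive that shows the three points made here: 'self' resolves against whatever origin the page was served from, so one header works on any subdomain; a host-source only admits the hosts it names (with `*.` matching subdomains); and an inline script is never covered by either, only by an explicit 'unsafe-inline'. Nonces, hashes, 'strict-dynamic' and path matching are left out on purpose; all URLs below are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(),
            u.port or DEFAULT_PORTS.get(u.scheme.lower()))

def host_source_matches(source, script_url):
    """Match a host-source like cdn.example, *.example.com or https://static.example.com:8443."""
    scheme, host, port = _origin(script_url)
    src_scheme = None
    if "://" in source:
        src_scheme, source = source.split("://", 1)
    src_host, _, src_port = source.partition(":")
    src_host = src_host.lower()
    if src_scheme and src_scheme.lower() != scheme:   # explicit scheme must agree
        return False
    if src_port and src_port != str(port):             # explicit port must agree
        return False
    if src_host == "*":
        return True
    if src_host.startswith("*."):                      # *.example.com: subdomains only, not the apex
        return host.endswith(src_host[1:])
    return host == src_host

def script_allowed(header, page_url, script_url=None):
    """True if an external script (script_url) or an inline one (script_url=None) may run on page_url."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        # Inline code is opted into only by 'unsafe-inline'; neither 'self' nor any host covers it.
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'self'":
            if _origin(script_url) == _origin(page_url):   # same origin as the page itself
                return True
        elif not source.startswith("'") and host_source_matches(source, script_url):
            return True
    return False
```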