Content Security Policy can be delivered with a meta tag as an alternative to adding a Content-Security-Policy HTTP response header to a HTML page.
Let's suppose we want to add a CSP policy to our site using the following HTML:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
Your policy will go inside the content attribute of the meta tag. The header name Content-Security-Policy should go inside the http-equiv attribute of the meta tag.
Where should the meta tag be placed? The meta tag must go inside a head tag. The CSP policy only applies to content found after the meta tag is processed, so you should keep it towards the top of your document, or at least before any dynamically generated content.
What happens if the meta tag is outside the head? In current versions of Chrome you will get an error such as the following:
The Content Security Policy 'default-src 'self'' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.
Does report-uri work in a CSP meta tag? This is not supported; furthermore, the Content-Security-Policy-Report-Only header cannot be used in a meta tag either.
Does sandbox work in a CSP meta policy? According to the CSP spec, sandbox is also not supported inside a meta tag.
Should I use a meta tag or a HTTP response header? meta support is handy when you can't set a HTTP response header, but in most cases using a HTTP response header is a stronger approach.
Are all directives supported in a meta tag? No, some directives may not work in a meta tag; for example, the frame-ancestors directive cannot be used inside a meta tag.
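The constraints above (meta tag must sit in head, Report-Only is not supported, report-uri, sandbox and frame-ancestors are ignored when delivered via meta) are easy to get wrong in a template. The following checker is an added example written for this page, not code from the original site; it uses only the Python standard library and the constructed sample documents embedded below. The function names (CspMetaAuditor, audit_csp_meta) are assumptions of this example.

```python
from html.parser import HTMLParser

# Directives that, per the page, are not honoured when CSP comes from a <meta> tag.
META_UNSUPPORTED_DIRECTIVES = {"report-uri", "sandbox", "frame-ancestors"}


class CspMetaAuditor(HTMLParser):
    """Collect every CSP meta tag in a document and record whether it sat inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.seen_body = False
        self.findings = []  # one dict per CSP meta tag encountered

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.seen_body = True
        elif tag == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            http_equiv = a.get("http-equiv", "").strip().lower()
            if http_equiv in ("content-security-policy",
                              "content-security-policy-report-only"):
                self.findings.append({
                    "http_equiv": http_equiv,
                    "policy": a.get("content", ""),
                    # Only a meta tag seen while inside <head> (and before <body>) counts.
                    "in_head": self.in_head and not self.seen_body,
                })

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def parse_directive_names(policy):
    """Return the directive names of a serialized CSP, e.g. "default-src 'self'; img-src *"."""
    names = []
    for directive in policy.split(";"):
        directive = directive.strip()
        if directive:
            names.append(directive.split()[0].lower())
    return names


def audit_csp_meta(html):
    """Return a list of human-readable warnings about CSP meta tags in the given HTML."""
    auditor = CspMetaAuditor()
    auditor.feed(html)
    auditor.close()
    warnings = []
    if not auditor.findings:
        warnings.append("no CSP meta tag found")
    for f in auditor.findings:
        if f["http_equiv"] == "content-security-policy-report-only":
            warnings.append("Content-Security-Policy-Report-Only is not supported in a meta tag")
            continue
        if not f["in_head"]:
            warnings.append("CSP meta tag is outside <head>; browsers ignore the policy")
        for name in parse_directive_names(f["policy"]):
            if name in META_UNSUPPORTED_DIRECTIVES:
                warnings.append(f"directive '{name}' is ignored when delivered via meta")
    return warnings


# Constructed sample documents for demonstration.
GOOD_HTML = ('<!doctype html><html><head>'
             '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
             '</head><body><p>hello</p></body></html>')

OUTSIDE_HEAD_HTML = ('<!doctype html><html><head><title>x</title></head><body>'
                     '<meta http-equiv="Content-Security-Policy" content="default-src \'self\'">'
                     '</body></html>')

UNSUPPORTED_HTML = ('<!doctype html><html><head>'
                    '<meta http-equiv="Content-Security-Policy" '
                    'content="default-src \'self\'; frame-ancestors \'none\'; report-uri /csp-report">'
                    '</head><body></body></html>')

if __name__ == "__main__":
    for label, doc in [("good", GOOD_HTML), ("outside head", OUTSIDE_HEAD_HTML),
                       ("unsupported directives", UNSUPPORTED_HTML)]:
        print(label, "->", audit_csp_meta(doc) or "OK")
```

Run it over rendered pages (or template output) in CI: an empty list means the meta policy is placed where browsers will read it and contains no directives that silently do nothing in meta form. A warning about frame-ancestors is the cue to move the policy, or at least that directive, to the HTTP response header.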
If you're not sure what
default-src 'self'; means, then check out the Content Security Policy reference for details.