Content Security Policy

[opalepatrick]

Hi there, wondering what others are thinking about CSP. I came a cropper after implementing it on a pw site of mine (as per 

)

but I do think that it makes a lot of sense and was disappointed to be demoted from an A+ to a D at https://observatory.mozilla.org after ripping it out to make my site admin work again. Any thoughts?

[cstevensjr]

Could you please explain what you actually did (please give some details) and maybe someone can help you?  Thanks.

[opalepatrick]

Well I was just hoping to spark a conversation, cstevensjr, about CSP as the resolution was in the other thread. But basically I had added a CSP to my site that essentially made the admin area unusable because of the pw requirements. I removed the policies from my .htaccess to resolve.

[AndZyk]

Hello @opalepatrick,

I don't have any experience with CSP, but there was already a little discussion about this topic in this thread:

From what I understand is, that you could use CSP in your front end with PHP if you like. But for the back end it is not possible, as you already have experienced. 

Regards, Andreas

[opalepatrick]

HI @AndZyk, yes I read that and was a bit surprised that there had not been a discussion since, especially as there seems to be a bit of movement from people like Mozilla to pay more attention to it.

I just wondered if there is anything being considered in development that may address it. Or, maybe, that it is not worth bothering about?

[cstevensjr]

 

Here are some links that should give you some insight to where CSP is at:

https://www.w3.org/TR/CSP2/

http://caniuse.com/#feat=contentsecuritypolicy2

https://content-security-policy.com/

https://www.keycdn.com/blog/http-security-headers/

Microsoft - https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/security/content-security-policy

Google - https://developers.google.com/web/fundamentals/security/csp/

Mozilla -  https://hacks.mozilla.org/2016/02/implementing-content-security-policy/

                  https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Opera -   https://dev.opera.com/extensions/architecture-overview/

 

It is also known (reported) that Safari may not be so CSP compliant.   I don't believe that Apple has an official Content Security policy.

Best Regards,

Charles

[opalepatrick]

Thanks @cstevensjr - I think those links will be useful to people. I wonder if it is possible to apply CSP in .htaccess for the site part only (not using meta tags)?