How to utilize content security policy level 3 efficiently on your website

Search Close

Account Information

Reset password

An email has been sent to you with instructions on how to reset your password.

Back to TechRepublic

Welcome to TechRepublic!

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to TechRepublic's News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.

All fields are required. Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).

Question

Creator

Topic
August 8, 2020 at 12:18 am #2142289

How to utilize content security policy level 3 efficiently on your website

by naj7riyami · about 2 years ago

Tags: Security, Security

How to utilize content security policy level 3 efficiently on your website Without any error on google console
Creator

Topic

Answer This

All Answers

Author

Replies
- August 12, 2020 at 6:20 am #2418448
 
 How to utilize content security policy level 3 efficiently on your website
 
 by deborasumopayroll · about 1 year, 12 months ago
 
 In reply to How to utilize content security policy level 3 efficiently on your website
 
 With this policy defined, the browser simply throws an error instead of loading script from any other source. When a clever attacker manages to inject code into your site, they’ll run headlong into an error message rather than the success they were expecting.
 
 Policy applies to a wide variety of resources
 While script resources are the most obvious security risks, CSP provides a rich set of policy directives that enable fairly granular control over the resources that a page is allowed to load. You’ve already seen script-src, so the concept should be clear.
 
 Let’s quickly walk through the rest of the resource directives. The list below represents the state of the directives as of level 2. A level 3 spec has been published, but is largely unimplemented in the major browsers.
 
 base-uri restricts the URLs that can appear in a page’s element.
 child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins.
 connect-src limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
 font-src specifies the origins that can serve web fonts. Google’s web fonts could be enabled via font-src https://themes.googleusercontent.com.
 form-action lists valid endpoints for submission from
 
 tags.
 frame-ancestors specifies the sources that can embed the current page. This directive applies to , , <embed />, and <applet> tags. This directive can’t be used in <meta /> tags and applies only to non-HTML resources. frame-src was deprecated in level 2, but is restored in level 3. If not present it still falls back to child-src as before. img-src defines the origins from which images can be loaded. media-src restricts the origins allowed to deliver video and audio. object-src allows control over Flash and other plugins. plugin-types limits the kinds of plugins a page may invoke. report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can’t be used in <meta /> tags. style-src is script-src’s counterpart for stylesheets. upgrade-insecure-requests instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URL’s that need to be rewritten. worker-src is a CSP Level 3 directive that restricts the URLs that may be loaded as a worker, shared worker, or service worker. As of July 2017, this directive has li</applet>
Author

Replies

Viewing 0 reply threads

Start or Search

Start New Discussion

Recruiting a Scrum Master with the right combination of technical expertise and experience will require a comprehensive screening process. This hiring kit provides a customizable framework your business can use to find, recruit and ultimately hire the right person for the job. This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

Knowing the terminology associated with Web 3.0 is going to be vital to every IT administrator, developer, network engineer, manager and decision maker in business. This quick glossary will introduce and explain concepts and terms vital to understanding Web 3.0 and the technology that drives and supports it.

While the perfect color palette or the most sublime button shading or myriad of other design features play an important role in any product’s success, user interface design is not enough. Customer engagement and retention requires a strategic plan that attempts to measure, quantify and ultimately create a complete satisfying user experience on both an ...

Web Development

Question