2

I am trying to add CSP to my web application, I have added the following meta tag in my index page:

<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:;default-src *;style-src 'self' http://* 'unsafe-inline';script-src 'self' http://* 'unsafe-inline' 'unsafe-eval';" />

and Also the following my my web.config file on IIS:

<customHeaders>
     <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' http://*.domain.com;
                                                img-src 'self' http://*.domain.com data:"  />

      </customHeaders>

Is it necessary to add both meta tag and additional headers? or One of them is sufficient?

Does the meta tag policy override the custom header?

Does this script-src 'self' http://* 'unsafe-inline' 'unsafe-eval' mean that I can write inline JavaScript and use eval function inside my code? Does this rule override the policy set by headers? (because as far as I know in headers I have prohibited usage of inline JavaScript and eval function)

And my last question is if I use these settings, Should I use ng-csp or its other variant ng-csp="no-unsafe-eval" in my html?

Rathma
  • 1,196
  • 2
  • 33
  • 65

1 Answers1

2

Is it necessary to add both meta tag and additional headers? or One of them is sufficient?

One is sufficient. If you can make your server send the policy in a response header, that’s better. You don’t need to also specify anything in a meta element too, and there’s no advantage to it.

Does the meta tag policy override the custom header?

The meta policy will only override the header policy if the meta policy is stricter. See this answer:

What is happening when I have two CSP (Content Security Policies) policies - header & meta?

… which cites a part of the CSP that says, “adding additional policies to the list of policies to enforce can only further restrict the capabilities of the protected resource”.

Does this script-src 'self' http://* 'unsafe-inline' 'unsafe-eval' mean that I can write inline JavaScript and use eval function inside my code?

It would do that if your header also specified those values for script-src. But your header policy does not. So the browser uses the strictest policy, regardless of where it’s specified.

Does this rule override the policy set by headers? (because as far as I know in headers I have prohibited usage of inline JavaScript and eval function)

No, as the What is happening when I have two CSP (Content Security Policies) policies - header & meta? answer explains, you can’t override a strict policy by specifying a less-strict policy elsewhere.

So you’re best off specifying all your policy values in just one place, in a header (instead of meta).

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197