
For testing purposes I want to disable CSP so that I can test some XSS on my own website. I have set the meta tag to:

default-src *;

To my understanding this will disable the CSP. However, when I go and set this live and check on a CSP Evaluator, it returns this:

default-src 'self';
base-uri 'self';
block-all-mixed-content;
font-src 'self' https: data:;
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests

Why is this happening and what can I do to disable it?

Chloroform
  • Check the response headers — using the Network pane in browser devtools, or Postman or something, or curl from the command line. What’s likely happening is: the document’s being served with a Content-Security-Policy response header. And if any CSP directive in that header is stricter than any corresponding directive you specify in the meta element, then browsers will ignore the directive in the meta element. See the answer at https://stackoverflow.com/a/51153816/441757. The only way you could change (“disable”) it is to change the value of the Content-Security-Policy header on the server side – sideshowbarker Aug 20 '20 at 00:58
  • Okay, that makes it a little clearer; my server side is only an index.js file, so I'm not sure how I would change it there. Thank you for your response. – Chloroform Aug 20 '20 at 13:26
  • @sideshowbarker, thanks for the hint. This is exactly what happened in my use case. Someone accidentally hard-coded the `content-security-policy` header at our CDN. – LeOn - Han Li Jan 03 '23 at 17:19
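The behaviour the comments describe can be checked offline with a small model of how a browser combines several delivered policies. The following is an added example, not code from the question or from any browser; it parses the header policy quoted in the question and the `default-src *` meta policy and treats a load as permitted only when every policy permits it, which is the rule that makes a permissive meta tag unable to loosen a stricter header. The source-matching helper is a deliberate simplification (exact host match, no ports or wildcards in hosts), and the page origin and third-party origins used below are constructed sample values.

```javascript
// Added example: model of CSP policy combination. Assumes the header policy
// from the question is delivered alongside a <meta> policy of "default-src *".

// Header policy exactly as reported by the CSP Evaluator in the question.
const HEADER_POLICY = [
  "default-src 'self'", "base-uri 'self'", "block-all-mixed-content",
  "font-src 'self' https: data:", "frame-ancestors 'self'", "img-src 'self' data:",
  "object-src 'none'", "script-src 'self'", "script-src-attr 'none'",
  "style-src 'self' https: 'unsafe-inline'", "upgrade-insecure-requests",
].join('; ');

// Meta policy the asker set, expecting it to "disable" CSP.
const META_POLICY = 'default-src *';

// Fetch directives that fall back to default-src when absent from a policy.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'object-src', 'frame-src', 'media-src',
]);

// "script-src 'self' https:; img-src data:" -> Map(name -> [sources]).
// A repeated directive name is ignored, as browsers do.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression admit a load? `origin` is a URL origin such as
// "https://cdn.example", a "data:" URL, or the string "inline" for inline code.
// Simplified model: hosts are compared exactly; '*' never covers inline code or
// data: URLs, matching the CSP rule that '*' does not imply 'unsafe-inline'.
function sourceMatches(source, origin, pageOrigin) {
  if (origin === 'inline') return source === "'unsafe-inline'";
  if (source === "'none'") return false;
  if (source === '*') return /^(https?|wss?):/.test(origin);
  if (source === "'self'") return origin === pageOrigin;
  if (source.endsWith(':')) return origin.startsWith(source); // scheme-source
  return origin === source;                                    // host-source
}

// Does a single policy allow this load for the given directive?
function policyAllows(policy, directive, origin, pageOrigin) {
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = policy.get('default-src');
  }
  if (sources === undefined) return true; // this policy says nothing about it
  return sources.some((s) => sourceMatches(s, origin, pageOrigin));
}

// Browsers enforce every delivered policy independently: the load goes ahead
// only if all of them allow it. This is why the meta tag cannot relax the header.
function allowedByAll(policyTexts, directive, origin, pageOrigin) {
  return policyTexts
    .map(parsePolicy)
    .every((p) => policyAllows(p, directive, origin, pageOrigin));
}

// Stand-alone demonstration with constructed origins.
function demo() {
  const page = 'https://site.example';   // constructed page origin
  const both = [HEADER_POLICY, META_POLICY];
  return {
    thirdPartyScriptMetaOnly: allowedByAll([META_POLICY], 'script-src', 'https://cdn.example', page),
    thirdPartyScriptCombined: allowedByAll(both, 'script-src', 'https://cdn.example', page),
    sameOriginScriptCombined: allowedByAll(both, 'script-src', page, page),
    inlineStyleHeaderOnly:    allowedByAll([HEADER_POLICY], 'style-src', 'inline', page),
    inlineStyleCombined:      allowedByAll(both, 'style-src', 'inline', page),
  };
}

console.log(demo());
```

The last two results show a second point a practitioner should know: `default-src *` is not a "disabled" policy at all, because `*` does not permit inline code, so adding that meta tag can block inline styles the header alone would have allowed. In the asker's Node setup the header would be set (or removed) where the response is written, for example through `res.setHeader('Content-Security-Policy', ...)` in index.js, or at whatever proxy or CDN sits in front of it; `curl -sI` against the live URL, as the first comment suggests, shows which layer is adding it.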
