-
👨🎓 Learning of the day for me: it seems, unless I missed a subtlety, that a CSP cannot be used to act on the capabilities of a loaded JavaScript script when the CSP is applied on the script itself, via the HTTP response that sends it. 📺 My test on 📡 @riramar and the community: do you have any insights about such behavior?
-
🤔 CSP seems to be applied for the other CSP directives, like the 🤔 Other directives:
-
💡 So the key point I noticed was to apply a CSP on the page loading "unsafe" / "untrusted" resources:
-
Seems strange to me, but I'm not sure if this works as intended.
-
📚 Thanks a lot for the feedback and for the question. I added the direct ref below: https://lists.w3.org/Archives/Public/public-webappsec/2024Feb/0006.html
-
Yes, Content-Security-Policy is a header that applies to a document, not to a sub-resource like a script. This is how it is designed...
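The point made in this thread, as an added example that is not part of the discussion: only the document's Content-Security-Policy decides which scripts the page may load (via script-src, falling back to default-src), while a CSP header carried by a script response is never enforced. The URLs, headers and the audit helper below are constructed for illustration and implement a small subset of CSP source matching.

```python
from urllib.parse import urlparse
# Constructed sample traffic: one document plus the scripts it loads. Browsers
# enforce only the document's CSP; the header on lib.js is ignored (sub-resource).
RESPONSES = {
    "https://app.example/": {"Content-Security-Policy": "default-src 'none'; script-src 'self' https://cdn.example"},
    "https://app.example/main.js": {},
    "https://cdn.example/lib.js": {"Content-Security-Policy": "script-src 'none'"},
    "https://evil.example/track.js": {},
}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, document_origin):
    """Subset of CSP source matching: 'self', 'none', [scheme://]host, *.host."""
    u = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == document_origin
    scheme, _, host = expr.rpartition("://")  # host-source, scheme optional
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):
        return u.hostname.endswith(host[1:])
    return host == u.hostname

def allowed(policy, directive, url, document_origin):
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither directive present: CSP does not restrict fetches
        return True
    return any(source_matches(s, url, document_origin) for s in sources)

def audit(responses, document_url):
    """Return (scripts the document's policy blocks, CSP headers with no effect)."""
    origin = "{0.scheme}://{0.netloc}".format(urlparse(document_url))
    policy = parse_csp(responses[document_url].get("Content-Security-Policy", ""))
    blocked, ineffective = [], []
    for url, headers in responses.items():
        if url != document_url and "Content-Security-Policy" in headers:
            ineffective.append(url)  # never enforced: not a document response
        if url != document_url and not allowed(policy, "script-src", url, origin):
            blocked.append(url)
    return blocked, ineffective
```

Running audit(RESPONSES, "https://app.example/") reports track.js as blocked by the document's script-src and flags the CSP on lib.js as having no effect, even though that header says script-src 'none'.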