| Line 108: | Line 108: | ||
allow 'none' | allow 'none' | ||
Expansion can be done on a per-use basis (a directive at a time) | Expansion can be done on a per-use basis (a directive at a time), and then refined to a simpler policy with knowledge of which sources are ultimately trusted, and allowing all types of content from those sources. | ||
==Use-based Expansion== | |||
For each directive, identify the sources for the respective type of content, and enumerate them. For example, consider a situation where scripts are served from the same source and images from a separate subdomain. | For each directive, identify the sources for the respective type of content, and enumerate them. For example, consider a situation where scripts are served from the same source and images from a separate subdomain. | ||
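Review bot: The clause added in the second row of this hunk ("and then refined to a simpler policy ... allowing all types of content from those sources") should state the trade-off it makes: collapsing per-directive sources into one broad grant means a host that was trusted only for one content type (the image subdomain in the example that follows) becomes a valid source for scripts and every other type as well. Suggest qualifying it, e.g. "refined to a simpler policy only where each enumerated source is trusted for every type of content it would then be allowed to serve." Separately, this revision drops the ==Use-based Expansion== heading but keeps the per-directive walkthrough that followed it, so the two strategies (enumerating sources per directive versus refining to a broad policy) now run together in one section; either keep the heading or re-introduce one before "For each directive, identify ...".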
| Line 126: | Line 126: | ||
In fact, many policies will start with <tt>allow 'self'</tt>, to both simplify the policy and to open up the base document's source as a valid source for all types of content. Many sites serve all content from the same source, so this <tt>allow 'self'</tt> policy will work well. | In fact, many policies will start with <tt>allow 'self'</tt>, to both simplify the policy and to open up the base document's source as a valid source for all types of content. Many sites serve all content from the same source, so this <tt>allow 'self'</tt> policy will work well. | ||
==Example: Media and Object == | ==Example: Media and Object == | ||