User:Apking/Web Security Guidelines: Difference between revisions

(→‎Examples: Update examples (thanks ckerschb))
Line 163: Line 163:
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.
* Sites that want to go further are recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in remote sources as revealed during testing.
* Sites that want to go further are recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in remote sources as revealed during testing.
* In lieu of the (preferred) HTTP header, pages can instead include a <tt>&lt;meta http-equiv="Content-Security-Policy" content="&hellip;"&gt;</tt> tag. If they do, it should be the first <tt>&lt;meta&gt;</tt> tag that appears inside <tt>&lt;head&gt;</tt>.
* In lieu of the preferred HTTP header, pages can instead include a <tt>&lt;meta http-equiv="Content-Security-Policy" content="&hellip;"&gt;</tt> tag. If they do, it should be the first <tt>&lt;meta&gt;</tt> tag that appears inside <tt>&lt;head&gt;</tt>.
* Care needs to be taken with <tt>blob:</tt> and <tt>data:</tt> URIs, as these are not covered by 'self' and need to be included in the CSP declaration
* Care needs to be taken with <tt>blob:</tt> and <tt>data:</tt> URIs, as these are not covered by 'self' and need to be included in the CSP declaration
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.
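Review bot: the first bullet's example policy <tt>default-src: https: 'unsafe-inline'</tt> has a colon after the directive name, which is not valid CSP syntax; a browser treats <tt>default-src:</tt> as an unrecognized directive and ignores it, so the header would give none of the https-only protection the bullet promises. It should read <tt>default-src https: 'unsafe-inline'</tt>, matching the correct form already used in the locked-down example in the second bullet. The only wording change in this revision (dropping the parentheses around "preferred") reads fine.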