I have Java-based based web application running on Tomcat 6. My application is running on localhost and port 9001.
To make my application more secure and to reduce the risk of XSS attacks, I added the header Content-Security-Policy
with value default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self'. With this I want to allow the web application to load the JavaScript files from same domain.
For other resources it continues to load in the same fashion as it was without this header.
But I am getting the below error.
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:9001").
The Content Security Policy header is a white list of trusted sources.
The default-src
list is the list used by all other *-src
lists. If it is not present, the default is default-src: *
which means "all content is allowed from anywhere", which does not provide any protection against XSS.
Therefore, you should start with
default-src none
, so that all content is disallowed, or
default-src 'self'
, so that only content from your domain is allowed.
After that, other *-src
can be replaced as needed. For example, the following trusts self for everything except images, and images are only allowed from example.com (but not from 'self'):
default-src 'self'; img-src example.com;
In your question, you specify default-src * 'unsafe-inline' 'unsafe-eval';
which might be causing the issue since *
already implies 'unsafe-inline'
and 'unsafe-eval'
. It's like saying "allow everything and allow inline and allow eval".
Also note that CSP is supported via the X-Content-Security-Header
in IE >= 8.
Sources:
- http://content-security-policy.com/
- http://www.w3.org/TR/CSP/
- http://caniuse.com/#feat=contentsecuritypolicy
Try:
default-src * 'unsafe-inline' 'unsafe-eval';script-src 'self' 'unsafe-inline' 'unsafe-eval'