w3b3 / angular-demo

Demo application with purpose of showcasing Angular and modern web platform features
https://angular-pwa-repo.firebaseapp.com/

Content-Security-Policy support #68

Open w3b3 opened 5 years ago

w3b3 commented 5 years ago

https://www.w3.org/TR/CSP2/

https://content-security-policy.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

w3b3 commented 5 years ago

The Content-Security-Policy header field is the preferred mechanism for delivering a policy.

The server MAY supply policy via one or more HTML meta elements with http-equiv attributes that are an ASCII case-insensitive match for the string "Content-Security-Policy". For example:

w3b3 commented 5 years ago

The Content-Security-Policy-Report-Only header field lets servers experiment with policies by monitoring (rather than enforcing) a policy.

If their site violates this policy, the user agent will send violation reports to the URL specified in the policy's report-uri directive, but allow the violating resources to load regardless.

The Content-Security-Policy-Report-Only header is not supported inside a meta element.
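An added example for this issue, not code from the angular-demo repo: it turns a directive map into a header value, picks the delivery mechanism following the rules quoted in the comments above (enforcing policies may go in a header or a `meta` element, Report-Only is header-only and needs a `report-uri` to be useful), and reduces a violation report POSTed to the `report-uri` endpoint to the fields worth triaging. The `/csp-report` endpoint, the directive values and the sample report are constructed for the example.

```typescript
// Added example (not from the angular-demo repo): CSP serialization, delivery
// selection and violation-report triage. Directive values and the /csp-report
// endpoint are constructed, not something the repo defines.

type Directives = Record<string, string[]>;

// Directives that CSP2 ignores when a policy arrives via a <meta> element,
// so the <meta> variant of a policy must not rely on them.
const META_IGNORED = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// "default-src 'self'; img-src 'self' data:" style serialization.
export function serializePolicy(directives: Directives): string {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

function escapeAttr(v: string): string {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

export interface Delivery {
  headerName: "Content-Security-Policy" | "Content-Security-Policy-Report-Only";
  headerValue: string;
  // null when the policy may not be delivered through a <meta> element
  metaTag: string | null;
}

export function buildDelivery(directives: Directives, reportOnly: boolean): Delivery {
  const headerValue = serializePolicy(directives);
  if (reportOnly) {
    // Report-Only is header-only; without report-uri nothing is ever reported.
    if (!("report-uri" in directives)) {
      throw new Error("report-only policy needs a report-uri directive");
    }
    return { headerName: "Content-Security-Policy-Report-Only", headerValue, metaTag: null };
  }
  const metaDirectives: Directives = {};
  for (const [name, sources] of Object.entries(directives)) {
    if (!META_IGNORED.has(name)) metaDirectives[name] = sources;
  }
  const metaTag =
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(serializePolicy(metaDirectives))}">`;
  return { headerName: "Content-Security-Policy", headerValue, metaTag };
}

// Shape of the JSON body a user agent POSTs to the report-uri endpoint.
export interface CspReport {
  "csp-report": {
    "document-uri": string;
    "violated-directive": string;
    "blocked-uri": string;
    "original-policy"?: string;
  };
}

// Reduce a violation report to the fields a triage dashboard needs.
export function summarizeReport(body: string): { page: string; directive: string; blocked: string } {
  const parsed = JSON.parse(body) as CspReport;
  const r = parsed["csp-report"];
  if (!r || typeof r["violated-directive"] !== "string") {
    throw new Error("not a CSP violation report");
  }
  return { page: r["document-uri"], directive: r["violated-directive"], blocked: r["blocked-uri"] };
}

// Constructed sample: a report-only policy for the demo app plus one report.
export const SAMPLE_POLICY: Directives = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "report-uri": ["/csp-report"], // assumed endpoint, not one the repo defines
};

export const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.test/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example.test/lib.js",
  },
});

console.log(buildDelivery(SAMPLE_POLICY, true));
console.log(summarizeReport(SAMPLE_REPORT));
```

Running it in report-only mode first, as the comment above suggests, lets the reports show which third-party scripts and images the demo app actually loads before the same directives are switched to the enforcing header.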

w3b3 commented 5 years ago

Check specifically directive whose name is "block-all-mixed-content".

Check specifically directive whose name is "upgrade-insecure-requests".

w3b3 commented 5 years ago

8.2. Relation to HSTS

https://www.w3.org/TR/upgrade-insecure-requests/#hsts

The mechanism specified here deals only with the security policy for a specific protected resource. It does not deprecate, replace, or in any way reduce the value of the Strict-Transport-Security HTTP response header [RFC6797]. Authors can and should continue to use that header to ensure that their users are not subject to SSL stripping downgrade attacks, as the upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation.

Likewise, the Strict-Transport-Security header does not imply the behavior that upgrade-insecure-requests activates. It only ensures that resources requested from an origin will never hit the network insecurely.
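An added example, not code from the angular-demo repo, covering the two comments above: it parses a Content-Security-Policy header value, checks for the `block-all-mixed-content` and `upgrade-insecure-requests` directives, and audits them together with Strict-Transport-Security, since the quoted spec text says neither mechanism implies the other. Header names are assumed to be lowercased as Node's `req.headers` does; the sample header values and the finding codes are constructed.

```typescript
// Added example (not from the angular-demo repo): parse a CSP header and audit
// it alongside Strict-Transport-Security. Lowercased header keys are assumed;
// sample values and finding codes are constructed for the example.

export interface Directive { name: string; values: string[] }
export interface Finding { code: string; detail: string }

// Split "a b; c" into directives; directive names are ASCII case-insensitive.
export function parseCsp(header: string): Directive[] {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const tokens = part.split(/\s+/);
      return { name: tokens[0].toLowerCase(), values: tokens.slice(1) };
    });
}

export function hasDirective(policy: Directive[], name: string): boolean {
  return policy.some((d) => d.name === name);
}

export interface Hsts { maxAge: number; includeSubDomains: boolean }

// Parse "max-age=N; includeSubDomains" (RFC 6797); null when absent/malformed.
export function parseHsts(header: string | undefined): Hsts | null {
  if (!header) return null;
  let maxAge = -1;
  let includeSubDomains = false;
  for (const raw of header.split(";")) {
    const token = raw.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) maxAge = Number(m[1]);
    else if (/^includesubdomains$/i.test(token)) includeSubDomains = true;
  }
  return maxAge < 0 ? null : { maxAge, includeSubDomains };
}

// Report what is missing for a response's transport-security posture.
export function auditTransport(headers: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  const policy = parseCsp(headers["content-security-policy"] || "");
  if (!hasDirective(policy, "upgrade-insecure-requests")) {
    findings.push({
      code: "no-upgrade-insecure-requests",
      detail: "http:// subresource requests from this document will not be rewritten to https://",
    });
  }
  if (!hasDirective(policy, "block-all-mixed-content")) {
    findings.push({
      code: "no-block-all-mixed-content",
      detail: "mixed content the user agent would otherwise allow (e.g. http:// images) may still load",
    });
  }
  const hsts = parseHsts(headers["strict-transport-security"]);
  if (hsts === null) {
    // upgrade-insecure-requests does not cover top-level navigations arriving
    // via third-party http:// links; only HSTS does (spec section 8.2 above).
    findings.push({
      code: "no-hsts",
      detail: "top-level navigations from third-party http:// links remain downgradable",
    });
  } else if (hsts.maxAge === 0) {
    findings.push({ code: "hsts-disabled", detail: "max-age=0 tells the user agent to forget HSTS for this host" });
  }
  return findings;
}

// Constructed sample: CSP upgrades insecure requests but HSTS was never set.
export const SAMPLE_HEADERS: Record<string, string | undefined> = {
  "content-security-policy": "default-src 'self'; Upgrade-Insecure-Requests",
  "strict-transport-security": undefined,
};

console.log(auditTransport(SAMPLE_HEADERS));
```

The sample produces two findings: `block-all-mixed-content` is absent and HSTS is missing, which is exactly the gap the quoted text warns about when a site relies on `upgrade-insecure-requests` alone.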