noobbrasil.blogg.se

Using wildcard in editpad lite




The special character * (ASTERISK) in the rules of the Content Security Policy directives can be used as a wildcard to indicate:

1. the entire source, allowing resources to be loaded from any network host-sources, with any protocols and port numbers. Therefore, the special character * completely covers 'self' and the file:// scheme. At the same time, * does not allow the network schemes blob:, data:, filesystem:, javascript: and mediastream: - if necessary, those should be specified separately. For example font-src * will allow loading fonts from any sources (including ftp: / ftps:) except blob:, data:, filesystem: (javascript: and mediastream: are not used for loading fonts).

2. the host-part of the source, essentially allowing the scheme itself. For example, connect-src * will allow connections to any hosts with any port numbers, but only via the https:-protocol. Rule connect-src https: is completely equivalent to the previous one. The notation * is completely equivalent to the notation http: (the same applies to the schemes https:, ws:, wss:, ftp: and ftps:), but * is not used in conjunction with the schemes blob:, data:, filesystem:, javascript: and mediastream:, because they do not have a host-part. Please note that slashes // are used only to separate the scheme from the host; when specifying one scheme as the source, their use is not allowed.

3. For example script-src *. will allow loading scripts from any subdomains of (subdomains of any level), but will not allow loading scripts from the very domain .

4. Note that * as any port number is separated from the host by the symbol. For example frame-src : * will allow loading of frames on any port, and not just on standard ports 80 for the scheme http: or 443 for the protocol https. Using the wildcard * instead of the entire host-part with the specified port number can lead to ignoring the port number.

  • It is not allowed to use the wildcard * in the path or file name.
  • It is not allowed to use the wildcard * (asterisk) instead of.

In any case, using the * wildcard in the script-src directive nullifies the whole effectiveness of Content Security Policy. The asterisk * usually has to be used in the img-src directive for forums, as they often allow inserting images from any sources.

Usage of * in CSP1, usage of * in CSP2, usage of * in CSP3
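The wildcard rules described on this page, written out as a simplified matcher. This is an added example, not code from the original page; the function name sourceAllows, the sample hosts, and the treatment of scheme-less sources as http:/https: are assumptions.

```javascript
// Added example: simplified matcher for the * rules described on this page.
// Out of scope (assumption): paths, 'self', keywords, nonces and hashes.
const HOSTLESS = new Set(["blob:", "data:", "filesystem:", "javascript:", "mediastream:"]);
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function sourceAllows(expr, rawUrl) {
  const url = new URL(rawUrl);
  const e = expr.toLowerCase();

  // A lone * covers network hosts on any port, but never the host-less schemes.
  if (e === "*") return !HOSTLESS.has(url.protocol);

  // Scheme-source such as "https:" or "data:" (no slashes, no host-part).
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;

  // Host-source [scheme://]host[:port]. A * is accepted only as the leftmost
  // host label ("*.") or as the whole port (":*"); other forms, such as a *
  // in the path or in the middle of a host name, fail closed.
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?$/.exec(e);
  if (!m || HOSTLESS.has(url.protocol)) return false;
  const [, scheme, host, port] = m;

  // No scheme given: accept http: and https: (assumption for this example).
  const schemeOk = scheme ? url.protocol === scheme : /^https?:$/.test(url.protocol);
  if (!schemeOk) return false;

  // "*.example.com" matches subdomains at any depth, not example.com itself.
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
  if (!hostOk) return false;

  // ":*" matches any port; with no port, only the scheme's default port matches.
  if (port === "*") return true;
  if (port === undefined) return url.port === "";
  return (url.port || DEFAULT_PORT[url.protocol]) === port;
}
```

Running a policy's source list through a check like this before deployment shows which entries are broader than intended, for example a lone * in script-src.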





