Wednesday, 14 June 2017

Content Security Policy (CSP): port in domain directive

For some reason most of documentation on Content Security Policy doesn't say anything about ports in directives. I found that CSP treats domains with different ports as absolutely different domains. If you have directive like frame-ancestors 'self' *.your-client.com - it will not work if your client embedding your application from test.your-client.com:1507, your directive should be frame-ancestors 'self' *.your-client.com *.your-client.com:1507 then.

It is also possible to use "star notation" for port: frame-ancestors 'self' *.your-client.com:*

See also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://content-security-policy.com/

No comments:

Post a comment