Tags: apache, security, xss, content-security-policy

Content Security Policy: allowing all external images?


I'd like to allow scripts only from my local server with certain exceptions like jQuery etc., but be flexible to load external images. I'm aware that there is a directive like

Content-Security-Policy: script-src 'self' https://apis.google.com; img-src 'self' https://www.flickr.com;

to allow images from both my own webserver and Flickr, but is it possible to allow images from all sources - or would this violate the whole concept of CSP and thus be impossible? I'm maintaining a blog that often requires embedding external images, so it basically comes down to a decision on whether it makes sense and is manageable to add CSP to my website or not.


Solution

  • Including images from all sources is a mostly safe practice in terms of security, but you may not like the content of the images that can be used.

    To allow all images, use:

    img-src * data:;
    

    It's probably reasonable to limit this to https: sources so your users don't get a mixed content (broken lock) error:

    img-src https: data:;
    

    In either case, be sure to send X-Content-Type-Options: nosniff to prevent the content type sniffing that happens in Chrome/IE. I'm not sure if Firefox will treat an image tag that points to a JavaScript file as JavaScript due to sniffing, but your script-src should prevent that from being terrible. I'm not sure if apis.google.com hosts user scripts or if it's limited to typical open source libraries.
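To make the difference between the policies above concrete, here is a small source-list matcher, added as an illustration and not part of the original question or answer. It implements the subset of CSP3 source-expression matching needed to reason about `img-src`/`script-src` lists ('self', 'none', *, scheme sources such as https: and data:, and host sources with an optional *. wildcard and port); it does not handle path matching, nonces, hashes, or the 'self' upgrade rules, so treat it as a reasoning aid rather than a browser. The page origin https://blog.example.org and the imgur/evil URLs are constructed for the demonstration; the two policies are the ones quoted on this page.

```python
from urllib.parse import urlsplit

# Constructed inputs for the demonstration (not from the original post).
PAGE_ORIGIN = "https://blog.example.org"
POLICY_QUESTION = "script-src 'self' https://apis.google.com; img-src 'self' https://www.flickr.com;"
POLICY_ANSWER = "script-src 'self' https://apis.google.com; img-src https: data:;"

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _scheme_ok(allowed, actual):
    """CSP3 scheme matching: http: also covers https:, ws: also covers wss:."""
    return actual == allowed or (allowed, actual) in (("http", "https"), ("ws", "wss"))


def _host_ok(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.x.com' matches 'a.x.com' but not 'x.com'
    return pattern == host


def source_allows(source, url, page_origin):
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    page, target = urlsplit(page_origin), urlsplit(url)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        # Simplified: same scheme, host and port as the page itself.
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if src.startswith("'"):
        return False  # other keywords (nonces, hashes, 'unsafe-inline') never match a URL
    if src == "*":
        # A bare wildcard matches any host, but NOT data:, blob: or filesystem: URLs;
        # that is why the answer writes "img-src * data:" rather than "img-src *".
        return target.scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        return _scheme_ok(src[:-1], target.scheme)  # scheme-source such as https: or data:
    # host-source: [scheme://]host[:port]; data: URLs have no host and can never match one
    if target.hostname is None:
        return False
    if "://" in src:
        pat = urlsplit(src)
        scheme_match = _scheme_ok(pat.scheme, target.scheme)
    else:
        pat = urlsplit("//" + src)  # no scheme given: the page's own scheme applies
        scheme_match = _scheme_ok(page.scheme, target.scheme)
    port_match = pat.port is None or pat.port == (target.port or DEFAULT_PORTS.get(target.scheme))
    return scheme_match and _host_ok(pat.hostname, target.hostname) and port_match


def directive_allows(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Apply a fetch directive, falling back to default-src when it is absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: the load is unrestricted
    return any(source_allows(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    checks = [
        ("img-src", "https://www.flickr.com/p/1.jpg"),
        ("img-src", "https://i.imgur.com/x.png"),
        ("img-src", "http://i.imgur.com/x.png"),
        ("img-src", "data:image/png;base64,AAAA"),
        ("script-src", "https://apis.google.com/js/api.js"),
        ("script-src", "https://evil.example/x.js"),
    ]
    for name, header in (("question", POLICY_QUESTION), ("answer", POLICY_ANSWER)):
        policy = parse_policy(header)
        for directive, url in checks:
            print(f"{name:8} {directive:10} {url:45} {directive_allows(policy, directive, url)}")
```

Two things the output makes visible: under the answer's `img-src https: data:` the http:// imgur URL is refused (that is the mixed-content case the answer mentions), and a bare `img-src *` still refuses data: URLs, so the `data:` token is not redundant. On Apache the header is emitted with mod_headers, for example `Header always set Content-Security-Policy "script-src 'self' https://apis.google.com; img-src https: data:"`; sending it first as `Content-Security-Policy-Report-Only` with a `report-uri` lets you see what a real blog's embedded images would trip before enforcing anything.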