I'd like to allow scripts only from my local server with certain exceptions like jQuery etc., but be flexible to load external images. I'm aware that there is a directive like
Content-Security-Policy: script-src 'self' https://apis.google.com; img-src 'self' https://www.flickr.com;
to allow images from both my own webserver and Flickr, but is it possible to allow images from all sources - or would this violate the whole concept of CSP and thus be impossible? I'm maintaining a blog that often requires embedding external images, so it basically comes down to a decision on whether it makes sense and is manageable to add CSP to my website or not.
Including images from all sources is a mostly safe practice in terms of security, but you may not like the content of the images that can be used.
To allow all images, use:
img-src * data:;
It's probably reasonable to limit this to https: sources so your users don't get a mixed content (broken lock) error:
img-src https: data:;
In either case, be sure to send X-Content-Type-Options: nosniff to prevent content type sniffing that happens in Chrome/IE. I'm not sure if Firefox will treat an image tag that points to a JavaScript file as JavaScript due to sniffing, but your script-src should prevent that from being terrible. I'm not sure if apis.google.com hosts user scripts or if it's limited to typical open source libraries.
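As an added example, not part of the original question or answer, the following Python script implements the core of the CSP Level 3 source-matching rules for URL fetches, enough to show how the directives discussed above actually behave: why `img-src https: data:` blocks an `http://` image, why the bare `*` in `img-src * data:` does not cover `data:` URLs on its own, how `script-src 'self' https://apis.google.com` rejects a script from any other host, and how a directive that is missing entirely is unrestricted unless `default-src` is present. The blog origin `https://blog.example`, the image hosts and every sample URL are assumptions for illustration. Path-part matching, nonces and hashes are deliberately left out.

```python
"""Toy CSP Level 3 source-expression matcher (added example, not the answer's own code).

Implements enough of the CSP3 "Does url match source list?" algorithm to show how
'self', 'none', scheme-sources (https:, data:), host-sources with optional
scheme/port/wildcard and the bare * behave. Path-part matching is omitted.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _scheme_part_matches(expr_scheme, url_scheme):
    # CSP3: "http" in a policy also matches https URLs, "ws" also matches wss.
    return expr_scheme == url_scheme or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(expr, url, self_origin):
    """Does one source expression allow fetching `url` from a document at `self_origin`?"""
    u, me = urlsplit(url), urlsplit(self_origin)
    url_host = (u.hostname or "").lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, url_host, _effective_port(u)) == (
            me.scheme, (me.hostname or "").lower(), _effective_port(me))
    if expr.startswith("'"):
        return False  # nonces, hashes, 'unsafe-inline' never authorise a URL fetch
    if expr == "*":
        # The bare wildcard covers http(s) URLs (or the document's own scheme) only;
        # data:, blob: and filesystem: must be listed explicitly, as the answer does.
        return u.scheme in ("http", "https") or u.scheme == me.scheme
    if expr.endswith(":") and "/" not in expr:
        return _scheme_part_matches(expr[:-1].lower(), u.scheme)  # scheme-source
    # host-source: [scheme://]host[:port][/path]
    if not url_host:
        return False  # data:/blob: URLs have no host and never match a host-source
    if "://" in expr:
        expr_scheme, rest = expr.split("://", 1)
        if not _scheme_part_matches(expr_scheme.lower(), u.scheme):
            return False
    else:
        rest = expr
        if not _scheme_part_matches(me.scheme, u.scheme):  # no scheme: inherit the document's
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    host = host.lower()
    if host.startswith("*."):
        if not (url_host.endswith(host[1:]) and len(url_host) > len(host) - 1):
            return False
    elif host != "*" and host != url_host:
        return False
    if port == "":
        return _effective_port(u) == DEFAULT_PORTS.get(u.scheme)
    return port == "*" or port == str(_effective_port(u))


def allows(policy, directive, url, self_origin):
    """Resolve `directive` (falling back to default-src) and test `url` against it."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: CSP places no restriction on this fetch
    return any(source_matches(s, url, self_origin) for s in sources)


if __name__ == "__main__":
    # Constructed inputs: a hypothetical blog origin and a few candidate fetches.
    SELF = "https://blog.example"
    policy = parse_policy("script-src 'self' https://apis.google.com; img-src https: data:")
    for directive, url in [
        ("img-src", "https://live.staticflickr.com/65535/photo.jpg"),
        ("img-src", "http://example.org/photo.jpg"),           # mixed content, blocked
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("script-src", "https://apis.google.com/js/api.js"),
        ("script-src", "https://evil.example/payload.js"),      # blocked even as <img>? no: see img-src
        ("img-src", "https://evil.example/payload.js"),         # allowed as image; nosniff matters here
    ]:
        print(f"{directive:11s} {url:50s} {'allow' if allows(policy, directive, url, SELF) else 'BLOCK'}")
```

The last two rows are the answer's point about nosniff: the very same `https://evil.example/payload.js` is refused as a script but accepted as an image under `img-src https:`, so the image slot must never be sniffed into something executable.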