Content Security Policy as a blacklist


Can I use the Content Security Policy Header to blacklist the loading of scripts from certain domains?


Solution

  • No, you can’t. When you create a CSP policy, it’s basically a “deny all” policy. You then add back “allow from” exceptions to that. But you can’t do it the other way around; that is, you can’t, in a CSP policy, express “allow all” as a default and then add back specific “deny from” exceptions.
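The allow-list nature of the answer above can be seen by running a policy through a small source-expression matcher. The following is an added example, not code from the question or answer: a simplified evaluator for the `script-src` directive (it handles `'none'`, `*`, `'self'`, scheme sources, and host sources with optional scheme, `*.` subdomain wildcard and port, and ignores nonces, hashes and `'unsafe-*'` keywords, which never match a URL). Every token in a source list can only widen what is allowed; there is no token that narrows it, so the only way to keep a script host out is to leave it off the list. The document and script URLs are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    return p.scheme.lower(), p.hostname.lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())


def source_list(policy, directive):
    """Source expressions for `directive`, falling back to default-src.
    Returns None when neither is present: CSP then places no restriction."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if directive in directives:
        return directives[directive]
    return directives.get("default-src")


def matches(source, doc_origin, script_origin):
    """Does one source expression match the script's origin? (simplified CSP matching)"""
    scheme, host, port = script_origin
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True                      # the only "allow everything" token
    if s == "'self'":
        return script_origin == doc_origin
    if s.startswith("'"):
        return False                     # nonces, hashes, 'unsafe-inline' etc. never match a URL
    if s.endswith(":") and "/" not in s:
        return scheme == s[:-1]          # scheme-source such as "https:"
    # host-source: [scheme://]host[:port]
    src_scheme = None
    if "://" in s:
        src_scheme, s = s.split("://", 1)
    host_part, _, port_part = s.partition(":")
    if src_scheme is not None:
        if src_scheme != scheme:
            return False
    elif scheme not in (doc_origin[0], "https"):
        return False                     # no scheme given: document's scheme or https
    if port_part and port_part != "*":
        if int(port_part) != port:
            return False
    elif not port_part and port != DEFAULT_PORTS.get(scheme):
        return False                     # no port given: only the scheme's default port
    if host_part.startswith("*."):
        return host.endswith(host_part[1:])  # *.example.com matches sub.example.com, not example.com
    return host == host_part


def script_allowed(policy, document_url, script_url):
    """True if the policy permits loading script_url into a document at document_url."""
    sources = source_list(policy, "script-src")
    if sources is None:
        return True
    doc, scr = _origin(document_url), _origin(script_url)
    return any(matches(s, doc, scr) for s in sources)


# Constructed policies: one explicit allow-list, one "allow everything".
ALLOW_LIST = "default-src 'none'; script-src 'self' https://cdn.example.com *.trusted.example"
ALLOW_ALL = "script-src *"
DOC = "https://app.example/"

if __name__ == "__main__":
    for url in ("https://app.example/main.js", "https://cdn.example.com/lib.js",
                "https://a.trusted.example/x.js", "https://trusted.example/x.js",
                "https://evil.example/x.js"):
        print(f"{url:40} allow-list={script_allowed(ALLOW_LIST, DOC, url)!s:5} "
              f"allow-all={script_allowed(ALLOW_ALL, DOC, url)}")
```

With `ALLOW_LIST`, the origins named in the list load and `evil.example` does not; with `ALLOW_ALL`, everything loads and there is nothing you can append to the directive to take `evil.example` back out. If you need to exclude one host, the practical answer is the one given above: enumerate the hosts you do trust.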