Tags: content-security-policy, script-src

Is there anyway to configure content security policy to allow any third party scripts but disallow inline/eval

I have some third-party marketing/analytics scripts that have to be added and removed regularly. I would like to secure the page against inline- and eval-style XSS through user input. What would my CSP look like for this use case? Thanks.


Solution

  • As you probably know, you are not going to set 'unsafe-inline' or 'unsafe-eval' in the script-src directive. To allow everything else you can accept any host with * or accept everything on certain schemes such as https:, data: and blob:, see https://www.w3.org/TR/CSP3/#framework-directive-source-list

    For the other CSP directives you'll have to decide based on your use case and the requirements of the third-party code.
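As an added example (not part of the original answer or of any CSP library), the following JavaScript builds the header value for the case in the question and then checks candidate script sources against it with a simplified CSP3 source-list matcher. The analytics host names and URLs are made up for illustration, and the matcher covers only the scheme-source, host-source and `*` forms discussed in the answer (no nonces or hashes).

```javascript
// Added example: a "no inline, no eval, any third-party https script" policy,
// serialized as a Content-Security-Policy header value, plus a simplified
// CSP3 source-list matcher to show which scripts it lets through.
// Host names and URLs below are constructed for illustration.

const policy = {
  // scheme-source: "https:" matches any https URL on any host (CSP3 scheme-source).
  "script-src": ["https:"],
  // Not asked for in the question, but an https: script-src says nothing about
  // plugins or <base>, so these are commonly locked down alongside it.
  "object-src": ["'none'"],
  "base-uri": ["'none'"],
};

// The same policy with data: added, to show what that costs (see usage note).
const looserPolicy = { "script-src": ["https:", "data:"] };

// Turn the policy object into the header value.
function serializePolicy(p) {
  return Object.entries(p)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Does one script pass script-src? kind is "inline", "eval" or "url".
function scriptAllowed(p, kind, url) {
  const sources = p["script-src"];
  if (kind === "inline") return sources.includes("'unsafe-inline'");
  if (kind === "eval") return sources.includes("'unsafe-eval'");
  const u = new URL(url);
  return sources.some((src) => sourceMatches(src, u));
}

// Simplified CSP3 source-expression matching for URL-loaded scripts.
function sourceMatches(src, u) {
  // Keyword sources ('none', 'self', nonces, hashes) never match a URL here.
  if (src.startsWith("'")) return false;
  // "*" matches network schemes only, never data:, blob: or filesystem:.
  if (src === "*") return ["http:", "https:", "ws:", "wss:"].includes(u.protocol);
  // scheme-source, e.g. "https:" or "data:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (!["http:", "https:"].includes(u.protocol)) {
    return false; // no scheme given: only http(s) URLs can match
  }
  const got = u.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !got.endsWith("." + want) : got !== want) return false;
  if (port && port !== "*") {
    const effectivePort = u.port || (u.protocol === "https:" ? "443" : "80");
    if (effectivePort !== port) return false;
  }
  if (path) {
    const ok = path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Stand-alone demo of the header and a few decisions.
console.log("Content-Security-Policy: " + serializePolicy(policy));
for (const [kind, url] of [
  ["url", "https://cdn.example-analytics.test/tag.js"],
  ["url", "http://cdn.example-analytics.test/tag.js"],
  ["url", "data:text/javascript,alert(1)"],
  ["inline"],
  ["eval"],
]) {
  console.log(kind, url || "", "->", scriptAllowed(policy, kind, url));
}
```

Run with `node`. The `looserPolicy` object exists to make one point concrete: once `data:` is in `script-src`, `scriptAllowed(looserPolicy, "url", "data:text/javascript,alert(1)")` returns true, and anything that can inject `<script src="data:...">` into the page is back to inline-style XSS even though `'unsafe-inline'` is absent; the CSP3 specification carries a warning to that effect on `data:`. `blob:` has the same problem wherever attacker-influenced content can be turned into a Blob URL. `https:` alone already satisfies the question's stated requirement of any third-party host without inline or eval.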