Should Content-Security-Policy header be applied to all resources?
Is it necessary to apply the Content-Security-Policy Header to all resources on your domain (images/CSS/JavaScript) or just web pages?
For example, I noticed that https://content-security-policy.com/images/csp-book-cover-sm.png has a CSP header.
Most of the directives of CSP are only relevant to web pages that are rendered in a browser, as CSP controls the allowed sources for content of such pages. You will typically only need to set it on non-redirect responses with content type as "text/html" but it could also apply to edge cases such as SVG files including script.
The frame-ancestors directive can however be relevant for all file types that can be displayed in the browser in an iframe, such as images, media, pdf, etc.
As it is often simpler or only possible to just add a response header to all responses, CSPs are often applied to all content types and codes even though they are not strictly needed. Additionally it is recommended to add a CSP with a strict frame-ancestors to REST APIs to prevent drag-and-drop style clickjacking attacks, see https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers.
- Removing inline chunk error script in React
- Content Security Policy is blocking outgoing requests
- Strict-Transport-Security max-age not updating to 31536000 in ASP.NET Core application
- Unable to find the Wildcard directive in my CSP
- Loading of a resource blocked by Content Security Policy
- Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”
- Problems CSP with Spring Boot and PrimeReact
- Set Content-Security-Policy header for @google/model-viewer
- How to set CSP frame-ancestors in NelmioCORSBundle
- Should Content-Security-Policy header be applied to all resources?
- How to use unsafe-hashes Content Security Policy with Ruby on Rails
- Remove or replace the Content-Security-Policy (CSP) frame-ancestors 'self' directive that is autogenerated by the framework in .NET 9
- Duplicate Content Security Policies for frame ancestors generated (Blazor, IIS and Chrome)
- This document requires 'TrustedScriptURL' assignment
- Content Security Policy report-uri is not being recognized
- How to Fix "String as JavaScript" Errors in FLP? (Async Module Loading)
- reCAPTCHA with Content Security Policy
- Why do I get this error from my ASP.NET Core Web API when I attempt to fetch API endpoint?
- Refused to apply inline style because it violates the following Content Security Policy
- 'Preload' is blocked by CSP default-src 'none'
- Angular: avoid inline javascript
- Way to handle inline styles added from external library respecting CSP
- How to use ngCspNonce in Angular
- Why does CSP script-src unsafe-inline induce styling issues on my Angular webapp?
- content-security-policy allows any script tag without a nonce
- Add CSP nonce in script tag
- CSP and inline styles from color picker
- google maps api script does load due to content security policy
- Unrecognized Content-Security-Policy directive 'script-src:'
- IIS set header with url rewrite for 3xx response