• Hello,

    after I spent a few days setting up Content Security Policy I ended up with a question: Is it worth it?
    I mean, if I'm using WooCommerce, WPML and other plugins that output a lot of inline JS and CSS, and I have my own inline JS and CSS… then it looks almost impossible to sort it out without any risk of problems.
    If I consider that everything should be escaped (and I'm using only the WooCommerce search, login and registration etc.)… is it worth it?

    Thank you

    • This topic was modified 8 years, 1 month ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Developing with WordPress topic
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    after I spent a few days setting up Content Security Policy I ended up with a question: Is it worth it?

    It could be worth it, but it sure is a pain in the euphemism to setup.

    *Drinks coffee*

    See https://scotthelme.co.uk/content-security-policy-an-introduction/ for more details.

    If you have a too permissive CSP then that sort of defeats the purpose. Many people have a FB icon/like button, a Twitter feed in a side bar, a YouTube video etc. on their site. Without a CSP header the browser says “OK” and loads those referenced assets and scripts. It just works.

    When you add CSP and you miss something then parts of your site stop working in your visitor’s browser. Not good. If you can get all of the references correct and your browser (try with Chrome and Firefox) does not complain about assets blocked by policy then you got it right.

    Thread Starter gore.m

    (@gorem)

    I know and I agree. I forgot to write “I got it working” – but with my demands lowered.

    If I understand it right, using ‘unsafe-inline’ with CSP is counter-productive (?)
    So… inline JS and CSS were the most painful parts… the best way – and maybe the only one – was to use ‘self’ and aggregate all inline JS and CSS with Autoptimize.

    But then I realised that I would rather not aggregate the cart and checkout pages, and that I need to run <script> jQuery function </script> before the content is loaded (so I hardcoded it in the header template)… and I'm in trouble… then I realised: isn't everything escaped already? So… do you think it is worth it in my case?

    Maybe… the main problem is that I don't exactly understand how XSS works… is it possible to inject anything without input boxes etc.?

    Thank you
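The two points raised in this thread, that 'unsafe-inline' defeats the purpose of a CSP and that a hardcoded inline jQuery snippet in the header template then gets blocked, can both be handled with a per-request nonce. The following is an added example, not code from the thread or from WordPress itself; the `example_` function names, the allowed hosts and the `/csp-report-endpoint` path are assumptions for illustration.

```php
<?php
/**
 * Added example: nonce-based CSP for a WordPress site so an inline <script>
 * in the header template can run without 'unsafe-inline'. Drop into a
 * (mu-)plugin or the theme's functions.php. Names and hosts are assumptions.
 */

// Weak policy for comparison: 'unsafe-inline' lets ANY inline script run,
// including one an attacker managed to inject, so the CSP no longer
// protects against XSS. Kept here only to contrast with the nonce policy.
const EXAMPLE_WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";

// One random nonce per request. Only inline <script>/<style> tags that
// carry this exact value are executed; all other inline code is blocked.
function example_csp_nonce() {
    static $nonce = null;
    if ( $nonce === null ) {
        $nonce = base64_encode( random_bytes( 16 ) ); // 128 bits of entropy
    }
    return $nonce;
}

function example_csp_header_value() {
    $n = example_csp_nonce();
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$n}' https://www.youtube.com; " // assumed third-party host
         . "style-src 'self' 'nonce-{$n}'; "
         . "frame-src https://www.youtube.com; "
         . "img-src 'self' data:; "
         . "report-uri /csp-report-endpoint"; // assumed reporting endpoint
}

// Start in report-only mode while auditing: violations show up in the browser
// console and at the report endpoint without breaking the site. Switch to the
// 'Content-Security-Policy' header once nothing legitimate is reported.
add_action( 'send_headers', function () {
    header( 'Content-Security-Policy-Report-Only: ' . example_csp_header_value() );
} );

// The inline jQuery snippet from the header template, now carrying the nonce.
// Hooked late in wp_head so it prints after the header-enqueued jQuery.
add_action( 'wp_head', function () {
    printf( '<script nonce="%s">jQuery(function($){ /* early init */ });</script>' . "\n",
        esc_attr( example_csp_nonce() ) );
}, PHP_INT_MAX );
```

A nonce only works if it differs on every response: full-page caching (or Autoptimize-style aggregation that inlines the tag into a cached file) would hand every visitor the same nonce and reopen the hole, so this assumes the HTML containing the nonce is not cached.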
