Guide to Content Security Policy

This guide to Content Security Policy is meant to get a webmaster familiar with this security concept. The core part of a Content Security Policy are server defined rule for a browser to follow on what are safe content sources. Browsers that follow the rules will ignore content from non-trusted sources and log warnings and errors to the browsers developer console.

Ideally the Content Security Policy is part of the server header and not part of the HTML code. This means you will need access to your Apache, IIS, NGINX configuration to implement the rule. A CSP defined in HTML is not as strong as the server header. Additionally some parts of the CSP spec are not implemented for HTML.

The rule is a single line and can get very long. Two very important rules about the CSP rule.

1. You can not have multiple CSP rules defined.
2. Multiple directives of the same directive are not allowed in the CSP rule

The Basics

The most basic Content Security Policy is one that that tells the browser to only allow the source domain as an authority.

Content-Security-Policy: default-src 'self';

A more complicated Content Security Policy that supports Google Fonts

Content-Security-Policy: default-src 'self'; font-src fonts.gstatic.com; style-src 'self' fonts.googleapis.com

The same rule but also support for Google Analytics, Google Tag Manager and Google Advertising

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://tagmanager.google.com/ https://www.googletagmanager.com/ https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://tagmanager.google.com/ https://fonts.googleapis.com/; img-src 'self' https://ssl.gstatic.com/ https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; font-src 'self' fonts.gstatic.com; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net;

As you can see this gets very complicated very quickly. It is important to note that when overriding the default-src directive that you add the value ‘self’ to new directives or your own web server will not be allowed. Directives are not additive, but replace the default-src value.

Server Header vs HTML

When using HTML you must place the code in your header as a meta tag. Browser will ignore the rule if found anywhere else. Additionally the rule will not be in effect until it is read so it should be the first tag in your header or as close to the top as possible.

<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head>

Content-Security-Policy-Report-Only header is not supported with the meta tag and the following directives do not work with a Content Security Policy based meta tag:

• frame-ancestors
• report-uri
• sandbox

Tools for Content Security Policy

Because CSP are on one line it can be tough to manipulate a complex rule. The folks at report-uri.com have a handy generator. You can import a CSP from a site and then change what you need or start with a blank slate and walk through each step.

• https://report-uri.com/home/generate

To see what level of the CSP standard your browser supports you can use this tool: https://content-security-policy.com/browser-test/.

Increasing security for Google Tag Manager and Google Analytics

Check back later