This section explains which directive takes effect when both default-src and script-src are set in a CSP (Content Security Policy) header.

What is the CSP Content Security Policy?
CSP (Content Security Policy) is a policy that specifies which types of resources (scripts, images, stylesheets, etc.) a page may load and from where. Its purpose is to prevent XSS (Cross Site Scripting: an attack in which attacker-controlled scripts are executed on a site) and, to some extent, to stop visitors' browsers from executing malicious scripts even when such code has been injected through site tampering. On an Apache server it can be implemented by writing the settings in the .htaccess file.
CSP has been implemented in many corporate sites in recent years, and some vendors require that it be properly configured for internal auditing purposes.
What happens if default-src and script-src are set at the same time?
CSP specifies the allowed sources for each resource type as a separate directive, such as default-src (the catch-all) and script-src (the sources JavaScript may be loaded from), written in .htaccess as shown below.
The following is an example of a very strict setting that allows scripts to be loaded only within the domain of your site.
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
What happens if default-src (the catch-all) and a specific directive such as script-src specify different sources?
The following setting is intended to mean: default-src (the catch-all) is 'self' (only your own domain is allowed), and script-src allows scripts to be loaded from the two domains https://cdn.example.com and https://api.example.com.
Header set Content-Security-Policy "default-src 'self'; script-src https://cdn.example.com https://api.example.com;"
A common mistake is to assume that the script-src setting is combined with default-src.
In other words, it is often mistakenly assumed that the sources script-src allows are 'self' (your own domain) plus https://cdn.example.com and https://api.example.com.
In fact, they are not combined: once script-src is present, "default-src 'self'" is overridden and ignored for scripts. This means that the only sources script-src allows are the two domains https://cdn.example.com and https://api.example.com.
If you also want to allow your own domain in script-src, you need to specify 'self' again, as shown below.
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.example.com https://api.example.com;"
default-src is replaced (not merged) by any more specific directive that is present, so it is easiest to think of it as a fallback: a single setting that applies to every resource type for which you have not written an explicit directive.
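To make the fallback rule concrete, here is a small added example (not code from the original page) that models how a browser picks the source list for a fetch directive: if the specific directive is present it is used as written, and default-src is consulted only when the directive is absent. The function names (parseCsp, effectiveSources, isAllowedSource) and the page origin https://www.example.org are this example's own assumptions; the three headers are the ones discussed above.

```javascript
// Added example: a minimal model of CSP default-src fallback.
// Not a browser API; parseCsp / effectiveSources / isAllowedSource are
// names chosen for this illustration.

// Parse "name src src; name src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' yields an empty entry
    const [name, ...sources] = tokens;
    // Directive names are case-insensitive; a repeated directive is ignored,
    // the first occurrence wins.
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Fetch directives that fall back directly to default-src when absent.
// (Directives with a different fallback chain, e.g. frame-src -> child-src,
// are deliberately left out of this toy model.)
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src',
]);

// Return which directive actually governs a resource type and its sources.
// A null source list means "no restriction" (neither directive was set).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) {
    return { from: directive, sources: policy.get(directive) };
  }
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return { from: 'default-src', sources: policy.get('default-src') };
  }
  return { from: null, sources: null };
}

// Decide whether a resource at resourceOrigin may be loaded for `directive`
// on a page served from pageOrigin. Only 'self', 'none', '*' and exact
// host-source origins are modelled; nonces, hashes, scheme-sources and
// path matching are out of scope for this illustration.
function isAllowedSource(policy, directive, pageOrigin, resourceOrigin) {
  const { sources } = effectiveSources(policy, directive);
  if (sources === null) return true;
  for (const src of sources) {
    if (src === "'none'") continue;
    if (src === '*') return true;
    if (src === "'self'" && resourceOrigin === pageOrigin) return true;
    if (!src.startsWith("'") && src.toLowerCase() === resourceOrigin.toLowerCase()) {
      return true;
    }
  }
  return false;
}

// Constructed inputs: the page's own origin (assumed) and the three headers
// from the text above.
const PAGE = 'https://www.example.org';
const strictPolicy = parseCsp("default-src 'self'; script-src 'self';");
const mismatchPolicy = parseCsp(
  "default-src 'self'; script-src https://cdn.example.com https://api.example.com;");
const fixedPolicy = parseCsp(
  "default-src 'self'; script-src 'self' https://cdn.example.com https://api.example.com;");

// Show, for each policy, whether a same-origin script and a same-origin image load.
function report(label, policy) {
  const script = effectiveSources(policy, 'script-src');
  const img = effectiveSources(policy, 'img-src');
  console.log(label);
  console.log(`  script-src governed by ${script.from}: ${script.sources.join(' ')}`);
  console.log(`  img-src    governed by ${img.from}: ${img.sources.join(' ')}`);
  console.log(`  own-domain script allowed: ${isAllowedSource(policy, 'script-src', PAGE, PAGE)}`);
  console.log(`  own-domain image  allowed: ${isAllowedSource(policy, 'img-src', PAGE, PAGE)}`);
}

report('strict', strictPolicy);
report('mismatch (common mistake)', mismatchPolicy);
report('fixed', fixedPolicy);
```

Running this shows the point of the section: under the "mismatch" header a script from your own domain is refused because script-src is governed by its own list, while an image from your own domain is still allowed because img-src has no explicit directive and falls back to default-src 'self'. The model covers only host-source and 'self' matching, so use a real browser's console for anything involving nonces, hashes or wildcards.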
We hope this helps.