Content Security Policy: Allow all external images?

I would like to allow scripts only from my local server with some exceptions, such as jQuery, etc., but be flexible for loading external images. I know that there is such a directive as

Content-Security-Policy: script-src 'self' https://apis.google.com; img-src 'self' https://www.flickr.com;

to allow images from both my web server and Flickr, but is it possible to allow images from all sources, or would this violate the whole concept of CSP and therefore be impossible? I support a blog that often requires embedding external images, so it basically comes down to deciding whether it makes sense, and whether it is possible, to add CSP to my site or not.

+4

, , .

, :

img-src * data:;

, https:, ( ):

img-src https: data:;

X-Content-Type-Options: nosniff", , Chrome/IE. , firefox , javascript, Javascript - , script-src . , apis.google.com .

+5
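
An added example, not part of the original question or answer: a simplified source-list matcher for Node.js that shows how the two img-src values above differ while script-src stays restricted. It models only `*`, `'self'`, scheme-sources and plain scheme://host sources; blog.example, images.example.net and cdn.example.net are constructed names.

```javascript
// Added example: simplified CSP source-list matching (not a full CSP3 implementation).
// Supports only '*', 'self', scheme-sources (https:, data:) and scheme://host sources.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(expr, url, self) {
  if (expr === '*') {
    // '*' covers network schemes (and the page's own scheme), never data: or blob:.
    return ['http:', 'https:', self.protocol].includes(url.protocol);
  }
  if (expr === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    const scheme = expr.toLowerCase();
    // The http: scheme-source also matches https: resources.
    return url.protocol === scheme || (scheme === 'http:' && url.protocol === 'https:');
  }
  try {
    const src = new URL(expr); // e.g. https://apis.google.com
    return url.protocol === src.protocol && url.host === src.host;
  } catch {
    return false; // keywords and forms this sketch does not model
  }
}

function allows(header, directive, resource, page) {
  const policy = parsePolicy(header);
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true; // nothing restricts this resource type
  const url = new URL(resource);
  const self = new URL(page);
  return list.some((expr) => sourceMatches(expr, url, self));
}

// Constructed sample values.
const PAGE = 'https://blog.example/post/1';
const SCRIPTS = "script-src 'self' https://apis.google.com; ";
const ANY_IMAGE = SCRIPTS + 'img-src * data:;';
const HTTPS_IMAGE = SCRIPTS + 'img-src https: data:;';
```

Calling `allows(policy, directive, resourceUrl, PAGE)` with either policy shows that widening img-src leaves script loads limited to the page's own origin and apis.google.com.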
