
Content Security Policy - Per Directory

4:57 pm on Oct 18, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Is it possible to have different CSPs per directory?

I require the whole site to be self only
One page to allow paypalobjects
One search page to allow googleapis
Two pages to allow globalsign
The forum part of the site requires youtube and * for images

The only way I can do this is to set this globally in httpd.conf


Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypalobjects.com https://seal.globalsign.com http://www.youtube.com https://www.youtube.com https://ajax.googleapis.com; img-src *"


That seems such a waste, because thousands of pages would have this CSP whereas they only need the default-src 'self'.

It would be more efficient to set a global CSP for all pages and then extra CSP for individual pages and directories.

I tried setting this as a global default in httpd.conf:


Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"


and then tried various ways to run a per-directory or per-page CSP:


<Directory /www/forum>
Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.youtube.com https://www.youtube.com; img-src *"
</Directory>


That does not work so I tried a .htaccess in the folder. That did not work either. Finally I tried setting the CSP in meta tags on the checkout page. That would not work either.

Am I doing this wrong or is it just not possible to setup cascading CSP on different folders and files?
9:11 pm on Oct 19, 2015 (gmt 0)

New User

joined:Apr 23, 2015
posts: 4
votes: 0


You can insert your own CSP header in each directory or for individual pages/folders using PHP (for example, depending on $_SERVER['REQUEST_URI'], include the appropriate header for this page or folder). Why don't you use PHP for your purpose?
What is the point in cascading CSP?
10:28 pm on Oct 19, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15932
votes: 887


<Directory /www/forum>
Header add

Does this format work in other situations? I'd be inclined to try a <FilesMatch> envelope inside the <Directory> envelope, so the headers are only attached to specified filetypes.

For future reference, what Apache version are you on? In the specific case of "Header add" it probably doesn't matter, but it never hurts to make sure.

Are you sure you want "add" rather than "append" or at least "merge"? The docs themselves (both 2.2 and 2.4) use the dreaded phrase "unforeseen consequences", which is never something you want to see.
8:31 am on Oct 20, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Satori. The point is so that the CSP is not inefficient. Surely adding a CSP adds many bytes to the returned page. If a task is to make pages smaller / lighter (I know, we're only talking a few bytes when users have fibre) then it's best to be optimised.

In my case I only ever want my whole site (300,000 pages) to have 'self'. But on just one checkout page I need to allow paypalobjects. It would therefore make sense to have self as the default for all pages and then for just that single page self, paypalobjects, because there is no point in adding paypalobjects to 299,999 pages that don't need it.

Using the PHP header would be slightly inefficient too as you are then adding a few extra cycles for each page. I'm a stickler for efficiency and I was hoping httpd.conf or a .htaccess or a meta tags would over-ride the master but it does not.

Lucy24. It's the latest 2.4 branch.

Add, append, or overwrite it does not matter. Here's the flow:

If the page is * then the server CSP allows self only
If the page is checkout then allow self, paypalobjects
If the page is searchpage then allow self, googleapis
If the page is in the /forum/ directory then allow self, youtube, and images *

It's pretty much similar to having different .css files loaded for specific pages / folders.

I can not believe that CSP is such a blunt tool. Surely there should be a mechanism to do what I require. Surely other sites require the same thing?
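An added configuration example (not from anyone in this thread) that implements the flow above with "Header set" rather than "Header add", so that each more specific section replaces the baseline header instead of sending a second one; the file names checkout.php, search.php, about.php and contact.php are assumed, as is mod_headers being loaded.

```apache
# Global baseline (server or <VirtualHost> context): every response gets self-only.
# "always" also attaches the header to error responses (4xx/5xx), which the
# default "onsuccess" condition skips.
# 'unsafe-inline' and 'unsafe-eval' from the original are deliberately left out;
# they undo most of CSP's protection against injected scripts.
Header always set Content-Security-Policy "default-src 'self'"

# Checkout page only. A more specific context runs its own "Header set" after the
# global one, so this value replaces the baseline. With "Header add" both headers
# would be sent, and a browser enforces every CSP header it receives, so a
# resource must be allowed by all of them: the combined policy can only get stricter.
<Location "/checkout.php">
    Header always set Content-Security-Policy "default-src 'self' https://www.paypalobjects.com"
</Location>

# Search page: 'self' plus the Google hosted libraries.
<Location "/search.php">
    Header always set Content-Security-Policy "default-src 'self' https://ajax.googleapis.com"
</Location>

# The two pages that embed the GlobalSign seal (assumed file names).
<LocationMatch "^/(about|contact)\.php$">
    Header always set Content-Security-Policy "default-src 'self' https://seal.globalsign.com"
</LocationMatch>

# Forum directory: YouTube embeds plus images from anywhere. Restricting the header
# to HTML-producing files keeps it off images/CSS/JS, where it does nothing anyway.
<Directory "/www/forum">
    <FilesMatch "\.(php|html)$">
        Header always set Content-Security-Policy "default-src 'self' https://www.youtube.com http://www.youtube.com; img-src *"
    </FilesMatch>
</Directory>
```

Check the result with a request for each path (for example curl -I) and confirm exactly one Content-Security-Policy header comes back per response; two headers means an "add" or "append" somewhere is still in effect.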
9:14 am on Oct 22, 2015 (gmt 0)

New User

joined:Apr 23, 2015
posts: 4
votes: 0


Frank_Rizzo. You can set up an .htaccess for each directory and folder. If a folder doesn't contain its own .htaccess, then the general .htaccess is used. If all pages use the general .htaccess and not the one from their own folder, it was closed in httpd.conf by the AllowOverride directive. By default it is open. httpd looks in every directory/folder for .htaccess files.
Put the specific CSP header in the folder's .htaccess, and you get the specific CSP for pages from this directory only. The rest of the pages the server serves get CSP headers from the general .htaccess.
8:41 pm on Oct 22, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15932
votes: 887


You can set up htaccess for each directory and folder

Yes, of course. But I can't think offhand of any directive that would work in .htaccess but not in a <Directory> section of the config file, which is where the question started.
5:08 am on Jan 27, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15180
votes: 180


A CSP checking tool was just referenced in Webmaster General [webmasterworld.com...] that might help checking these settings.

I was just bumping this thread to see whether you were able to get per directory/file CSP working. Most of the discussion I've seen about this focused on httpd.conf, but I can certainly see the benefit of making specific allowances for special CSP for only certain parts of your site.