Is it possible to have different CSPs per directory?
I require the whole site to be self only
One page to allow paypalobjects
One search page to allow googleapis
Two pages to allow globalsign
The forum part of the site requires youtube and * for images
The only way I can do this is to set this globally in httpd.conf
Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypalobjects.com https://seal.globalsign.com http://www.youtube.com https://www.youtube.com https://ajax.googleapis.com; img-src *"
That seems such a waste, because thousands of pages would have this CSP whereas they only need the default-src 'self'.
It would be more efficient to set a global CSP for all pages and then extra CSP for individual pages and directories.
I tried setting this as a global default in httpd.conf:
Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
and then tried various ways to run a per-directory or per-page CSP:
<Directory /www/forum>
    Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.youtube.com https://www.youtube.com; img-src *"
</Directory>
That does not work, so I tried a .htaccess in the folder. That did not work either. Finally I tried setting the CSP in meta tags on the checkout page. That would not work either.
Am I doing this wrong, or is it just not possible to set up cascading CSP on different folders and files?
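As an added example (not from the question or any answer), here is a small Python model of how a browser combines several Content-Security-Policy headers on one response, fed the two header values from the question: every delivered policy must allow a load on its own, so when `Header add` stacks the forum policy on top of the global `'self'`-only one, the global policy still blocks YouTube and third-party images. The matching is deliberately simplified (only `'self'`, `*` and `scheme://host` sources, which is all the question's values use), and `https://example.com` is a constructed page origin.

```python
"""Model of CSP enforcement when a response carries several policies:
the effective policy is the intersection, so a load must be allowed by
every header (the same rule applies to a <meta> CSP combined with a header).
"""
from urllib.parse import urlparse

def parse_csp(header):
    """Split 'default-src a b; img-src *' into {'default-src': ['a', 'b'], 'img-src': ['*']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def source_allowed(policy, directive, url, page_origin):
    """True if this one policy lets `directive` load `url`.
    Fetch directives without an explicit entry fall back to default-src, as in CSP."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # this policy does not restrict the directive at all
    target = urlparse(url)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if f"{target.scheme}://{target.netloc}" == page_origin:
                return True
            continue
        if src.startswith("'"):
            continue  # 'unsafe-inline', 'unsafe-eval' never match a URL
        s = urlparse(src)  # simplified: scheme://host sources only
        if s.scheme == target.scheme and s.netloc == target.netloc:
            return True
    return False

def effective_allowed(headers, directive, url, page_origin):
    """Several CSP headers on one response: the load must satisfy each of them."""
    return all(source_allowed(parse_csp(h), directive, url, page_origin) for h in headers)

# Header values as they appear in the question.
GLOBAL_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
FORUM_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' "
             "http://www.youtube.com https://www.youtube.com; img-src *")
PAGE_ORIGIN = "https://example.com"  # constructed origin for the forum page

if __name__ == "__main__":
    embed = "https://www.youtube.com/embed/video"
    # With 'Header add' the browser receives both policies: YouTube is blocked.
    print("add (two headers):", effective_allowed([GLOBAL_CSP, FORUM_CSP], "frame-src", embed, PAGE_ORIGIN))
    # With a single replaced header only the forum policy applies: allowed.
    print("set (one header): ", effective_allowed([FORUM_CSP], "frame-src", embed, PAGE_ORIGIN))
```

Stacking is why `Header add` in the `<Directory>` block appears to do nothing: the directory policy is enforced, but the global one is enforced alongside it, so only loads both allow go through.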