For every question in this document, give me a CSP header that will result in the wanted behavior or answer the question
Question 1)
I want to create a CSP header with the following properties: By default, it should only allow resources from the domain itself. In addition, scripts and images should be allowed from google.com.
Question 2)
I want to create a CSP meta tag with the following properties:
- the default source should be from anywhere
- the images should only come from HTTPS domains, any domain as long as it’s HTTPS
- The stylesheets should only come from https://www.google.com
Question 3)
I want to create a CSP header with the following properties:
- the default source should be from anywhere
- the stylesheets should only come from https://www.google.com or https://www.yahoo.com
- I need inline scripts to be allowed (unsafe inline) because we are migrating our servers
Question 4)
CSP is a server-side protocol that usually does not involve the client.
Is this correct?
Question 5)
Fill in the blanks:
CSP is enforced by ______ and while it is not made to protect against ____ attacks it can help prevent them or _____ their impact. CSP is an acronym for ______ and it is returned in the form of a _____ or in the form of a _____.