Allow All Content Security Policy?

javascript web http-headers xss content-security-policy
joshlf picture joshlf · Mar 14, 2016 · Viewed 36.1k times · Source

Is it possible to configure the Content-Security-Policy to not block anything at all? I'm running a computer security class, and our web hacking project is running into issues on newer versions of Chrome because without any CSP headers, it's automatically blocking certain XSS attacks.

Answer

Rainb picture Rainb · Jun 27, 2018

For people who still want an even more permissive posts, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough:

default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
connect-src * data: blob: 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
frame-src * data: blob: ; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';

Related questions

Cannot open local file - Chrome: Not allowed to load local resource

Test browser: Version of Chrome: 52.0.2743.116 It is a simple javascript that is to open an image file from local like 'C:\002.jpg' function run(){ var URL = "file:///C:\002.jpg"; window.open(URL, null); } run(); Here is my sample code. https://…

Read More
Cannot read property 'push' of undefined when combining arrays

When pushing an array's contents to another array I get "Uncaught TypeError: Cannot read property 'push' of undefined" error in this snippet. var order = new Object(), stack = []; for(var i=0;i<a.length;i++){ if(parseInt(a[i].daysleft) == 0){ …

Read More
How can I make the browser wait to display the page until it's fully loaded?

I hate how you can actually see webpages load. I think it'd be much more appealing to wait until the page is fully loaded and ready to be displayed, including all scripts and images, and then have the browser display …

Read More