Content security policy headers and header size

Time:10-14

Have any recommendations for a large content-security-policy HTTP header? Some applications cannot handle reading a large content-security-policy header, due to limitations on header packet size. Yet listing the domains required for a site specifically takes bytes for each domain. Have you observed this limitation of the spec, and how did you work around it?

CodePudding user response:

In practice, there are two types of restrictions on the size of the HTTP header, server side and client side:

  • The maximum size of all HTTP response headers for the Apache web server; by default it is 8190 bytes.
    If the total size of all HTTP headers (the CSP header, the status line "HTTP/1.1 200 OK", Content-type: "text/html; charset=utf-8" and all the others) exceeds the allowed limit, the web server returns error 502.

  • A limit on the size of the receive buffer on some mobile devices. It can be detected from violation reports, in which the original-policy field is truncated. Last observed about 6 years ago.

To fix the problem:

  • use * to whitelist a set of subdomains (*.google.com).
  • use img-src * to allow images from any host, since XSS through images is unlikely.
  • use the 'strict-dynamic' token in the script-src directive and remove all host-based sources from it, except http: https:. See strict CSP by Google for details.
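The three shrinking steps above, applied mechanically to a policy string and measured against the 8190-byte figure, as an added example that is not part of the answer. Assumptions: the "parent domain" used for wildcarding is simply the last two DNS labels (no public-suffix list), the 8190 bytes are treated as the budget for the whole serialized header block, and script-src is expected to already carry a nonce or hash, which 'strict-dynamic' requires.

```python
# Added example (not from the CodePudding answer): shrink a long CSP the way
# the answer suggests and check the header block against Apache's default.
from collections import defaultdict

APACHE_LIMIT = 8190  # answer's figure; assumed here to bound the whole header block

def parse_csp(policy):
    """Split 'a b; c d' into an ordered dict: directive -> list of sources."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def serialize_csp(directives):
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in directives.items())

def collapse_subdomains(sources, min_group=2):
    """Replace host sources sharing a parent with '*.parent' (heuristic: last two labels)."""
    groups, keep = defaultdict(list), []
    for src in sources:
        host = src.split("://")[-1].split("/")[0].split(":")[0]
        if src.startswith("'") or src.endswith(":") or "*" in src or host.count(".") < 2:
            keep.append(src)  # keywords, schemes, existing wildcards, apex domains
        else:
            groups[".".join(host.split(".")[-2:])].append(src)
    for parent, hosts in groups.items():
        keep.extend(hosts if len(hosts) < min_group else [f"*.{parent}"])
    return keep

def strict_dynamic_script_src(sources):
    """Keep nonces/hashes, drop host sources, add 'strict-dynamic' plus the http: https: fallback."""
    kept = [s for s in sources if s.startswith("'nonce-") or s.startswith("'sha")]
    return kept + ["'strict-dynamic'", "https:", "http:"]

def compact_csp(policy):
    d = parse_csp(policy)
    for name, srcs in d.items():
        if name == "script-src":
            d[name] = strict_dynamic_script_src(srcs)
        elif name == "img-src":
            d[name] = ["*"]  # the answer's advice: images from any host
        else:
            d[name] = collapse_subdomains(srcs)
    return serialize_csp(d)

def header_bytes(headers):
    """Wire size of a list of (name, value) headers: 'name: value\\r\\n' each plus the final CRLF."""
    return sum(len(f"{k}: {v}\r\n".encode()) for k, v in headers) + 2

def fits_apache(headers):
    return header_bytes(headers) <= APACHE_LIMIT
```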