Have any recommendations for a large content-security-policy http header? Some applications cannot handle reading from a large content-security header, due to limitations on header packet size. Yet to list the domains required for a site, specifically, that takes bytes for each domain. Have you observed this limitation of the spec and how did you work around it?
CodePudding user response:
In practice, there were 2 types of restrictions on the size of the HTTP header: server side and client side.

- Server side: the maximum size of all HTTP response headers for the Apache web server; by default it is 8190 bytes. If the total size of all HTTP headers (CSP + "HTTP/1.1 200 OK" + `Content-type: "text/html; charset=utf-8"` + all others) exceeds the allowed limit, the web server returns error 502.
- Client side: limiting the size of the receiving buffer on some mobile devices. It can be detected by violation reports: the `original-policy` field is truncated in them. Last observed about 6 years ago.

To fix the problem:

- use `*` to whitelist a set of subdomains (`*.google.com`).
- use `img-src *` to allow images from any source, since XSS through images is unlikely.
- use the `'strict-dynamic'` token in the `script-src` directive and remove all host-based sources from it, except `http: https:`. See strict CSP by Google for details.
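As an added example (not part of the original question or answer), the Python below builds the verbose host-allowlist form and the `'strict-dynamic'` form of a policy, measures the resulting header against the 8190-byte Apache default the answer cites, and flags a violation report whose `original-policy` is a truncated prefix of the policy that was sent. The hostnames, the nonce value and the report are constructed placeholders.

```python
# Added example: CSP header sizing and truncated-report detection.
# Not code from the original thread.
import json

# Assumed budget: the 8190-byte Apache default cited in the answer.
HEADER_BUDGET = 8190


def build_csp(directives):
    """Serialize {directive: [sources]} into a Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def header_bytes(policy):
    """Bytes on the wire for the whole header line, name and CRLF included."""
    return len(f"Content-Security-Policy: {policy}\r\n".encode("ascii"))


def fits_budget(policy, budget=HEADER_BUDGET):
    return header_bytes(policy) <= budget


# Constructed verbose policy: one explicit host per vendor (placeholder names).
verbose = {
    "default-src": ["'self'"],
    "script-src": ["'self'"] + [f"cdn{i}.example-vendor.test" for i in range(300)],
    "img-src": ["'self'"] + [f"img{i}.example-vendor.test" for i in range(100)],
}

# Same policy rewritten as the answer suggests: nonce + 'strict-dynamic' for
# scripts with host sources dropped except http: https:, and img-src *.
strict = {
    "default-src": ["'self'"],
    "script-src": ["'nonce-PLACEHOLDER_PER_RESPONSE'", "'strict-dynamic'", "https:", "http:"],
    "img-src": ["*"],
}


def truncated_original_policy(report_json, sent_policy):
    """True when the report's original-policy is a proper prefix of the policy
    actually sent, which is how a client-side receive-buffer limit shows up."""
    got = json.loads(report_json)["csp-report"].get("original-policy", "")
    return got != sent_policy and sent_policy.startswith(got)


if __name__ == "__main__":
    for label, d in (("verbose", verbose), ("strict", strict)):
        p = build_csp(d)
        print(f"{label}: {header_bytes(p)} bytes, fits={fits_budget(p)}")
```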