I had not heard of this until a couple of days ago. I was trying to run something from the Firebug console on GitHub and it gave me an error of this kind.
Error: call to eval() blocked by CSP
Nothing ran. And even more confusingly, similar errors were thrown on page load.
CSP (Content Security Policy) looks like a great advance in reducing the number of XSS (Cross-Site Scripting) attacks. By adding a header to the response, the server sends a whitelist of sources from which scripts are allowed to load; scripts from anywhere else are blocked with errors like the one seen above. Naice
For Chrome, the header is X-WebKit-CSP and the value looks like:
"default-src 'self'; img-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /Home/Report"

For Firefox, the header is X-Content-Security-Policy and the value looks like:
"default-src 'self'; img-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /Home/Report"
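To see why that policy blocks eval() in the console but still allows inline styles, here is an added example (not code from the post) that parses the policy value above and answers those questions; the host-source matching is simplified and the URLs and origins are made-up test inputs.

```javascript
// Added example, not from the original post: parse a policy value like the one
// above and answer what the post ran into: is eval() allowed, is an inline style
// allowed, may a resource be fetched from a given URL? Host matching is
// simplified (scheme, host, *.host; ports and paths are ignored).
const POLICY = "default-src 'self'; img-src *; script-src 'self'; " +
  "style-src 'self' 'unsafe-inline'; report-uri /Home/Report";

// "name src src; name src" -> Map(name -> [sources]); a repeated directive is ignored.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A fetch directive that is not listed falls back to default-src, so font-src,
// connect-src, etc. inherit 'self' from the policy above.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get('default-src') || [];
}

// eval() and new Function() need 'unsafe-eval' in script-src; its absence is
// what produced "call to eval() blocked by CSP" in the console.
function allowsEval(directives) {
  return effectiveSources(directives, 'script-src').includes("'unsafe-eval'");
}

// Inline <script> or <style> needs 'unsafe-inline' in the matching directive.
function allowsInline(directives, name) {
  return effectiveSources(directives, name).includes("'unsafe-inline'");
}

// One host-source expression ("*", "'self'", "https:", "cdn.example.com",
// "*.example.com", "https://cdn.example.com") against a parsed URL.
function sourceMatches(src, url, pageOrigin) {
  if (src === '*') return true;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false; // other keywords never match a host
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i);
  if (!m || (m[1] && url.protocol !== m[1].toLowerCase() + ':')) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}
function allowsUrl(directives, name, urlString, pageOrigin) {
  const url = new URL(urlString);
  return effectiveSources(directives, name).some(s => sourceMatches(s, url, pageOrigin));
}
```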