问题
I'm trying to override the Content Security Policy using a specific meta tag for some pages.
I've been trying for a couple of hours, but I've not succeed yet.
Is there a way to override CSP from the page itself (using JavaScript or meta tags) without having to modify the server configuration?
Thank you.
回答1:
No.
For security reasons the meta tag can only make the policy more strict, not to relax the policy defined in the headers.
If the meta tag could relax the policy, CSP would have no teeth. Any malicious party could just add a meta tag to disable the policy and avoid all of the restrictions that should be in place.
回答2:
You can tighten CSP, but not loosen it. You might reconfigure your site to tighten/loosen CSP within the code that generates the page. For example, in PHP you can create a header, but later overwrite the header -- so long as you do so before anything is actually output to the browser.
This is what I do on a site I manage -- every page has a default CSP header that is fairly strict, but on a particular page I might loosen it up to allow something specific to that one page. But you have to do that in generating the page itself; you can't with Meta tags or JavaScript after the initial CSP header is sent.
来源:https://stackoverflow.com/questions/34131814/how-to-relax-content-security-policy-with-meta-tag