CSP in <meta> is not analyzed when sent together with CSP in header #489

rw-AntoniRoszak · 2022-11-14T13:25:06Z

Steps:

Scan page: https://shop.rockwool.com

Observation:

Page scores 120 with most CSP directives listed as "none".

Expectation:

Page should score 110, as there are more directives in tag. They are analyzed by code, but discarded.

Problem appeared in commit a422b3a - when I check out master before this commit, the combined policy is analyzed properly.

CSP header data:
upgrade-insecure-requests; frame-ancestors 'self'

@april

The text was updated successfully, but these errors were encountered:

mirunacurtean · 2024-06-11T09:51:01Z

This appears to be fixed in 2023.

rw-AntoniRoszak · 2024-06-11T13:19:08Z

Yes, but this is because in this case, CSP was moved to HTTP header. So the problem is no longer visible on the listed page.
Unfortunately I don't know any other page that could be used for problem reproduction.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP in <meta> is not analyzed when sent together with CSP in header #489

CSP in <meta> is not analyzed when sent together with CSP in header #489

rw-AntoniRoszak commented Nov 14, 2022 •

edited

Loading

mirunacurtean commented Jun 11, 2024

rw-AntoniRoszak commented Jun 11, 2024

CSP in <meta> is not analyzed when sent together with CSP in header #489

CSP in <meta> is not analyzed when sent together with CSP in header #489

Comments

rw-AntoniRoszak commented Nov 14, 2022 • edited Loading

mirunacurtean commented Jun 11, 2024

rw-AntoniRoszak commented Jun 11, 2024

rw-AntoniRoszak commented Nov 14, 2022 •

edited

Loading