CSP - What happens if I define multiple policies?

Sunday, November 17, 2024
3 min read
Theotime Quere
Content Security Policy can be implemented in multiple ways and even multiple times in the same page. While this offers flexibility, it requires careful consideration to avoid security gaps and maintenance issues.

Multiple policies defined in the same page

While it's possible to define your CSP across multiple headers, it's recommended to consolidate your policy into a single header. This approach offers better maintainability and makes it easier to predict the final policy behavior.

Single Header Approach (Recommended)

Example of a consolidated CSP in a single header

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com; style-src 'self' 'unsafe-inline';

Multiple Headers Approach

Example of CSP split across multiple headers

Content-Security-Policy: default-src 'self';
Content-Security-Policy: script-src 'self' https://trusted.com;
Content-Security-Policy: style-src 'self' 'unsafe-inline';

Policy Combination

When multiple policies are present, the browser enforces each of them independently: a resource must be allowed by every policy, so the effective policy is the most restrictive combination of all of them.

Policy Intersection Example

Since each Content Security Policy operates independently, when multiple policies are defined, the browser enforces each one separately. The resulting effective policy becomes the most restrictive combination of all defined policies. Let's see this in action:

First CSP header

Content-Security-Policy: script-src 'self' https://trusted.com https://analytics.com;

Second CSP header

Content-Security-Policy: script-src 'self' https://trusted.com;

Result

The final policy will only allow scripts from 'self' and https://trusted.com. The https://analytics.com source will be blocked because it's not present in all script-src directives.

Figure: CSP Multiple Policies behavior authorized

In this example, every defined policy is checked against website.com, and the script is allowed to execute because every enforced (blocking) policy authorizes it.

Report

Because the report-only policy does not allow website.com, it is reported as a violation to the report-uri defined in the report-only policy.

Figure: CSP Multiple Policies behavior blocked

In this example, one of the enforced policies blocks website.com, so it is blocked.

Report

Because one of the enforced policies blocks website.com, it is reported as a violation to the report-uri defined in enforced policy 1.

Report-Only and Enforced Policies Together

You can use both Content-Security-Policy and Content-Security-Policy-Report-Only headers simultaneously. This allows you to enforce one policy while testing another one in report-only mode.

Enforced CSP header

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;

Report-only CSP header (stricter policy being tested)

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self';

Behavior

In this example, scripts from trusted.com will be allowed to execute (due to the enforced policy) but will generate violation reports (due to the stricter report-only policy).
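The two behaviours described above (the intersection of several enforced headers in the Policy Intersection Example, and the enforced-plus-report-only combination just shown) can be reproduced with a small evaluator that applies every policy on a response independently. The following Python is an added example, not code from the original post: it implements a deliberately simplified subset of CSP source matching ('self', 'none', '*', scheme sources such as https:, and host sources with an optional scheme and a leading wildcard label) together with the fallback from a fetch directive to default-src, and it ignores nonces, hashes, 'unsafe-inline', ports, paths and the http-to-https equivalence. The document origin https://example.org and the script URLs are constructed for the demonstration.

```python
from urllib.parse import urlparse

# HTTP header field names are case-insensitive; compared with .lower() below.
ENFORCE = "Content-Security-Policy"
REPORT_ONLY = "Content-Security-Policy-Report-Only"


def parse_policy(value):
    """Parse one serialized CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive; the source lists are kept as written.
    """
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def host_matches(pattern, host):
    """Host-source match with an optional leading wildcard label ("*.example.com")."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "a.example.com"
    return pattern == host


def source_matches(expr, url, document_origin):
    """Simplified source-expression match (assumption: no nonces, hashes, ports or paths)."""
    u = urlparse(url)
    origin = f"{u.scheme}://{u.netloc}".lower()
    keyword = expr.lower()
    if keyword == "'self'":
        return origin == document_origin.lower()
    if keyword == "'none'":
        return False
    if keyword == "*":
        return True  # simplification: the real '*' excludes data:, blob: and filesystem:
    if keyword.endswith(":") and "://" not in keyword:
        return f"{u.scheme}:".lower() == keyword  # scheme-source such as "https:"
    if "://" in keyword:
        scheme, host = keyword.split("://", 1)
        return u.scheme.lower() == scheme and host_matches(host.rstrip("/"), u.netloc)
    return host_matches(keyword, u.netloc)  # bare host such as "trusted.com"


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def policy_allows(policy, directive, url, document_origin):
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, document_origin) for s in sources)


def evaluate(headers, directive, url, document_origin):
    """Apply every policy on a response independently, as browsers do.

    headers: list of (header_name, header_value) in the order received.
    Returns (blocked, violations): blocked is True if any enforced policy
    rejects the URL; violations lists every policy, enforced or report-only,
    that would send a report for it.
    """
    blocked = False
    violations = []
    for index, (name, value) in enumerate(headers, start=1):
        if policy_allows(parse_policy(value), directive, url, document_origin):
            continue
        violations.append(f"{name} #{index}")
        if name.lower() == ENFORCE.lower():
            blocked = True
    return blocked, violations


# Constructed document origin for the demonstration.
DOC = "https://example.org"

# The two enforced headers from the Policy Intersection Example.
INTERSECTION = [
    (ENFORCE, "script-src 'self' https://trusted.com https://analytics.com;"),
    (ENFORCE, "script-src 'self' https://trusted.com;"),
]

# The enforced + report-only pair from the section above.
MIXED = [
    (ENFORCE, "default-src 'self'; script-src 'self' https://trusted.com;"),
    (REPORT_ONLY, "default-src 'self'; script-src 'self';"),
]


if __name__ == "__main__":
    for label, headers, directive, url in [
        ("intersection / analytics.com", INTERSECTION, "script-src", "https://analytics.com/a.js"),
        ("intersection / trusted.com", INTERSECTION, "script-src", "https://trusted.com/t.js"),
        ("mixed / trusted.com", MIXED, "script-src", "https://trusted.com/t.js"),
        ("mixed / img-src fallback", MIXED, "img-src", "https://cdn.example.net/x.png"),
    ]:
        blocked, violations = evaluate(headers, directive, url, DOC)
        print(f"{label}: {'BLOCKED' if blocked else 'allowed'}; reports from {violations or 'none'}")
```

Running it shows the three outcomes the post describes: analytics.com is blocked by the second enforced header even though the first allows it; trusted.com loads under the mixed pair but is reported by the report-only policy; and an image from a third-party host is rejected by both policies through the default-src fallback, since neither sets img-src.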

Conclusion

While it's possible to implement multiple CSP policies, consolidating them into a single, well-structured policy is the recommended approach. This simplifies maintenance, reduces the risk of conflicts, and makes it easier to understand and update your security policies. Always use CSP reporting to monitor policy effectiveness and identify potential issues.