If a browser requests a resource from a URI, and the CSP header from the first response indicates only to load resources from 'self', i.e.:
Content-Security-Policy: default-src 'self'
But subsequent requests for resources to the same origin return a more lenient CSP in their header, i.e.:
Content-Security-Policy: default-src 'self' *.trusted.com
Does the browser apply the most permissive policy indicated?
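Added example, not part of the original post: a small Python model of CSP scope for the scenario above. The policies that govern a document's fetches are those delivered with the document's own response, and every one of them must allow a fetch; a CSP header carried by a subresource response (a script, image or stylesheet) does not change the embedding document's policy. Source matching is simplified (host and scheme only, no paths, nonces or hashes), and the origins and URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [source exprs]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    # '*.trusted.com' matches 'cdn.trusted.com' but not 'trusted.com' itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(expr: str, url: str, document_origin: str) -> bool:
    """Does one source expression permit fetching url from a page at document_origin?"""
    target, origin = urlsplit(url), urlsplit(document_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port)
    if "://" in expr:                       # host-source with explicit scheme
        scheme, host_part = expr.split("://", 1)
        if target.scheme != scheme.lower():
            return False
    else:                                   # scheme-less host-source inherits the page scheme (https always OK)
        host_part = expr
        if target.scheme not in (origin.scheme, "https"):
            return False
    host, _, port = host_part.split("/", 1)[0].partition(":")
    if port and port != "*" and str(target.port or "") != port:
        return False
    return _host_matches(host.lower(), (target.hostname or "").lower())


def fetch_allowed(document_policies, url, document_origin, directive="script-src"):
    """Every policy delivered with the *document* response must allow the fetch.
    CSP headers on the subresource responses themselves are deliberately not an input:
    they do not alter the policy of the document that requested them."""
    for header in document_policies:
        policy = parse_csp(header)
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue                        # policy has no applicable directive: no restriction
        if not any(source_allows(s, url, document_origin) for s in sources):
            return False
    return True
```

With the document served under `default-src 'self'`, a later script response declaring `default-src 'self' *.trusted.com` still leaves a fetch from `cdn.trusted.com` blocked; the lenient header would only matter on a response that itself creates a document or worker.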