Posted: 13 Jan 2020 9:25 EST Last activity: 16 Jan 2020 13:42 EST
Content Security Policy
We have implemented a custom CSP rule for our application. In the CSP rule there is no option to implement prefetch-src as 'self'. Where should this be implemented?
I have tried to implement it in the response header, and it gives me the warning below:
The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled.
Also, CSP headers are not part of the response on the login screen. If CSP is added in the response header, will it be overridden by the CSP rule defined at the application level once logged in? How can this be configured?
The error below can be seen when the browser doesn't recognize or support the directive by default. Explore chrome://flags in your browser to find the flags the prefetch-src directive depends on, and enable them to check whether the error is still observed. Resolving certain flags is up to the client's browser.
"The Content-Security-Policy directive 'prefetch-src' is implemented behind a flag which is currently disabled"
For the second part of your question, in order to make sure these headers are set: the CSP header can potentially get skipped if direct streaming is enabled.
In order to get the CSP header on all requests, you can disable direct streaming (via the setting below). Performance may degrade slightly because of this.
I am unsure why client-side browsers complain that they couldn't apply the prefetch-src directive. If you are using Chrome, a few other people have complained about prefetch-src not being applied, and it may be a bug.
In general, if the prefetch-src or manifest-src directive is absent, the user agent (browser) looks for the default-src directive.
I think we don't have to look for other places where you can set these CSP headers; they are already set properly through DSS, and because the browser couldn't resolve them, we see an error.
You can also try setting the required CSP directives as HTTP response headers at the load balancer or web server level (if you have one). That might help set them, but resolving them is up to the browser.
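The fallback behaviour mentioned above (an absent prefetch-src or manifest-src being governed by default-src) is easy to get wrong when reviewing a policy by eye. The following is an added example, not code from this thread or from any product discussed in it: a small Python parser that reads a Content-Security-Policy header value and resolves which directive actually governs a given fetch, using the fallback chain from the CSP Level 3 working draft (which listed prefetch-src with a default-src fallback). It also generalizes to the other fetch directives (worker-src, script-src-elem, and so on). The policy strings, origins and `allows` matching rules are constructed for illustration; the matcher compares origins as plain strings and does not implement wildcard hosts, paths, nonces or hashes.

```python
"""Resolve which CSP source list governs a fetch directive (added example).

Parses a Content-Security-Policy header value and applies the CSP Level 3
fallback chain, so you can see why a missing prefetch-src or manifest-src is
governed by default-src. Policies and origins below are constructed samples.
"""
from typing import Dict, List, Optional, Tuple

# Fallback chain per the CSP Level 3 draft: when a directive is absent, the
# user agent consults each listed directive in order. Directives not in this
# table (base-uri, form-action, frame-ancestors, sandbox, report-uri, ...)
# never fall back to default-src.
FALLBACK_CHAIN: Dict[str, List[str]] = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "prefetch-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive; a duplicated directive is ignored
    (the first occurrence wins), matching how user agents parse a policy.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def governing_directive(policy: Dict[str, List[str]],
                        directive: str) -> Optional[Tuple[str, List[str]]]:
    """Return (name, sources) of the directive that governs `directive`.

    Returns None when neither the directive nor any fallback is present,
    which means the fetch is unrestricted by this policy.
    """
    for name in [directive] + FALLBACK_CHAIN.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None


def allows(policy: Dict[str, List[str]], directive: str,
           origin: str, page_origin: str) -> bool:
    """Simplified source matching: 'none', '*', 'self' and exact origins only."""
    resolved = governing_directive(policy, directive)
    if resolved is None:
        return True  # no governing directive: not restricted
    _, sources = resolved
    for src in sources:
        keyword = src.lower() if src.startswith("'") else src
        if keyword == "'none'":
            return False
        if keyword == "*" or keyword == origin:
            return True
        if keyword == "'self'" and origin == page_origin:
            return True
    return False


# Constructed policy A: no prefetch-src, so prefetch is governed by default-src.
POLICY_A = "default-src 'self'; script-src 'self' https://cdn.example; img-src *"
# Constructed policy B: an explicit prefetch-src is stricter than default-src.
POLICY_B = "default-src 'self' https://cdn.example; prefetch-src 'none'"


def demo() -> Dict[str, object]:
    """Resolve a few fetches against the two constructed policies."""
    page = "https://app.example"
    a, b = parse_csp(POLICY_A), parse_csp(POLICY_B)
    return {
        "a_prefetch_governed_by": governing_directive(a, "prefetch-src")[0],
        "a_prefetch_self": allows(a, "prefetch-src", page, page),
        "a_prefetch_cdn": allows(a, "prefetch-src", "https://cdn.example", page),
        "a_worker_governed_by": governing_directive(a, "worker-src")[0],
        "a_form_action": governing_directive(a, "form-action"),
        "b_prefetch_self": allows(b, "prefetch-src", page, page),
        "b_img_cdn": allows(b, "img-src", "https://cdn.example", page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it to see that in policy A a same-origin prefetch is allowed and a CDN prefetch is blocked purely through default-src, while worker-src resolves to script-src (skipping the absent child-src) and form-action is left unrestricted because it has no fallback. A browser that does not recognize prefetch-src simply ignores that directive, so the same table tells you what then applies.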