Ref metaTagMessage "The page contains a CSP defined in a tag. Consider defining the CSP in an HTTP header if you can."

This shouldn't be an error if there is also a CSP HTTP header, because you can define multiple Content Security Policies, and each one will be enforced.

For example, I will often define a strict CSP in an HTTP header; then in the HTML `<head>`, I will define any `<script>` tags I need, then add a `<meta>` CSP (a second policy), which ensures no other JavaScript is defined (e.g. an evil attacker finding a way to include a JavaScript file that's on the allow-list, but should not be run on this page).

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'none'" /> <!-- No scripts after this -->
```

I've not tried this, but I assume /core/audits/csp-xss.js:143 could be changed with:
Suggested change looks good to me. Would you like to send a PR? It's fine if not, we can take it from here!
As an alternative... @adamraine should we try running the CSP evaluator twice, once on the header CSPs and again on all the CSPs, and warn only if there's a gap?
@craigfrancis your suggestion seems reasonable for the use case you describe. There are still possible vulnerabilities if the header CSP is not strict. I think @connorjclark's suggestion would be reasonable to resolve this issue.
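As an added example that is not code from the issue and not Lighthouse's csp-xss audit, the JavaScript below models the two points made in this thread: every delivered policy (HTTP header and `<meta>` alike) is enforced, so a load must be allowed by all of them; and the "evaluate twice" idea, where the header policies are checked on their own and then together with the `<meta>` policies, warning only when the `<meta>` policy is closing a gap the header leaves open. Assumptions: the page origin `https://app.example`, the host names and the probe URLs are constructed; the probe list stands in for the real CSP evaluator's findings; only `'self'`, `'none'`, `*`, scheme-sources and host-sources are modelled, and nonces, hashes and `'unsafe-*'` keywords never match a URL here.

```javascript
// Added example (not Lighthouse's csp-xss audit, not code from the issue):
// a minimal model of how a browser enforces several Content Security
// Policies at once, plus the "evaluate header-only, then evaluate all,
// warn only on a gap" heuristic proposed in the thread.
// Assumptions: only 'self', 'none', '*', scheme-sources and host-sources
// are modelled; nonces, hashes and other quoted keywords never match a URL
// here; PAGE_ORIGIN and every host name below are constructed.

const PAGE_ORIGIN = "https://app.example";
const PAGE_PROTOCOL = new URL(PAGE_ORIGIN).protocol;

// Parse one serialized policy into Map<directive, [source expressions]>.
// A directive repeated inside one policy is ignored after its first use,
// which is what browsers do.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Does one source expression match the candidate URL?
function sourceMatches(expr, url) {
  if (expr === "'self'") return url.origin === PAGE_ORIGIN;
  if (expr.startsWith("'")) return false; // 'none', nonces, hashes, 'unsafe-*': never a URL match
  if (expr === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return url.protocol === expr; // scheme-source
  // host-source: [scheme://][*.]host[:port][/path]
  let scheme = null;
  let rest = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/.exec(expr);
  if (m) { scheme = m[1] + ":"; rest = m[2]; }
  const wildcard = rest.startsWith("*.");
  if (wildcard) rest = rest.slice(2);
  let pattern;
  try { pattern = new URL(`${scheme ?? PAGE_PROTOCOL}//${rest}`); } catch { return false; }
  // Without an explicit scheme the page's scheme applies (http pages may also load https).
  if (scheme ? url.protocol !== scheme
             : url.protocol !== PAGE_PROTOCOL && url.protocol !== "https:") return false;
  const hostOk = wildcard
    ? url.hostname.endsWith("." + pattern.hostname)
    : url.hostname === pattern.hostname;
  if (!hostOk) return false;
  if (pattern.port !== "" && pattern.port !== url.port) return false;
  if (pattern.pathname !== "/") {
    return pattern.pathname.endsWith("/")
      ? url.pathname.startsWith(pattern.pathname)
      : url.pathname === pattern.pathname;
  }
  return true;
}

// The source list that governs `directive`: the directive itself, else
// default-src (the fetch-directive fallback). With neither present the
// policy places no restriction on it.
function policyAllows(policy, directive, url) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true;
  if (sources.length === 0) return false; // an empty list means 'none'
  return sources.some((expr) => sourceMatches(expr, url));
}

// All delivered policies are enforced: header policies and <meta> policies
// alike must each allow the load.
function allowedByAll(policies, directive, url) {
  return policies.every((p) => policyAllows(p, directive, url));
}

// Stand-in for the CSP evaluator's findings (constructed): script sources
// an attacker could plausibly control.
const ATTACKER_PROBES = [
  "https://attacker.example/x.js",
  "http://attacker.example/x.js",
  "data:text/javascript,alert(1)",
];

// The "evaluate twice" heuristic: probes that the header policies alone
// permit but that header+meta together block. A non-empty result means the
// page's protection depends on the <meta> policy, which is the case worth
// warning about; an empty result means the header already does the work
// and the <meta> policy is only an extra restriction on top of it.
function metaClosesGap(headerPolicies, metaPolicies, probes = ATTACKER_PROBES) {
  const all = headerPolicies.concat(metaPolicies);
  return probes.filter((p) => {
    const url = new URL(p);
    return allowedByAll(headerPolicies, "script-src", url)
      && !allowedByAll(all, "script-src", url);
  });
}

// Demo: the setup from the issue (strict header, 'none' in <meta>) versus a
// weak header shored up by a <meta> policy.
const headerStrict = parsePolicy(
  "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'; base-uri 'none'");
const metaNone = parsePolicy("script-src 'none'");
const headerWeak = parsePolicy("script-src * 'unsafe-inline'");
const metaSelf = parsePolicy("script-src 'self'");

console.log(allowedByAll([headerStrict, metaNone], "script-src", new URL("https://cdn.example/app.js"))); // false
console.log(metaClosesGap([headerStrict], [metaNone])); // []
console.log(metaClosesGap([headerWeak], [metaSelf]));   // both attacker.example URLs
```

In the issue author's setup the strict header already blocks every probe, so `metaClosesGap` is empty and the audit would stay quiet; with the weak `script-src *` header the `<meta>` policy is the only thing stopping `attacker.example`, which is exactly the situation the existing warning is meant to flag.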