Do more specific values in Content Security Policy completely replace general ones?

Your second variant is correct:

Content-Security-Policy:
   default-src 'self' *.facebook.com;
   script-src 'self' *.facebook.com *.googleapis.com;

When you specify the script-src directive in the policy, browsers do not use any sources from default-src for scripts at all (there is no fallback to default-src). Only the sources listed in script-src will be used.

So if your app loads scripts from 'self' and *.facebook.com, you have to list these in script-src as well, regardless of what default-src contains.
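The fallback rule described in the answer, worked through in code. This is an added example, not code from the question or the answer: a small model of how a browser resolves a CSP fetch directive (script-src, img-src, ...) against a policy. The policies, the page origin https://example.com and the URLs are constructed for illustration; NARROW_POLICY is a hypothetical policy whose script-src lists only *.googleapis.com, so it shows what breaks when 'self' and *.facebook.com are left out. Only 'self', 'none' and host-sources are modelled; nonces, hashes and other keyword sources are out of scope here.

```javascript
// Added example: minimal model of CSP fetch-directive resolution.
// Not the browser's implementation; constructed to show that a present
// script-src is authoritative and default-src is never consulted for it.

function parsePolicy(header) {
  // "default-src 'self' a; script-src b" -> Map { "default-src" => ["'self'", "a"], "script-src" => ["b"] }
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // a repeated directive is ignored
  }
  return policy;
}

function effectiveSources(policy, directive) {
  // A fetch directive falls back to default-src only when it is absent entirely.
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // neither present: the policy does not restrict this directive
}

function hostMatches(pattern, host) {
  // "*.facebook.com" matches "www.facebook.com" but not the bare "facebook.com"
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keyword sources not modelled
  // host-source: optional scheme, host (maybe wildcard); port and path ignored here
  let scheme = null;
  let rest = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) { scheme = m[1].toLowerCase(); rest = m[2]; }
  const host = rest.split(/[:/]/)[0].toLowerCase();
  const urlScheme = url.protocol.slice(0, -1);
  // a schemeless host-source inherits the page's scheme (http may upgrade to https)
  const wanted = scheme || new URL(pageOrigin).protocol.slice(0, -1);
  if (urlScheme !== wanted && !(wanted === 'http' && urlScheme === 'https')) return false;
  return hostMatches(host, url.hostname.toLowerCase());
}

function allows(header, directive, urlString, pageOrigin) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

// Constructed inputs for the demonstration.
const PAGE = 'https://example.com';
const ANSWER_POLICY =
  "default-src 'self' *.facebook.com; script-src 'self' *.facebook.com *.googleapis.com";
const NARROW_POLICY = // hypothetical: script-src omits 'self' and *.facebook.com
  "default-src 'self' *.facebook.com; script-src *.googleapis.com";

function summarize() {
  return {
    answerPolicyFacebookScript: allows(ANSWER_POLICY, 'script-src', 'https://www.facebook.com/sdk.js', PAGE),
    answerPolicySelfScript: allows(ANSWER_POLICY, 'script-src', 'https://example.com/app.js', PAGE),
    narrowPolicyFacebookScript: allows(NARROW_POLICY, 'script-src', 'https://www.facebook.com/sdk.js', PAGE),
    narrowPolicySelfScript: allows(NARROW_POLICY, 'script-src', 'https://example.com/app.js', PAGE),
    narrowPolicyFacebookImage: allows(NARROW_POLICY, 'img-src', 'https://www.facebook.com/pic.png', PAGE),
  };
}

console.log(summarize());
```

Under NARROW_POLICY the Facebook script and the page's own scripts are blocked even though default-src lists both, while an image from *.facebook.com is still allowed because img-src is absent and does fall back to default-src. That asymmetry is the whole point of the answer: adding script-src does not narrow default-src, it replaces it for scripts.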
