do more specific values in content security policy completely replace general ones?

Your second variant is correct:

   default-src 'self' *;
   script-src 'self' * *;

When you do specify the script-src directive in the policy, browser do not use any sources from default-src for scripts at all (do not performs fallback to default-src). Only sources from script-src will used.

So if your app loads scripts from 'self' and *, you have to specify these in script-src independently of default-src content.

CLICK HERE to find out more related problems solutions.

Leave a Comment

Your email address will not be published.

Scroll to Top