Does Content Security Policy's connect-src directive allow you to make cross domain requests?

Question

Does specifying a connect-src directive in your content security policy relax the browser's same origin policy and allow you to make cross origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same origin calls or calls enabled by CORS)?

Answer 1

The connect-src directive does not relax the same-origin policy; it simply specifies a list of source to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).

In general, Content Security Policy is an annotation that you as an author can use to limit the capabilities of your pages. It does not grant new privileges, but only removes them.