Does Content Security Policy's connect-src directive allow you to make cross domain requests?
https://stackoverflow.com/questions/12924717
-
07-07-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Does specifying a connect-src directive in your content security policy relax the browser's same origin policy and allow you to make cross origin XHR requests? Or is this directive only used to limit already legal XHR (i.e. same origin calls or calls enabled by CORS)?
Solution
The connect-src directive does not relax the same-origin policy; it simply specifies a list of source to which you can connect, assuming that the browser will already allow you to connect to them (via CORS, for instance).
In general, Content Security Policy is an annotation that you as an author can use to limit the capabilities of your pages. It does not grant new privileges, but only removes them.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
