Content Security Policy (CSP) implemented with the insecure scheme in passive content only

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-16 WASC-15 WSTG-CONF-12

Content Security Policy (CSP) is one of the essential computer security standards for establishing a proper and secure site. It was introduced to prevent attacks like cross-site scripting (XSS), clickjacking and other code injection attacks. These attacks might result in the execution of malicious content in the trusted web page context. There are many application with Content Security Policy implemented in an insecure way. Due to this configuration in the site, it allows images or media to be loaded over HTTP.


The impacts of this type of vulnerability include:-

  • Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack where an attacker can execute malicious scripts into a website or web application.
  • clickjacking - Clickjacking is a malicious technique of tricking an end user into clicking on a malicious link.
  • code injection attacks - Code injection is the exploitation of a computer bug which includes processing invalid data.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Set proper Content Security Policy
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">

  • Try to implement HTTPS in the URI declaration.
  • Apply the whitelist and policies as strict as possible.
  • Try enabling CSP on your website. The CSP can be enabled by sending the Content-Security-Policy in HTTP response headers. This header will instruct the browser to apply the policies the administrator has specified.

Latest Articles