Meta CSP policy

cabana3 · December 10, 2021, 6:03am

Hi,

Can anyone share meta CSP policy settings

awesomerobot · December 10, 2021, 2:52pm

We have CSP enabled on Meta, and recommend everyone keeps it enabled on their own sites! It provides a good layer of protection against exploits. Content Security Policy (CSP) - HTTP | MDN

Jagster · December 10, 2021, 4:59pm

I’ll translate that We don’t have too many settings of CSP to share. Only on or off…

It is other systems where system admins can easily adjust CSP. Discourse is not one of those.

(Off topic, but CSP is strongly overrated, because there must use so many settings that actually allow too many things weekening CSP. And in global sites google ads and CSP is pain in the tender places…)

Falco · December 10, 2021, 5:07pm

You can add new domains to the script src CSP policy in site settings, which is the main use case for our users.

Plugins can extend any other CSP directives.

Jagster · December 11, 2021, 9:20am

Good to know I/we can override default with full scale CSP. Everyday something new

system · January 10, 2022, 9:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Content-Security-Policy now uses 'strict-dynamic' announcements	0	502	March 7, 2024
Experimenting with a 'strict-dynamic' Content Security Policy (CSP) admins	0	451	February 16, 2024
Add CSP sources to the plugin support advertising	7	2223	March 23, 2020
Mitigate XSS Attacks with Content Security Policy announcements security	32	22052	June 13, 2023
Can I add a snippet to the header? support	5	665	February 7, 2023

Meta CSP policy

Related Topics