Mitigate XSS Attacks with Content Security Policy

Maybe I am missing something, but I do not see these settings in the settings UI.

  • content_security_policy
  • content_security_policy_report_only
  • content_security_policy_collect_reports (I see that is hidden now)
  • content_security_policy_script_src

Are these options available to hosted instances? I didn’t see any mention of that being a limitation in the original post or comments.

Edit: Also attempted to set the security policy through a theme.

Does not seem to be working as instructed in original post.


I’m assuming the hosted plan I’m on doesn’t allow this, even when done via a theme or theme component?

Or maybe I am just doing something totally wrong.
