In my Getting Started With a Content Security Policy post, I setup a report only CSP policy so that I could try and identify things that could test out a policy before implementing it. It is time to parse through the results and see what needs to be updated in my deployed policy. The original policy was very simple
default-src https
Inspecting The Violations
I started trying to look at the current violations and I think it was clear that I had a rather permissive Content Security Policy because nothing much was being blocked.
default-src 'self'
and let the run for awhile before gathering more violation details like these
Building the New Header
In looking at some of the results, I’m not personally concerned with images so I’ll allow those from any https
default-src 'self'; img-src https:;
I know I have fonts loading from Google so we can also allow that next
default-src 'self'; img-src https:; font-src https://fonts.gstatic.com
The process continues until you finally have all of the known resources documented and the types of resource you plan to load until you have a final CSP. Once done, you should still continue with the reporting capability so that you can identify potentially new content on your site that should be allowed or worse yet malicious content that is trying to be introduced.
Resources
Here are some nice resources that can help you continue building your CSP as well