Any recommendations for a large Content-Security-Policy HTTP header? Some applications cannot handle reading a large Content-Security-Policy header, due to limitations on header packet size. Yet to list the domains required for a site specifically takes bytes for each domain. Have you observed this limitation of the spec, and how did you work around it?
In practice, there were 2 types of restrictions on the size of the HTTP header - server side and client side:

1. The maximum size of all HTTP response headers for the Apache web server; by default it is 8190 bytes. If the total size of all HTTP headers (CSP + "HTTP/1.1 200 OK" + Content-type:"text/html; charset=utf-8" + all others) exceeds the allowed limit, the web server returns error 502.
2. Limiting the size of the receiving buffer on some mobile devices. It can be detected by violation reports: the original-policy field is truncated in them. Last observed about 6 years ago.
To fix the problem:
- `*` to whitelist a set of subdomains (`*.google.com`).
- `img-src *` to allow images from any source, since XSS through images is unlikely.
- The `'strict-dynamic'` token in the `script-src` directive, and remove all host-based sources from it, except `http: https:`. See strict CSP by Google for details.
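As an added illustration of the two points in this answer (not code from the answer's author): a small Python helper that compares a host-allowlist policy with a nonce-plus-'strict-dynamic' policy of the kind recommended above, checks the whole response header block against the 8190-byte Apache default quoted in the answer, and flags a violation report whose original-policy is a truncated prefix of the policy actually served. The policies, the nonce and the report are constructed sample values.

```python
import json

# Constructed sample policies: one that lists every host, one built the "strict CSP" way.
HOST_LIST_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://a.example.com https://b.example.com https://c.example.com; "
    "img-src 'self' https://cdn1.example.com https://cdn2.example.com"
)
STRICT_CSP_TEMPLATE = (
    "default-src 'self'; "
    "script-src 'nonce-{nonce}' 'strict-dynamic' https: http:; "  # no host list needed
    "img-src *"                                                     # images from anywhere
)


def build_strict_csp(nonce: str) -> str:
    """Render the strict policy for one response; the nonce is generated per response."""
    return STRICT_CSP_TEMPLATE.format(nonce=nonce)


def response_header_bytes(headers: dict, status_line: str = "HTTP/1.1 200 OK") -> int:
    """Bytes of the HTTP/1.1 header block: status line, 'Name: value' lines, blank line."""
    wire = status_line + "\r\n"
    wire += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    wire += "\r\n"
    return len(wire.encode("utf-8"))


def fits_header_budget(headers: dict, limit: int = 8190) -> bool:
    """True if the whole header block (CSP plus every other header) stays under the limit."""
    return response_header_bytes(headers) <= limit


def policy_was_truncated(served_policy: str, report_json: str) -> bool:
    """Detect the client-side buffer limit from a CSP violation report.

    A truncated client shows up as an original-policy that is a strict prefix of
    the policy we actually sent (an unrelated or complete policy is not a hit).
    """
    body = json.loads(report_json).get("csp-report", {})
    seen = body.get("original-policy", "")
    return seen != served_policy and served_policy.startswith(seen)


if __name__ == "__main__":
    csp = build_strict_csp("d2hhdCBhIG5pY2UgZGF5")  # constructed nonce
    print(len(HOST_LIST_CSP), "vs", len(csp), "bytes of policy")
    print(fits_header_budget({"Content-Security-Policy": csp, "Content-Type": "text/html"}))
```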