WebMessaging - Content Security Policy -default src self or none

Hi all,

Just wondering if anyone can help us. We are looking at implementing secure web messaging on mobile browsers following the Genesys recommendation https://developer.genesys.cloud/commdigital/digital/webmessaging/contentSecurityPolicy#asia-pacific--sydney-.

We are in the Asia Pacific (Sydney) region, and there are 2 options for the content:

Option 1 (CSPv3): default-src 'self'

Option 2: blank

So what is the recommendation, and which CSP is used most? “default-src 'self'” or none?

I'd appreciate any advice.

Fransiska

Hi Fransiska,

Which CSP version to go with really depends on your security requirements.

CSPv3 is the latest, while CSPv2 has been around for quite some time and most browsers support it.

As for choosing between the value default-src 'self' or none, it should be the first. There should always be a default-src 'self', because that is the fallback directive the browser will look for when you don't explicitly define each one, like content-src, script-src and so on. You can find more info about usage here.

So, the general recommendation is to always put default-src 'self', whether you go with CSPv2 or CSPv3.
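The fallback behaviour described in this answer, as an added example that is not part of the thread or of Genesys' code: a small resolver that shows which source list governs a fetch directive under a given policy, and why a blank policy restricts nothing while default-src 'self' restricts every fetch directive you did not set explicitly. The page origin, policies and URLs are constructed sample values.

```javascript
// Parse "directive src src; directive src" into a Map of directive -> [sources].
// Directive names are ASCII case-insensitive; a repeated directive keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Fetch directives that fall straight back to default-src when not set (CSP Level 3).
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src",
  "font-src", "media-src", "object-src", "manifest-src",
]);

// Return the source list that governs `directive`, or null when nothing constrains it
// (blank policy, or neither the directive nor default-src is present).
function effectiveSources(policy, directive) {
  const d = parseCsp(policy);
  if (d.has(directive)) return d.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && d.has("default-src")) {
    return d.get("default-src");
  }
  return null;
}

// Decide whether loading `url` under `directive` is allowed for a page at `pageOrigin`.
// Supports 'none', 'self' and exact-origin host sources; no wildcard or scheme sources.
function allows(policy, directive, pageOrigin, url) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true; // unrestricted: the browser applies no check
  const target = new URL(url).origin;
  for (const src of sources) {
    if (src === "'none'") continue; // 'none' matches nothing
    if (src === "'self'" && target === pageOrigin) return true;
    if (src === target) return true;
  }
  return false;
}

// Constructed sample values illustrating the two options from the question.
const PAGE_ORIGIN = "https://www.example.com";
const OPTION_SELF = "default-src 'self'";
const OPTION_BLANK = "";
```

With OPTION_SELF, a script from another origin is refused for script-src because the browser falls back to default-src; with OPTION_BLANK the same load goes through unchecked.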

Thanks @Ranjith_Manikante_Sa

I appreciate the advice.

Fransiska

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.