Legacy Dev Forum Posts

WebMessaging - Content Security Policy -default src self or none

    Posted 06-05-2025 18:36

    fransiska.hendra | 2023-02-03 00:10:29 UTC | #1

    Hi all,

    Just wondering if anyone can help us. We are looking at implementing secure web messaging on a mobile browser with the Genesys recommendation https://developer.genesys.cloud/commdigital/digital/webmessaging/contentSecurityPolicy#asia-pacific--sydney-.

    We are in Asia Pacific (Sydney region), and there are 2 options for content:

    Option 1 CSPv3 : default-src 'self'

    Option 2 : blank

    So what is the recommendation, which CSP is mostly used? “default-src – self” or none?

    Appreciate any advice.

    Fransiska


    RanjithManikanteSa | 2023-02-06 13:26:31 UTC | #2

    Hi Fransiska,

    Which CSP version to go with really depends on your security requirements.

    CSPv3 is the latest, whereas CSPv2 has been around for quite some time and most browsers support it.

    About choosing the value default-src – 'self' or none, it should be the first. There should always be a default-src – 'self' because that is the fallback directive that the browser will look for when you don't explicitly define each one, like content-src, script-src and so on. You can find more info about usage here.

    So, the general recommendation is to always put default-src – 'self' whether you go with CSPv2 or CSPv3.
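
The fallback behaviour described in the answer above, as an added example that is not part of the original post or of Genesys code: it resolves which directive governs each kind of load under a policy with and without `default-src`. The two sample policies and the host `cdn.example` are constructed; the fallback chains are those of the CSP Level 3 fetch directives.

```javascript
// Added example: which CSP directive governs a load when one is not listed.
// Fallback chains follow the CSP Level 3 fetch-directive fallback lists.
const VIA = {
  'script-src-elem': ['script-src'], 'script-src-attr': ['script-src'],
  'style-src-elem': ['style-src'], 'style-src-attr': ['style-src'],
  'worker-src': ['child-src', 'script-src'], 'frame-src': ['child-src'],
};
const FETCH = ['child-src', 'connect-src', 'font-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'script-src', 'style-src', ...Object.keys(VIA)];

// Parse a header value into Map(directive -> source list).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue; // empty segment, e.g. a trailing ';'
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // duplicates are ignored
  }
  return policy;
}

// Return the directive that decides loads of `type`, or null if none applies.
function governing(policy, type) {
  const chain = FETCH.includes(type)
    ? [type, ...(VIA[type] || []), 'default-src']
    : [type]; // base-uri, form-action, frame-ancestors: no default-src fallback
  const hit = chain.find((d) => policy.has(d));
  return hit ? `${hit} ${policy.get(hit).join(' ')}` : null;
}

// Constructed sample policies (cdn.example is a placeholder host).
const withDefault = parseCsp("default-src 'self'; img-src 'self' https://cdn.example");
const withoutDefault = parseCsp("img-src 'self' https://cdn.example");

for (const type of ['img-src', 'connect-src', 'worker-src', 'form-action']) {
  console.log(type.padEnd(12), '|', governing(withDefault, type) ?? 'unrestricted',
    '|', governing(withoutDefault, type) ?? 'unrestricted');
}
```

Without `default-src`, every fetch type the policy does not list is left unrestricted; even with it, directives such as `form-action` and `frame-ancestors` must be set explicitly because they never fall back.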


    fransiska.hendra | 2023-02-06 13:26:26 UTC | #3

    Thanks @RanjithManikanteSa

    Appreciate the advice.

    Fransiska


    system | 2023-03-05 22:23:38 UTC | #4

    This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 18248