Here is my aim: implement a Content Security Policy on the backend side and apply it on the frontend side. Here is the issue: none of the rules set up are effective on the frontend side.
What I tried: I created a CSP that blocks any resource (on purpose, for a test).
I can see that the CSP is sent by the backend and received in the browser (from the HTTP headers in Firefox's Network tab).
content-security-policy: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; font-src 'none'; connect-src 'none'; frame-src 'none'; object-src 'none'; media-src 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'
But none of these rules are effective: JS scripts are executed, images from any domain are visible, etc.
Finally, when I set up the CSP in index.html on the frontend side, the CSP works fine. But it's not the best practice.
How can a backend CSP be applied on the frontend side?
My config:
- Rails 7.1.3.4
- Node v20.18.2
- Tested on the latest version of Firefox
- Tested on the latest version of Chrome
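As an added example (not code from the question or from Rails), here is a small plain-Ruby evaluator that parses a Content-Security-Policy header value and decides whether a load of a given type from a given origin would be allowed. It implements the fetch-directive fallback chain (for instance worker-src falls back to child-src, then script-src, then default-src) and the 'none', 'self', scheme, wildcard and host source expressions. The header string is the one quoted above; the page URL and resource URLs are constructed sample inputs, and the function names are my own.

```ruby
require "uri"

# Fallback order for fetch directives when the specific directive is absent.
# (worker-src and frame-src have longer chains than the plain default-src fallback.)
FALLBACKS = {
  "script-src"  => ["default-src"],
  "style-src"   => ["default-src"],
  "img-src"     => ["default-src"],
  "font-src"    => ["default-src"],
  "connect-src" => ["default-src"],
  "media-src"   => ["default-src"],
  "object-src"  => ["default-src"],
  "child-src"   => ["default-src"],
  "frame-src"   => ["child-src", "default-src"],
  "worker-src"  => ["child-src", "script-src", "default-src"],
}.freeze

# The header value quoted in the question.
QUESTION_CSP = "default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; " \
               "font-src 'none'; connect-src 'none'; frame-src 'none'; object-src 'none'; " \
               "media-src 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; " \
               "frame-ancestors 'none'"

# Parse "dir1 v1 v2; dir2 v3" into { "dir1" => ["v1", "v2"], "dir2" => ["v3"] }.
# Directive names are case-insensitive; source expressions are kept as written.
def parse_csp(header)
  header.split(";").each_with_object({}) do |token, acc|
    parts = token.strip.split(/\s+/)
    next if parts.empty? || parts[0].empty?
    acc[parts[0].downcase] = parts[1..]
  end
end

# Source list that governs +directive+, walking the fallback chain.
# Returns nil when neither the directive nor any fallback is present (unrestricted).
def effective_sources(policy, directive)
  [directive, *FALLBACKS.fetch(directive, [])].each do |name|
    return policy[name] if policy.key?(name)
  end
  nil
end

def same_origin?(url, page)
  [url.scheme, url.host, url.port] == [page.scheme, page.host, page.port]
end

# Host source: optional scheme://, host (optionally "*."-prefixed), optional :port.
def host_matches?(expr, url)
  m = expr.match(%r{\A(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>[^:/]+)(?::(?<port>\d+|\*))?}i)
  return false unless m
  return false if m[:scheme] && !url.scheme.casecmp?(m[:scheme])
  host_ok = if m[:host].start_with?("*.")
              url.host.end_with?(m[:host][1..])   # "*.example.com" matches "a.example.com"
            else
              url.host.casecmp?(m[:host])
            end
  port_ok = m[:port].nil? || m[:port] == "*" || m[:port].to_i == url.port
  host_ok && port_ok
end

# Does one source expression permit +url+ for a page at +page+?
def source_matches?(expr, url, page)
  case expr
  when "'none'" then false
  when "'self'" then same_origin?(url, page)
  when "*"      then true
  when /\A[a-z][a-z0-9+.-]*:\z/i then url.scheme.casecmp?(expr.chomp(":"))  # scheme source, e.g. "https:"
  else host_matches?(expr, url)
  end
end

# Would the browser allow this load under +header+? (page_url is the document's own URL)
def allowed?(header, directive, resource_url, page_url)
  sources = effective_sources(parse_csp(header), directive)
  return true if sources.nil?
  url  = URI.parse(resource_url)
  page = URI.parse(page_url)
  sources.any? { |expr| source_matches?(expr, url, page) }
end

if __FILE__ == $0
  page = "https://app.example.com/"
  puts allowed?(QUESTION_CSP, "script-src", "https://app.example.com/app.js", page)  # false
  puts allowed?("default-src 'self'", "script-src", "https://app.example.com/app.js", page)  # true
end
```

One thing the evaluator makes visible: the policy it is given is the one delivered with the HTML document itself, because a CSP header only governs the response it arrives on. Running the same check against the header seen on an API or asset response says nothing about what the document is allowed to load; the header to inspect in the Network tab is the one on the response that returned index.html.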