(1) What is the strictest Content Security Policy possible that will allow a standard installation of Joomla to function properly and allow updates to extensions and the core without causing problems?
(2) Are 'unsafe-eval' and/or 'unsafe-inline' needed at all times, or is it only necessary to include them when extension and/or core updates are made, after which they can be removed in order to strengthen security?
(3) Is the policy below better or worse than having no CSP at all?
(4) Could a hacker spoof (not sure what the correct term is) a file so that it seems like it is coming from one of the green-listed URLs?
(5) Are there any obvious mistakes in the policy?
One observation is that Google Maps seems to require an excessive number of URL resources to work properly. If or when Google changes any of these URLs, it will break one or more map functions, in which case it could be some time before such errors are noticed and corrected by the client or site administrator. Therefore it would seem that the fewer resources loaded from third-party URLs the better, especially from a security point of view.
Sorry for asking so many questions but any help would be appreciated. Thank you.
Code:
##########Content Security Policy
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://maps.googleapis.com/; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; img-src 'self' https://maps.gstatic.com https://csi.gstatic.com https://maps.googleapis.com/ https://khms0.googleapis.com/ https://khms1.googleapis.com/ https://lh3.ggpht.com/ https://cbks0.googleapis.com/ https://lh3.ggpht.com/ https://geo0.ggpht.com/ https://geo2.ggpht.com/ https://geo1.ggpht.com/ https://geo3.ggpht.com/; font-src 'self' https://fonts.gstatic.com/"
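The following is an added example in Python, not code from the post above or from Joomla. It parses the posted header (copied into a constructed string), lints it for the points the questions raise (duplicate sources, 'unsafe-inline', 'unsafe-eval'), and applies CSP host-source matching to concrete URLs so that question (4) can be checked directly: a lookalike host such as maps.googleapis.com.attacker.example does not match the expression https://maps.googleapis.com/, because CSP matches the host exactly (or by a leading *. wildcard), not by substring. It also shows the nonce mechanism that replaces 'unsafe-inline' for scripts. Assumptions: the expression's scheme must equal the URL's scheme (the real spec additionally lets https satisfy an http expression), 'self' is treated as an exact scheme/host/port match, and the page origin https://example.com is hypothetical.

```python
# Added example (not from the original post): parse a CSP header, lint it, and
# test whether a URL is permitted by a directive under CSP source matching.
# Simplifications (assumptions): expression scheme must equal URL scheme, and
# 'self' is an exact scheme/host/port comparison with the page origin.
import secrets
from urllib.parse import urlsplit

# The policy from the post, joined onto one line (constructed copy).
POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://maps.googleapis.com/; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; "
    "img-src 'self' https://maps.gstatic.com https://csi.gstatic.com "
    "https://maps.googleapis.com/ https://khms0.googleapis.com/ https://khms1.googleapis.com/ "
    "https://lh3.ggpht.com/ https://cbks0.googleapis.com/ https://lh3.ggpht.com/ "
    "https://geo0.ggpht.com/ https://geo2.ggpht.com/ https://geo1.ggpht.com/ https://geo3.ggpht.com/; "
    "font-src 'self' https://fonts.gstatic.com/"
)

DEFAULT_PORT = {"http": 80, "https": 443}
# Fetch directives that fall back to default-src when they are not listed.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                         "media-src", "object-src", "frame-src", "child-src", "worker-src",
                         "manifest-src", "prefetch-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Browsers ignore a repeated directive name, so the first occurrence wins."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint(directives):
    """Return human-readable findings: duplicate sources and unsafe-* keywords."""
    findings = []
    for name, sources in directives.items():
        seen = set()
        for src in sources:
            if src in seen:
                findings.append(f"{name}: duplicate source {src}")
            seen.add(src)
        if "'unsafe-inline'" in sources:
            findings.append(f"{name}: 'unsafe-inline' lets any injected inline "
                            f"{'script' if 'script' in name else 'content'} run")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name}: 'unsafe-eval' allows eval()/new Function() on strings")
    return findings


def _origin_matches(expr, url):
    """CSP host-source matching: scheme, host (with *. wildcard), port, path prefix."""
    u = urlsplit(url)
    e = urlsplit(expr if "://" in expr else "//" + expr)
    scheme = e.scheme or u.scheme
    if scheme != u.scheme:
        return False
    host, ehost = (u.hostname or "").lower(), (e.hostname or "").lower()
    if ehost.startswith("*."):
        if not host.endswith(ehost[1:]):           # "*.example.com" matches "a.example.com"
            return False
    elif host != ehost:                            # exact host only: no suffix or lookalike match
        return False
    if (u.port or DEFAULT_PORT.get(u.scheme)) != (e.port or DEFAULT_PORT.get(scheme)):
        return False
    if e.path and e.path != "/":                   # a path ending in "/" is a prefix, else exact
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True


def is_allowed(directives, directive, url, page_origin):
    """Would the browser load `url` for `directive` on a page served from `page_origin`?"""
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src", [])
    for src in sources or []:
        if src == "'self'":
            if _origin_matches(page_origin, url):
                return True
        elif src.startswith("'"):
            continue                               # keywords, nonces and hashes never match a URL
        elif _origin_matches(src, url):
            return True
    return False


def nonce_script_src(directives):
    """Per-response hardening that removes 'unsafe-inline' from script-src: a fresh
    nonce replaces the keyword, and each inline <script> then needs nonce="..."."""
    nonce = secrets.token_urlsafe(16)
    sources = [s for s in directives.get("script-src", []) if s != "'unsafe-inline'"]
    return nonce, "script-src " + " ".join(sources + [f"'nonce-{nonce}'"])


if __name__ == "__main__":
    d = parse_csp(POLICY)
    for f in lint(d):
        print(f)
    print(is_allowed(d, "script-src", "https://maps.googleapis.com.attacker.example/maps.js",
                     "https://example.com"))
```

Running it on the posted policy reports the duplicated https://lh3.ggpht.com/ in img-src and the 'unsafe-inline'/'unsafe-eval' keywords in script-src and style-src. Two things the matcher makes visible that the header alone does not: directives that are not listed (connect-src, frame-src, and so on) inherit default-src 'self', so an XHR to maps.googleapis.com from the page would be blocked under this policy; and a nonce-based script-src only helps if every legitimate inline script carries the nonce attribute, which is the work that has to be done before 'unsafe-inline' can be dropped.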