Allow All Content Security Policy?

javascript http-headers web xss content-security-policy

Solution 1:

For people who still want an even more permissive posts, because the other answers were just not permissive enough, and they must work with google chrome for which * is just not enough:

default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; 
script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; 
connect-src * data: blob: 'unsafe-inline'; 
img-src * data: blob: 'unsafe-inline'; 
frame-src * data: blob: ; 
style-src * data: blob: 'unsafe-inline';
font-src * data: blob: 'unsafe-inline';
frame-ancestors * data: blob: 'unsafe-inline';

Solution 2:

It's not secure at all, but as staring point the real allow all policy is:

default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';

See: https://content-security-policy.com/ and this CSP migration guide.

Solution 3:

The best way would be not applying any policy.

But to answer your question, an "allow all policy" would probably be:

default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;

Note: untested

Related

maven2: excluding directory from WAR
Haskell operator vs function precedence
How to wildcard include JAR files when compiling?
React native change listening port
Difference between android: and app: prefix in Android XML?
Stop $.ajax on beforeSend
Weird scoping behavior in python
How to bulk update mysql data with one query?
Cannot recover key [duplicate]
What's the use of the [\b] backspace regex?
How do I read a large CSV file with Scala Stream class?
On Windows 10, can programs read saved wifi passwords behind my back?