Blocking Mixed Content With Content Security Policy



We will be moving from a passive Content-Security-Policy-Report-Only response header to an enforcing Content-Security-Policy header on twitter.com and our other web properties. This header will programmatically enforce the existing mixed-content policy that we have outlined for cards and other third-party content here.

In anticipation of this change, we will be performing a “blackout test”, in which we temporarily switch over to the enforce-mode CSP header for 24 hours on October 30, 2014. To verify that your content will render correctly during this timeframe, you can test in advance by loading your content and checking your browser’s console output for any logged CSP violations (note that some browser extensions may generate these too). We are monitoring incoming reports sent via the report-uri directive and have the ability to quickly roll back this setting if necessary.

To be specific about the details of this change, twitter.com and other web properties will serve an HTTP response header similar to the following:

content-security-policy:
default-src https:; connect-src https:; font-src https: data:; frame-src https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report
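The following is an added example, not code from the announcement or from Twitter: it parses the header value quoted above into directives and checks a constructed list of card resources against it, so a card owner can see which loads the enforce-mode header would block before the blackout test. It models CSP 1.0 fallback to default-src and the scheme-source, keyword and plain host-source forms; the resource list and example.com hosts are constructed.

```python
from urllib.parse import urlparse

# Constructed copy of the header value quoted in the announcement above.
CSP_HEADER = (
    "default-src https:; connect-src https:; font-src https: data:; frame-src https:; "
    "img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' "
    "'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report"
)
# Fetch directives that fall back to default-src when absent (CSP 1.0 semantics).
FETCH_DIRECTIVES = {"connect-src", "font-src", "frame-src", "img-src",
                    "media-src", "object-src", "script-src", "style-src"}

def parse_csp(header):
    """Split a policy string into {directive name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url):
    """Scheme-sources (https:, data:) and plain host-sources; keywords never match a URL."""
    parsed = urlparse(url)
    if expr.startswith("'"):                                  # 'unsafe-inline', 'self', ...
        return False
    if expr.endswith(":") and "/" not in expr:                # scheme-source
        return parsed.scheme == expr[:-1].lower()
    host = urlparse(expr if "://" in expr else "//" + expr)   # host-source, e.g. https://cdn.example.com
    return (not host.scheme or host.scheme == parsed.scheme) and parsed.hostname == host.hostname

def is_allowed(policy, directive, url):
    """Would the enforcing header let the browser load url as this resource type?"""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src", [])
    return any(source_matches(s, url) for s in sources or [])

def find_violations(policy, resources):
    """Return the (directive, url) pairs the enforced policy would block and report."""
    return [(d, u) for d, u in resources if not is_allowed(policy, d, u)]

# Constructed sample of resources a card page might reference.
SAMPLE_RESOURCES = [
    ("img-src", "https://cdn.example.com/card.png"),      # allowed
    ("img-src", "http://cdn.example.com/legacy.png"),     # mixed content, blocked
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),    # data: is listed for img-src
    ("script-src", "data:text/javascript,void%200"),      # data: not listed for script-src
    ("media-src", "http://media.example.com/clip.mp4"),   # mixed content, blocked
]
```

Running `find_violations(parse_csp(CSP_HEADER), SAMPLE_RESOURCES)` returns the three entries the browser would refuse and report to the report-uri.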
