Can you set up per site rules? as to whether this would be toggled on for certain sites, and off for everything else not whitelisted? #4

Closed
Vafarien opened this issue Apr 18, 2016 · 5 comments

Comments

@Vafarien

No description provided.

@PhilGrayson
Owner

Hi,
What sort of use case do you have in mind for this? This was originally developed to briefly turn off CSP while developing a web application.
I didn't imagine a scenario where you would want to always turn off the security feature for many sites.

Phil

@Vafarien
Author

Like set up a rules setting, to allow certain web pages / domains to have CSP enabled for those specific sites.

@daddony

daddony commented May 9, 2017

I know this is old but I would also like to see per site rules. For instance, I use a Tampermonkey script to collect some data from a web page with a very long list of links. I also use GM_xmlhttpRequest to open those links and gather needed data. Before enforcement of CSP I could create an iframe on that web page or create a new page and load gathered data to that frame. Now that's impossible. So the ability to disable CSP just for that web page would help me a lot, without compromising security on other "dangerous" pages.

@PhilGrayson
Owner

I see, so you are purposefully injecting a script onto a page to load in your own resources? In this case it's at least the frame-src policy that's denying your use case.

You'd like to configure CSP to be disabled for a specific page, so you don't have to remember to disable it globally and re-enable it again.

It sounds like a reasonable request. It could look similar to uMatrix in how it displays per-domain configuration.

@daddony

daddony commented May 9, 2017

Yes, exactly. Although Tampermonkey has its own option to add itself to sites' CSP, for some reason the frame-src policy prevents me from loading iframe.src = 'data:text/html;charset=utf-8,...' and document.getElementsByTagName('body')[0].appendChild(iframe); And when CSP is disabled, this works.
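
Why a data: iframe like the one in the comment above is refused, as an added example that is not part of the original thread or the extension's code: a simplified check of which directive governs frames (frame-src, then child-src, then default-src) and whether it lists the data: scheme. The function names and sample policies are constructed for illustration.

```javascript
// Added example: decide whether a CSP header lets a page frame a data: URL.
// Simplified model: only the scheme source "data:" is matched. A "*" wildcard
// does not cover data:, and 'none' matches nothing.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// Frames are governed by frame-src, falling back to child-src, then default-src.
function governingFrameDirective(policy) {
  return ['frame-src', 'child-src', 'default-src'].find((d) => policy.has(d)) || null;
}

// Returns which directive decided and whether a data: frame would load.
function checkDataFrame(header) {
  const policy = parseCsp(header);
  const directive = governingFrameDirective(policy);
  // No directive in the fallback chain means frames are unrestricted.
  if (directive === null) return { allowed: true, directive: null };
  return { allowed: policy.get(directive).includes('data:'), directive };
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "default-src 'self'",
  "default-src *; frame-src 'self' https://example.com",
  "default-src 'none'; frame-src data:",
  "script-src 'self'",
];
for (const header of samples) {
  const { allowed, directive } = checkDataFrame(header);
  console.log(`${allowed ? 'ALLOW' : 'BLOCK'} via ${directive || 'no directive'} <- ${header}`);
}
```

The third sample shows the narrow alternative to turning CSP off: a policy that lists data: under frame-src permits this one kind of frame and keeps every other restriction in force.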

PhilGrayson added a commit that referenced this issue Apr 27, 2020
CSP headers are disabled per tab instead of globally.
PhilGrayson added a commit that referenced this issue May 6, 2020