BTW I posted the same question here https://lists.w3.org/Archives/Public/public-webappsec/2024Oct/0010.html to try get some info from the browser devs.

Thanks for the clarification, I will take a look as well and keep you posted with the results.

@riramar Do you have received any feedback about your question?

🤔If I'm not wrong, in case of a large CSP policy sent by the app server or the WAF or the reverse proxy, it is the browser or any network device handling the HTTP response that will cut or alter the CSP received. At the framework level, it is just a string.

Do you have an example to allow me to better understand the issue, and its context, in order that I work on a proposal?

Thanks a lot in advance for your insights 😃

Hi @righettod

I don't have a specific example for that. I found this paper from 2016 on Google which seems to point to the right direction.

https://research.google/pubs/csp-is-dead-long-live-csp-on-the-insecurity-of-whitelists-and-the-future-of-content-security-policy/
We expect that that the combination of a nonce-based approach and the ’strict-dynamic’ keyword will allow developers and organizations to finally enjoy real security benefits offered by the Content Security Policy.

The entire paper PDF can be found here: https://dl.acm.org/doi/pdf/10.1145/[2976749.2978363](https://dl.acm.org/doi/pdf/10.1145/2976749.2978363)

Regards,
Ricardo Iramar

👨‍💻I performed the following test.

📝Test page generating a large CSP based on a number of subdomains to add into the img-src directive:

<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
$csp="default-src 'self'; img-src 'self'";
$cnt=intval($_GET["c"]);
for ($x = 0; $x <= $cnt; $x++) {
	$csp .= " https://sub$x.righettod.eu";
}
$csp .= ";";
header("Content-type: text/html; charset=utf-8");
header("Content-Security-Policy: $csp", True, 200);
?>
<!DOCTYPE html>
<html>
<head>
	<title>test</title>
</head>
<body>
	<b>CSP policy generated (length: <?php echo(strlen($csp)); ?> characters): </b><br>
	<code><?php echo($csp); ?><br> 
	<script>alert("test xss");</script>
</body>
</html>

🌏Page exposed on Internet via a segfault instance:

💻Test of generation of 1000 subdomains and loading of the page in the Firefox 132.0.2 (last release):

✅CSP correctly loaded and applied to block the inline JS code.

💻Same test in Chromium 131.0.6755.0:

✅CSP correctly loaded and applied to block the inline JS code.

💻Same tes in Edge 131.0.2903.51 (last release):

✅CSP correctly loaded and applied to block the inline JS code.

👨‍💻I tested to reach the limit.

💻For Edge and Chromium it was when CSP was above 261926 characters:

💻For FF it was when CSP was above 392995 characters:

👀Above the limit specified, the error was the following on the browser side (response correctly generated and sent by the php server):