Scheme URI Detected in Content Security Policy (CSP) Directive
Description
This informational alert identifies Content Security Policy (CSP) directives that use scheme-based sources (such as 'https:', 'data:', or 'blob:') instead of more specific host-based sources. While scheme URIs are valid CSP syntax, they can be overly permissive and may introduce unintended security risks by allowing content from any origin using that scheme. This assessment provides recommendations for tightening CSP configurations to follow security best practices.
Remediation
Review the identified CSP directives and replace scheme-based sources with explicit host-based sources wherever possible. Instead of allowing all origins with a particular scheme, specify the exact domains your application needs to load resources from.
Example - Replace the overly permissive scheme source:
Content-Security-Policy: script-src https:;
With specific host sources:
Content-Security-Policy: script-src 'self' https://trusted-cdn.example.com https://analytics.example.com;
If scheme-based sources are necessary for legitimate use cases (such as 'data:' for inline images), limit their scope to specific directives rather than applying them broadly. Regularly audit your CSP configuration to ensure it remains as restrictive as possible while supporting required functionality. Consult the provided references for detailed guidance on implementing secure CSP policies.
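The check behind this alert can be reproduced offline. The following Python script is an added example, not part of the original alert or of any scanner's own code: it parses a Content-Security-Policy header value, restricts attention to fetch directives (those that take a source list), and reports any source that is a bare scheme such as https: or data:. The header values at the bottom are constructed for demonstration.

```python
"""Flag scheme-based sources in a Content-Security-Policy header value."""
import re

# A scheme source is a URI scheme followed by a colon and nothing else
# (e.g. "https:", "data:", "blob:"). Host sources such as
# "https://cdn.example.com" carry "//" and a host, so they do not match.
SCHEME_SOURCE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:$")

# Directives that take a source list. Others (report-uri, sandbox,
# upgrade-insecure-requests, ...) do not, so they are skipped.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "prefetch-src", "script-src-elem",
    "script-src-attr", "style-src-elem", "style-src-attr",
}


def parse_csp(header_value):
    """Return {directive-name: [source, ...]} for one CSP header value."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored after its first occurrence.
        policy.setdefault(name, tokens[1:])
    return policy


def find_scheme_sources(header_value):
    """Return (directive, scheme-source) pairs that should be reviewed."""
    findings = []
    for name, sources in parse_csp(header_value).items():
        if name not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            if SCHEME_SOURCE.match(src):
                findings.append((name, src.lower()))
    return findings


if __name__ == "__main__":
    # Constructed header value: script-src and img-src use scheme sources.
    weak = "default-src 'self'; script-src https:; img-src 'self' data:"
    for directive, src in find_scheme_sources(weak):
        print(f"{directive}: {src!r} allows any origin using that scheme")
```

A policy that names explicit hosts, as in the remediation example above, produces no findings.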