Should I Allow Blocked URL Access to Full File Path
Hi Dylan,
Sorry to bother you again.
Quick question: My domain is https://www.resurrectedhair.net. After enabling CSPs, I got a few errors I need to fix. I notice the log presents the errors, some relating to my URL, others for Gravatar and Google.
For specific errors specifically pertaining to my domain name, should I allow access for any path and any filename?
For example, this blocked URL violates the script-src CSP: https://www.resurrectedhair.net/…/…/…core.min.js? (didn’t disclose the full file path to remain clandestine).
Looking at the log, I can either just allow access to any path and any filename, so the script-src box will show https://www.resurrectedhair.net once and once only. Or I can click the "any path and any filename" drop-down box in the log and select the specific file path and name to allow access to. So, the script-src box will read: https://www.resurrectedhair.net/…/…/…core.min.js.
However, if I choose to allow access under option #2, any other CSP violation pertaining to the same or a different directive will show the full path I granted the blocked URL full access to. This will look messy and somewhat redundant. More importantly, those sensitive file paths and names will be leaked publicly via developer tools.
I am thinking of just listing only my domain name and keeping the blocked URL set to any path and any filename without selecting any specific path or filename.
I hope this makes sense and any guidance, since I am still new, would be generously appreciated!
Thanks!
All my best,
Joe