16203 2012-03-02 16:14:28 +0000 Nothing is said about what happens when default-src is omitted. 2012-05-03 16:16:47 +0000 1 1 1 Unclassified WebAppsSec CSP unspecified All All NEW P2 normal --- 1 sixcorners+w3c w3c dveditz mike public-webappsec sixcorners+w3c w3c dave.null oldest_to_newest 64919 0 sixcorners+w3c 2012-03-02 16:14:28 +0000 The section right at the beginning of part 4 says that you should specify script-src and object-src, or you should specify default-src if you want to prevent xss attacks implying default-src is optional. What happens if default-src is left out? Back at Mozilla it seems like it would have been the same as specifying 'none' as the source list. https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax 64923 1 w3c 2012-03-02 16:38:48 +0000 Nothing happens if you omit default-src. An empty policy has no effect. We probably should say that explicitly. 64927 2 annevk 2012-03-02 18:02:00 +0000 Can we make a separate Bugzilla component for CSP? 64945 3 sixcorners+w3c 2012-03-03 00:30:11 +0000 Is no effect similar to default-src: *? Anything goes? Wow, oops.. I guess I should have thought about what CORS meant before posting this.. Did I at least get the product right? 64946 4 w3c 2012-03-03 00:37:52 +0000 > Is no effect similar to default-src: *? default-src * still restricts inline scripts and eval. > Anything goes? Yes. An empty policy is the same as having no policy at all. 67245 5 dveditz 2012-05-02 17:23:21 +0000 wait, if I have a policy that consists entirely of script-src: 'self'; img-src: * I'm really getting an implied * for everything else? That violates my understanding of CSP as a whitelist -- if I don't specify something (either explicitly or via the fallback default-src) then I expect not to get any. In other words, a missing default-src should be equivalent to "default-src: 'none'". 67293 6 w3c 2012-05-03 16:14:03 +0000 > wait, if I have a policy that consists entirely of > script-src: 'self'; img-src: * > > I'm really getting an implied * for everything else? Yes. More precisely, there are no restrictions on anything else. For example, inline style would also be allowed. > That violates my > understanding of CSP as a whitelist -- if I don't specify something (either > explicitly or via the fallback default-src) then I expect not to get any. In > other words, a missing default-src should be equivalent to "default-src: > 'none'". We had a long discussion about this topic in the working group. We ended up deciding that only directives present in the policy would have any effect. If you'd like to specify a default-src, you need to include the default-src directive. As a further example, a policy containing only the sandbox directive would have no effect on loading fonts.