This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The section right at the beginning of part 4 says that you should specify script-src and object-src, or you should specify default-src if you want to prevent XSS attacks, implying default-src is optional. What happens if default-src is left out? Back at Mozilla it seems like it would have been the same as specifying 'none' as the source list. https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax
Nothing happens if you omit default-src. An empty policy has no effect. We probably should say that explicitly.
Can we make a separate Bugzilla component for CSP?
Is no effect similar to default-src: *? Anything goes? Wow, oops... I guess I should have thought about what CORS meant before posting this... Did I at least get the product right?
> Is no effect similar to default-src: *?

default-src * still restricts inline scripts and eval.

> Anything goes?

Yes. An empty policy is the same as having no policy at all.
wait, if I have a policy that consists entirely of script-src: 'self'; img-src: * I'm really getting an implied * for everything else? That violates my understanding of CSP as a whitelist -- if I don't specify something (either explicitly or via the fallback default-src) then I expect not to get any. In other words, a missing default-src should be equivalent to "default-src: 'none'".
> wait, if I have a policy that consists entirely of
> script-src: 'self'; img-src: *
>
> I'm really getting an implied * for everything else?

Yes. More precisely, there are no restrictions on anything else. For example, inline style would also be allowed.

> That violates my understanding of CSP as a whitelist -- if I don't specify something (either explicitly or via the fallback default-src) then I expect not to get any. In other words, a missing default-src should be equivalent to "default-src: 'none'".

We had a long discussion about this topic in the working group. We ended up deciding that only directives present in the policy would have any effect. If you'd like to specify a default-src, you need to include the default-src directive. As a further example, a policy containing only the sandbox directive would have no effect on loading fonts.
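As an added illustration of the answer above (example code, not from the bug thread or from any browser's CSP implementation), a small Python model of directive fallback: a missing directive falls back to default-src, and if that is missing too the load is unrestricted. The simplified source matching (literal origin comparison, `'self'` resolved against an assumed page origin) and the example origins are assumptions.

```python
# Added example: minimal model of CSP source-list fallback. Assumes simplified
# matching rules (literal origin strings, 'self' == page origin); not a full
# CSP implementation.

# Fetch directives that fall back to default-src when absent.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "child-src",
}

def parse_policy(policy: str) -> dict:
    """Parse 'name src src; name src' into {name: [src, ...]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def effective_sources(directives: dict, directive: str):
    """Return the governing source list, or None when nothing applies.
    A missing directive falls back to default-src; if default-src is also
    missing, the load is unrestricted (the thread's 'no effect' case)."""
    if directive in directives:
        return directives[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in directives:
        return directives["default-src"]
    return None

def allows(policy: str, directive: str, origin: str,
           page_origin: str, inline: bool = False) -> bool:
    """Decide whether a load of the given type is permitted by the policy."""
    srcs = effective_sources(parse_policy(policy), directive)
    if srcs is None:
        return True  # no governing directive: unrestricted
    if inline:
        # Inline script/style needs 'unsafe-inline'; '*' does not grant it.
        return "'unsafe-inline'" in srcs
    if "'none'" in srcs:
        return False
    for src in srcs:
        if src == "*" or src == origin or (src == "'self'" and origin == page_origin):
            return True
    return False

if __name__ == "__main__":
    policy = "script-src 'self'; img-src *"   # constructed sample policy
    # No font-src and no default-src: a font from any origin is allowed.
    print(allows(policy, "font-src", "https://cdn.example", "https://app.example"))
```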