The section right at the beginning of part 4 says that you should specify script-src and object-src, or you should specify default-src if you want to prevent XSS attacks, implying default-src is optional. What happens if default-src is left out?
Back at Mozilla it seems like it would have been the same as specifying 'none' as the source list. https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax
Nothing happens if you omit default-src. An empty policy has no effect. We probably should say that explicitly.
Can we make a separate Bugzilla component for CSP?
Is no effect similar to default-src: *? Anything goes?
Wow, oops... I guess I should have thought about what CORS meant before posting this... Did I at least get the product right?
> Is no effect similar to default-src: *?
default-src * still restricts inline scripts and eval.
> Anything goes?
Yes. An empty policy is the same as having no policy at all.
wait, if I have a policy that consists entirely of
script-src: 'self'; img-src: *
I'm really getting an implied * for everything else? That violates my understanding of CSP as a whitelist -- if I don't specify something (either explicitly or via the fallback default-src) then I expect not to get any. In other words, a missing default-src should be equivalent to "default-src: 'none'".
> wait, if I have a policy that consists entirely of
> script-src: 'self'; img-src: *
> I'm really getting an implied * for everything else?
Yes. More precisely, there are no restrictions on anything else. For example, inline style would also be allowed.
> That violates my
> understanding of CSP as a whitelist -- if I don't specify something (either
> explicitly or via the fallback default-src) then I expect not to get any. In
> other words, a missing default-src should be equivalent to "default-src:
We had a long discussion about this topic in the working group. We ended up deciding that only directives present in the policy would have any effect. If you'd like to specify a default-src, you need to include the default-src directive.
As a further example, a policy containing only the sandbox directive would have no effect on loading fonts.
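To make the fallback rule in this thread concrete, here is an added example (not code from this bug or from any browser's CSP implementation): a small JavaScript evaluator that applies the semantics stated above. Only directives present in the policy have any effect; a missing fetch directive falls back to default-src; if default-src is also missing, that load is unrestricted; and '*' matches URL-sourced loads but never inline code or eval. The directive list, the request object shape, the page origin https://example.com and the sample policies are assumptions made for this example.

```javascript
// Added example, not code from the bug thread or from any browser's CSP
// implementation. It models the semantics stated above:
//   1. only directives present in the policy have any effect;
//   2. a missing fetch directive falls back to default-src;
//   3. if default-src is also missing, that load is unrestricted;
//   4. '*' matches any URL-sourced load but never inline code or eval,
//      which need 'unsafe-inline' / 'unsafe-eval' explicitly.
// The directive list, the request object shape, the page origin and the
// sample policies below are assumptions made for this example.

const FALLBACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src",
  "media-src", "object-src", "frame-src",
]);

// Parse "script-src 'self'; img-src *" into Map(directive -> [sources]).
// As in CSP, a repeated directive name is ignored after its first occurrence.
function parsePolicy(text) {
  const directives = new Map();
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression match a URL-sourced load?
// Keyword sources other than 'self' and 'none' never match a URL.
function sourceMatches(source, url, pageOrigin) {
  if (source === "*") return true;
  if (source === "'none'") return false;
  const target = new URL(url);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return target.protocol === source.toLowerCase(); // scheme source, e.g. "https:"
  }
  // Host source: optional scheme, optional "*." wildcard; port and path are ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)(?::\d+)?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ":") return false;
  const hostname = target.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  return wildcard ? hostname.endsWith("." + wanted) : hostname === wanted;
}

// request: { type: "script" | "style" | "img" | "font" | ...,
//            kind: "url" | "inline" | "eval", url?: string }
function isAllowed(policyText, request, pageOrigin = "https://example.com") {
  const policy = parsePolicy(policyText);
  const directive = request.type + "-src";
  let sources;
  if (policy.has(directive)) {
    sources = policy.get(directive);
  } else if (FALLBACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    sources = policy.get("default-src");
  } else {
    return true; // no governing directive at all: nothing restricts this load
  }
  if (request.kind === "inline") return sources.includes("'unsafe-inline'");
  if (request.kind === "eval") return sources.includes("'unsafe-eval'");
  return sources.some((s) => sourceMatches(s, request.url, pageOrigin));
}

// Constructed policies illustrating the thread.
const POLICY_PARTIAL = "script-src 'self'; img-src *";          // the poster's example
const POLICY_STAR = "default-src *";                             // "anything goes"?
const POLICY_STRICT = "default-src 'none'; script-src 'self'";   // explicit whitelist
const POLICY_SANDBOX_ONLY = "sandbox";                           // last comment above

function summarize() {
  const remoteScript = { type: "script", kind: "url", url: "https://cdn.example.net/lib.js" };
  return {
    partialInlineStyle: isAllowed(POLICY_PARTIAL, { type: "style", kind: "inline" }), // true
    partialRemoteScript: isAllowed(POLICY_PARTIAL, remoteScript),                     // false
    starInlineScript: isAllowed(POLICY_STAR, { type: "script", kind: "inline" }),     // false
    starRemoteScript: isAllowed(POLICY_STAR, remoteScript),                           // true
    strictInlineStyle: isAllowed(POLICY_STRICT, { type: "style", kind: "inline" }),   // false
    sandboxOnlyFont: isAllowed(POLICY_SANDBOX_ONLY,
      { type: "font", kind: "url", url: "https://cdn.example.net/f.woff" }),          // true
  };
}

console.log(summarize());
```

The summarize() results line up with the answers given in this bug: with only script-src and img-src set, inline style is allowed; default-src * still blocks inline script and eval while letting any remote script load; and a sandbox-only policy has no effect on fonts. Writing default-src 'none' explicitly is what gives the "whitelist" behaviour the poster expected.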