Bug 16203 - Nothing is said about what happens when default-src is omitted.
Summary: Nothing is said about what happens when default-src is omitted.
Status: NEW
Alias: None
Product: WebAppsSec
Classification: Unclassified
Component: CSP
Version: unspecified
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: Adam Barth
QA Contact: This bug has no owner yet - up for the taking
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-02 16:14 UTC by sixcorners+w3c
Modified: 2012-05-03 16:16 UTC
CC: 5 users

See Also:

Description sixcorners+w3c 2012-03-02 16:14:28 UTC
The section right at the beginning of part 4 says that you should specify script-src and object-src, or you should specify default-src if you want to prevent xss attacks implying default-src is optional. What happens if default-src is left out?
Back at Mozilla it seems like it would have been the same as specifying 'none' as the source list. https://wiki.mozilla.org/Security/CSP/Specification#Policy_Language_and_Syntax
Comment 1 Adam Barth 2012-03-02 16:38:48 UTC
Nothing happens if you omit default-src.  An empty policy has no effect.  We probably should say that explicitly.
Comment 2 Anne 2012-03-02 18:02:00 UTC
Can we make a separate Bugzilla component for CSP?
Comment 3 sixcorners+w3c 2012-03-03 00:30:11 UTC
Is no effect similar to default-src: *? Anything goes?
Wow, oops... I guess I should have thought about what CORS meant before posting this... Did I at least get the product right?
Comment 4 Adam Barth 2012-03-03 00:37:52 UTC
> Is no effect similar to default-src: *?

default-src * still restricts inline scripts and eval.

> Anything goes?

Yes.  An empty policy is the same as having no policy at all.
Comment 5 Daniel Veditz 2012-05-02 17:23:21 UTC
wait, if I have a policy that consists entirely of
   script-src: 'self'; img-src: *

I'm really getting an implied * for everything else? That violates my understanding of CSP as a whitelist -- if I don't specify something (either explicitly or via the fallback default-src) then I expect not to get any. In other words, a missing default-src should be equivalent to "default-src: 'none'".
Comment 6 Adam Barth 2012-05-03 16:14:03 UTC
> wait, if I have a policy that consists entirely of
>    script-src: 'self'; img-src: *
> 
> I'm really getting an implied * for everything else?

Yes.  More precisely, there are no restrictions on anything else.  For example, inline style would also be allowed.

> That violates my
> understanding of CSP as a whitelist -- if I don't specify something (either
> explicitly or via the fallback default-src) then I expect not to get any. In
> other words, a missing default-src should be equivalent to "default-src:
> 'none'".

We had a long discussion about this topic in the working group.  We ended up deciding that only directives present in the policy would have any effect.  If you'd like to specify a default-src, you need to include the default-src directive.

As a further example, a policy containing only the sandbox directive would have no effect on loading fonts.
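The rule Adam Barth describes in comments 4 and 6 (a directive that is present governs its resource type, an absent fetch directive falls back to default-src, and when default-src is absent too there is simply no restriction) is small enough to state as code. The evaluator below is an added example written for this page; it is not code from the bug, the working group, or any browser, and it implements a deliberately reduced CSP 1.0-style model: only the eight fetch directives listed fall back to default-src, port numbers in host-sources are ignored, and the sample policies and URLs are constructed for illustration. Note that real CSP syntax has no colon after the directive name; the colons in comment 5 are informal.

```javascript
// Added example (not from the bug or the CSP spec text): a minimal
// CSP 1.0-style evaluator applying the fallback rule the thread settles on.
// Assumptions: only the fetch directives below fall back to default-src,
// and port numbers in host-source expressions are ignored.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src',
]);

// Parse "name src src; name src" into Map(name -> [source expressions]).
// Directive names are case-insensitive; the first occurrence of a name wins.
function parsePolicy(policyText) {
  const policy = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The source list that governs `directive`, or null when nothing does.
function governingSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null; // no directive and no default-src: unrestricted (comment 6)
}

// Does one source expression match a URL requested by a page at pageOrigin?
function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;                 // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. https:
  let host = e;
  const schemeMatch = host.match(/^([a-z][a-z0-9+.\-]*):\/\//);
  if (schemeMatch) {
    if (url.protocol !== schemeMatch[1] + ':') return false;
    host = host.slice(schemeMatch[0].length);
  }
  host = host.split(':')[0];                           // assumption: port ignored
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);                      // "*.static.example" -> ".static.example"
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === host;
}

// May a resource of type `directive` (e.g. 'script-src') be loaded from resourceUrl?
function allowsLoad(policyText, directive, resourceUrl, pageOrigin) {
  const sources = governingSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  const url = new URL(resourceUrl);
  return sources.some((expr) => matchesSource(expr, url, pageOrigin));
}

// May inline script/style or eval run? `keyword` is 'unsafe-inline' or 'unsafe-eval'.
// A bare * grants neither, which is the point of comment 4; an absent
// governing directive grants both, which is the point of comment 6.
function allowsInline(policyText, directive, keyword) {
  const sources = governingSources(parsePolicy(policyText), directive);
  if (sources === null) return true;
  return sources.some((expr) => expr.toLowerCase() === `'${keyword}'`);
}

// Constructed sample policies (not from the page).
const THREAD_POLICY = "script-src 'self'; img-src *";                   // comment 5, without colons
const CLOSED_POLICY = "default-src 'none'; script-src 'self'; img-src *"; // what comment 5 expected
```

Running the two sample policies through `allowsLoad` and `allowsInline` reproduces the thread: under THREAD_POLICY a cross-origin script is blocked but fonts, connections and inline style are all allowed, while CLOSED_POLICY blocks fonts because the explicit `default-src 'none'` now governs them. A policy consisting only of `sandbox` leaves font loads unrestricted, and an empty policy allows everything.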