W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Behavior when default-src is missing from a CSP

From: Neil Matatall <neilm@twitter.com>
Date: Wed, 9 Oct 2013 14:46:43 -0700
Message-ID: <CAOFLtbgSmUROadTtY1=nFbx-wBx4bse03v9q7G4XNuxQiS0n1A@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I became quite unpopular when I "broke" a site because I didn't do any
cross-browser testing. Shame on me on many levels :)

This happened because the CSP did not set default-src/allow. Chrome
appears to fallback to * where Firefox defaults to 'none'. I setup a
BS test page to illustrate the differences:
http://fathomless-taiga-4659.herokuapp.com/ Apologies if the site
takes forever to load, it's absolutely overkill for this purpose.

Firefox 26.02 will emit a warning message:

> Content Security Policy: 'allow' or 'default-src' directive required but not present.  Reverting to "default-src 'none'"

Apologies if this is already defined in the spec, I didn't see
anything but I also didn't re-read the entire thing (and in general
always set the default-src anyhow).

p.s. Thanks Garrett for pointing out the header was invalid in the
first place, apologies for the snarky response ;) We weren't getting
the flood of reports that you expected. Strange.
Received on Wednesday, 9 October 2013 21:47:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC