
Re: Behavior when default-src is missing from a CSP

From: Neil Matatall <neilm@twitter.com>
Date: Wed, 9 Oct 2013 16:25:22 -0700
Message-ID: <CAOFLtbiQHjsPzcDMzhqA+EM5p1fjALCPUOO9G8kqX2QURDwbKA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Ian pointed out that this only happens with the X- header on Firefox.
However, it still appears to be undefined in the spec.

On Wed, Oct 9, 2013 at 2:46 PM, Neil Matatall <neilm@twitter.com> wrote:
> I became quite unpopular when I "broke" a site because I didn't do any
> cross-browser testing. Shame on me on many levels :)
>
> This happened because the CSP did not set default-src/allow. Chrome
> appears to fall back to * where Firefox defaults to 'none'. I set up a
> BS test page to illustrate the differences:
> http://fathomless-taiga-4659.herokuapp.com/ Apologies if the site
> takes forever to load, it's absolutely overkill for this purpose.
>
> Firefox 26.02 will emit a warning message:
>
>> Content Security Policy: 'allow' or 'default-src' directive required but not present.  Reverting to "default-src 'none'"
>
> Apologies if this is already defined in the spec, I didn't see
> anything but I also didn't re-read the entire thing (and in general
> always set the default-src anyhow).
>
> p.s. Thanks Garrett for pointing out the header was invalid in the
> first place, apologies for the snarky response ;) We weren't getting
> the flood of reports that you expected. Strange.
Received on Wednesday, 9 October 2013 23:25:50 UTC
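As an added example (not part of this thread, and not Twitter's, Chrome's or Firefox's code), the following Python evaluator shows how the same policy and the same resource load get different verdicts depending on which fallback a browser applies when `default-src` is absent. It assumes the two behaviours described in the thread ('*' versus 'none') as configurable fallbacks, treats the legacy `allow` directive as `default-src`, and uses a simplified source-expression matcher (scheme plus host, `'self'`, `'none'`, `*`, and leading `*.` wildcards). The header and origins in it are constructed.

```python
# Added example (not from this thread, Twitter, or any browser): evaluate a
# CSP header under the two fallbacks described, '*' vs 'none', when
# default-src is absent. Matching is a simplification of CSP source
# expressions; the header and origins used under __main__ are constructed.
from typing import Dict, List

# Fetch directives that fall back to default-src when absent (assumption:
# the CSP 1.0-era set relevant to this thread, not the full modern list).
FALLBACK_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                       "font-src", "object-src", "media-src", "frame-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'directive src src; directive src' into {directive: [sources]}.
    The first occurrence of a directive wins; the legacy 'allow' directive
    (X-Content-Security-Policy) is treated as default-src."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name == "allow":
            name = "default-src"
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive, missing_default):
    """Source list that governs `directive`: its own, else default-src,
    else the browser-specific fallback ('*' or "'none'")."""
    if directive in policy:
        return policy[directive]
    if "default-src" in policy:
        return policy["default-src"]
    return [missing_default]


def source_matches(expr: str, origin: str, self_origin: str) -> bool:
    """Simplified source-expression match against a scheme://host origin."""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "*":
        return True
    if expr == "'self'":
        return origin == self_origin
    if expr.startswith("'"):
        return False  # 'unsafe-inline', nonces etc. never match a network origin
    o_scheme, _, o_host = origin.partition("://")
    if "://" in expr:
        e_scheme, _, e_host = expr.partition("://")
        if e_scheme != o_scheme:
            return False
    else:
        e_host = expr
    if e_host.startswith("*."):
        return o_host.endswith(e_host[1:])
    return o_host == e_host


def is_allowed(header, directive, origin, self_origin, missing_default) -> bool:
    sources = effective_sources(parse_csp(header), directive, missing_default)
    return any(source_matches(s, origin, self_origin) for s in sources)


def compare_fallbacks(header, directive, origin, self_origin) -> Dict[str, bool]:
    """Does this load's fate depend on the missing-default-src fallback?
    Returns the verdict under '*' (Chrome in the thread) and "'none'" (Firefox)."""
    return {fb: is_allowed(header, directive, origin, self_origin, fb)
            for fb in ("*", "'none'")}


def lint_policy(header: str) -> List[str]:
    """Warn about fetch directives whose behaviour would differ between browsers."""
    policy = parse_csp(header)
    if "default-src" in policy:
        return []
    unset = [d for d in FALLBACK_DIRECTIVES if d not in policy]
    return [f"default-src missing; {d} is browser-dependent" for d in unset]


if __name__ == "__main__":
    # Constructed policy that omits default-src, as in the thread.
    HEADER = "script-src 'self' https://cdn.example.com; report-uri /csp-report"
    SELF = "https://app.example.com"
    print(compare_fallbacks(HEADER, "img-src", "https://images.example.net", SELF))
    for w in lint_policy(HEADER):
        print("WARN:", w)
```

Running it on the constructed header reports that an image load from a third-party host is allowed under the `*` fallback and blocked under `'none'`, which is exactly the cross-browser surprise the thread describes; `lint_policy` flags every fetch directive whose fate depends on the missing `default-src`, so a policy can be checked before deployment rather than after a site breaks.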
