
Re: CSP Security query

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 2 Mar 2020 12:27:02 -0800
Message-ID: <CADYDTCBbL+P_zYTCk3+yDvVxR3h06RhQr2kbv4smZVkEaEFYkA@mail.gmail.com>
To: "Sunitha Kumar (sunithak)" <sunithak@cisco.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

I'm not sure what you mean by "override default-src". If you include a
directive in a CSP, with nothing following it, you're essentially saying "I
want NONE of these"; "default-src ;" is interpreted as "default-src
'none';". In that sense everything you put in a directive is an "override",
though we prefer to call it a "whitelist". Each term is a hole poked in the
initial state of "nothing allowed". Don't add them if you don't need them,
but they're in the spec because in some cases people do need them. In
general the more specific you can be the better off you are, but there may be
times that broad grants like "http:" make sense.

Most likely you wouldn't use things like http in default-src. You might use
it in img-src if your default-src was very locked-down. For example, the
following CSP would only allow site-origin resources except images which
can be loaded from anywhere on the web:

   default-src 'self'; img-src https: http: ;

-Dan Veditz
Received on Monday, 2 March 2020 20:27:33 UTC
