- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Mon, 2 Mar 2020 12:27:02 -0800
- To: "Sunitha Kumar (sunithak)" <sunithak@cisco.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 2 March 2020 20:27:33 UTC
I'm not sure what you mean by "override default-src". If you include a directive in a CSP, with nothing following it, you're essentially saying "I want NONE of these"; "default-src ;" is interpreted as "default-src 'none';". In that sense everything you put in a directive is an "override", though we prefer to call it a "whitelist". Each term is a hole poked in the initial state of "nothing allowed".

Don't add them if you don't need them, but they're in the spec because in some cases people do need them. In general the more specific you can be the better off, but there may be times that broad grants like "http:" make sense. Most likely you wouldn't use things like http in default-src. You might use it in img-src if your default-src was very locked-down. For example, the following CSP would only allow site-origin resources except images, which can be loaded from anywhere on the web:

default-src 'self'; img-src https: http: ;

-Dan Veditz
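As an added illustration (not part of Dan's message, and not browser code), a small Python model of the two rules he describes: a directive with an empty value means 'none', and a fetch directive that is absent inherits default-src. The directive set, the simplified source matching and the sample policy are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when absent
# (subset of the CSP3 list; enough for this example).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
}

def parse_policy(header):
    """Serialized CSP -> {directive: [source expressions]}.
    A directive with no value ("default-src ;") becomes ["'none'"]."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty token, e.g. the trailing ";"
        name, sources = parts[0].lower(), parts[1:]
        if name not in policy:  # a repeated directive is ignored, first wins
            policy[name] = sources or ["'none'"]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`: its own value, else default-src,
    else None (unrestricted) when neither is present."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None

def _matches(source, url, page_origin):
    """Match one source expression against url: keywords, scheme-source,
    and exact-origin host-source (wildcards and paths are omitted here)."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source.endswith(":"):  # scheme-source; CSP3 lets http: also match https
        scheme = source[:-1]
        return u.scheme == scheme or (scheme, u.scheme) in {("http", "https"), ("ws", "wss")}
    return source == origin

def allows(policy, directive, url, page_origin):
    """Would a fetch governed by `directive` for `url` be permitted?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # nothing constrains this directive
    return any(_matches(s, url, page_origin) for s in sources)
```

With the policy from the message, `allows(policy, "img-src", "http://anywhere.example/a.png", "https://site.example")` is True while the same URL under script-src falls back to 'self' and is refused.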