
Set `default-src` CSP Attribute to `none` by default

Open · rzhade3 opened this issue 3 years ago · 1 comment

At GitHub, we set the default-src CSP attribute to none. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted.

It would be desirable to set this default in secure_headers as well:

https://github.com/github/secure_headers/blob/7f89df2dafb22f1833702eef4a01d4794b2066f0/lib/secure_headers/headers/content_security_policy_config.rb#L133

This would be a breaking change, so if this is desirable, it would fit in well with https://github.com/github/secure_headers/issues/480

rzhade3, Apr 05 '22 17:04

> At GitHub, we set the default-src CSP attribute to none. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted.

I see the idea, but I wonder if we should have a broader “defaults” feature. For example, base-uri is a weird one. It by default allows any URI, and does not respect default-src. So maybe in that spirit we want to provide a base-uri with a default unless specifically stated, or OPT_OUT or something along those lines.

vcsjones, Apr 15 '22 21:04
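As an added illustration of both comments above (example code written here, not from the secure_headers project): a hash in the style of a secure_headers `csp:` config with `default-src 'none'`, a serializer to the header value, and a check for the directives that do not inherit from `default-src`. The helpers `build_csp` and `uncovered_directives`, the `NO_FALLBACK` list and the sample config are this example's own assumptions.

```ruby
# Added example, not secure_headers' own code. It shows why `default-src 'none'`
# alone is not the whole story: per the CSP spec, some directives never fall
# back to default-src, so they must be set explicitly (vcsjones' base-uri point).

# Directives without a default-src fallback (CSP Level 3). Constructed list.
NO_FALLBACK = %w[base-uri form-action frame-ancestors].freeze

# Map a secure_headers-style key (e.g. :default_src) to its directive name.
def directive_name(key)
  key.to_s.tr("_", "-")
end

# Serialize a config hash into a Content-Security-Policy header value.
# Hash insertion order is preserved, so output is deterministic.
def build_csp(config)
  config.map { |key, values| "#{directive_name(key)} #{Array(values).join(' ')}" }
        .join("; ")
end

# Directives that are absent from the config AND would not be covered by
# default-src; each of these is effectively unrestricted until set.
def uncovered_directives(config)
  present = config.keys.map { |k| directive_name(k) }
  NO_FALLBACK - present
end

# Constructed config: default-src 'none', then only explicit allowlists.
STRICT_CONFIG = {
  default_src: %w['none'],
  script_src: %w['self' https://cdn.example.com],
  style_src: %w['self'],
  img_src: %w['self' data:],
  base_uri: %w['self'],
  form_action: %w['self'],
  frame_ancestors: %w['none'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts build_csp(STRICT_CONFIG)
  # default-src 'none' alone leaves base-uri, form-action, frame-ancestors open.
  p uncovered_directives(default_src: %w['none'])
  # The strict config covers all of them.
  p uncovered_directives(STRICT_CONFIG)
end
```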