webbkoll
CSP default-src 'none' not detected
With content security policies in both the HTTP header and the HTML <meta> element, Webbkoll ignores default-src 'none'.
Example report from https://webbkoll.dataskydd.net:
Content Security Policy set in HTTP header: default-src 'none'; style-src 'self'; img-src 'self' data:; script-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'
Content Security Policy set in meta element: default-src 'none'; style-src 'self'; img-src 'self' data:
Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval'
Test "Deny by default, using default-src 'none'" doesn't pass.
I think the policy of the <meta> element should restrict the policy in the HTTP header, and the deny by default test should pass.
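The combination rule the report relies on, as an added example that is not part of the issue or of Webbkoll's own analysis code: a browser enforces every delivered policy independently, so a load must be permitted by the header policy and by the <meta> policy, and within each policy a fetch directive that is absent falls back to that policy's own default-src. The two policies are the ones quoted in the report; the page origin, the sample URLs and the simplified source matcher ('self' compares full origins, no host wildcards) are assumptions made for the example.

```python
"""Model of how a browser combines several Content Security Policies.

Added example for the report above, not Webbkoll's code. It assumes a
simplified source matcher and models one CSP rule exactly: a load is
permitted only if every delivered policy permits it, with fetch
directives falling back to default-src inside each policy separately.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when a policy omits them.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}

# Policies copied from the Webbkoll report quoted in the issue.
HEADER_CSP = ("default-src 'none'; style-src 'self'; img-src 'self' data:; "
              "script-src 'self'; base-uri 'self'; form-action 'self'; "
              "frame-ancestors 'none'")
META_CSP = "default-src 'none'; style-src 'self'; img-src 'self' data:"
PAGE_ORIGIN = "https://example.org"  # constructed origin for the checks


def parse_csp(policy):
    """Parse a serialized CSP into {directive: [source expressions]}.

    A directive repeated inside one policy keeps its first occurrence;
    later duplicates are ignored, as browsers do.
    """
    parsed = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in parsed:
            parsed[parts[0].lower()] = parts[1:]
    return parsed


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{u.netloc.lower()}"


def _source_matches(src, url, page_origin):
    """Simplified source-expression matching against a URL."""
    s = src.lower()
    if s == "'self'":
        return _origin(url) == page_origin.lower()
    if s.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if s == "*":
        return True                # simplified; the spec excludes a few schemes
    if s.endswith(":"):            # scheme-source such as data:
        return urlsplit(url).scheme.lower() + ":" == s
    if "://" in s:                 # origin-style host-source
        return _origin(url) == s.rstrip("/")
    return urlsplit(url).hostname == s   # bare host-source, no wildcard support here


def allowed_by_policy(policy, directive, url, page_origin=PAGE_ORIGIN):
    """Evaluate one parsed policy; fetch directives fall back to default-src."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                # nothing in this policy governs the load
    return any(_source_matches(s, url, page_origin) for s in sources)


def allowed(policies, directive, url, page_origin=PAGE_ORIGIN):
    """A load must be permitted by every policy delivered for the document."""
    return all(allowed_by_policy(p, directive, url, page_origin) for p in policies)


def denies_by_default(policies):
    """The 'deny by default' check the issue is about: with several policies,
    one default-src 'none' is enough, because whatever that policy does not
    explicitly allow is blocked no matter what the other policies say."""
    return any(p.get("default-src") == ["'none'"] for p in policies)


if __name__ == "__main__":
    both = [parse_csp(HEADER_CSP), parse_csp(META_CSP)]
    print("deny by default:", denies_by_default(both))
    print("same-origin script:", allowed(both, "script-src", f"{PAGE_ORIGIN}/app.js"))
    print("data: image:", allowed(both, "img-src", "data:image/png;base64,AAAA"))
```

Run against the two policies from the report, the model shows why the reporter's expectation is the correct one: the header alone permits a same-origin script, but the <meta> policy has no script-src and falls back to its own default-src 'none', so with both policies in place the script is blocked. An analysis that only looks at the header, or that merges the two policies into one, would miss that and could also miss that deny-by-default is in effect.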
Thanks for the report! You are right, this was a bug. The CSP analysis isn't optimal and should be overhauled at some point, but this particular problem should be fixed now (2dea29bf73497461f9ddda27e54b85d68a3db37f).
Thanks for fixing this issue! It works fine now.