Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report missing CSP directives #55

Open
aidantwoods opened this issue Jul 24, 2017 · 0 comments
Open

Report missing CSP directives #55

aidantwoods opened this issue Jul 24, 2017 · 0 comments
Labels
enhancement
Milestone
Version 2.1

Comments

@aidantwoods
Copy link
Owner

aidantwoods commented Jul 24, 2017
edited
Loading

base-uri must be defined to have blocking behaviour.
If default-src is not defined many directives will have no fallback (and so will operate as if * was specified if they too are undefined by the CSP).
Some key directives that should not be emitted include:

  • default-src (obviously)
  • object-src
  • script-src
  • style-src

SecureHeaders should emit a warning if any directive that falls back to default-src is absent from CSP and default-src is also absent.

We should also enumerate things that do not fallback to default-src (like base-uri) and warn about these separately (regardless of whether default-src is present).
@aidantwoods aidantwoods added this to the Version 2.1 milestone Jul 24, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
Version 2.1
Development

No branches or pull requests
1 participant
@aidantwoods