base-uri must be defined to have blocking behaviour.
If default-src is not defined many directives will have no fallback (and so will operate as if * was specified if they too are undefined by the CSP).
Some key directives that should not be emitted include:
default-src (obviously)
object-src
script-src
style-src
SecureHeaders should emit a warning if any directive that falls back to default-src is absent from CSP anddefault-src is also absent.
We should also enumerate things that do not fallback to default-src (like base-uri) and warn about these separately (regardless of whether default-src is present).
base-urimust be defined to have blocking behaviour. Ifdefault-srcis not defined many directives will have no fallback (and so will operate as if*was specified if they too are undefined by the CSP). Some key directives that should not be emitted include:default-src(obviously)object-srcscript-srcstyle-srcSecureHeaders should emit a warning if any directive that falls back to
default-srcis absent from CSP anddefault-srcis also absent.We should also enumerate things that do not fallback to
default-src(likebase-uri) and warn about these separately (regardless of whetherdefault-srcis present).