base-uri must be defined to have blocking behaviour.
If default-src is not defined, many directives will have no fallback (and so will operate as if * was specified if they too are undefined by the CSP).
Some key directives that should not be omitted include:
default-src (obviously)
object-src
script-src
style-src
SecureHeaders should emit a warning if any directive that falls back to default-src is absent from the CSP and default-src is also absent.
We should also enumerate the things that do not fall back to default-src (like base-uri) and warn about these separately (regardless of whether default-src is present).
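The check described above, as an added stand-alone example (not SecureHeaders' own code): it parses a CSP header, warns for every directive that would fall back to default-src when both are absent, and warns separately for the directives that have no default-src fallback at all. The two directive sets are assumptions drawn from the CSP specification, not from the library.

```python
"""Warn about missing fallbacks in a Content-Security-Policy header."""
from __future__ import annotations

# Fetch directives that end up falling back to default-src when absent
# (frame-src and worker-src first try child-src / script-src, but still
# reach default-src). Assumed from the CSP spec, not the SecureHeaders source.
FALLS_BACK_TO_DEFAULT = frozenset({
    "script-src", "style-src", "object-src", "img-src", "connect-src",
    "font-src", "media-src", "child-src", "frame-src", "worker-src",
    "manifest-src",
})

# Directives with NO fallback: when absent they impose no restriction at all.
NO_FALLBACK = frozenset({"base-uri", "form-action", "frame-ancestors"})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, *sources = tokens
        # A directive repeated within one policy is ignored after its first use.
        policy.setdefault(name.lower(), sources)
    return policy


def csp_warnings(policy: dict[str, list[str]]) -> list[str]:
    """Return the warnings a header-generating library should emit for `policy`."""
    warnings: list[str] = []
    if "default-src" not in policy:
        # Without default-src, every absent fetch directive behaves like '*'.
        for name in sorted(FALLS_BACK_TO_DEFAULT - policy.keys()):
            warnings.append(f"{name} absent and default-src absent: behaves as *")
    # These never fall back, so warn regardless of default-src.
    for name in sorted(NO_FALLBACK - policy.keys()):
        warnings.append(f"{name} absent: no default-src fallback, unrestricted")
    return warnings


if __name__ == "__main__":
    # Constructed sample header for demonstration.
    for line in csp_warnings(parse_csp("script-src 'self'; base-uri 'none'")):
        print(line)
```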