Closed stefankreutz closed 1 year ago
Thanks for the report! You are right, this was a bug. The CSP analysis isn't optimal and should be overhauled at some point, but this particular problem should be fixed now (2dea29bf73497461f9ddda27e54b85d68a3db37f).
Thanks for fixing this issue! It works fine now.
With content security policies in both HTTP header and HTML `<meta>` element, Webbkoll ignores `default-src 'none'`.

Example report from https://webbkoll.dataskydd.net:

Test "Deny by default, using `default-src 'none'`" doesn't pass.

I think the policy of the `<meta>` element should restrict the policy in the HTTP header, and the deny by default test should pass.
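
The behaviour requested in this issue, as an added example that is not part of the original report and not Webbkoll's code: every CSP delivered by header or `<meta>` is enforced on its own, so a "deny by default" check can pass when any one enforced policy sets `default-src 'none'`. The function names and the sample policies are assumptions made up for this illustration.

```python
# Added example: not Webbkoll's code. The sample policies below are constructed.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}  # not honoured in <meta>

def parse_policy(text, from_meta=False):
    """Parse one serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for part in text.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives or (from_meta and name in META_IGNORED):
            continue  # first occurrence wins; <meta> drops unsupported directives
        directives[name] = tokens[1:]
    return directives

def collect_policies(header_values, meta_contents):
    """Return every enforced policy; each one restricts the page independently."""
    policies = []
    for value in header_values:
        for serialized in value.split(","):  # one header may carry a policy list
            policy = parse_policy(serialized)
            if policy:
                policies.append(policy)
    for content in meta_contents:
        policy = parse_policy(content, from_meta=True)
        if policy:
            policies.append(policy)
    return policies

def is_none(sources):
    """'none' only counts when it is the sole source expression."""
    return [s.lower() for s in sources] == ["'none'"]

def deny_by_default(policies):
    """True if at least one enforced policy sets default-src 'none'."""
    return any(is_none(p.get("default-src", [])) for p in policies)

# Constructed inputs: a permissive header tightened by a <meta> policy.
HEADER = "default-src 'self'; img-src https:"
META = "default-src 'none'; script-src 'self'; frame-ancestors 'none'"

if __name__ == "__main__":
    print(deny_by_default(collect_policies([HEADER], [])))      # header only
    print(deny_by_default(collect_policies([HEADER], [META])))  # header + <meta>
```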