andersju / webbkoll

An online tool that checks how a website is doing with regards to privacy
MIT License

CSP default-src 'none' not detected #37

Closed stefankreutz closed 1 year ago

stefankreutz commented 1 year ago

With content security policies in both the HTTP header and the HTML <meta> element, Webbkoll ignores default-src 'none'.

Example report from https://webbkoll.dataskydd.net:

Content Security Policy set in HTTP header: default-src 'none'; style-src 'self'; img-src 'self' data:; script-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'

Content Security Policy set in meta element: default-src 'none'; style-src 'self'; img-src 'self' data:

Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval'

Test "Deny by default, using default-src 'none'" doesn't pass.

I think the policy of the <meta> element should restrict the policy in the HTTP header, and the deny by default test should pass.
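The combination rule at stake here, as an added example that is not part of the original issue and not Webbkoll's own code: a browser enforces every delivered policy independently, so a load is permitted only if each policy permits it, and a directive that is missing from one policy falls back to that policy's default-src. A "deny by default" check should therefore pass when any delivered policy sets default-src 'none'. The two policies below are copied from the report above; the origin https://example.org, the sample URLs and the simplified source matching (keywords, scheme sources and exact origins only; no wildcards, paths, nonces or hashes) are assumptions made for the example. The example also applies the rule that frame-ancestors, report-uri and sandbox are ignored when a policy is delivered in a <meta> element.

```python
"""Minimal multi-policy CSP analysis (illustrative, not Webbkoll's code)."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]

# Fetch directives that fall back to default-src when a policy omits them.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src", "prefetch-src",
}
# Directives browsers ignore when the policy arrives via <meta http-equiv>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}


def parse_csp(policy: str, via_meta: bool = False) -> Policy:
    """Parse a serialized policy into {directive: [source expressions]}."""
    parsed: Policy = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in parsed:          # duplicate directive: first one wins
            continue
        if via_meta and name in META_IGNORED:
            continue
        parsed[name] = [p.lower() if p.startswith("'") else p for p in parts[1:]]
    return parsed


def effective_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list governing `directive` in one policy, or None if unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def source_allows(sources: List[str], origin_self: str, url: str) -> bool:
    """Simplified source matching: 'none', 'self', scheme: and exact origin."""
    if not sources or sources == ["'none'"]:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and origin == origin_self:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:   # e.g. data:
            return True
        if src == origin:
            return True
    return False


def allows(policies: List[Policy], directive: str, url: str, origin_self: str) -> bool:
    """A load succeeds only if every policy that governs the directive allows it."""
    for policy in policies:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue                # this policy does not restrict the directive
        if not source_allows(sources, origin_self, url):
            return False
    return True


def denies_by_default(policies: List[Policy]) -> bool:
    """The 'deny by default' test: any delivered policy with default-src 'none'."""
    return any(p.get("default-src") == ["'none'"] for p in policies)


def uses_unsafe(policies: List[Policy]) -> bool:
    unsafe = {"'unsafe-inline'", "'unsafe-eval'"}
    return any(unsafe & set(v) for p in policies for v in p.values())


# Policies quoted from the report; origin and URLs are assumed for the example.
HEADER = ("default-src 'none'; style-src 'self'; img-src 'self' data:; "
          "script-src 'self'; base-uri 'self'; form-action 'self'; "
          "frame-ancestors 'none'")
META = "default-src 'none'; style-src 'self'; img-src 'self' data:"
SELF = "https://example.org"
POLICIES = [parse_csp(HEADER), parse_csp(META, via_meta=True)]

if __name__ == "__main__":
    print("deny by default:", denies_by_default(POLICIES))
    print("unsafe-inline/eval:", uses_unsafe(POLICIES))
    # The header alone allows same-origin scripts; the <meta> policy has no
    # script-src, falls back to default-src 'none', and so blocks them.
    print("same-origin script, header only:",
          allows([POLICIES[0]], "script-src", f"{SELF}/app.js", SELF))
    print("same-origin script, header + meta:",
          allows(POLICIES, "script-src", f"{SELF}/app.js", SELF))
```

The last two lines are the point of the report: adding a second, stricter policy can only remove permissions, never grant them, so an analyzer must look at each delivered policy rather than at the header alone.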

andersju commented 1 year ago

Thanks for the report! You are right, this was a bug. The CSP analysis isn't optimal and should be overhauled at some point, but this particular problem should be fixed now (2dea29bf73497461f9ddda27e54b85d68a3db37f).

stefankreutz commented 1 year ago

Thanks for fixing this issue! It works fine now.