Closed ddadon10 closed 4 years ago
Hi David,

`base-uri`, if missing, is already flagged as an issue if a nonce-based CSP is used (relative scripts can be redirected). For CSPs with a host allowlist this is not an issue because the host check would still apply.

`form-action` is currently out of scope as the CSP Evaluator is only checking if a CSP would provide a strong mitigation against XSS. Furthermore, CSP doesn't offer meaningful protection against data exfiltration (e.g. navigation is not covered by CSP and can be used to e.g. exfiltrate data). Once an attacker is able to execute scripts it's usually game over.
Hi, thanks for this website, it's very useful.

There are multiple directives that don't fall back to `default-src`. Not setting them is the same as allowing anything for these directives.

Without some of these directives set, like `form-action` or `base-uri`, it would be possible for a script to manipulate the DOM and allow transmission of data to malicious websites. Because of that, not setting these directives should be raised as a severity finding.
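The check the maintainer describes (missing `base-uri` flagged only when script loading is nonce- or hash-based) and the issue's point that some directives never inherit from `default-src`, as an added example that is not the CSP Evaluator's own code. The `NO_FALLBACK` set, the severity labels and the sample policies are assumptions made for this illustration.

```python
"""Flag CSP directives that do not fall back to default-src (constructed example)."""
import re
from typing import Dict, List

# Directives that never inherit from default-src; omitting them means "unrestricted".
# Assembled for this example; base-uri and form-action are the two the thread discusses.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def is_nonce_or_hash_based(sources: List[str]) -> bool:
    """True when script-src relies on 'nonce-...' or 'sha256/384/512-...' expressions."""
    return any(re.match(r"'(nonce|sha(256|384|512))-", s, re.I) for s in sources)


def evaluate(header: str) -> List[str]:
    """Return findings for a policy string, mirroring the reasoning in the thread."""
    policy = parse_csp(header)
    findings: List[str] = []
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "base-uri" not in policy:
        if is_nonce_or_hash_based(script_src):
            # An injected <base> tag re-bases relative script URLs, so a nonce/hash policy
            # no longer constrains where the script comes from (severity label assumed).
            findings.append("HIGH: base-uri missing; relative script URLs can be redirected")
        else:
            # A host allowlist still applies to the re-based URL, so this is informational.
            findings.append("INFO: base-uri missing (host allowlist still governs script loads)")
    for directive in sorted(NO_FALLBACK - policy.keys() - {"base-uri"}):
        # These do not fall back to default-src, so absence means "anything goes".
        findings.append(f"INFO: {directive} not set; it does not fall back to default-src")
    return findings
```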