The `csp_defaultsrc_none` test fails if the CSP starts with `base-uri`:

```
[FAIL] Content-Security-Policy header should start with default-src 'none' (base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' ...)
```

Which makes sense, but it may be possible that this is a legitimate order, because `base-uri` does have the `default-src` fallback, according to the documentation? 🤔

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
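An added example, not part of the original issue and not the checker's own code, showing why a `startswith` test is brittle: the CSP grammar is a `;`-separated list of directives whose order carries no meaning, so the right check is to parse the header and inspect `default-src` wherever it sits. The `NO_FALLBACK` set and `CHAINS` table below are my reading of the CSP3 directive definitions (the linked MDN page lists `base-uri` as a directive that does not fall back to `default-src`, so it must be set explicitly regardless of position); `ISSUE_CSP` is the header from the failing test output.

```python
"""Order-independent check for default-src 'none', plus the fallback rules
that decide what governs a directive the policy does not name."""

# Directives that never inherit from default-src (assumption: taken from the
# CSP3 directive tables; base-uri is among them per the linked MDN page).
NO_FALLBACK = {
    "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests",
    "block-all-mixed-content", "require-trusted-types-for", "trusted-types",
}

# Intermediate fallback steps consulted before default-src (assumption: CSP3).
CHAINS = {
    "script-src-elem": ["script-src"],
    "script-src-attr": ["script-src"],
    "style-src-elem": ["style-src"],
    "style-src-attr": ["style-src"],
    "frame-src": ["child-src"],
    "worker-src": ["child-src", "script-src"],
}

# Header taken from the [FAIL] line in the issue above.
ISSUE_CSP = "base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self'"


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive; when a directive is repeated the
    first occurrence wins, which is what the spec tells user agents to do.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def startswith_check(header):
    """The order-sensitive check the issue describes: position, not content."""
    return header.strip().lower().startswith("default-src 'none'")


def default_src_none(header):
    """Order-independent equivalent: default-src is present and is exactly 'none'."""
    sources = parse_csp(header).get("default-src", [])
    return [s.lower() for s in sources] == ["'none'"]


def effective_sources(policy, directive):
    """Return the source list that governs `directive` after fallback.

    Walks the directive itself, then its CHAINS entries, then default-src
    unless the directive is in NO_FALLBACK. Returns None when nothing
    governs it, i.e. the directive is unrestricted.
    """
    for name in [directive, *CHAINS.get(directive, [])]:
        if name in policy:
            return policy[name]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


if __name__ == "__main__":
    print("startswith:", startswith_check(ISSUE_CSP))
    print("parsed    :", default_src_none(ISSUE_CSP))
    p = parse_csp(ISSUE_CSP)
    for d in ("script-src", "font-src", "base-uri", "form-action"):
        print(f"{d:12} -> {effective_sources(p, d)}")
```

Running it shows the two checks disagree on the issue's header only because of ordering; it also shows that with `default-src 'none'` alone, `form-action` stays unrestricted while `script-src` does inherit `'none'`, which is the distinction a header checker should be making rather than looking at byte position.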