w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Parsing multiple sources when one of them is 'none'? #411

Open mozfreddyb opened 5 years ago

mozfreddyb commented 5 years ago

I'm wondering how a browser should parse a CSP that's img-src 'none' https://example.com. So far I see Chrome and Firefox dropping the 'none'. Shouldn't they fail closed and not allow any other source expression when 'none' is present?

egranty commented 4 years ago

The 'none' token itself restricts nothing; it's used just for visual convenience when specifying an empty sources list in some directives. Restrictive is only an empty list of sources (again, in some directives only). According to the CSP spec, default-src 'none'; is absolutely the same as default-src ; with an empty list of sources. It has always been this way, since the CSP level 1 spec.

How do you suppose one should interpret an absolutely legitimate rule set such as script-src 'none' 'report-sample'? Deprive the user of the code samples that caused the violation?

I think it's better to let browsers operate according to the CSP spec.
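The behaviour discussed in this thread can be checked against a small model of the spec's "Does url match source list" algorithm. This is an added example, not code from the webappsec-csp repository or from either commenter; it handles only the 'none' keyword, 'self' and plain scheme://host sources (no wildcards, ports or paths), and the policies, page origin (https://site.test) and URLs are constructed for illustration.

```javascript
// Added example: a reduced model of CSP3's "Does url match source list in
// origin" algorithm. Not reference code from the spec or the repository.
// Supports only 'none', 'self' and scheme://host sources, which is enough
// to show what 'none' does when it shares a list with other sources.

// Split a directive's serialized value into its source expressions.
function parseSourceList(serialized) {
  return serialized.trim().split(/\s+/).filter((t) => t.length > 0);
}

// Does a single source expression match the URL? The 'none' keyword is
// not a source expression that can match anything, so it contributes
// nothing when other expressions are present in the list.
function expressionMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;
  // Anything else is treated as scheme://host and compared by origin.
  try {
    return new URL(expr).origin === url.origin;
  } catch {
    return false; // unparseable expression (e.g. 'report-sample'): never matches
  }
}

// Modeled on the spec's special case: an empty list, or a list that is
// exactly ['none'], matches nothing. Otherwise the load is allowed if any
// expression matches, and a stray 'none' is simply skipped.
function urlMatchesSourceList(sourceList, url, pageOrigin) {
  if (sourceList.length === 0) return false;
  if (sourceList.length === 1 && sourceList[0].toLowerCase() === "'none'") return false;
  return sourceList.some((expr) => expressionMatches(expr, url, pageOrigin));
}

// Would this img-src value allow loading the given URL from the page origin?
function imgAllowed(directiveValue, urlString, pageOrigin = "https://site.test") {
  return urlMatchesSourceList(parseSourceList(directiveValue), new URL(urlString), pageOrigin);
}

// Constructed policies covering the cases raised in the thread.
const cases = [
  ["'none' https://example.com", "https://example.com/a.png"], // allowed: 'none' is ignored
  ["'none' https://example.com", "https://evil.test/a.png"],   // blocked: host does not match
  ["'none'", "https://example.com/a.png"],                     // blocked: list is exactly 'none'
  ["", "https://example.com/a.png"],                           // blocked: empty list
  ["'self'", "https://site.test/logo.png"],                    // allowed: same origin as page
];
for (const [policy, url] of cases) {
  console.log(`img-src ${policy} -> ${url}: ${imgAllowed(policy, url) ? "allowed" : "blocked"}`);
}
```

Under this model, img-src 'none' https://example.com behaves exactly like img-src https://example.com, matching what the first comment reports for Chrome and Firefox and what the second comment describes from the spec; the only policies that block every image are the empty list and the list consisting solely of 'none'.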