Open mozfreddyb opened 5 years ago
The `'none'` token itself does restrict nothing; it's used just for visual convenience when specifying an empty sources list in some directives. Restrictive is only an empty list of sources (again, in some directives only).
According to the CSP spec `default-src 'none';` is absolutely the same as `default-src ;` with an empty list of sources.
It has always been this way, since the CSP level 1 spec.
How are you supposed to interpret this absolutely legitimate rule set:
`script-src 'none' 'report-sample'`
Deprive the user of the code samples that caused the violation?
I think it's better to let the browser operate according to the CSP spec.
I'm wondering how a browser should parse a CSP that's `img-src 'none' https://example.com`. So far I see Chrome and Firefox dropping the `'none'`. Shouldn't they fail closed and not allow any other source expression when `'none'` is present?
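The two behaviours discussed in this thread (a lone `'none'` or an empty source list blocking everything, versus a `'none'` that sits next to other expressions simply never matching) can be made concrete with a small matcher. The following is an added example written for this page; it is not code from Chrome, Firefox, or any participant. It models the CSP Level 3 "parse a source list" and "Does url match source list?" steps for exactly the cases above, and deliberately simplifies everything else: only scheme-sources and plain host-sources are matched (no wildcards, paths, `'self'`, nonces or hashes), and `'report-sample'` is treated as a keyword that never matches a URL. All function names and the sample policies are this example's own.

```python
"""Toy CSP source-list matcher illustrating how 'none' is handled.

Added example (not browser code). Assumptions: only scheme-sources such
as "https:" and host-sources such as "https://example.com" are matched;
keywords other than 'none' and 'report-sample' are not modelled.
"""
from urllib.parse import urlsplit

# Keywords that are legal in a source list but never match a URL by themselves.
NON_MATCHING_KEYWORDS = {"'none'", "'report-sample'"}


def parse_source_list(value: str) -> list[str]:
    """Split a directive value into source expressions.

    A value consisting solely of 'none' becomes the empty list; a 'none'
    that appears alongside other expressions is kept as an ordinary token.
    """
    tokens = value.split()
    if len(tokens) == 1 and tokens[0].lower() == "'none'":
        return []
    return tokens


def parse_policy(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into directive -> sources.
    The first occurrence of a directive name wins; names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, *value = parts
        policy.setdefault(name.lower(), parse_source_list(" ".join(value)))
    return policy


def host_source_matches(expr: str, url: str) -> bool:
    """Simplified scheme-source / host-source match (assumption: no wildcards or paths)."""
    u = urlsplit(url)
    if expr.endswith(":") and "/" not in expr:          # scheme-source, e.g. "https:"
        return u.scheme.lower() == expr[:-1].lower()
    if "://" not in expr:                                 # bare host, e.g. "example.com"
        expr = "//" + expr
    e = urlsplit(expr)
    if e.scheme and e.scheme.lower() != u.scheme.lower():
        return False
    if e.hostname and e.hostname.lower() != (u.hostname or "").lower():
        return False
    if e.port is not None and e.port != u.port:
        return False
    return True


def source_list_allows(source_list: list[str], url: str) -> bool:
    """Does url match the source list?

    An empty list, or a list whose only element is 'none', matches nothing.
    Otherwise each expression is tried in turn; keyword tokens that cannot
    match a URL (including a stray 'none') are skipped rather than failing
    the whole list, which is why 'none' next to a host is effectively dropped.
    """
    if not source_list:
        return False
    if len(source_list) == 1 and source_list[0].lower() == "'none'":
        return False
    for expr in source_list:
        if expr.lower() in NON_MATCHING_KEYWORDS:
            continue
        if expr.startswith("'"):      # other keywords ('self', nonces, hashes) not modelled
            continue
        if host_source_matches(expr, url):
            return True
    return False


def policy_allows(header: str, directive: str, url: str) -> bool:
    """Decide whether `url` may load under `directive`, falling back to default-src."""
    policy = parse_policy(header)
    source_list = policy.get(directive.lower(), policy.get("default-src"))
    if source_list is None:
        return True  # no governing directive: nothing restricts the load
    return source_list_allows(source_list, url)


if __name__ == "__main__":
    # Constructed sample policies taken from the discussion above.
    print(policy_allows("img-src 'none' https://example.com", "img-src",
                        "https://example.com/a.png"))        # True: 'none' is ignored
    print(policy_allows("script-src 'none' 'report-sample'", "script-src",
                        "https://example.com/x.js"))         # False: no expression matches
    print(policy_allows("default-src ;", "img-src",
                        "https://example.com/a.png"))        # False: empty list
```

Running the block shows the point made in the reply: `img-src 'none' https://example.com` admits `example.com` because the stray `'none'` is just an expression that never matches, while `script-src 'none' 'report-sample'` still blocks every script, since neither token can match a URL. An empty list (`default-src ;`) and a lone `'none'` behave identically.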