The current default, Header set Content-Security-Policy "script-src 'self'; object-src 'self'", means authors need to explicitly specify all types of directives that apply, which may be a bit tedious to set up and maintain. For example (not considering cross-origin resources), a site's policy could eventually look something like:
Header set Content-Security-Policy
"base-uri 'none';
connect-src 'self';
font-src 'self';
form-action 'self';
frame-ancestors 'none';
img-src 'self';
manifest-src 'self';
media-src 'self';
object-src 'self';
prefetch-src 'self';
style-src 'self';
script-src 'self';
worker-src 'self';
upgrade-insecure-requests"
Instead I suggest setting default-src 'self', which acts as a fallback source for all fetch directives.
With this approach, you would still need to include:
- the base-uri document directive.
- the form-action and frame-ancestors [suggested in #154] navigation directives.
This is important because, unlike fetch directives, the document and navigation directives do not fall back to default-src, and allow all origins by default.
A new example default policy might look like:
Header set Content-Security-Policy
"base-uri 'none'; #[1]
default-src 'self';
form-action 'self';
frame-ancestors 'none';
upgrade-insecure-requests" #[2]
[1] Note that setting base-uri to 'self' while not intending to use the <base> element could break site functionality if an attacker manages to inject a <base href="https://my-site.com">. Because the majority of sites do not use the base element, the value 'none' may be a better default.
[2] Additionally, the upgrade-insecure-requests directive is recommended for secure context configurations to prevent mixed content.
Finally, I think having an example of adding an external resource would be useful, such as allowing fonts from another origin.
font-src is a fetch directive and falls back to default-src; however, we still need to specify 'self' if we wish to add an external URL such as Google Fonts:
font-src 'self' https://fonts.googleapis.com;
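The fallback behaviour described in the comment above can be checked mechanically. The following is an added example (not code from the thread or from the project whose default policy is under discussion): a small model of CSP source-list fallback that parses a header value, resolves which source list actually governs a given directive, and lists the document and navigation directives a policy leaves wide open. The fallback chains in FALLBACK follow CSP Level 3 as I understand it and go slightly beyond the comment by including the child-src/frame-src/worker-src chain; the origin matcher handles only 'none', 'self' and exact https://host origins, which is all the policies above use. The sample policies and the origin https://my-site.com are constructed for the example.

```python
"""Model of CSP source-list fallback (added example, not from the original thread).

Assumptions: fallback chains per CSP Level 3 as understood by the author of this
example; only 'none', 'self' and exact scheme+host origins are matched.
"""
from __future__ import annotations

SELF_ORIGIN = "https://my-site.com"  # hypothetical origin of the site being protected

# Directive -> chain consulted when the directive itself is absent.
# Fetch directives end at default-src; document/navigation directives have no
# chain, so a policy that omits them leaves them unrestricted.
FALLBACK: dict[str, list[str]] = {
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "prefetch-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "base-uri": [],
    "form-action": [],
    "frame-ancestors": [],
}
NO_FALLBACK = [d for d, chain in FALLBACK.items() if not chain]

# Constructed policies: the naive one relies on default-src alone, the other
# two are the suggested default and the Google Fonts extension from the comment.
NAIVE = "default-src 'self'"
SUGGESTED = ("base-uri 'none'; default-src 'self'; form-action 'self'; "
             "frame-ancestors 'none'; upgrade-insecure-requests")
WITH_FONTS = SUGGESTED + "; font-src 'self' https://fonts.googleapis.com"


def parse_policy(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are ';'-separated and case-insensitive; if a directive is
    repeated, browsers keep the first occurrence and ignore the rest.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list actually enforced for `directive`, walking FALLBACK.

    None means nothing governs the directive: every origin is allowed.
    """
    for name in [directive, *FALLBACK.get(directive, [])]:
        if name in policy:
            return policy[name]
    return None


def source_allows(sources: list[str] | None, origin: str, self_origin: str = SELF_ORIGIN) -> bool:
    """Minimal source-expression match: 'self' and exact origins only."""
    if sources is None:  # ungoverned directive: allowed
        return True
    for src in sources:
        if src == "'self'" and origin == self_origin:
            return True
        if src.lower() == origin.lower():  # e.g. https://fonts.googleapis.com
            return True
    return False  # covers a bare 'none' as well


def allows(header: str, directive: str, origin: str) -> bool:
    """Would a policy with this header permit `origin` for `directive`?"""
    return source_allows(effective_sources(parse_policy(header), directive), origin)


def unrestricted(header: str) -> list[str]:
    """Document/navigation directives the policy leaves wide open."""
    policy = parse_policy(header)
    return [d for d in NO_FALLBACK if d not in policy]


if __name__ == "__main__":
    for label, header in (("naive", NAIVE), ("suggested", SUGGESTED), ("with fonts", WITH_FONTS)):
        print(f"{label:>10}: unrestricted={unrestricted(header)} "
              f"font-src->googleapis={allows(header, 'font-src', 'https://fonts.googleapis.com')} "
              f"form-action->attacker={allows(header, 'form-action', 'https://attacker.example')}")
```

Running it shows the point of the comment: with only default-src 'self', form-action and frame-ancestors still accept any origin, while font-src and even worker-src already inherit 'self' through the fallback chain; adding the fonts origin to font-src requires repeating 'self' because an explicit directive replaces, rather than extends, the inherited list.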