
CSP: `defaultSrc` should not be required

See original GitHub issue

The new CSP module says it is a lot less restrictive on policy definition, but it added some new restrictions.

defaultSrc is now apparently required, though if you follow guidelines like Google’s strict CSP, it is not necessary. https://csp.withgoogle.com/docs/strict-csp.html

If you read the specifications for V2 (https://www.w3.org/TR/CSP2/) and V3 (https://www.w3.org/TR/CSP3/), there is no mention that default-src is required.

But with the latest Helmet, now I must define a default even if I don’t want to use it. Without it I get: "Content-Security-Policy needs a default-src but none was provided".

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 24 (13 by maintainers)

Top GitHub Comments

1 reaction
EvanHahn commented, Dec 27, 2020

This has been released in helmet@4.3.0. Here’s how you disable default-src:

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
      // ...
    },
  })
);
0 reactions
EvanHahn commented, Dec 13, 2020

Makes sense. I’ll move forward with that pull request.
