google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

Missing *-src directives when default-src is unspecified #67

Closed hansmach1ne closed 1 month ago

hansmach1ne commented 1 month ago

The following CSP is regarded as secure: Content-Security-Policy: script-src 'none'; object-src 'none'

When default-src is unspecified, any of the following directives that are not present are therefore also unspecified:

style-src
img-src
connect-src
font-src
media-src
frame-src
child-src
worker-src
manifest-src
prefetch-src

There are a couple of issues here, specifically when default-src is missing:

a) If style-src is explicitly not specified or unsafe-inline, an attacker can leak parts of the HTML code with inline CSS injection.

b) If, for example, img-src is explicitly not specified, an attacker can overwrite the server-defined Referrer-Policy by injecting an <img> tag with its own referrerpolicy attribute and leak the full URL of the page where the injection is present. Check https://issuetracker.google.com/issues/332052787 for more info.

c) Firefox and some other browsers have no Dangling Markup protections in place, which means an attacker can reference their own site via any of those *-src directives and achieve cross-site leakage.
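As an added example (not part of the issue above and not code from the csp-evaluator project), the following JavaScript resolves which fetch directives a policy actually restricts by walking the CSP Level 3 fallback chain, and flags inline styles, so the gap the issue describes can be checked mechanically. The function names, the sample policies and the directive list are assumptions of this example; the fallback order itself (worker-src falls back to child-src, then script-src, then default-src; frame-src to child-src, then default-src; everything else straight to default-src) is the one the CSP3 specification defines, which is why script-src 'none' alone still covers worker-src while leaving the other directives open.

```javascript
// Added example, not code from csp-evaluator or from the issue author.
// Resolves which CSP fetch directives a policy actually restricts, using the
// CSP Level 3 fallback chain, so a policy such as
// "script-src 'none'; object-src 'none'" can be checked for the gaps
// described in the issue.

// Fetch directives to audit: the issue's list plus script-src and object-src.
// prefetch-src has been dropped from the spec, but it is kept here because
// the issue lists it.
const FETCH_DIRECTIVES = [
  'script-src', 'object-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src', 'prefetch-src',
];

// CSP Level 3 fallback order. A directive not listed here falls straight
// back to default-src.
const FALLBACK = {
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
};

// Parse a Content-Security-Policy header value into a Map of directive name
// -> source list. Per the spec, a repeated directive name is ignored (the
// first occurrence wins) and names are ASCII case-insensitive.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Walk the fallback chain and return the directive that governs `directive`,
// or null when nothing in the chain is present (the fetch is unrestricted).
function governingDirective(policy, directive) {
  const chain = [directive, ...(FALLBACK[directive] || ['default-src'])];
  for (const name of chain) {
    if (policy.has(name)) return { name, sources: policy.get(name) };
  }
  return null;
}

// Point (a) of the issue: inline CSS is allowed when style-src is absent
// (with no default-src) or carries 'unsafe-inline'. Since CSP Level 2,
// 'unsafe-inline' is ignored when a nonce or hash is present in the same list.
function allowsInlineStyles(policy) {
  const style = governingDirective(policy, 'style-src');
  if (style === null) return true;
  const sources = style.sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Audit a header value. Returns the fetch directives that end up with no
// restriction at all (an unrestricted img-src is what enables the
// referrerpolicy leak in point (b), and any unrestricted directive enables
// the dangling-markup leak in point (c)), plus whether inline styles are allowed.
function auditFetchDirectives(header) {
  const policy = parseCsp(header);
  const unrestricted = FETCH_DIRECTIVES.filter(
    (directive) => governingDirective(policy, directive) === null,
  );
  return { unrestricted, inlineStyles: allowsInlineStyles(policy) };
}

// Constructed sample policies: the one from the issue, and a version that
// closes the gap by adding a restrictive default-src.
const WEAK_POLICY = "script-src 'none'; object-src 'none'";
const HARDENED_POLICY = "default-src 'none'; script-src 'none'; object-src 'none'";

// Stand-alone demo.
for (const [label, policy] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  const result = auditFetchDirectives(policy);
  console.log(`${label}: unrestricted=${JSON.stringify(result.unrestricted)} inlineStyles=${result.inlineStyles}`);
}
```

Run it with node: for the weak policy the audit reports style-src, img-src, connect-src, font-src, media-src, frame-src, child-src, manifest-src and prefetch-src as unrestricted and inline styles as allowed; for the hardened policy it reports nothing, since default-src 'none' now governs every directive that is not set explicitly. Adding default-src 'none' (or another restrictive default) is the fix the audit points at; an XSS-focused evaluator that only looks at script-src and object-src will not flag its absence.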

lweichselbaum commented 1 month ago

Thank you for your comment. The CSP Evaluator is assessing CSPs for their ability to mitigate XSS and does not cover other use cases like mitigating data leaks.