At GitHub, we set the `default-src` CSP attribute to `none`. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted.

It would be desirable to set this default in `secure_headers` as well:

secure_headers/lib/secure_headers/headers/content_security_policy_config.rb, line 133 in 7f89df2:

```ruby
default_src: %w('self' https:),
```

This would be a breaking change, so if this is desirable, this would fit well in with #480
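To make the difference between the two defaults concrete, here is an added example that is not code from the secure_headers gem or from the issue author. The config hashes follow the gem's `directive_name: %w(...)` convention, but `csp_header`, `effective_sources` and `allowed?` are a hypothetical stand-in for the gem's own serializer and for the browser's source matching, and `PAGE` and the resource URLs are constructed. It shows that with `default_src: %w('self' https:)` every fetch directive the app forgets to set silently accepts any https origin, while with `'none'` only what is explicitly allowlisted loads.

```ruby
require "uri"

# Serialize a secure_headers-style hash into a Content-Security-Policy value.
# Assumes the gem's convention: underscore symbol keys, arrays of quoted
# keywords ('self', 'none') and scheme/host sources (hypothetical helper).
def csp_header(config)
  config.map { |d, srcs| "#{d.to_s.tr('_', '-')} #{srcs.join(' ')}" }.join("; ")
end

# Fetch directives fall back to default-src when they are not set; that
# fallback is exactly what the default in the issue governs.
def effective_sources(config, directive)
  config.fetch(directive) { config.fetch(:default_src, []) }
end

# Decide whether a page at page_origin may load url under `directive`.
# Models 'self', 'none', scheme sources ("https:"), host sources and "*.host"
# wildcards; other keyword sources ('unsafe-inline' etc.) are not modelled.
def allowed?(config, directive, page_origin, url)
  sources = effective_sources(config, directive)
  return false if sources == ["'none'"]
  page = URI.parse(page_origin)
  res  = URI.parse(url)
  sources.any? do |src|
    case src
    when "'self'"
      res.scheme == page.scheme && res.host == page.host && res.port == page.port
    when /\A[a-z][a-z0-9+.-]*:\z/i          # scheme source, e.g. "https:"
      res.scheme == src.chomp(":")
    when "*"
      true
    else                                     # host source, optional scheme and wildcard
      host_src  = src.sub(%r{\A[a-z][a-z0-9+.-]*://}i, "")
      scheme_ok = !src.include?("://") || res.scheme == src.split("://").first
      if host_src.start_with?("*.")
        scheme_ok && res.host.end_with?(host_src[1..])
      else
        scheme_ok && res.host == host_src
      end
    end
  end
end

# The gem's current default as quoted in the issue, with only script-src set:
# every other fetch directive inherits 'self' https:.
PERMISSIVE = {
  default_src: %w('self' https:),
  script_src:  %w('self'),
}.freeze

# The proposed default: deny everything, then allowlist per directive.
STRICT = {
  default_src: %w('none'),
  script_src:  %w('self'),
  style_src:   %w('self'),
  img_src:     %w('self' https://images.example.com),
  connect_src: %w('self'),
}.freeze

PAGE = "https://app.example.com" # constructed page origin

# Constructed resource loads that exercise the fallback behaviour.
def decisions(config)
  {
    own_script:      allowed?(config, :script_src, PAGE, "https://app.example.com/app.js"),
    cdn_script:      allowed?(config, :script_src, PAGE, "https://cdn.example.net/lib.js"),
    any_https_frame: allowed?(config, :frame_src,  PAGE, "https://evil.example.org/"),
    allowlisted_img: allowed?(config, :img_src,    PAGE, "https://images.example.com/a.png"),
    other_img:       allowed?(config, :img_src,    PAGE, "https://cdn.example.net/a.png"),
  }
end

if __FILE__ == $PROGRAM_NAME
  { "permissive" => PERMISSIVE, "strict" => STRICT }.each do |name, cfg|
    puts "#{name}: #{csp_header(cfg)}"
    decisions(cfg).each { |k, v| puts "  #{k}: #{v ? 'allowed' : 'blocked'}" }
  end
end
```

Under `PERMISSIVE`, the unset `frame-src` and `img-src` inherit `'self' https:`, so an https frame from an arbitrary origin is allowed; under `STRICT` they inherit `'none'` and are blocked unless the app names a source, which is the "only what the user explicitly allowlisted" behaviour the issue describes.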