Reputation: 13
Unable to find the Wildcard directive in my CSP
I conducted a ZAP assessment on my application, I received a flag 'CSP: Wildcard Directive' which has high confidence level. Still, I have not been able to locate the source of the wildcard directive. The CSP I use now:
script-src 'self' 'nonce-randomNonce' https://maps.googleapis.com/ https://lh3.ggpht.com/; style-src 'self' 'nonce-randomNonce' https://fonts.googleapis.com/; font-src 'self' https://fonts.googleapis.com/; img-src 'self' https://maps.gstatic.com/ ; worker-src 'self' blob:; connect-src 'self' https://maps.googleapis.com/;
Some notes:
The nonce in the header has been hardcoded as I am still working on generating random nonces
I expect the test to pass without any warnings since I am not using '*' anywhere.
Can someone find what is responsible for Wildcard Directive flag, or what is it that I am missing?
Thanks!
Upvotes: 1
Views: 111
Answers (1)
Reputation: 1528
There are a set of CSP directives that do not fall back to default source. If you haven't defined them it's the same as setting *
If you check the "Other Info" of the alert you should see specifics.
The following directives don't use
default-srcas a fallback. Remember that failing to set them is the same as allowing anything:
base-uriform-actionframe-ancestorsplugin-typesreport-urisandbox
Upvotes: 1
Related Questions
- Content Security Policy "data" not working for base64 Images in Chrome 28
- PHP / Mustache / CSP : scripts blocked by CSP despite use of nonce
- Laravel CSP (content security policy) frontegg ui integrate issue
- CSP Scanner: Wildcard Directive alert for OpenID Connect session management endpoint
- Sha hash not respected in CSP style-src
- Why CSP security header blocks google maps on Iphone?
- wildcard * in CSS for classes
- CSP policy error - Unable to show iframe from subdomain of primary source