helmet: CSP: `defaultSrc` should not be required

The new CSP module says it is a lot less restrictive on policy definition, but it added some new restrictions.

defaultSrc is now apparently required, though if you follow guidelines like Google’s strict CSP, it is not necessary. https://csp.withgoogle.com/docs/strict-csp.html

If you read the specifications for V2 https://www.w3.org/TR/CSP2/ and V3 https://www.w3.org/TR/CSP3/, there is no mention that default-src is required.

But with the latest Helmet, now I must define a default even if I don’t want to use it. Without it I get "Content-Security-Policy needs a default-src but none was provided"

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 24 (13 by maintainers)

Most upvoted comments

This has been released in helmet@4.3.0. Here’s how you disable default-src:

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // Opt out of the default-src requirement (helmet >= 4.3.0)
      defaultSrc: helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc,
      // ...
    },
  })
);