CSP: flag policies missing both default-src and object-src#97
Open
dmchaledev wants to merge 1 commit into
Open
CSP: flag policies missing both default-src and object-src#97dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
object-src falls back to default-src, but only when default-src is actually set. A policy like `script-src 'self'; form-action 'self'` currently scores 20/30 (good, zero findings) even though it leaves object-src and every other unlisted fetch directive (img-src, media-src, connect-src, etc.) completely unrestricted with no fallback to inherit from. This is one of the most common real-world CSP misconfigurations and is flagged by every comparable scanner (Google's CSP Evaluator, Mozilla Observatory).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
checkCSP(src/rules.ts) already has explicit checks forform-actionandbase-uri— both directives that do not inherit fromdefault-src— with comments explaining exactly why. But it has no check for the far more common case: a policy that sets narrow fetch directives (e.g.script-src) and never setsdefault-srcat all.Per the CSP spec,
object-src,img-src,media-src,connect-src,frame-src,style-src,font-src,worker-src, etc. all fall back todefault-src— but only whendefault-srcis present. If it's omitted, every one of those directives that isn't explicitly listed defaults to allow-all.Concretely, before this change:
A policy that restricts scripts but leaves
object-src,img-src,media-src,connect-src,frame-src, etc. completely unrestricted scores full marks with zero findings. This is one of the most common real-world CSP misconfigurations (a site restrictsscript-srcfor XSS and assumes that's "the CSP," never realizing everything else defaults open) and is one of the first things flagged by comparable scanners — Google's CSP Evaluator (missing-default-src-fallback/ noobject-srcfallback) and Mozilla's HTTP Observatory both check for it.object-srcspecifically remains a legacy but still-audited vector:<object>/<embed>plugin content is not governed byscript-src, so without adefault-srcfallback or an explicitobject-src 'none', plugin-based content injection is entirely unrestricted.Fix
Added one more explicit check to
checkCSP, following the exact same pattern as the existingform-action/base-urichecks: if neitherdefault-srcnorobject-srcis present in the policy, deduct 2 points and emit a finding + remediation. Matchingobject-src 'none'or anydefault-src(regardless of its own value — that's already covered by the existing wildcard check) satisfies it.Changes
src/rules.ts: new check incheckCSP, same shape/weight (-2) as the existingbase-uricheck.test/analyzer.test.ts: 3 new tests (missing both → flagged,default-srcpresent → satisfied,object-src 'none'alone → satisfied) plus an existing test's expected score updated from 20 → 18, since its fixture policy (script-src+strict-dynamic/nonce, nodefault-src/object-src) is exactly the case this now catches.README.md: updated the CSP row in "Headers Checked" to mention the newobject-srcfallback check.Verified:
npm run typecheck,npm test(88/88 passing), andnpm run buildall pass locally. No other existing test needed changes — every other CSP fixture in the suite already setsdefault-srcexplicitly (even ones with bad/permissive values, which is a separate, already-covered wildcard check), so this is purely additive for the one gap it targets.🤖 Generated with Claude Code
Generated by Claude Code