
Basically all in the title.

Imagine a simple CSP like

Content-Security-Policy: script-src 'self'

What is the behaviour of directives that would normally fall back to default-src which are not specified such as img-src or frame-src? Will they default to open (allow everything) or default to closed (allow nothing)?

Unless I'm missing it, neither

specify the behaviour if directives are missing.

Mike Ounsworth

2 Answers


If no CSP is specified for a directive, it falls back to default-src.

If there is no default-src CSP, it does not fall back on any directive and thus it allows everything.

I have searched the RFC about it and I could hardly find anything to quote that would push my statement. However, this is implied multiple times.

To enforce a policy, the user agent MUST parse the policy and enforce each of the directives contained in the policy

default-src is a directive by itself. Thus, it WILL enforce default-src, whose action is to set the default value for all other directives. If default-src is absent, the browser does not have to enforce any default restriction for the other directives.

Xavier59

What is the behaviour of directives that would normally fall back to default-src which are not specified such as img-src or frame-src? Will they default to open (allow everything) or default to closed (allow nothing)?

A distinction should be made between 2 situations:

  1. the directive is specified with an empty list of sources, e.g. style-src ;. An empty source list means "as restrictive as possible"; for style-src it is equal to style-src 'none';

  2. no directive is specified at all. Common rule: if a directive is not specified, everything that this directive controls is allowed.

But CSP implements a fallback mechanism for some directives, so those can be implicitly set even when not specified.
And here the devil hides in the details, because they do not always inherit from default-src... Let's look at your example below:

Imagine a simple CSP like

Content-Security-Policy: script-src 'self'

What is the behaviour of directives that would normally fall back to default-src

So we have the worker-src directive not specified, and default-src too (meaning no restrictions if it falls back). Are workers allowed from any source or not?
The answer is:

  • Edge browser: yes, all workers are allowed from any source
  • other browsers: workers are allowed from 'self' only.

That's because the fallback works in a more complicated way: worker-src -> child-src -> script-src -> default-src.
So worker-src falls back to default-src only if both child-src and script-src are absent (Edge erroneously skips script-src in this chain).

Hence we have an additional rule:

  3. Fetch directives do fall back if omitted, but default-src is the final fallback, and some directives have intermediate ones.

The above is the theoretical part of the CSP spec. Some devils also hide in practical implementations. Therefore there is a rule 4:

  4. Don't rely on inheritance via default-src in complicated cases; it does not always work according to the spec. Do specify directives explicitly.

granty
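As an added worked example (not part of either answer): a small resolver that applies the rules both answers describe to the header from the question. It assumes the CSP3 fallback chains listed in `FALLBACK_CHAINS` (worker-src -> child-src -> script-src -> default-src, frame-src -> child-src -> default-src, everything else -> default-src); the `edgeQuirk` flag models the Edge behaviour the second answer mentions.

```javascript
// Fallback chains assumed from the CSP3 spec; directives not listed here
// fall back straight to default-src.
const FALLBACK_CHAINS = {
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
  'child-src': ['default-src'],
};

// Parse a Content-Security-Policy header value into { name: [sources] }.
// "style-src ;" yields an empty source list, which is distinct from absent.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective source list for a directive, walking its fallback chain.
// An empty list is reported as ["'none'"] (rule 1 of the second answer).
// null means no directive in the chain is set, so nothing is restricted
// (rule 2 of the second answer, and the first answer's point).
function effectiveSources(policy, directive, { edgeQuirk = false } = {}) {
  const chain = [directive, ...(FALLBACK_CHAINS[directive] || ['default-src'])];
  for (const name of chain) {
    // Edge quirk described in the answer: script-src skipped for worker-src.
    if (edgeQuirk && directive === 'worker-src' && name === 'script-src') continue;
    if (Object.prototype.hasOwnProperty.call(policy, name)) {
      return policy[name].length === 0 ? ["'none'"] : policy[name];
    }
  }
  return null;
}

// The header from the question (constructed input).
const questionPolicy = parseCsp("script-src 'self'");
console.log(effectiveSources(questionPolicy, 'img-src'));    // null: unrestricted
console.log(effectiveSources(questionPolicy, 'worker-src')); // ["'self'"] via script-src
console.log(effectiveSources(questionPolicy, 'worker-src', { edgeQuirk: true })); // null
```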