too wide CSP header in redirect response

[ljeda]

CSP: Wildcard Directive

Issue Details:
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Parameter: content-security-policy

Evidence: default-src 'none'

Other Info:
The following directives are not defined: frame-ancestors, form-action.
The directives: frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.

Reference:
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
CWE Id 693
WASC Id 15
Plugin Id 10055

[wesleytodd]

Fixed in #190

[Phillip9587]

We had to revert this in #200 but we are going to investigate this for the next major release.

[ljeda]

@Phillip9587 OK, thanks for letting us know. Can I ask when in such case the fix could be expected to be released?