Allow content source to fallback to default-src

Remove defaults for script-src, style-src, connect-src, and img-src so that they can fallback to default-src. The default for default-src has been changed from 'none' to 'self'. This seems to be a safe default especially as browsers implement prefetch-src. If stricter policies are needed they can be specified when loading this middleware.
sinatra · jkowens · Mar 13, 2020 · Nov 4, 2018 · Nov 4, 2018 · Mar 13, 2020
commit 4758d5fde0279ddc4d05b4526cfc0a32fab0eadd
diff --git a/rack-protection/lib/rack/protection/content_security_policy.rb b/rack-protection/lib/rack/protection/content_security_policy.rb
@@ -36,9 +36,7 @@ module Protection
     #          to be used in a policy.
     #
     class ContentSecurityPolicy < Base
-      default_options default_src: :none, script_src: "'self'",
-                      img_src: "'self'", style_src: "'self'",
-                      connect_src: "'self'", report_only: false
+      default_options default_src: "'self'", report_only: false
 
       DIRECTIVES = %i(base_uri child_src connect_src default_src
                       font_src form_action frame_ancestors frame_src

diff --git a/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb b/rack-protection/spec/lib/rack/protection/content_security_policy_spec.rb
@@ -4,7 +4,7 @@
   it 'should set the Content Security Policy' do
     expect(
       get('/', {}, 'wants' => 'text/html').headers["Content-Security-Policy"]
-    ).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    ).to eq("default-src 'self'")
   end
 
   it 'should not set the Content Security Policy for other content types' do
@@ -33,7 +33,7 @@
     end
 
     headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; connect-src 'self'; default-src none; disown-opener; img-src 'self'; script-src 'self'; style-src 'self'; upgrade-insecure_requests")
+    expect(headers["Content-Security-Policy"]).to eq("block-all_mixed_content; default-src 'self'; disown-opener; upgrade-insecure_requests")
   end
 
   it 'should ignore CSP3 no arg directives unless they are set to true' do
@@ -44,7 +44,7 @@
     end
 
     headers = get('/', {}, 'wants' => 'text/html').headers
-    expect(headers["Content-Security-Policy"]).to eq("connect-src 'self'; default-src none; img-src 'self'; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy"]).to eq("default-src 'self'")
   end
 
   it 'should allow changing report only' do
@@ -56,7 +56,7 @@
 
     headers = get('/', {}, 'wants' => 'text/html').headers
     expect(headers["Content-Security-Policy"]).to be_nil
-    expect(headers["Content-Security-Policy-Report-Only"]).to eq("connect-src 'self'; default-src none; img-src 'self'; report-uri /my_amazing_csp_report_parser; script-src 'self'; style-src 'self'")
+    expect(headers["Content-Security-Policy-Report-Only"]).to eq("default-src 'self'; report-uri /my_amazing_csp_report_parser")
   end
 
   it 'should not override the header if already set' do