We used ZAP 2.8 to scan our Angular web application implemented with IdentityServer4 (implicit flow).
It generated a Wildcard Directive alert (shown below), and I am not sure whether it is a security issue or not.
If it is a security issue, what should we do? The OpenID Connect session management endpoint is not part of our app; it is IdentityServer4 built-in functionality. Any suggestions? Thanks.
Medium (Medium) CSP Scanner: Wildcard Directive
Description: The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: frame-ancestor
URL: https://server103.abc.com:54231/services.identity/connect/checksession
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src 'none'; script-src 'sha256-ZT3q7lL9GXNGhPTB1Vvrvds2xw/kOV0zoeok2tiV23I='
The issue is that frame-ancestors isn't defined.
Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors: "default-src fallback: No. Not setting this allows anything."
So even though you did define default-src, frame-ancestors doesn't fall back to it, so since it's unspecified it'll accept anything.
It's up to you (or whoever controls the other component) if that's an issue or not.
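To make the fallback rule concrete, here is an added example (not from the question, the answer, ZAP or IdentityServer4) that parses a CSP header and reports whether framing is restricted. It uses the header value ZAP reported; the "hardened" variant and the origin https://app.example.com in it are constructed assumptions.

```python
"""Check whether a Content-Security-Policy header restricts who may frame the page."""
from typing import Dict, List, Optional

# Directives whose absence ultimately falls back to default-src.
# frame-ancestors is deliberately NOT in this set: it never falls back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "manifest-src",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore later ones.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources that apply to `directive`, or None when the browser places no restriction."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None  # no directive and no fallback: anything is allowed


def framable_from_anywhere(header: str) -> bool:
    """True when the policy does not restrict framing at all (ZAP's finding)."""
    return effective_sources(parse_csp(header), "frame-ancestors") is None


# Header value ZAP reported on the checksession endpoint (taken from the question).
REPORTED = "default-src 'none'; script-src 'sha256-ZT3q7lL9GXNGhPTB1Vvrvds2xw/kOV0zoeok2tiV23I='"
# Constructed hardened variant: only the relying-party origin may frame the page.
HARDENED = REPORTED + "; frame-ancestors https://app.example.com"

if __name__ == "__main__":
    for label, hdr in (("reported", REPORTED), ("hardened", HARDENED)):
        print(f"{label}: framable from anywhere = {framable_from_anywhere(hdr)}")
```

Note that the checksession page is meant to be loaded in an iframe by the relying party for OpenID Connect session management, so a value of 'none' would break that feature; restricting frame-ancestors to the client application's origin keeps it working while closing the gap ZAP flagged.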