The default-src
has a special behavior as you can imagine it as a "fallback" or "alias" for other directives (such as script-src
, style-src
etc.).
At https://www.w3.org/TR/CSP3/#example-fae89c48 it is also mentioned that there is a certain "overwrite" behavior, if default-src
and one of its counterparts (e.g. script-src
) are mentioned in the same CSP header.
But what about order of the directives?
As an example: Is
Content-Security-Policy: default-src 'self'; script-src-elem https://example.com
semantically the same as
Content-Security-Policy: script-src-elem https://example.com; default-src 'self'
? Does now script-src-elem: 'self'
apply or script-src-elem: https://example.com
? I.e. is the string parsed from left to right or do we have "precedence by CSP directive name"?
https://www.w3.org/TR/CSP3/#framework-directives states that a policy is an ordered set of directives. This could suggest that order matters. However, the standard provides the statement that
For example: if the effective directive name is
worker-src
(meaning that we are currently checking a worker request), adefault-src
directive should not execute if a worker-src or script-src directive exists.
at https://www.w3.org/TR/CSP3/#should-directive-execute (emphasis provided by the author of this answer). This can be read that default-src
shall be ignored completely (independent of its position in a serialized-policy
), if a more specific CSP directive is provided.
A brief test also shows that contemporary browsers behave like this. Let's have an html file with the following content:
<img src="https://example.com/test.webp">
<br/>
<img src="test.webp">
This file is streamed by a webserver, which will add the following header to the html file's request:
Content-Security-Policy: default-src 'self'; img-src https://example.com
Content-Security-Policy: img-src https://example.com; default-src 'self'
The client (in my case a Firefox 121.0 (64-bit)) shows the same behavior for both variants: The first image (hosted on origin https://example.com
) is shown, whilst the loading of the second (hosted on 'self'
) is reported by the network tracer to be prohibited by CSP.
Although CSP's specification defines a policy to be an ordered list, the order of default-src
and img-src
do not matter. It is assumed that this is the same for all other directive names for which default-src
is defined as fallback.
Hence the evaluation is based on "precedence by CSP directive name".