I conducted a ZAP assessment on my application and received a flag 'CSP: Wildcard Directive' with a high confidence level. Still, I have not been able to locate the source of the wildcard directive. The CSP I use now:
script-src 'self' 'nonce-randomNonce' https://maps.googleapis.com/ https://lh3.ggpht.com/; style-src 'self' 'nonce-randomNonce' https://fonts.googleapis.com/; font-src 'self' https://fonts.googleapis.com/; img-src 'self' https://maps.gstatic.com/ ; worker-src 'self' blob:; connect-src 'self' https://maps.googleapis.com/;
Some notes:
The nonce in the header has been hardcoded as I am still working on generating random nonces
I expect the test to pass without any warnings since I am not using '*' anywhere.
Can someone find what is responsible for the Wildcard Directive flag, or tell me what it is that I am missing?
Thanks!
There is a set of CSP directives that do not fall back to the default source. If you haven't defined them, it's the same as setting *.
If you check the "Other Info" of the alert you should see specifics.
The following directives don't use default-src as a fallback. Remember that failing to set them is the same as allowing anything:
base-uri
form-action
frame-ancestors
plugin-types
report-uri
sandbox
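The check described in the answer above, as an added example that is not part of either post and is not ZAP's own scanner logic: a small Python script that parses a Content-Security-Policy header, reports any literal `*` source, lists which of the six directives named in the answer are missing (and therefore unrestricted), and additionally flags a missing default-src, since every fetch directive that is not explicitly set falls back to it. The function names, the constructed "hardened" policy and the report-uri path are assumptions of this example; the first sample policy is the one from the question.

```python
"""Report CSP directives that are effectively wildcarded (constructed example)."""

# Directives that never fall back to default-src, as listed in the answer.
# If one of these is absent from the policy, it is unrestricted.
NON_FALLBACK_DIRECTIVES = (
    "base-uri",
    "form-action",
    "frame-ancestors",
    "plugin-types",
    "report-uri",
    "sandbox",
)

# The policy from the question (copied as posted).
QUESTION_CSP = (
    "script-src 'self' 'nonce-randomNonce' https://maps.googleapis.com/ https://lh3.ggpht.com/; "
    "style-src 'self' 'nonce-randomNonce' https://fonts.googleapis.com/; "
    "font-src 'self' https://fonts.googleapis.com/; img-src 'self' https://maps.gstatic.com/ ; "
    "worker-src 'self' blob:; connect-src 'self' https://maps.googleapis.com/;"
)

# A constructed policy that sets every non-fallback directive plus default-src.
# The report-uri path and the sandbox flags are placeholder values for this example.
HARDENED_CSP = (
    QUESTION_CSP
    + " default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
    + " plugin-types application/pdf; report-uri /csp-report-placeholder;"
    + " sandbox allow-scripts allow-same-origin allow-forms"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lower-cased. When a directive appears
    twice, only the first occurrence is kept, which matches how CSP is enforced.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def find_wildcard_issues(header: str) -> list[str]:
    """Return one finding per directive that allows anything.

    Only a literal '*' source is reported as an explicit wildcard; host
    patterns such as https://*.example.com are not examined here.
    """
    policy = parse_csp(header)
    findings: list[str] = []

    # 1. Explicit '*' sources anywhere in the policy.
    for name, sources in policy.items():
        if "*" in sources:
            findings.append(f"{name}: explicit '*' source")

    # 2. Directives that do not fall back to default-src: absent means unrestricted.
    for name in NON_FALLBACK_DIRECTIVES:
        if name not in policy:
            findings.append(
                f"{name}: not set and does not fall back to default-src (same as *)"
            )

    # 3. Without default-src, every fetch directive that is not set is unrestricted.
    if "default-src" not in policy:
        findings.append(
            "default-src: not set, so any unlisted fetch directive is unrestricted"
        )

    return findings


if __name__ == "__main__":
    for label, csp in (("question policy", QUESTION_CSP), ("hardened policy", HARDENED_CSP)):
        issues = find_wildcard_issues(csp)
        print(f"{label}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

Running it against the policy from the question lists all six directives from the answer as missing, plus the absent default-src, even though no `*` appears anywhere in the header; the constructed hardened policy produces no findings. Checking the "Other Info" field of the ZAP alert, as the answer suggests, should name the same directives.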