CSP header should start with default-src 'none', but what if 'base-uri'?

The `csp_defaultsrc_none` test fails if the CSP starts with 'base-uri';

```
[FAIL] Content-Security-Policy header should start with default-src 'none' (base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' ...)
```
 
 
Which makes sense, but it may be possible that this is a legitimate order, because `base-uri` does have the `default-src` fallback, according to the documentation? 🤔

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP header should start with default-src 'none', but what if 'base-uri'? #37

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CSP header should start with default-src 'none', but what if 'base-uri'? #37

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions