Need to figure out what this means. I thought we had CSP fixed (it's "default-src: 'self'") but I guess ZAP wants more.
Simon, can you help? I can't find this in a quick search of the source: https://github.com/zaproxy/zap-extensions/search?utf8=%E2%9C%93&q=wildcard&type=
Yeah, this is one case where the extra info ZAP usually provides is really helpful. However, when I've tried saving the full results the scans fail due to various resource issues :/ I've just run ZAP with the alpha cspscanner (https://github.com/zaproxy/zap-extensions/tree/alpha/src/org/zaproxy/zap/extension/cspscanner) and it's warned about:

Content-Security-Policy: default-src 'self'

The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: frame-ancestor

You didn't find that string in our source as we're using: https://github.com/shapesecurity/salvation :)
So I guess the issue is that we don't specify frame-ancestor, and its default value is too broad?
Yeah, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

If you don't need to support framing you can use: frame-ancestors 'none';
Ah, it looks like Express is helpfully injecting a different CSP for 404 errors...

Isn't that what you wanted? ;)
dustin@jemison ~ $ curl -v https://auth.taskcluster.net/v1
...
< HTTP/1.1 404 Not Found
...
< Content-Security-Policy: default-src 'self'

dustin@jemison ~ $ curl -v https://auth.taskcluster.net/
...
>
< HTTP/1.1 302 Found
...
< Content-Security-Policy: report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';
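The check ZAP's cspscanner is doing in comment 3, reproduced in Node.js so it can be run against the two headers captured with curl above. This is an added example and not code from ZAP, salvation, Express or the taskcluster auth service. It parses a Content-Security-Policy value and, for a chosen set of directives, reports any that are not defined (frame-ancestors has no default-src fallback, so leaving it out means unrestricted framing) or whose effective source list contains a wildcard or an overly broad source. The list of directives without a default-src fallback follows the CSP spec; the definition of "overly broad" in isBroad is an assumption made for this example, as are the function names.

```javascript
// Added example (not ZAP's, salvation's or taskcluster's code): a small CSP
// auditor reproducing the "wildcard sources, not defined, or overly broadly
// defined" check that the cspscanner alert above is based on.

// Directives that never fall back to default-src (per the CSP spec). Omitting
// one of these means "no restriction", which is the frame-ancestors problem
// discussed in the comments above.
const NO_DEFAULT_SRC_FALLBACK = new Set([
  'frame-ancestors', 'form-action', 'base-uri', 'sandbox', 'report-uri', 'report-to',
]);

// Parse "name src src; name src" into a Map of directive name -> source list.
// A directive that appears twice keeps its first occurrence, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const clause of header.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Assumption for this example: a source is "overly broad" if it is the bare
// wildcard, a wildcard host (*.example.com, *://host), or a scheme-only source
// such as https: that admits every host on that scheme. Keywords like 'self'
// and 'none' are quoted in CSP and never match.
function isBroad(source) {
  const s = source.toLowerCase();
  return s.startsWith('*') || /^https?:$/.test(s);
}

// Audit the directives named in `wanted`. Returns an array of findings
// { directive, reason, sources }; an empty array means the policy passes.
function auditCsp(header, wanted) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of wanted) {
    let sources = policy.get(directive);
    let via = directive;
    if (sources === undefined) {
      if (NO_DEFAULT_SRC_FALLBACK.has(directive) || !policy.has('default-src')) {
        findings.push({ directive, reason: 'not defined', sources: [] });
        continue;
      }
      // Fetch-type directives inherit default-src when they are absent.
      sources = policy.get('default-src');
      via = 'default-src';
    }
    const broad = sources.filter(isBroad);
    if (broad.length > 0) {
      findings.push({
        directive,
        reason: `wildcard or overly broad source via ${via}`,
        sources: broad,
      });
    }
  }
  return findings;
}

// The two headers captured with curl in the comment above: the 404 response
// (only default-src) and the 302 response (frame-ancestors 'none' set).
const HEADER_404 = "default-src 'self'";
const HEADER_302 = "report-uri /__cspreport__;default-src 'none';frame-ancestors 'none';";
const CHECKED = ['default-src', 'script-src', 'frame-ancestors'];

function report(header) {
  console.log(`Content-Security-Policy: ${header}`);
  const findings = auditCsp(header, CHECKED);
  if (findings.length === 0) console.log('  ok');
  for (const f of findings) {
    console.log(`  ${f.directive}: ${f.reason} ${f.sources.join(' ')}`.trimEnd());
  }
}

report(HEADER_404);
report(HEADER_302);
```

Run with `node csp-audit.js`: the 404 header is flagged for frame-ancestors ("not defined") and the 302 header passes, matching what ZAP reported. The curl output above shows the two responses carrying different policies, so whatever middleware sets the header in the Express app has to run on the 404 path as well as the normal one before the scanner will be satisfied.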