
What is the default behavior of (modern) Web browsers if a website does not set Content-Security-Policy in the response header or in an HTML <meta> tag? Here is a list of different browser vendors' compatibility.

It seems I can't find it in the W3C CSP specification.

The default Web browser behavior without setting Access-Control-Allow-Origin is the same-origin policy. Adding Access-Control-Allow-Origin with more websites makes it more permissive.

What about Content-Security-Policy? Without setting it, does it allow all (like this) or restrict to `self` only?

Lee Chee Kiam
  • The default behavior without a CSP policy specified is that nothing is restricted. (That is, nothing that you can control by use of CSP — of course you always have the same-origin policy as a restriction by default.) CSP policies only cause further restrictions to be applied. CSP policies never can cause any behavior to be more permissive than the default behavior without CSP. That is, a CSP policy is never going to cause something to be allowed that’s not allowed by default without CSP. – sideshowbarker Jul 03 '20 at 04:57
  • @sideshowbarker, thanks for your comment. Could you post it as an answer? If possible, also provide the specification / reference for the behavior? Thanks. – Lee Chee Kiam Jul 04 '20 at 02:09
  • ["If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy."](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) – root Jul 09 '20 at 04:51
  • @root, does same-origin policy mean the CSP behaviour is `self`? This looks to contradict the comment from @sideshowbarker. – Lee Chee Kiam Jul 09 '20 at 10:26
  • The default is not `'self'`, the default is to not use CSP and only enforce whatever the website set as the same-origin policy. – root Jul 12 '20 at 18:43
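
As an added illustration of the point made in the comments (example code written for this page, not from the question or any answer), the toy evaluator below models CSP fetch directives for a document assumed to live at https://example.com: with no header CSP restricts nothing, and a policy can only narrow what loads.

```javascript
// Added example, not from the question or its comments: a toy evaluator for
// the fetch directives of a Content-Security-Policy header. It shows that with
// no header nothing is restricted by CSP, and that adding a policy can only
// block loads, never permit something the browser would otherwise block.
// Assumption: the document's origin is https://example.com (constructed).
const PAGE_ORIGIN = "https://example.com";

// Parse "script-src 'self' https://cdn.example.net; img-src *" into a Map of
// directive name -> list of source expressions. A missing header yields an
// empty Map, i.e. no directives at all.
function parseCsp(headerValue) {
  const directives = new Map();
  if (!headerValue) return directives;
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit loading `url`? Supports 'none', 'self',
// '*', and host sources given as an origin (scheme://host[:port]) or bare host.
function sourceMatches(expr, url) {
  const target = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === PAGE_ORIGIN;
  if (expr === "*") return true;
  if (expr.includes("://")) return new URL(expr).origin === target.origin;
  return expr.toLowerCase() === target.hostname;
}

// Decide whether a load governed by `directive` (e.g. "script-src") is allowed.
// A directive that is absent falls back to default-src; if that is absent too,
// CSP imposes no restriction on the load (the same-origin policy, which CSP
// does not control, still applies to reading the response).
function isAllowed(headerValue, directive, url) {
  const csp = parseCsp(headerValue);
  const sources = csp.has(directive) ? csp.get(directive) : csp.get("default-src");
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, url));
}

// Demonstration: the same cross-origin script under no policy vs. two policies.
const thirdPartyScript = "https://cdn.example.net/widget.js";
for (const policy of [null, "default-src 'self'", "default-src 'self'; script-src 'self' cdn.example.net"]) {
  console.log(JSON.stringify(policy), "->", isAllowed(policy, "script-src", thirdPartyScript));
}
```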

0 Answers