Why does Firefox block based on a restrictive default-src directive, when more specific, more permissive *-src exist?
When I serve the content (over proper HTTPS with a CA-signed certificate) with a CSP that doesn't include any `default-src` directive, things work as I expect. For example, if the HTTP response contains the two HTTP headers

    Content-Security-Policy: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/;
    Content-Security-Policy: font-src 'self' https://fonts.gstatic.com/;

then Google-hosted fonts are loaded; if I remove the `https://fonts.gstatic.com/` entry from `font-src` but leave the `font-src` directive itself in place, then the browser reports that they were blocked based on `font-src`. This is exactly what I expect to happen.

However, if I also add a third HTTP header

    Content-Security-Policy: default-src 'self';

then I get a whole bunch of errors, including ones where the reference points at the beginning of an inline `<style>` element, even though I'm still serving the same `style-src` directive as above, including the `'unsafe-inline'`, in its own CSP HTTP header.
MDN says that (my emphasis):

> The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent looks for the default-src directive and uses this value for it:

`style-src` is one of the directives thus listed, and `'self'` is one of the valid values for
I would expect the more specific (and in this case, more permissive) `style-src` to take precedence over the more restrictive, fallback `default-src`, but that doesn't seem to be happening. Rather, it seems that the `default-src` directive is being used instead of (or possibly as further restricting) the more specific
Although Firefox doesn't currently support the corresponding `*-src-elem` directives, I tried adding `style-src-elem` anyway with the same value as `style-src`, just to see if it would make any difference. The only observable difference was the browser complaining about the four unsupported CSP directives.
What am I missing? Is the CSP `default-src` directive useless for my use case, and do I need to list all CSP directives explicitly to get the effect I am after, namely providing a highly restrictive policy for everything that doesn't actually need to be more permissive?
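The behaviour described in the question, modelled as a small Python simulation added here (not code from the question, from MDN or from Firefox): a browser treats each `Content-Security-Policy` header as a separate policy and a fetch must satisfy all of them, so `default-src 'self'` in its own header has no `style-src` or `font-src` of its own to defer to and blocks what the other headers allow, whereas the same directives combined into one header give the fallback semantics the question expects. The header values mirror the question; `PAGE_ORIGIN` and the font URL are constructed.

```python
"""Each Content-Security-Policy header is an independent policy; a fetch is allowed
only if EVERY policy allows it. default-src fills in a directive missing from the
SAME policy, never one that happens to be present in a different header."""
from urllib.parse import urlsplit

# Constructed headers mirroring the question; PAGE_ORIGIN is an assumed origin.
STYLE = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/"
FONT = "font-src 'self' https://fonts.gstatic.com/"
DEFAULT = "default-src 'self'"
PAGE_ORIGIN = "https://example.test"

def parse_policy(header):
    """Parse one CSP header value into {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url):
    # Subset of CSP source matching: 'self' or a scheme://host[/path] prefix.
    if expr == "'self'":
        u = urlsplit(url)
        return f"{u.scheme}://{u.netloc}" == PAGE_ORIGIN
    if expr.startswith("'"):  # keywords like 'unsafe-inline' never match a URL
        return False
    return url.startswith(expr)

def policy_allows(policy, directive, url=None, inline=False):
    # Specific directive if present, else default-src, else not governed (allow).
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url) for s in sources)

def allowed(headers, directive, url=None, inline=False):
    # Across several headers, every policy must allow the fetch.
    return all(policy_allows(parse_policy(h), directive, url, inline) for h in headers)

def demo():
    three = [STYLE, FONT, DEFAULT]   # three separate headers, as in the question
    merged = ["; ".join(three)]      # the same directives in one header
    woff = "https://fonts.gstatic.com/x.woff2"
    return {
        "inline_style_three_headers": allowed(three, "style-src", inline=True),
        "inline_style_merged": allowed(merged, "style-src", inline=True),
        "gstatic_font_three_headers": allowed(three, "font-src", woff),
        "gstatic_font_merged": allowed(merged, "font-src", woff),
    }
```

With the three separate headers both the inline `<style>` and the gstatic font fail, because the `default-src`-only policy is evaluated on its own; in the merged header `default-src` still governs directives that are not listed (for example `img-src`), which is the restrictive-by-default effect the question is after.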