Hi, I’ve noticed that the CSP auditor from the BApp Store assumes an implicit 'default-src' directive even if none is specified in the policy. As an example, the following CSP policy is configured with just one directive, which is weak.
Content-Security-Policy: frame-ancestors https://corpnet.com/ https://*.corpnet.com;
Should this be flagged as a weak CSP policy, rather than no issue?
Thanks
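The following is an added example (not the BApp Store CSP auditor's own code) that shows why a policy consisting only of `frame-ancestors` should be reported as weak. The checker models the CSP fallback rule: fetch directives such as `script-src` and `object-src` inherit from `default-src` when absent, while `frame-ancestors` never does, so with no `default-src` every fetch directive is left unrestricted. The directive list and the "weak source" set are assumptions based on CSP Level 3 and common audit practice; the sample policies are constructed for the test.

```python
"""Toy CSP fallback checker.

Added example, not the BApp Store CSP auditor's own code. A policy with no
default-src and no explicit fetch directives leaves script-src, object-src
and friends unrestricted, which an auditor should flag rather than assume
an implicit default-src.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when absent (CSP Level 3).
# Note that frame-ancestors, form-action and base-uri are NOT in this set:
# they never inherit from default-src.
FALLS_BACK_TO_DEFAULT_SRC = frozenset({
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
})

# Source expressions that make script-src / object-src effectively useless
# (assumed list for this example).
WEAK_SOURCES = frozenset({"*", "'unsafe-inline'", "'unsafe-eval'",
                          "http:", "https:", "data:"})


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Per the spec, a repeated directive name is ignored after its first
    occurrence, which setdefault() reproduces.
    """
    directives: dict[str, list[str]] = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, *sources = token.split()
        directives.setdefault(name.lower(), sources)
    return directives


def effective_sources(directives: dict[str, list[str]],
                      name: str) -> list[str] | None:
    """Return the source list governing `name`, or None if it is unrestricted."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT_SRC and "default-src" in directives:
        return directives["default-src"]
    return None  # no explicit directive and no default-src fallback


def audit(header_value: str) -> list[str]:
    """Return a list of weaknesses; an empty list means no issue was found."""
    directives = parse_csp(header_value)
    findings: list[str] = []

    # 1. Fetch directives with neither an explicit value nor a default-src.
    unrestricted = [d for d in sorted(FALLS_BACK_TO_DEFAULT_SRC)
                    if effective_sources(directives, d) is None]
    if unrestricted:
        findings.append("no default-src fallback; unrestricted: "
                        + ", ".join(unrestricted))

    # 2. Overly permissive sources in the directives that matter most for XSS.
    for name in ("script-src", "object-src"):
        sources = effective_sources(directives, name)
        if sources:  # an empty list means 'none', which is fine
            weak = WEAK_SOURCES.intersection(sources)
            if weak:
                findings.append(f"{name} (effective) allows "
                                + ", ".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the frame-ancestors-only policy from the report.
    for finding in audit("frame-ancestors https://corpnet.com/ https://*.corpnet.com;"):
        print("WEAK:", finding)
```

Running the block on the policy from the report produces a finding listing every unrestricted fetch directive, because `frame-ancestors` contributes nothing to `effective_sources()` for `script-src` or `object-src`; a policy that sets `default-src 'self'` and `object-src 'none'` produces no findings.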