I think having a template with a strict default (ideally, default-src 'none') would be best for both auditing and maintaining.
In T109023, @GWicke is arguing that most services should allow RESTBase to set the headers. But I favor setting a strict policy in the service template because:
- It encourages developers to justify adding policies instead of me asking why they can't be more strict during security review.
- The CSP standard doesn't look like it's going to change, nor (from what I can tell) is there strong sentiment by browsers to re-interpret any of the directives in the standard, so I think it should be very rare that we're going to need a sweeping change to the default policy for all services.
- RESTBase is always going to need a minimum policy that isn't essentially deny-all, which, as I put in #1, is not the position I want to start from.
- I believe RESTBase is currently setting style-src 'unsafe-inline' and frame-ancestors 'self' [1], so any new service should override the CSP, unless they have good reason for allowing inline styles and iframing.
[1] -
csteipp@herou:/tmp> curl -s -I 'https://en.wikipedia.org/api/rest_v1/page/html/Main_Page' | grep "^Content-Security-Policy:"
Content-Security-Policy: default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org 'unsafe-inline'; frame-ancestors 'self'
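A review-time check that follows from the comment above, added here as an example (it is not code from this task, RESTBase or the service template): it parses a Content-Security-Policy header and lists every way it is looser than the `default-src 'none'` baseline, run against the RESTBase header quoted in [1]. The list of sources a reviewer would ask a service to justify is an assumption of this example.

```javascript
// Added example: flag CSP directives that loosen the strict default-src 'none' baseline.
const STRICT_DEFAULT = "default-src 'none'";

// Header quoted in [1] above, embedded here as sample input.
const RESTBASE_HEADER = "default-src 'none'; media-src *; img-src *; " +
  "style-src http://*.wikipedia.org https://*.wikipedia.org 'unsafe-inline'; " +
  "frame-ancestors 'self'";

// Assumed list of source expressions a security reviewer would ask a service to justify.
const RISKY_SOURCES = new Set(['*', "'unsafe-inline'", "'unsafe-eval'", 'data:', 'http:', 'https:']);

// Parse "dir src src; dir2 src" into { dir: [src, ...] }; directive names are case-insensitive.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Return human-readable findings describing how `header` is looser than the
// strict baseline. An empty array means the policy is at least as strict.
function cspFindings(header) {
  const policy = parseCsp(header);
  const findings = [];
  const def = policy['default-src'];
  if (!def || def.length !== 1 || def[0] !== "'none'") {
    findings.push(`default-src is ${def ? def.join(' ') : 'missing'}, expected 'none'`);
  }
  for (const [directive, sources] of Object.entries(policy)) {
    if (directive === 'default-src') continue;
    for (const src of sources) {
      // Plain-http host sources are flagged too: they permit mixed content.
      if (RISKY_SOURCES.has(src) || src.startsWith('http://')) {
        findings.push(`${directive} allows ${src}`);
      }
    }
  }
  return findings;
}

// cspFindings(RESTBASE_HEADER) reports the two wildcard sources, the plain-http
// style source and 'unsafe-inline'; frame-ancestors 'self' is not flagged.
```

Every finding is something the service should either justify in review or override in its own template, which is the workflow argued for in the comment.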