CSP: Failure to Define Directive with No Fallback

[dsotirho-ucsc]

From ZAP scan 2025-04-01
Severity: Medium

The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

The directive(s): form-action is/are among the directives that do not fallback to default-src.

Recommended Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Other Info

• https://www.w3.org/TR/CSP/
• https://caniuse.com/#search=content+security+policy
• https://content-security-policy.com/

Evidence

https://explore.data.humancellatlas.org/

default-src 'self';object-src 'none';frame-src 'none';frame-ancestors 'none';child-src 'none';
img-src 'self' data: https://lh3.googleusercontent.com https://www.google-analytics.com
https://www.googletagmanager.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://accounts.google.com/gsi/client https://www.google-analytics.com https://www.
googletagmanager.com;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://p.
typekit.net https://use.typekit.net;font-src 'self' data: https://fonts.gstatic.com https://use.
typekit.net/af/;connect-src 'self' https://www.google-analytics.com https://www.googleapis.
com/oauth2/v3/userinfo https://www.googletagmanager.com https://support.terra.bio/api/v2/
https://sam.dsde-prod.broadinstitute.org/register/user/v1 https://sam.dsde-prod.
broadinstitute.org/register/user/v2/self/termsOfServiceDetails https://firecloud-orchestration.
dsde-prod.broadinstitute.org/api/nih/status https://service.azul.data.humancellatlas.org

https://explore.anvilproject.org/

default-src 'self';object-src 'none';frame-src 'none';frame-ancestors 'none';child-src 'none';
img-src 'self' data: https://lh3.googleusercontent.com https://www.google-analytics.com
https://www.googletagmanager.com;script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://accounts.google.com/gsi/client https://www.google-analytics.com https://www.
googletagmanager.com;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://p.
typekit.net https://use.typekit.net;font-src 'self' data: https://fonts.gstatic.com https://use.
typekit.net/af/;connect-src 'self' https://www.google-analytics.com https://www.googleapis.
com/oauth2/v3/userinfo https://www.googletagmanager.com https://support.terra.bio/api/v2/
https://sam.dsde-prod.broadinstitute.org/register/user/v1 https://sam.dsde-prod.
broadinstitute.org/register/user/v2/self/termsOfServiceDetails https://firecloud-orchestration.
dsde-prod.broadinstitute.org/api/nih/status https://service.explore.anvilproject.org

[achave11-ucsc]

Assignee to coordinate with CC.

[NoopDog]

I'm happy to coordinate, but since this is on the Explorer, it should be assigned to the Azul team, right?

[dsotirho-ucsc]

You are correct Dave, this will require a change to Azul code, specifically browser.tf.json.template.py