At GitHub, we set the default-src CSP attribute to none. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted.

It would be desirable to set this default in secure_headers as well:

secure_headers/lib/secure_headers/headers/content_security_policy_config.rb, line 133 in 7f89df2

This would be a breaking change, so if this is desirable, this would fit well in with #480.

I see the idea, but I wonder if we should have a broader “defaults” feature. For example, base-uri is a weird one. It by default allows any URI, and does not respect default-src. So maybe in that spirit we want to provide a base-uri with a default unless specifically stated, or OPT_OUT or something along those lines.
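The two points raised in this thread, that `default-src 'none'` only permits what is explicitly allowlisted and that `base-uri` does not inherit from `default-src`, can be checked with a small model of CSP fallback. The following is an added example written for this page; it is not code from the secure_headers gem or from either commenter. It uses no gem at all: the policy hash shape (`{ default_src: %w('none') }`) merely mirrors the style of a secure_headers config, the two policies are constructed for illustration, and the fallback table collapses the intermediate `child-src`/`script-src` steps that `frame-src` and `worker-src` take in the spec, which gives the same answer when only `default-src` is set. The source matcher only understands `'none'`, `'self'` and exact origins.

```ruby
# Added example (not from the secure_headers gem): a minimal model of CSP
# source-list fallback showing why "default-src 'none'" is the strict
# baseline and why base-uri still needs its own entry.

# Directives that fall back to default-src when absent. Intermediate
# fallbacks (frame-src -> child-src, worker-src -> child-src/script-src)
# are collapsed here; with only default-src set the outcome is identical.
FETCH_DIRECTIVES = %w[
  child-src connect-src font-src frame-src img-src manifest-src media-src
  object-src script-src style-src worker-src
].freeze

# Directives that never inherit from default-src. When omitted they are
# unrestricted: this is the base-uri trap described in the thread.
NON_FALLBACK_DIRECTIVES = %w[base-uri form-action frame-ancestors].freeze

# Policies are hashes in the gem's config style: underscored symbol keys,
# values are arrays of source expressions such as %w('none') or %w('self').
def directive_name(key)
  key.to_s.tr("_", "-")
end

def serialize_csp(policy)
  policy.map { |k, v| "#{directive_name(k)} #{v.join(' ')}" }.join("; ")
end

# Effective source list for a directive, or :unrestricted when the policy
# places no constraint on it at all.
def effective_sources(policy, directive)
  name = directive_name(directive)
  explicit = policy.find { |k, _| directive_name(k) == name }
  return explicit[1] if explicit

  if FETCH_DIRECTIVES.include?(name)
    dflt = policy.find { |k, _| directive_name(k) == "default-src" }
    return dflt ? dflt[1] : :unrestricted
  end
  :unrestricted
end

# Tiny source-expression matcher: 'none', 'self' and exact origins only.
def allowed?(policy, directive, origin, page_origin:)
  sources = effective_sources(policy, directive)
  return true if sources == :unrestricted
  return false if sources.include?("'none'")
  return true if sources.include?("'self'") && origin == page_origin

  sources.include?(origin)
end

# Every directive in the two tables that the policy leaves wide open.
def unrestricted_directives(policy)
  (FETCH_DIRECTIVES + NON_FALLBACK_DIRECTIVES).select do |d|
    effective_sources(policy, d) == :unrestricted
  end
end

# Constructed policies for this example (not the gem's shipped defaults).
ISSUE_POLICY = { default_src: %w('none'), script_src: %w('self') }.freeze
HARDENED_POLICY = ISSUE_POLICY.merge(base_uri: %w('none'),
                                    form_action: %w('self'),
                                    frame_ancestors: %w('none')).freeze

if __FILE__ == $PROGRAM_NAME
  page = "https://app.example"
  puts serialize_csp(ISSUE_POLICY)
  puts "img from cdn allowed?      #{allowed?(ISSUE_POLICY, :img_src, 'https://cdn.example', page_origin: page)}"
  puts "<base href=attacker> ok?   #{allowed?(ISSUE_POLICY, :base_uri, 'https://attacker.example', page_origin: page)}"
  puts "left open by issue policy: #{unrestricted_directives(ISSUE_POLICY).inspect}"
  puts "left open when hardened:   #{unrestricted_directives(HARDENED_POLICY).inspect}"
end
```

Run stand-alone, the script shows that `default-src 'none'` alone blocks the CDN image but still lets a page set `<base href="https://attacker.example/">`, and that `unrestricted_directives` is the check worth running against any default the gem ships: it only returns an empty list once `base-uri`, `form-action` and `frame-ancestors` are set explicitly.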