From fb8be690df634abb94f88138fd91d003819e2606 Mon Sep 17 00:00:00 2001 From: Max Stoiber Date: Thu, 5 Feb 2026 10:51:47 -0800 Subject: [PATCH] Change CSP defaults from "MUST" to "SHOULD" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In ChatGPT, we have security risk-accepted and shipped a slightly looser default CSP. We have a default domain allowlist that includes e.g. `cdn.tailwindcss.com`, `cdn.jsdelivr.net`, `*.oaiusercontent.com`,… that we add to the resourceDomains and connectDomains. We also set `frame-src 'none'` by default, unless frameDomains are specified. In order to stay compliant with the spec, we're proposing an update to the spec language around the default CSP from "MUST" to "SHOULD". --- specification/draft/apps.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/specification/draft/apps.mdx b/specification/draft/apps.mdx index fd431ae8..6549ca22 100644 --- a/specification/draft/apps.mdx +++ b/specification/draft/apps.mdx @@ -281,7 +281,7 @@ When `_meta.ui` is present on **both**, the content-item value takes precedence. #### Host Behavior: - **CSP Enforcement:** Host MUST construct CSP headers based on declared domains -- **Restrictive Default:** If `ui.csp` is omitted, Host MUST use: +- **Restrictive Default:** If `ui.csp` is omitted, Host SHOULD use: ``` default-src 'none';
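Review bot: Downgrading the "Restrictive Default" bullet from MUST to SHOULD without any accompanying guidance leaves app authors unable to reason about what loads when `ui.csp` is omitted, because a SHOULD needs to state the conditions under which a host may deviate and what it must do instead. The bullet directly above it still reads "Host MUST construct CSP headers based on declared domains", so after this change the spec requires CSP construction but no longer requires any particular baseline, which is an odd pairing for a bullet still titled "Restrictive Default". Suggest keeping the hunk but adding a sentence after the changed line along the lines of "Hosts that use a looser default MUST document the default allowlist so app authors can see which origins are reachable without declaring them", and consider renaming the bullet to "Default Policy" if hosts are permitted to ship a non-restrictive default.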