Security/CSP/Specification: Difference between revisions

Security/CSP/Specification (view source)

554 bytes removed , 8 March 2010

canmove, Confirmed users

1,537

edits

@@ Line 338: / Line 338: @@
 ===No data: URIs unless opted-in to via explicit policy===
 <font color="#a00">
-* Restricted:
+* User Agents MUST block:
-** data: URIs as a source for inline content
+** data: URIs when used as a source for inline content
 </font>
 <font color="#060">
-* Allowed:
+* User Agents MUST not block:
-** data: URIs as a source for inline content when explicitly opted-in to, e.g. X-Content-Security-Policy: allow self; img-src data:
+** data: URIs when used as a source for inline content explicitly allowed by the protected document's policy.
 </font>
-* Justification:
-** The data: URI scheme is designed to allow the loading of arbitrary textual or binary data into a document, including HTML, scripts, images, media files, etc.
+User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.
-** data: URIs are a potential vector for HTML and script injection which can be used by an attacker for XSS or website defacement.
-** The increase in attack surface created by data: URIs, and additional input sanitization required by sites wishing to use them justifies the opt-in requirement for this feature in CSP.
-* Vulnerability types mitigated:
-*# data: URL script injection
-* data: URIs can be re-enabled by adding "data:" as a source to any source directive.  For example: <tt>img-src data: https://my-host.com</tt>.
 ===XBL bindings must come from chrome: or resource: URIs===