Security/CSP/Specification: Difference between revisions

Line 250: Line 250:
User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method.   
User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method.   
User Agents MUST not honor redirection responses.   
User Agents MUST not honor redirection responses.   
Reports MUST be an XML document containing the following fields:
The report body MUST be a JSON object having the following properties:


; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
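Review bot: the RFC 2119 keyword in "User Agents MUST not honor redirection responses" should be written "MUST NOT"; lowercase "not" is not a defined requirement level, and this sentence carries the security-relevant guarantee that a report-uri cannot bounce a violation report (with its request headers) to a third-party origin via a redirect. The description of the <tt>request</tt> property is also double-counting its components: an HTTP request line is method, request URI and HTTP version, so "(including method, resource, path, HTTP version)" should read "(method, request URI, HTTP version)". Finally, switching the sentence to "The report body MUST be a JSON object" leaves the POST/"submit" transport sentence above it silent on the content type; consider stating there that the body is sent as <tt>application/json</tt> so the transport and format requirements sit together.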
Line 260: Line 260:
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST not send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI).
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST not send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI).


Violation Report XML Schema:
Violation Report JSON Format:


  <?xml version="1.0" encoding="ISO-8859-1" ?>
  {
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
   csp-report: {
   <xs:element name="csp-report">
     request: "GET /index.html HTTP/1.1",
     <xs:complexType>
    request-headers: "Host: example.com
      <xs:sequence>
                      User-Agent: ...
        <xs:element name="request" type="string" use="required" />
                      ...",
        <xs:element name="request-headers" type="string" />
    blocked-uri: "...",
        <xs:element name="blocked-uri" type="string" />
    violated-directive: "..."
        <xs:element name="violated-directive" type="string" use="required" />
   }
        <xs:element name="original-policy" type="string" use="required" />
  }
      </xs:sequence>
    </xs:complexType>
   </xs:element>
  </xs:schema>


 
The MIME type of the transmitted report will be set to <tt>application/json</tt>.
The MIME type of the transmitted report will be set to <tt>application/xml</tt>.


===Violation Report Sample===
===Violation Report Sample===


In this example, a page located at <tt>http://example.com/index.html</tt> was requested using HTTP 1.1 via the GET method.  It provided a policy that included the directive "<tt>img-src self</tt>", which was violated by a request for <tt><nowiki>http://evil.com/some_image.png</nowiki></tt>.  The sample XML data sent to the policy-specified <tt>report-uri</tt> follows.
In this example, a page located at <tt>http://example.com/index.html</tt> was requested using HTTP 1.1 via the GET method.  It provided a policy that included the directive "<tt>img-src 'self'</tt>", which was violated by a request for <tt><nowiki>http://evil.com/some_image.png</nowiki></tt>.  The sample JSON object sent to the policy-specified <tt>report-uri</tt> follows.


  <csp-report>
  {
  <request>GET /index.html HTTP/1.1</request>
  "csp-report":
  <request-headers><![CDATA[
    {
            Host: example.com
      "request": "GET http://index.html HTTP/1.1",
            User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
      "request-headers": "Host: example.com                                                      
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a5pre) Gecko/20100601 Minefield/3.7a5pre                                                       
            Accept-Language: en-us,en;q=0.5
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip,deflate
                          Accept-Language: en-us,en;q=0.5                                        
            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
                          Accept-Encoding: gzip,deflate                                          
            Keep-Alive: 300
                          Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7                          
            Connection: keep-alive
                          Keep-Alive: 115                                                         
  ]]></request-headers>
                          Connection: keep-alive",
  <blocked-uri><nowiki>http://evil.com/some_image.png</nowiki></blocked-uri>
      "blocked-uri": "<nowiki>http://evil.com/some_image.png</nowiki>",
  <violated-directive>img-src self</violated-directive>
      "violated-directive": "img-src 'self'",
  <original-policy>allow 'none'; img-src *, allow self; img-src self</original-policy>
      "original-policy": "allow 'none'; img-src *, allow 'self'; img-src 'self'"
  </csp-report>
    }
  }


=User Agent Behavior=
=User Agent Behavior=
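Review bot: the JSON replacement is not valid JSON as written, and the sample contradicts the prose. In the format listing, the keys (<tt>csp-report</tt>, <tt>request</tt>, <tt>request-headers</tt>, <tt>blocked-uri</tt>, <tt>violated-directive</tt>) are unquoted; JSON requires string keys. In both the format listing and the sample, <tt>request-headers</tt> is a string containing literal line breaks, which JSON strings do not allow; either escape the separators as <tt>\n</tt> or, better, make it a JSON object keyed by header name so consumers do not have to re-parse header syntax. The sample's request line "GET http://index.html HTTP/1.1" does not match the page described in the text (<tt>http://example.com/index.html</tt>) or the format listing's "GET /index.html HTTP/1.1"; it should be "GET /index.html HTTP/1.1". The format listing also drops <tt>original-policy</tt>, which the old schema marked required and which the sample still includes; add it back with a note that it is required. Lastly, the <tt>frame-ancestors</tt> note keeps "MUST not send <tt>blocked-uri</tt>", which should be "MUST NOT" per RFC 2119.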