m (→Directives: MUST NOT!) |
No edit summary |
(8 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
This specification document is DEPRECATED (old and crusty). The W3C has undertaken standardization of CSP and you can find the [http://www.w3.org/TR/CSP/ W3C spec here]. | |||
=Specification= | =Specification= | ||
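Review bot: the deprecation notice added at Line 1 (right column) should tell the reader what to do with the rest of this page, since the normative text below it still uses MUST/MUST NOT and the pre-standard X-Content-Security-Policy header (see the Line 258 hunk). Suggested wording: "This document is DEPRECATED and kept for historical reference only; do not implement or deploy from it. The W3C specification at http://www.w3.org/TR/CSP/ supersedes it." The "(old and crusty)" aside can go.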
Line 48: | Line 50: | ||
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs | ** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs | ||
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt> | ** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt> | ||
* User Agents | * User Agents MUST ignore any tokens not recognized by CSP, and SHOULD post a non-fatal warning to the error console. | ||
;img-src: | ;img-src: | ||
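Review bot: the new sentence at Line 48/50 ("User Agents MUST ignore any tokens not recognized by CSP") does not say what "ignore" scopes to: the unknown token only, the directive containing it, or the whole policy. Only the first reading is safe; dropping a directive or the whole header on a typo fails open silently, and the SHOULD-level console warning is easy to miss in production. Suggest: "MUST ignore the unrecognized token and continue to enforce the remainder of the directive and of the policy".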
Line 125: | Line 127: | ||
If a port is not specified as the source expression, a User Agent MUST use the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression). | If a port is not specified as the source expression, a User Agent MUST use the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression). | ||
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) a User Agent MUST | When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) a User Agent MUST NOT enforce host and port restrictions. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). | ||
====Host-less Schemes==== | ====Host-less Schemes==== | ||
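Review bot: the rule and its rationale in the second pair of this hunk use different examples (javascript: in the rule, data: in the rationale), and neither states the consequence that matters to a policy author: a scheme-only source expression admits every resource of that scheme, because no host or port is left to match. Suggest using one example in both sentences and adding that consequence in one sentence, so that listing data: or javascript: in a source list is understood as a broad grant rather than a narrow one.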
Line 221: | Line 223: | ||
<ldh-str> ::= <let-dig-hyp> | <ldh-str> ::= <let-dig-hyp> | ||
| <ldh- | | <ldh-str><let-dig-hyp> | ||
<let-dig-hyp> ::= <letter> | <digit> | "-" | <let-dig-hyp> ::= <letter> | <digit> | "-" | ||
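Review bot: the corrected production <ldh-str> ::= <let-dig-hyp> | <ldh-str><let-dig-hyp> is the right fix for the truncated alternative, but with <let-dig-hyp> admitting "-", this rule on its own accepts strings that begin or end with a hyphen, or consist only of hyphens. Unless the enclosing label production (not shown in this hunk) bounds <ldh-str> with a letter or digit on each side, a host matcher built from this BNF will accept labels that no resolver produces; confirm the surrounding productions before relying on this grammar for source-expression parsing.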
Line 249: | Line 251: | ||
==Violation Report Syntax== | ==Violation Report Syntax== | ||
User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method. | User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method. | ||
User Agents MUST | User Agents MUST NOT honor redirection responses. | ||
The report body MUST be a JSON object having the following properties: | The report body MUST be a JSON object having the following properties: | ||
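Review bot: "User Agents MUST NOT honor redirection responses" (second pair of this hunk) is the right call, since a report carries the protected resource's policy and the blocked URI and a redirect would let the report-uri host forward that to another origin, but the sentence does not say what the UA does instead. Suggest: treat a 3xx response as a completed delivery, do not follow it, and do not retry; and tie the sentence explicitly to the POST in the preceding sentence so it is not read as a general rule for the protected resource.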
Line 258: | Line 260: | ||
; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies) | ; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies) | ||
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST | NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST NOT send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI). | ||
Violation Report JSON Format: | Violation Report JSON Format: | ||
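Review bot: the NOTE in this hunk ("User Agents MUST NOT send blocked-uri" on a frame-ancestors violation) contradicts the Line 249 hunk, which says the report body MUST have the listed properties, blocked-uri among them. Either mark blocked-uri as optional in the property list, or keep it required and specify the empty string for this case; a receiver written against the property list as it stands will reject the frame-ancestors report otherwise.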
Line 293: | Line 295: | ||
"blocked-uri": "<nowiki>http://evil.com/some_image.png</nowiki>", | "blocked-uri": "<nowiki>http://evil.com/some_image.png</nowiki>", | ||
"violated-directive": "img-src 'self'", | "violated-directive": "img-src 'self'", | ||
"original-policy": "allow 'none'; img-src * | "original-policy": "allow 'none'; img-src *; allow 'self'; img-src 'self'" | ||
} | } | ||
} | } | ||
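Review bot: the completed original-policy value in this hunk, "allow 'none'; img-src *; allow 'self'; img-src 'self'", joins what looks like two policies with semicolons, but the Line 258 hunk says multiple headers are reported as a comma separated list. As written the example is a single policy with duplicate allow and img-src directives, which a reader cannot tell apart from two headers. If two headers are intended, use "allow 'none'; img-src *, allow 'self'; img-src 'self'"; if one is intended, drop the duplicates.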
Line 310: | Line 312: | ||
</font> | </font> | ||
<font color="#060"> | <font color="#060"> | ||
* User Agents MUST | * User Agents MUST NOT block: | ||
** Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of <tt>application/javascript</tt> or <tt>application/json</tt>. | ** Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of <tt>application/javascript</tt> or <tt>application/json</tt>. | ||
</font> | </font> | ||
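Review bot: the Content-Type list in this hunk (application/javascript or application/json) admits JSON as script. A JSON body is data, not a script, and the hunk gives no reason a content-type gate on script execution should accept it; if the intent is to let a script element consume a response that is executable code despite a JSON media type, say so, otherwise drop application/json so the MUST NOT block guarantee does not also cover responses that were never meant to execute.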
Line 325: | Line 327: | ||
</font> | </font> | ||
<font color="#060"> | <font color="#060"> | ||
* User Agents MUST | * User Agents MUST NOT block: | ||
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code } | ** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code } | ||
** calls to setTimeout using a Function argument, e.g. setTimeout(myFunc, 1000) | ** calls to setTimeout using a Function argument, e.g. setTimeout(myFunc, 1000) | ||
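Review bot: the MUST NOT block list here names setTimeout with a Function argument but not setInterval, while the eval-script definition in the Line 48 hunk names both setTimeout and setInterval as string-to-code paths. Add "** calls to setInterval using a Function argument, e.g. setInterval(myFunc, 1000)" so the two lists stay symmetric; the distinction this hunk draws (Function object always allowed, string argument gated by eval-script) is the one worth keeping.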
Line 339: | Line 341: | ||
</font> | </font> | ||
<font color="#060"> | <font color="#060"> | ||
* User Agents MUST | * User Agents MUST NOT block: | ||
** data: URIs when used as a source for inline content explicitly allowed by the protected document's policy. | ** data: URIs when used as a source for inline content explicitly allowed by the protected document's policy. | ||
</font> | </font> | ||
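Review bot: "explicitly allowed by the protected document's policy" in this hunk is ambiguous: it could mean that the directive governing the inline content permits inline content, or that data: appears in that directive's source list. Given the Line 125 hunk, where a scheme-only source such as data: carries no host or port restriction, only the second reading makes the exemption well defined; suggest "data: URIs when data: is listed as a source in the directive governing that content".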
Line 353: | Line 355: | ||
</font> | </font> | ||
<font color="#060"> | <font color="#060"> | ||
* User Agents MUST | * User Agents MUST NOT block: | ||
** XBL bindings loaded via the chrome: or resource: protocols | ** XBL bindings loaded via the chrome: or resource: protocols | ||
</font> | </font> |
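Review bot: the exemption for XBL bindings loaded via chrome: or resource: describes Mozilla-platform internals rather than web content, and sits in a section otherwise written as a specification. Mark it as an implementation note for the browser's own bindings and state that it grants web content no loads from those schemes, so a reader does not take chrome: or resource: for source expressions a page can use.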