'''Old revision:'''

==Restrictions on policy-uri and report-uri==
The optional directive policy-uri must refer to the same origin (scheme/host/port) as the protected document. The report-uri directive must refer to an origin with the same public suffix and base host. For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com". Additionally, policy-uri documents must be served with the MIME type text/x-content-security-policy to be valid

<font color="#a00">
* Restricted:
** policy-uri directives which refer to a URI on a different host as the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi
** policy-uri responses served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg
** report-uri directives which refer to a URI on a different public suffix or base host than the protected document, e.g. report-uri http://other.tld/csp-report.cgi
</font>
<font color="#060">
* Allowed:
** policy-uri directives which refer to a URI on the same host as the protected document, e.g. policy-uri http://same.site/csp-policy.cgi. The policy document must also be served with the response header, Content-Type: text/x-content-security-policy
** report-uri directives which refer to a URI containing the same public suffix and base host as the protected document, e.g., on www.site.com there is a policy-uri http://same.site.com/csp-report.cgi
</font>

* Justification:
** A site which has not opted-in to using CSP should not be forced into using CSP by an attacker who can inject a policy-uri directive into a HTTP header. Restricting the policy-uri to the same host as the protected document, and requiring it to be served as text/x-content-security-policy ensures the site has positively opted-in to CSP.
** The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri, along with an arbitrary policy to be violated.

'''New revision:'''

==Restrictions on policy-uri and report-uri==
User Agents MUST raise a fatal error AND ignore any policy-uri that does not refer to the same origin (scheme/host/port) as the protected document OR that is not served with MIME type set to "text/x-content-security-policy".

User Agents MUST raise a non-fatal warning AND ignore any report-uri directive values that refer to an origin not of the same public suffix AND base host.
(For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com".)

<font color="#a00">
* User Agents MUST raise a fatal error AND revert to the policy "allow 'none'" when:
** parsing a policy-uri directive value referring to a URI on a different host from the protected document.
** receiving a policy-uri HTTP response served with Content-Type other than text/x-content-security-policy
* User Agents MUST raise a non-fatal warning AND ignore:
** any report-uri directive values that refer to a URI on a different public suffix from the protected document
** any report-uri directive values that refer to a base host than the protected document
</font>

''Privacy Consideration:'' The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri, along with an arbitrary policy to be violated.

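Review bot: the last bullet of the new revision's non-fatal-warning list reads "any report-uri directive values that refer to a base host than the protected document", which drops the word "different"; the sentence above it and the old revision both say "different ... base host", so it should read "refer to a different base host from the protected document". Also, the new revision's prose says policy-uri must be same origin (scheme/host/port) while the red bullet only says "a different host from the protected document"; the bullet should name the origin, or a scheme or port mismatch is left to interpretation.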
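To make the two restrictions concrete, here is an added example (not part of the spec page or any browser's code) that applies the new revision's rules as a user agent would: policy-uri is accepted only when it is same-origin (scheme/host/port) with the protected document and the response carries the text/x-content-security-policy MIME type, otherwise the policy reverts to allow 'none'; each report-uri is kept only when its base host (the public suffix plus one label) matches the protected document's, otherwise it is dropped with a warning. The function names and the tiny PUBLIC_SUFFIXES table are assumptions for the demo; a real user agent consults the full Public Suffix List.

```python
# Added example, not from the spec page: a reference check for the policy-uri
# and report-uri restrictions, written against the "new revision" wording.
# Function names and the suffix table below are assumptions for this demo.
from urllib.parse import urlsplit

POLICY_MIME = "text/x-content-security-policy"
FALLBACK_POLICY = "allow 'none'"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed stand-in for the Public Suffix List; three entries are enough
# to exercise the rules. A real user agent would load the full list.
PUBLIC_SUFFIXES = {"com", "tld", "co.uk"}


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def base_host(host):
    """Public suffix plus the label in front of it: "www.mysite.com" -> "mysite.com".

    Returns None when the host is itself a public suffix or matches no suffix,
    so such hosts never compare equal to anything.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def check_policy_uri(protected_url, policy_uri, response_content_type):
    """Fatal error (revert to allow 'none') unless same origin and correct MIME type."""
    if origin(policy_uri) != origin(protected_url):
        return ("fatal", FALLBACK_POLICY)
    # Compare only the media type; parameters such as charset are irrelevant.
    mime = response_content_type.split(";", 1)[0].strip().lower()
    if mime != POLICY_MIME:
        return ("fatal", FALLBACK_POLICY)
    return ("ok", None)


def filter_report_uris(protected_url, report_uris):
    """Keep report-uri values on the protected document's base host; warn about and drop the rest."""
    protected_base = base_host(urlsplit(protected_url).hostname or "")
    accepted, warnings = [], []
    for uri in report_uris:
        candidate = base_host(urlsplit(uri).hostname or "")
        if protected_base is not None and candidate == protected_base:
            accepted.append(uri)
        else:
            warnings.append("ignoring report-uri %s: base host %r is not %r"
                            % (uri, candidate, protected_base))
    return accepted, warnings


if __name__ == "__main__":
    page = "http://www.mysite.com/index.html"  # constructed protected document
    print(check_policy_uri(page, "http://www.mysite.com/csp-policy.cgi", POLICY_MIME))
    print(check_policy_uri(page, "http://other.tld/csp-policy.cgi", POLICY_MIME))
    print(check_policy_uri(page, "http://www.mysite.com/csp-policy.cgi", "text/html; charset=utf-8"))
    print(filter_report_uris(page, ["http://reports.mysite.com/csp-report.cgi",
                                    "http://other.tld/csp-report.cgi",
                                    "http://notmysite.com/csp-report.cgi"]))
```

The report-uri comparison is done label by label on the base host rather than as a string suffix test, so "notmysite.com" does not pass for a page on "www.mysite.com" even though it "ends with mysite.com"; the informal wording in the spec text is easy to implement as a plain `endswith`, which would let a look-alike registrable domain receive the reports that the privacy consideration says must stay with the protected site.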
==Activation and Enforcement==