From MozillaWiki
< Security‎ | CSP
Jump to: navigation, search


This document is an example alternate design for content security policies that showcases modular design and a rich directive vocabulary. I'm not sure all the directives are great ideas, but they're intended to stimulate discussion.


An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy.  The general X-Content-Security-Policy header has the following syntax:

content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
csp-policy              = csp-rule ["," csp-policy]
csp-rule                = future-rule / known-rule
future-rule             = (anything but ",")
known-rule              = *SP directive [ 1*SP origin-list ] *SP
directive               = (see below)
origin-list             = origin-descriptor [ 1*SP origin-list]
origin-descriptor       = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor         = qualified-host-name / "*" ["." host-name ]
qualified-host-name     = dns-label "." host-name
host-name               = dns-label ["." host-name]

The user agent MUST ignore any X-Content-Security-Policy header fields occurring in an HTML meta tag or in the Trailer headers.  The syntax and semantics of the directives are described in the following sections.

Origin Lists

The origin-list production defines a set of URLs, which the directive can use for some purpose.  The origin-list denotes the union of all URLs denoted by the listed origin-descriptors.  The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:

  • "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
  • "none" denotes the empty set of URLs.
  • "*" denotes the set of all URLs.

Instead of a constant, the an origin-descriptor can contain a non-constant origin-descriptor such as the following:

If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page.  If the descriptor contains a *, then the star matches zero or more subdomains.  For example, * matches, and  The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor.  Notice that in all cases the origin-list ignores port numbers for simplicity.

A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.


This section describes a number of directives that might appear in a CSP policy. If a directive appears more than once in a policy, each occurrence acts independently, which is usually redundant. All directives are case-insensitive.


  • no-script
    Disables JavaScript and plug-ins for the current page.  Prevents the current page from generating requests for data URLs.
  • no-script-except <origin-list>
    Disables inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.  Prevents the current page from generating requests for data URLs.  The current page can load external scripts and plug-ins only if those loads respect the origin list.
  • no-eval
    Disables the following JavaScript APIs: eval, the Function constructor, setTimeout (if the first argument is a string), and setInterval (if the first argument is a string).
  • no-plug-ins
    Disables plug-ins for the current page.  Note: this directive does not disable browser extensions (e.g., Firebug), only plug-ins loaded with the object or embed element.
  • no-style-except <origin-list>
    Disables inline style for the current page, including the style attribute. The current page can load external style sheets only if those loads respect the origin list.
  • no-frames-except <origin-list>
    Prevents the current page from loading frames that do not respect the origin list.
  • no-frame-ancestors-except <origin-list>
    Prevents the current page from being display inside of a frame unless all the frame's ancestors in the frame hierarchy are from origins contained in the origin-list.


  • no-script-in-css
    Disables JavaScript contained in style sheets for the current page.
  • no-javascript-urls
    Disables processing of JavaScript URLs for the current page, including JavaScript URLs typed into the browser's location bar by the user.
  • no-data-urls
    Prevents the current page from generating requests for data URLs.
  • no-plug-ins-except-types <media-type-list>
    Disables all plug-ins for the current page except those that register a media type in the media type list.
  • no-mixed-content
    If the current page was retrieved from an HTTPS URL, the current page and all child frames cannot load non-HTTPS resources.
  • no-form-action-except <origin-list>
    Prevents the current page from submitting a form unless the request generated by the form respects the origin list.


  • no-frame-busting
    Child frames of the current page cannot navigate the current frame.
  • no-cookies-for-images
    Disables cookies when loading images for the current page.
  • no-cookies-for-scripts
    Disables cookies when loading scripts for the current page.  (TODO: What is the use case here?)
  • no-http-auth-prompts
    Disables HTTP authentication prompts for requests generated by the current page and all of its child frames.
  • no-outgoing-referrer
    Removes the referrer from outgoing requests from the current page. Documents loaded from the current page will have an empty document.referrer property.
  • no-outgoing-opener
    Frames opened by the current page will have their window.opener property set to null.
  • no-outgoing-cookies
    Requests generated from this page will lack cookies.
  • no-outgoing-cookies-except <origin-list>
    Requests to URLs other than those on the origin-list will lack cookies.
  • no-password-manager
    Disables the password manager (both recording and recalling passwords) for the current page.
  • no-form-autofill
    Disable form autofill (both recording and recalling form values) for the current page.


TODO(abarth): Write me!

Open Issues

  • Should we restrict XMLHttpRequest targets?