This document is an example alternate design for content security policies that showcases modular design and a rich directive vocabulary. I'm not sure all the directives are great ideas, but they're intended to stimulate discussion.
An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The general X-Content-Security-Policy header has the following syntax:
    content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
    csp-policy               = csp-rule ["," csp-policy]
    csp-rule                 = future-rule / known-rule
    future-rule              = (anything but ",")
    known-rule               = *SP directive [ 1*SP origin-list ] *SP
    directive                = (see below)
    origin-list              = origin-descriptor [ 1*SP origin-list ]
    origin-descriptor        = "none" / "self" / "*" / [scheme "://"] host-descriptor
    host-descriptor          = qualified-host-name / "*" ["." host-name ]
    qualified-host-name      = dns-label "." host-name
    host-name                = dns-label ["." host-name]
The user agent MUST ignore any X-Content-Security-Policy header fields occurring in an HTML meta tag or in the Trailer headers. The syntax and semantics of the directives are described in the following sections.
The origin-list production defines a set of URLs, which the directive can use for some purpose. The origin-list denotes the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
- "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
- "none" denotes the empty set of URLs.
- "*" denotes the set of all URLs.
Instead of a constant, an origin-descriptor can be a non-constant descriptor such as the following:
example.com *.example.org https://example.net http://*.foo.example.com
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.
A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
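The matching rules above (scheme defaulting to the page's scheme, * covering zero or more subdomains, ports ignored, and redirects having to stay inside the origin-list) are compact but easy to get subtly wrong, so here is an added reference implementation. It is example code written for this page, not part of the proposal; the function names and the sample page and resource URLs are constructed for illustration.

```python
"""Toy evaluator for the origin-list grammar in this CSP proposal (added example)."""
from urllib.parse import urlsplit


def parse_policy(header_value):
    """Split an X-Content-Security-Policy value into (directive, [descriptors]).

    Rules are comma-separated; within a rule, tokens are space-separated and the
    first token is the (case-insensitive) directive.  A future-rule the browser
    does not recognise still parses here; the caller simply ignores it.
    """
    rules = []
    for raw_rule in header_value.split(","):
        tokens = raw_rule.split()
        if not tokens:
            continue
        rules.append((tokens[0].lower(), tokens[1:]))
    return rules


def _host_matches(pattern, host):
    """Match a host-descriptor against a fully qualified host name.

    '*' alone matches any host; '*.example.org' matches example.org itself and
    any depth of subdomain below it, as the text specifies.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.org"
        return host == suffix[1:] or host.endswith(suffix)
    return pattern == host


def descriptor_matches(descriptor, url, page_url):
    """Is `url` in the set of URLs denoted by one origin-descriptor?"""
    descriptor = descriptor.lower()
    page, target = urlsplit(page_url), urlsplit(url)
    if descriptor == "none":
        return False
    if descriptor == "*":
        return True
    if descriptor == "self":
        # Same scheme and host as the current page; .hostname drops the port.
        return (target.scheme, target.hostname) == (page.scheme, page.hostname)
    if "://" in descriptor:
        scheme, host_pattern = descriptor.split("://", 1)
    else:
        scheme, host_pattern = page.scheme, descriptor   # scheme defaults to the page's
    return target.scheme == scheme and _host_matches(host_pattern, target.hostname or "")


def origin_list_allows(origin_list, url, page_url):
    """The origin-list denotes the union of its descriptors' sets."""
    return any(descriptor_matches(d, url, page_url) for d in origin_list)


def load_respects(origin_list, request_chain, page_url):
    """A load respects the origin-list only if the initial request and every
    subsequent redirect target are all inside the denoted set."""
    return all(origin_list_allows(origin_list, u, page_url) for u in request_chain)


if __name__ == "__main__":
    # Constructed sample: a page on https://www.example.com with a style policy.
    page = "https://www.example.com/index.html"
    policy = parse_policy("no-style-except self *.example.org, some-future-rule x")
    directive, origins = policy[0]
    print(directive, origins)
    print(load_respects(origins, ["https://a.b.example.org/site.css"], page))
    # A redirect that leaves the allowed set makes the whole load non-compliant.
    print(load_respects(origins, ["https://www.example.com/s.css",
                                  "https://cdn.example.net/s.css"], page))
```

Note that `load_respects` takes the full request chain, since the text requires every redirect hop to be in the set, not just the first URL; a browser would have to evaluate the policy at each redirect rather than only before the initial request.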
This section describes a number of directives that might appear in a CSP policy. If a directive appears more than once in a policy, each occurrence acts independently, which is usually redundant. All directives are case-insensitive.
- no-script-except <origin-list>
Disables plug-ins for the current page. Note: this directive does not disable browser extensions (e.g., Firebug), only plug-ins loaded with the object or embed element.
- no-style-except <origin-list>
Disables inline style for the current page, including the style attribute. The current page can load external style sheets only if those loads respect the origin list.
- no-frames-except <origin-list>
Prevents the current page from loading frames that do not respect the origin list.
- no-frame-ancestors-except <origin-list>
Prevents the current page from being displayed inside a frame unless all of the frame's ancestors in the frame hierarchy are from origins contained in the origin-list.
Prevents the current page from generating requests for data URLs.
- no-plug-ins-except-types <media-type-list>
Disables all plug-ins for the current page except those that register a media type in the media type list.
If the current page was retrieved from an HTTPS URL, the current page and all child frames cannot load non-HTTPS resources.
- no-form-action-except <origin-list>
Prevents the current page from submitting a form unless the request generated by the form respects the origin list.
Child frames of the current page cannot navigate the current frame.
Disables cookies when loading images for the current page.
Disables cookies when loading scripts for the current page. (TODO: What is the use case here?)
Disables HTTP authentication prompts for requests generated by the current page and all of its child frames.
Removes the referrer from outgoing requests from the current page. Documents loaded from the current page will have an empty document.referrer property.
Frames opened by the current page will have their window.opener property set to null.
Requests generated from this page will lack cookies.
- no-outgoing-cookies-except <origin-list>
Requests to URLs other than those on the origin-list will lack cookies.
Disables the password manager (both recording and recalling passwords) for the current page.
Disables form autofill (both recording and recalling form values) for the current page.
TODO(abarth): Write me!
- Should we restrict XMLHttpRequest targets?