Security/CSP/Spec: Difference between revisions

m
Minor markup edits
(Initial info dump for CSP spec)
 
m (Minor markup edits)
Line 109: Line 109:
In place of host name expressions, these keywords can be used to specify classes of sources.
In place of host name expressions, these keywords can be used to specify classes of sources.


*<tt>self</tt> - Refers to the host serving the protected content
; <tt>self</tt> : Refers to the host serving the protected content
*<tt>none</tt> - Refers to the empty set (no hosts are valid)
; <tt>none</tt> : Refers to the empty set (no hosts are valid)
*<tt>data</tt> - Specifies <tt>data:</tt> URIs as valid resources
; <tt>data</tt> : Specifies <tt>data:</tt> URIs as valid resources
*<tt>*</tt> - Refers to all sources (including <tt>data:</tt> URIs)
; <tt>*</tt> : Refers to all sources (including <tt>data:</tt> URIs)


==Formal Policy Syntax==
==Formal Policy Syntax==
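Review bot: the conversion from `*` bullets to `;`/`:` definition-list items renders correctly here, but it relies on the separator colon being the first colon on each line; MediaWiki splits a `;` line at the first colon, so keep colon-bearing tokens such as `<tt>data:</tt>` in the definition part, never in the term (as these four lines already do). While touching the list, consider parallel wording across entries: `self`, `none` and `*` say "Refers to ...", whereas `data` says "Specifies `data:` URIs as valid resources"; "Refers to `data:` URIs" would read consistently with the other three.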
Line 149: Line 149:
CSP supports a reporting mechanism that allows browsers to notify content providers when their policy is violated. When a <tt>report-uri</tt> is provided and a policy is violated, information about the protected resource and the violating content is transmitted to the <tt>report-uri</tt>.  Such a report is an XML document containing the following fields:
CSP supports a reporting mechanism that allows browsers to notify content providers when their policy is violated. When a <tt>report-uri</tt> is provided and a policy is violated, information about the protected resource and the violating content is transmitted to the <tt>report-uri</tt>.  Such a report is an XML document containing the following fields:


* <tt>request</tt> - HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
* <tt>request-headers</tt> - HTTP request headers sent with the request (above) for the CSP-Protected content
; <tt>request-headers</tt> : HTTP request headers sent with the request (above) for the CSP-Protected content
* <tt>blocked-uri</tt> - URI of the resource that was blocked from loading due to a violation in policy
; <tt>blocked-uri</tt> : URI of the resource that was blocked from loading due to a violation in policy
* <tt>violated-directive</tt> - The policy section that was violated (e.g., "<tt>script-src *.mozilla.org</tt>").
; <tt>violated-directive</tt> : The policy section that was violated (e.g., "<tt>script-src *.mozilla.org</tt>").


NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, <tt>blocked-uri</tt> is not sent and is assumed to be the same as the request URI.  The reason for this is because this situation is different from other policy violations: no third-party content was blocked, rather the protected content elected not to load since it does not trust the sites that have enframed it.
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, <tt>blocked-uri</tt> is not sent and is assumed to be the same as the request URI.  The reason for this is because this situation is different from other policy violations: no third-party content was blocked, rather the protected content elected not to load since it does not trust the sites that have enframed it.
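Review bot: the `request-headers` entry states that the HTTP request headers sent with the protected request are transmitted to the `report-uri`, but the hunk does not say whether that includes credential-bearing headers such as `Cookie` or `Authorization`; a violation report delivered to a third-party `report-uri` would then carry session material, so the spec text should either exclude such headers or state explicitly that the report receiver must be as trusted as the origin. Two smaller wording points in the same list: the `request` entry's parenthetical "(including method, resource, path, HTTP version)" names the request line's parts redundantly (a request line is method, request-URI and HTTP version), and the NOTE's "The reason for this is because" can be shortened to "This is because".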