Security/CSP/Spec: Difference between revisions

Jump to navigation Jump to search

Security/CSP/Spec (view source)

Revision as of 18:28, 23 July 2009

168 bytes removed ,  23 July 2009
→‎Activation and Enforcement
Line 125: Line 125:


The Content Security Policy to be enforced can be delivered to the browser in one of two ways: directly as the value in the <tt>X-Content-Security-Policy</tt> HTTP header or a file served from the same host as the resource to be secured. The <tt>X-Content-Security-Policy</tt> header must either contain a policy definition <i>or</i> a <tt>policy-uri</tt> field; if both are present, the browser will raise a [[Security/CSP/Spec#Error_Handling|CSP console error]] and enforce the most restrictive ("allow none") policy.
The Content Security Policy to be enforced can be delivered to the browser in one of two ways: directly as the value in the <tt>X-Content-Security-Policy</tt> HTTP header or a file served from the same host as the resource to be secured. The <tt>X-Content-Security-Policy</tt> header must either contain a policy definition <i>or</i> a <tt>policy-uri</tt> field; if both are present, the browser will raise a [[Security/CSP/Spec#Error_Handling|CSP console error]] and enforce the most restrictive ("allow none") policy.
If multiple <tt>X-Content-Security-Policy</tt> headers are present in the HTTP response, then the first one encountered is used and the rest are discarded.
          
          
The syntax is identical between file-based and header-based policy. The contents of a policy file are equivalent to the value of the X-Content-Security-Policy header.
The syntax is identical between file-based and header-based policy. The contents of a policy file are equivalent to the value of the X-Content-Security-Policy header.
Line 133: Line 131:
The <tt>X-Content-Security-Policy</tt> HTTP Response header should be present in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 Message Headers] section of a server's HTTP response.  Specifically, it must NOT appear in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40 Trailer Headers] section of the response, so that the policy may be enforced as the rest of the page content loads.  Multiple <tt>X-Content-Security-Policy</tt> Response headers will be considered; if more than one is present, the intersection of the policies is enforced.
The <tt>X-Content-Security-Policy</tt> HTTP Response header should be present in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 Message Headers] section of a server's HTTP response.  Specifically, it must NOT appear in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40 Trailer Headers] section of the response, so that the policy may be enforced as the rest of the page content loads.  Multiple <tt>X-Content-Security-Policy</tt> Response headers will be considered; if more than one is present, the intersection of the policies is enforced.


==Policy Refinements with a Multiply-Specified Header==
==Policy Refinements with Multiple Headers==
When multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header are present in an HTTP response, the intersection of the policies is enforced; essentially, the browser enforces a policy that is more strict than both the policies specified in the multiple headers, but only strict enough to correspond to rules in all policies.  Any web request that satisfied ''all'' policies alone will be accepted by the new policy, but any request rejected by ''any of'' of the two policies will be rejected.  The intersection is calculated on a directive-by-directive basis (i.e., the intersection of the <tt>allow</tt> directive is taken and enforced as the <tt>allow</tt> part of the effective policy). Explicitly, for two policies:
When multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header are present in an HTTP response, the intersection of the policies is enforced; essentially, the browser enforces a policy that is more strict than both the policies specified in the multiple headers, but only strict enough to correspond to rules in all policies.  Any web request that satisfied ''all'' policies alone will be accepted by the new policy, but any request rejected by ''any of'' of the two policies will be rejected.  The intersection is calculated on a directive-by-directive basis (i.e., the intersection of the <tt>allow</tt> directive is taken and enforced as the <tt>allow</tt> part of the effective policy). Explicitly, for two policies:


Sidstamm
canmove, Confirmed users
1,537

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/157160"

Navigation menu