Security/CSP/Spec: Difference between revisions

m
(→‎Handling Parse Errors: handle options directive issues)
Line 418: Line 418:
The user-agent states its support for CSP in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.43 User-Agent HTTP header], by adding a [http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.8 product token] resembling "CSP/1.0" into the User-Agent string sent with HTTP requests.  The recipient may use this product string to identify which clients employ which version of CSP (in case different policies are needed across versions).  This product string must be absent if CSP is disabled by the client software.
The user-agent states its support for CSP in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.43 User-Agent HTTP header], by adding a [http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.8 product token] resembling "CSP/1.0" into the User-Agent string sent with HTTP requests.  The recipient may use this product string to identify which clients employ which version of CSP (in case different policies are needed across versions).  This product string must be absent if CSP is disabled by the client software.


; User Scripts : CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons).
; User Scripts : CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons and bookmarklets).


; Redirects to Content : When a resource is requested from a URI ''X[0]'' protected by a policy ''CSP'', that resource's URI is only loaded if permitted by ''CSP''.  If the URI ''X[0]'' resolves to an HTTP redirect of any kind (temporary or permanent) the new URI ''X[1]'' is also required to be permitted by the policy ''CSP''.  The effect is that all requests generated by the document must be permitted by the CSP whether they are the initial request or the steps taken during a redirect.
; Redirects to Content : When a resource is requested from a URI ''X[0]'' protected by a policy ''CSP'', that resource's URI is only loaded if permitted by ''CSP''.  If the URI ''X[0]'' resolves to an HTTP redirect of any kind (temporary or permanent) the new URI ''X[1]'' is also required to be permitted by the policy ''CSP''.  The effect is that all requests generated by the document must be permitted by the CSP whether they are the initial request or the steps taken during a redirect.
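Review bot: the "User Scripts" line now lists bookmarklets next to add-ons but does not say how the user agent distinguishes a bookmarklet the user invokes from a javascript: URI the page itself supplies; since a bookmarklet is executed through the same javascript: URI mechanism, an unqualified exemption for "user-supplied scripts" could be read as also exempting page-authored javascript: navigation, which is exactly what the policy is meant to govern. Suggest qualifying the exemption along the lines of "scripts invoked directly by the user, such as browser add-ons and bookmarklets, are not subject to the document's policy; javascript: URIs that appear in the document remain subject to it."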