| Line 109: | Line 109: | ||
==Restrictions on policy-uri and report-uri== | ==Restrictions on policy-uri and report-uri== | ||
The optional directive policy-uri must refer to the same origin (scheme/host/port) as the protected document. The report-uri directive must refer to an origin with the same public suffix and base host (ETLD + 1). For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com". Additionally, policy-uri documents must be served with the MIME type text/x-content-security-policy to be valid | |||
<font color="#a00"> | <font color="#a00"> | ||
* Restricted: | * Restricted: | ||
** policy-uri directives which refer to a URI on a different host as the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi | ** policy-uri directives which refer to a URI on a different host as the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi | ||
** policy-uri responses served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg | ** policy-uri responses served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg | ||
** report-uri directives which refer to a URI on a different host than the protected document, e.g. report-uri http://other.tld/csp-report.cgi | ** report-uri directives which refer to a URI on a different public suffix or base host (ETLD+1) than the protected document, e.g. report-uri http://other.tld/csp-report.cgi | ||
</font> | </font> | ||
<font color="#060"> | <font color="#060"> | ||
* Allowed: | * Allowed: | ||
** policy-uri directives which refer to a URI on the same host as the protected document, e.g. policy-uri http://same.site/csp-policy.cgi. The policy document must also be served with the response header, Content-Type: text/x-content-security-policy | ** policy-uri directives which refer to a URI on the same host as the protected document, e.g. policy-uri http://same.site/csp-policy.cgi. The policy document must also be served with the response header, Content-Type: text/x-content-security-policy | ||
** report-uri directives which refer to a URI | ** report-uri directives which refer to a URI containing the same public suffix and base host as the protected document, e.g., on www.site.com there is a policy-uri http://same.site.com/csp-report.cgi | ||
</font> | </font> | ||
* Justification: | * Justification: | ||
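Review bot: the new "Allowed" example for report-uri (right column of the second Allowed bullet) names the wrong directive; it reads "on www.site.com there is a policy-uri http://same.site.com/csp-report.cgi" but is illustrating report-uri, so it should say "report-uri http://same.site.com/csp-report.cgi". Two further points on the added paragraph: "may refer to anything that ends with 'mysite.com'" invites a string-suffix check that would also accept "evilmysite.com", so state the rule as the report-uri host having the same registrable domain (ETLD+1, here "mysite.com") rather than the same string suffix; and the paragraph requires policy-uri to match the full origin (scheme/host/port) while the Restricted and Allowed bullets for policy-uri still speak only of "a different host" / "the same host", which should be tightened to "a different origin" / "the same origin" so the examples do not read as permitting an http policy-uri on an https page. Minor: the added paragraph is missing its terminating period, and "Content-type: image/jpeg" should be "Content-Type" to match the other occurrences.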