Security/CSP/AllowedScripts: Difference between revisions

The user agent MUST ignore any X-Allowed-Scripts header fields occurring in an HTML meta tag or in the Trailer headers.
= Semantics =


If the X-Allowed-Scripts header is present, the user agent MUST take the following steps:
 
*Disable inline JavaScript for the current page, including inline script elements, inline event handlers, script in CSS style sheets, and JavaScript URLs.
*Prevent the current page from generating requests for data URLs.
*Prevent the current page from loading external scripts and plug-ins unless those loads respect the effective origin list.
 
 
 
A URL is contained in the effective origin list if the URL is contained in the origin list of every X-Allowed-Scripts header field associated with the HTTP response.
 
The origin list of an X-Allowed-Scripts header field is the union of all URLs denoted by the listed origin-descriptors.  The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
 
*"self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
*"none" denotes the empty set of URLs.
*"*" denotes the set of all URLs.
 
Instead of a constant, an origin-descriptor can be a non-constant origin-descriptor such as the following:
<pre>example.com
*.example.org
https://example.net
http://*.foo.example.com</pre>
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.
 
A resource load is said to ''respect an origin-list'' if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
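The following is an added worked example, not code from the original wiki page or from any browser implementation. It evaluates the origin-list semantics above: constant and non-constant origin-descriptors, the scheme default, the star matching zero or more subdomains, ports being ignored, the effective origin list as the intersection over every X-Allowed-Scripts field, and the rule that a load respects the list only if the initial request and every redirect target are contained in it. It assumes that origin-descriptors within one header field are separated by whitespace, which the excerpt does not state.

```python
"""Evaluator for the X-Allowed-Scripts origin-list semantics.

Added example, not from the original page.  Assumption: the descriptors in
one header field are whitespace-separated; the page does not give the syntax.
"""
from urllib.parse import urlsplit


def _split_url(url):
    """Return (scheme, host), lower-cased; host is None for data:, javascript:, ...
    The port is deliberately dropped: the origin-list ignores port numbers."""
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else None
    return parts.scheme.lower(), host


def parse_descriptor(descriptor, page_scheme):
    """Turn a non-constant origin-descriptor into (scheme, host-pattern).

    A descriptor without a scheme inherits the scheme of the current page.
    Any ':port' suffix on the host part is ignored (assumption: the page says
    ports are ignored but shows no descriptor that carries one).
    """
    if "://" in descriptor:
        scheme, host = descriptor.split("://", 1)
    else:
        scheme, host = page_scheme, descriptor
    host = host.split("/", 1)[0].split(":", 1)[0]
    return scheme.lower(), host.lower()


def host_matches(pattern, host):
    """'*.example.org' matches example.org itself and any depth of subdomain;
    a pattern without a star must equal the fully qualified host."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def url_in_origin_list(url, header_value, page_url):
    """Is `url` in the origin list denoted by one X-Allowed-Scripts field?"""
    page_scheme, page_host = _split_url(page_url)
    scheme, host = _split_url(url)
    if host is None:            # no host, so no descriptor can denote it
        return False
    for descriptor in header_value.split():
        if descriptor == "*":    # the set of all URLs
            return True
        if descriptor == "none":  # the empty set contributes nothing
            continue
        if descriptor == "self":  # same scheme and fully qualified host as the page
            if scheme == page_scheme and host == page_host:
                return True
            continue
        d_scheme, d_host = parse_descriptor(descriptor, page_scheme)
        if scheme == d_scheme and host_matches(d_host, host):
            return True
    return False


def url_in_effective_origin_list(url, header_values, page_url):
    """The effective list is the intersection over all header fields, so the
    URL must be in every one of them (call only when the header is present)."""
    return all(url_in_origin_list(url, h, page_url) for h in header_values)


def load_respects_policy(request_chain, header_values, page_url):
    """A load respects the policy only if the initial request URL and every
    redirect target are in the effective origin list."""
    return all(url_in_effective_origin_list(u, header_values, page_url)
               for u in request_chain)


if __name__ == "__main__":
    # Constructed sample page and policy for illustration.
    page = "https://www.example.com/index.html"
    policy = ["self *.example.org https://example.net"]
    chain_ok = ["https://cdn.example.org/lib.js",
                "https://static.cdn.example.org/lib.js"]
    chain_bad = ["https://cdn.example.org/lib.js",
                 "https://cdn.example.invalid/lib.js"]
    print(load_respects_policy(chain_ok, policy, page))    # True
    print(load_respects_policy(chain_bad, policy, page))   # False
```

The redirect check is the part worth keeping in mind when reviewing an implementation: checking only the initial request URL would let an allowed origin redirect a script load to an origin the page owner never listed.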