Changes


Security/CSP/Specification

171 bytes removed, 23:29, 8 March 2010
===Directives===
====allow====
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives. Defines the default policy for unspecified content types.
* User Agents MUST not load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'".
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives (including XMLHttpRequests).
====options====
* Options for modifying the underlying behavior of CSP are specified here.
* The value of this directive is a space-separated list of LDH tokens, each specifying a feature to enable or disable:
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt>
* User Agents MUST ignore any tokens not recognized by CSP, and SHOULD post a non-fatal warning to the error console.
====img-src====
* Indicates which sources are valid for images and favicons.
* User Agents MUST not request images from non-approved sources.
* User Agents MUST subject image requests to the allow directive if img-src is not explicitly specified.
====media-src====
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* User Agents MUST not request <tt>audio</tt> and <tt>video</tt> elements from non-approved sources.
* User Agents MUST subject audio and video requests to the allow directive if media-src is not explicitly specified.
====script-src====
* Indicates which sources are valid for scripts.
* Regulates which scripts can be loaded via the <tt>src=</tt> attribute.
* User Agents MUST not request scripts from non-approved sources.
* User Agents MUST subject script requests to the allow directive if script-src is not explicitly specified.
* Sites may opt out of the [[Security/CSP/Spec#No_inline_scripts_will_execute|"No inline script"]] restriction by adding the <tt>'inline-script'</tt> token to the <tt>options</tt> directive.
* Sites may opt out of the [[Security/CSP/Spec#Code_will_not_be_created_from_strings|"No code from strings"]] restriction by adding the <tt>'eval-script'</tt> token to the <tt>options</tt> directive.
====object-src====
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* User Agents MUST not request objects from non-approved sources.
* User Agents MUST subject object, embed, and applet requests to the allow directive if object-src is not explicitly specified.
====frame-src====
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* Answers the question: "Documents from which sources may be embedded in my resource?"
* User Agents MUST not request frame content from non-approved sources.
* User Agents MUST subject frame requests to the allow directive if frame-src is not explicitly specified.
====font-src====
* Indicates which sources are valid for <tt>@font-face</tt> CSS loads.
* User Agents MUST not request fonts served from non-approved sources when intended for use as a font in CSS.
* User Agents MUST subject requests caused by <tt>@font-face</tt> to the allow directive if font-src is not explicitly specified.
====xhr-src====
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* User Agents MUST not cause XMLHttpRequests to open requests to sources not permitted by this directive.
* User Agents MUST subject requests caused by <tt>XMLHttpRequest</tt> objects to the allow directive if xhr-src is not explicitly specified.
====frame-ancestors====
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C. If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive. For example, if A embeds B which embeds C, and C defines <tt>frame-ancestors</tt> as "B,C", then C is not rendered as a subframe.
* Answers the question: "Which sites may embed this resource?"
* User Agents MUST not render the protected document when any of its frame ancestors are not allowed by this directive.
* User Agents MUST always render the protected document if frame-ancestors is not explicitly specified.
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF].
** Using frame-ancestors, it is possible to prevent a resource from being framed within a malicious webpage. The browser will stop loading the protected document as soon as its frame-ancestors policy is received and a policy violation is determined.
** However, this directive <em>does not prevent the request for the document from being sent</em> to the framed document's server, as policy directives are received by the browser in the server's response. To mitigate Cross-Site Request Forgery, the [[Security/Sec-From|Sec-From header]] provides a more robust mechanism.
* If frame-ancestors is not explicitly specified, any site may embed the page employing this policy.
====style-src====
* Indicates which sources are valid for externally linked stylesheets.
* User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
* User Agents MUST not request stylesheets from sources not allowed by the style-src directive.
* User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified.
====report-uri====
* Instructs the browser where to send a report when CSP is violated.
* The report will be an XML document with MIME type application/xml sent via POST to the specified URI contained in the value of this directive.
* Acceptable report URIs MUST use the same scheme and port as the protected content, and the [http://publicsuffix.org public suffix] and most general DNS label of the protected content and the report URI must match. For example, www.foo.co.uk and reports.foo.co.uk match, but reports.bar.co.uk does not. Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.
* User Agents MUST send violation reports to any acceptable URIs in this directive. Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* User Agents MUST ignore report URIs that don't match the public suffix and base host requirements. User Agents SHOULD log one error to an error console. User Agents MUST then continue CSP enforcement as if the report URI were not specified.
* User Agents MUST not honor HTTP 3xx response codes. No redirection from the report URI is allowed, to prevent HTTP header leakage across domains.
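As an added illustration (not code from the Mozilla spec), the following JavaScript applies the report-uri acceptance rules above to candidate URIs: same scheme and port as the protected document, matching public suffix plus most general DNS label, and relative URIs resolved against the document. The public suffix list is a constructed stand-in for publicsuffix.org, and all function names are this example's own.

```javascript
// Constructed stand-in for the publicsuffix.org list (assumption, not the real list).
const PUBLIC_SUFFIXES = ["co.uk", "uk", "com", "org"];

// Longest public suffix matching the host, e.g. "co.uk" for "www.foo.co.uk".
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const cand = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.includes(cand)) return cand;
  }
  return labels[labels.length - 1];
}

// "Base host": public suffix plus the most general label below it ("foo.co.uk").
// Returns null when the host is itself a public suffix.
function baseHost(host) {
  const suffix = publicSuffix(host);
  const rest = host.toLowerCase().slice(0, host.length - suffix.length).replace(/\.$/, "");
  if (!rest) return null;
  const labels = rest.split(".");
  return labels[labels.length - 1] + "." + suffix;
}

// Resolve a (possibly relative) report URI against the protected document and
// apply the checks; returns the absolute URI, or null if the UA must ignore it.
function acceptableReportUri(docUrl, reportUri) {
  const doc = new URL(docUrl);
  let rep;
  try { rep = new URL(reportUri, doc.href); } catch { return null; }
  // Compare effective ports: URL leaves the default port empty.
  const port = u => u.port || (u.protocol === "https:" ? "443" : "80");
  if (rep.protocol !== doc.protocol || port(rep) !== port(doc)) return null;
  const b1 = baseHost(doc.hostname), b2 = baseHost(rep.hostname);
  if (!b1 || !b2 || b1 !== b2) return null;
  return rep.href;
}

// Filter a whole report-uri directive value. Unacceptable entries are dropped;
// a UA would log one console error and enforce as if they were not specified.
function acceptedReportUris(docUrl, directiveValue) {
  return directiveValue.split(/\s+/).filter(Boolean)
    .map(u => acceptableReportUri(docUrl, u)).filter(Boolean);
}
```

The redirect rule is enforced at delivery time, not here: the UA posting the report simply does not follow a 3xx from the accepted URI.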
====policy-uri====
* Indicates the location of a file containing the security policies for the protected resource.
* <tt>policy-uri</tt> MUST only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header.
* User Agents MUST raise a [[Security/CSP#Error_Handling|console fatal error]] and MUST enforce the most restrictive policy, "allow 'none'", if <tt>policy-uri</tt> is defined among other directives in the header.
* User Agents MUST ignore any policy URIs of a different origin (scheme, host, or port) from the protected content. User Agents SHOULD resolve relative URIs within the same scheme, host and port as the protected document served with the CSP.
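The following JavaScript is an added model of the directive semantics above (not the spec's or Mozilla's code): the fallback of the *-src directives to allow, the "allow 'none'" default when allow is absent, the opposite default for frame-ancestors, and the fatal policy-uri conflict. It assumes a simplified source expression syntax ('none', 'self', bare host names) because the Source Expression List section is not reproduced on this page.

```javascript
// Directives that fall back to `allow` when not explicitly specified.
const FALLBACK_TO_ALLOW = new Set(["img-src", "media-src", "script-src", "object-src",
  "frame-src", "font-src", "xhr-src", "style-src"]);

// Parse "allow 'self'; img-src images.example.com" into a Map of directive -> tokens.
// policy-uri MUST stand alone: combined with other directives the UA raises a fatal
// console error and enforces the most restrictive policy, allow 'none'.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  if (policy.has("policy-uri") && policy.size > 1) return new Map([["allow", ["'none'"]]]);
  return policy;
}

// Simplified source expression (assumption): 'none', 'self', or a bare host name.
function sourceMatches(expr, origin, documentOrigin) {
  const e = expr.replace(/^'|'$/g, "").toLowerCase();
  if (e === "none") return false;
  if (e === "self") return origin === documentOrigin;
  return new URL(origin).hostname === e;
}

// Effective source list for a *-src directive: the directive itself if present,
// otherwise `allow`; an absent `allow` is equivalent to "allow 'none'".
function effectiveSources(policy, directive) {
  if (!FALLBACK_TO_ALLOW.has(directive)) throw new Error("not a *-src directive: " + directive);
  return policy.get(directive) || policy.get("allow") || ["'none'"];
}

// May the protected document load content of type `directive` from `origin`?
function isAllowed(policy, directive, origin, documentOrigin) {
  return effectiveSources(policy, directive).some(s => sourceMatches(s, origin, documentOrigin));
}

// frame-ancestors has the opposite default: unspecified means always render;
// when specified, every ancestor between the document and the top frame must match.
function ancestorsAllowed(policy, ancestorOrigins, documentOrigin) {
  if (!policy.has("frame-ancestors")) return true;
  const sources = policy.get("frame-ancestors");
  return ancestorOrigins.every(a => sources.some(s => sourceMatches(s, a, documentOrigin)));
}
```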
===Source Expression List===