=Terminology=
A <b>policy</b> is composed of <b>directives</b>, such as "<tt>allow foo.com</tt>". Each directive is composed of a <b>directive name</b> and a <b>directive value</b>, which is a list of <b>host items</b> or, for certain types of directives, a <b>URI</b>.
When CSP is activated for a site, a few <b>[[Security/CSP#Content_Restrictions|refinements]]</b> to the browser environment are made <i>no matter the policy</i> to help provide proper enforcement of any policy defined. These refinements provide general security enhancements by placing restrictions on the types of dynamic content that are allowed: generally any script on a site that converts text into code (through the use of <tt>eval()</tt> or similar functions) is disallowed. Details of the refinements can be found in the [[Security/CSP#Content_Restrictions|Content Restrictions]] section.
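The directive structure described above, as an added example that is not part of the original wiki page: a small Python parser that splits a policy string into named directives whose value is either a list of host items or a URI, plus a host check. The separators (<tt>;</tt> between directives, whitespace between host items), the <tt>img-src</tt> and <tt>report-uri</tt> directive names, and the fallback to <tt>allow</tt> when a content-specific directive is absent are assumed from the Mozilla CSP draft and are not stated in this section.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Directives whose value is a single URI instead of a list of host items.
# Assumption: 'report-uri' is taken from the Mozilla CSP draft, not this page.
URI_DIRECTIVES = {"report-uri"}


@dataclass
class Directive:
    name: str
    host_items: List[str] = field(default_factory=list)
    uri: Optional[str] = None


def parse_policy(policy: str) -> Dict[str, Directive]:
    """Split a policy string into directives keyed by lower-cased name.

    Assumed syntax (Mozilla CSP draft): directives are separated by ';'
    and each directive is a name followed by whitespace-separated values.
    A repeated directive name is rejected rather than silently merged.
    """
    directives: Dict[str, Directive] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # tolerate empty segments such as a trailing ';'
        name, values = tokens[0].lower(), tokens[1:]
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        if name in URI_DIRECTIVES:
            if len(values) != 1:
                raise ValueError(f"{name} expects exactly one URI")
            directives[name] = Directive(name, uri=values[0])
        elif values:
            directives[name] = Directive(name, host_items=[v.lower() for v in values])
        else:
            raise ValueError(f"{name} has no host items")
    return directives


def host_allowed(directives: Dict[str, Directive], directive: str, host: str) -> bool:
    """Exact host-item match; falls back to 'allow' when the specific
    directive is absent (assumed default from the Mozilla CSP draft).
    With neither the directive nor 'allow' present, nothing is allowed."""
    d = directives.get(directive.lower()) or directives.get("allow")
    return d is not None and host.lower() in d.host_items
```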