Security/CSP/Specification

12 bytes added, 23:31, 12 March 2010
=Definitions=
A <b>policy</b> is composed of <b>directives</b>, such as "<tt>allow 'none'</tt>". Each directive is composed of a <b>directive name</b> and a <b>directive value</b>, which is either a list of <b>host items</b> or a <b>URI</b>, for certain types of directives.
When CSP is activated for a site, a few <b>[[Security/CSP#Content_Restrictions|base restrictions]]</b> in the browser environment are enforced <i>by default</i> to help provide proper enforcement of any policy defined. These base restrictions provide general security enhancements by limiting the types of dynamic content that are allowed: generally, any script on a site that converts text into code (through the use of <tt>eval()</tt> or similar functions) is disallowed. Details of these restrictions can be found in the [[Security/CSP/Specification#Base_Restrictions|Base Restrictions]] section.
<policy> ::= <allow-directive>";"<directive-list>
<allow-directive> ::= allow <src-dir-value>
<directive-list> ::= <empty> | <directive>";"<directive-list>
<blocked-uri><nowiki>http://evil.com/some_image.png</nowiki></blocked-uri>
<violated-directive>img-src self</violated-directive>
<original-policy>allow 'none'; img-src *, allow self; img-src self</original-policy>
</csp-report>
;Unrecognized <tt>options</tt> token: If an unrecognized token is present in the <tt>options</tt> directive value, the User Agent MUST ignore it and SHOULD report a warning message to the Error Console stating the unrecognized token.
;Missing "allow": If the "allow" directive is not present, the User Agent SHOULD report a warning message to the Error Console and MUST assume the directive value "allow 'none'" for the policy. The User Agent MUST enforce the rest of the policy as written (assuming no other policy errors are encountered).
;Directive Syntax Error: When any known directive contains a value that violates [[Security/CSP/Spec#Policy_Language_and_Syntax|CSP syntax]], the User Agent SHOULD report a warning message stating the invalid syntax to the Error Console AND MUST "fail closed" by enforcing the most secure policy, "allow 'none'" for the protected document.
;No Recognized Directives: If no recognized directives are present in the stated policy, the User Agent SHOULD report a warning message to the Error Console stating "invalid policy" AND MUST enforce the policy "allow 'none'" on the protected document.
;Other Parsing Errors: Any other parsing errors not covered here SHOULD cause the User Agent to enforce the policy "allow 'none'". If such a case should arise, the User Agent SHOULD report a descriptive error to the Error Console describing the problem.
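The error-handling rules above, worked through as an added Python example (this is not code from the original page or from any User Agent implementation). The set of directive names, the <tt>options</tt> tokens and the simplified host-item grammar are assumptions made for the example; the point is the order in which the rules apply and where the parser fails closed.

```python
import re

# Assumed subset of directive names for this example; not the spec's full list.
SRC_DIRECTIVES = {"allow", "img-src", "script-src", "style-src", "object-src",
                  "media-src", "frame-src", "font-src", "xhr-src"}
KNOWN_OPTIONS = {"inline-script", "eval-script"}   # assumed options tokens
# Simplified host item: self, 'none', *, or [scheme://][*.]host[:port]
HOST_ITEM = re.compile(
    r"^(self|'none'|\*|(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[\w.-]+(?::\d+)?)$", re.I)
FAIL_CLOSED = {"allow": ["'none'"]}


def parse_policy(policy):
    """Return (directives, warnings) for one policy header value.

    Applies the error-handling rules: unrecognised options tokens are dropped
    with a warning, a missing allow directive is assumed to be allow 'none',
    and a syntax error in a known directive, or a policy with no recognised
    directives, fails closed to allow 'none'.
    """
    directives, warnings = {}, []
    for raw in policy.split(";"):
        parts = raw.split()
        if not parts:                      # empty segment, e.g. trailing ';'
            continue
        name, tokens = parts[0].lower(), parts[1:]
        if name in SRC_DIRECTIVES:
            # 'none' is only meaningful on its own; anything unparseable is a syntax error
            bad = (not tokens or not all(HOST_ITEM.match(t) for t in tokens)
                   or ("'none'" in tokens and len(tokens) > 1))
            if bad:
                warnings.append(f"syntax error in {name}; failing closed")
                return dict(FAIL_CLOSED), warnings
            directives[name] = tokens
        elif name == "options":
            for t in tokens:
                if t not in KNOWN_OPTIONS:
                    warnings.append(f"unrecognized options token ignored: {t}")
            directives[name] = [t for t in tokens if t in KNOWN_OPTIONS]
        elif name == "report-uri":
            directives[name] = tokens
        else:
            warnings.append(f"unknown directive ignored: {name}")
    if not directives:                     # nothing recognised at all
        warnings.append("invalid policy; enforcing allow 'none'")
        return dict(FAIL_CLOSED), warnings
    if "allow" not in directives:          # rest of the policy is still enforced
        warnings.append("missing allow; assuming allow 'none'")
        directives["allow"] = ["'none'"]
    return directives, warnings
```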