| Line 39: | Line 39: | ||
;allow: | ;allow: | ||
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives. Defines the default policy for un-specified content types. | * The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives. Defines the default policy for un-specified content types, except for <tt>frame-ancestors</tt>, which MUST be enforced as "*" when not explicitly stated. | ||
* User Agents MUST not load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'". | * User Agents MUST not load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'". | ||
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives. | * User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives. | ||
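Review bot: the new exception for <tt>frame-ancestors</tt> in the first bullet is not carried into the two bullets that follow it, which still say "User Agents MUST not load content from any source if the allow directive is not explicitly specified" and that this is "equivalent to the policy "allow 'none'"", so a reader can take the 'none' fallback as applying to framing as well. Suggest either restating in those bullets that framing is governed by <tt>frame-ancestors</tt> (default "*") rather than by the <tt>allow</tt> fallback, or keeping the <tt>allow</tt> section limited to what <tt>allow</tt> controls and putting the exception only in the <tt>frame-ancestors</tt> section. It is also worth saying explicitly that "*" is the permissive default, so an author who wants a restrictive framing policy has to state <tt>frame-ancestors</tt> even when <tt>allow</tt> is 'none'.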
| Line 88: | Line 88: | ||
;frame-ancestors: | ;frame-ancestors: | ||
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C. If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>. | * Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags. An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C. If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>. | ||
* If this directive is not explicitly stated in the policy, it is assumed to be "*". This is different than the other source directives that inherit the value of <tt>allow</tt>. | |||
* All web pages that are ancestors of the protected content must be indicated by the value of this directive. For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe. | * All web pages that are ancestors of the protected content must be indicated by the value of this directive. For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe. | ||
* Answers the question: "Which sites may embed this resource?" | * Answers the question: "Which sites may embed this resource?" | ||
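Review bot: the added bullet should read "different from the other source directives" rather than "different than", and it should spell out what "*" means here (any ancestor may embed the protected resource) so the reader does not assume the restrictive <tt>allow</tt> fallback applies. The bullet also duplicates the exception now stated in the <tt>allow</tt> section at Line 39; make one of the two the normative statement and have the other refer to it so they cannot drift apart. The unchanged example that follows ("C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered") would be clearer with the reason attached: A is an ancestor of C and is not listed, so the requirement in the preceding bullet that all ancestors be indicated is not met.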