Changes

Security/CSP/Specification

21 bytes added, 19:02, 1 June 2010

→‎Violation Report Syntax

User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method.

User Agents MUST not honor redirection responses.

~~Reports~~ The report body MUST be ~~an XML document containing~~ a JSON object having the following ~~fields~~properties:

; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)

NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST not send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI).

Violation Report ~~XML Schema~~JSON Format:

~~<?xml version="1.0" encoding="ISO-8859-1" ?>~~ ~~<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">~~{ ~~<xs:element name="~~csp-report">: { ~~<xs:complexType>~~ ~~<xs:sequence>~~ ~~<xs~~request:~~element name=~~"~~request" type="string" use=~~GET /index.html HTTP/1.1"~~required" />~~, ~~<xs:element name="~~ request-headers: " ~~type="string" />~~Host: example.com ~~<xs~~ User-Agent:~~element name=~~... ...", blocked-uri: " ~~type=~~..."~~string" />~~, ~~<xs:element name="~~ violated-directive~~" type="string" use="required" />~~ ~~<xs~~:~~element name=~~"~~original-policy" type="string" use="required~~..." /> ~~</xs:sequence>~~ ~~</xs:complexType>~~ ~~</xs:element>~~} ~~</xs:schema>~~}

The MIME type of the transmitted report will be set to <tt>application/~~xml~~json</tt>.

===Violation Report Sample===

In this example, a page located at <tt>http://example.com/index.html</tt> was requested using HTTP 1.1 via the GET method. It provided a policy that included the directive "<tt>img-src 'self'</tt>", which was violated by a request for <tt><nowiki>http://evil.com/some_image.png</nowiki></tt>. The sample ~~XML data~~ JSON object sent to the policy-specified <tt>report-uri</tt> follows.

<{ "csp-report>": { < "request>": "GET http://index.html HTTP/1.1~~</request>~~", < "request-headers~~><![CDATA[~~ ": "Host: example.com User-Agent: Mozilla/5.0 (~~X11~~Macintosh; U; ~~Linux i686~~Intel Mac OS X 10.5; en-US; rv:1.9.3a5pre) Gecko/~~2008061015 Firefox~~20100601 Minefield/3.07a5pre Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: ~~300~~115 Connection: keep-alive", ~~]]></request-headers>~~ < "blocked-uri>": "<nowiki>http://evil.com/some_image.png</nowiki>~~</blocked-uri>~~", < "violated-directive>": "img-src 'self~~</violated-directive>~~'", < "original-policy>": "allow 'none'; img-src *, allow 'self'; img-src 'self~~</original-policy>~~'" } ~~</csp-report>~~}

=User Agent Behavior=

Bsterne

Canmove, confirm

120

edits

Changes

Security/CSP/Specification

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools