MozillaWiki

Security/CSP/Specification: Difference between revisions

Page Discussion

Security/CSP/Specification (view source)

Revision as of 17:30, 5 October 2012

6,216 bytes removed ,  5 October 2012
no edit summary
No edit summary
No edit summary
 
(27 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This specification document is DEPRECATED (old and crusty). The W3C has undertaken standardization of CSP and you can find the [http://www.w3.org/TR/CSP/ W3C spec here].
=Specification=
=Specification=


Line 7: Line 9:
=Definitions=
=Definitions=


A <b>policy</b> is composed of <b>directives</b>, such as "<tt>allow none</tt>".  Each directive is composed of a <b>directive name</b> and a <b>directive value</b>, which is either a list of <b>host items</b> or a <b>URI</b>, for certain types of directives.
A <b>policy</b> is composed of <b>directives</b>, such as "<tt>allow 'none'</tt>".  Each directive is composed of a <b>directive name</b> and a <b>directive value</b>, which is either a list of <b>host items</b> or a <b>URI</b>, for certain types of directives.


When CSP is activated for a site, a few <b>[[Security/CSP#Content_Restrictions|base restrictions]]</b> in the browser environment are enforced <i>by default</i> to help provide proper enforcement of any policy defined.  These base restrictions provide general security enhancements by limiting the types of dynamic content that is allowed: generally any script on a site that converts text into code (through the use of <tt>eval()</tt> or similar functions) is disallowed.  Details of the refinements can be found in the [[Security/CSP/Specification#Base_Restrictions|Base Restrictions]] section.
When CSP is activated for a site, a few <b>[[Security/CSP#Content_Restrictions|base restrictions]]</b> in the browser environment are enforced <i>by default</i> to help provide proper enforcement of any policy defined.  These base restrictions provide general security enhancements by limiting the types of dynamic content that is allowed: generally any script on a site that converts text into code (through the use of <tt>eval()</tt> or similar functions) is disallowed.  Details of the refinements can be found in the [[Security/CSP/Specification#Base_Restrictions|Base Restrictions]] section.
Line 13: Line 15:
==Policy Language and Syntax==
==Policy Language and Syntax==


A policy is composed of directives with their corresponding values.  Any number of directives can be defined, but the <b><tt>allow</tt> directive must always be present</b>.  Each directive is followed with a list of host expressions except for <tt>policy-uri</tt> and <tt>report-uri</tt> which contain a single URI value. Some [[Security/CSP/Spec#Sample_Policy_Definitions|example policy sets]] are provided below.
A policy is composed of directives with their corresponding values.  Any number of directives can be defined, but the <b><tt>allow</tt> directive must always be present</b>, or CSP will revert to enforcing the policy <tt>allow 'none'</tt> for the protected content.  Each directive is followed with a list of host expressions except for <tt>policy-uri</tt> and <tt>report-uri</tt> which contain a single URI value. Some [[Security/CSP/Spec#Sample_Policy_Definitions|example policy sets]] are provided below.


Note: In the case of policy refinements as described above, it is possible to have two report-uri values; in this situation, a copy of the report is sent to each of the two URIs.
Note: In the case of policy refinements as described above, it is possible to have two report-uri values; in this situation, a copy of the report is sent to each of the two URIs.
Line 38: Line 40:
===Directives===
===Directives===


====allow====
;allow:
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives.  Defines the default policy for un-specified content types.
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives.  Defines the default policy for un-specified content types, except for <tt>frame-ancestors</tt>, which MUST be enforced as "*" when not explicitly stated.
* If the allow directive is not explicitly specified, no content from any source will be loaded. This is equivalent to the policy "allow 'none'".
* User Agents MUST NOT load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'".
* All HTTP requests not subject to one of the more specific directives are subject to the allow directive (including XMLHttpRequests).
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives.


====options====
;options:
* Options for modifying the underlying behavior of CSP are specified here.
* Options for modifying the underlying behavior of CSP are specified here.
* The value of this directive is a space-separated list of LDH tokens, each specifying a feature to enable or disable:
* The value of this directive is a space-separated list of LDH tokens, each specifying a feature to enable or disable:
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt>
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt>
* Any tokens not recognized by CSP are ''ignored'', and a non-fatal warning is posted to the error console.
* User Agents MUST ignore any tokens not recognized by CSP, and SHOULD post a non-fatal warning to the error console.


====img-src====
;img-src:
* Indicates which sources are valid for images and favicons.
* Indicates which sources are valid for images and favicons.
* Images from non-approved sources will not be requested or loaded.
* User Agents MUST NOT request images from non-approved sources.
* If img-src is not explicitly specified, image requests are subject to the allow directive.  
* User Agents MUST subject image requests to the allow directive if img-src is not explicitly specified.  


====media-src====
;media-src:
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* <tt>audio</tt> and <tt>video</tt> elements from non-approved sources will not be requested or loaded.
* User Agents MUST NOT request <tt>audio</tt> and <tt>video</tt> elements from non-approved sources.
* If media-src is not explicitly specified, media requests are subject to the allow directive.
* User Agents MUST subject audio and video requests to the allow directive if media-src is not explicitly specified.


====script-src====
;script-src:
* Indicates which sources are valid for scripts.
* Indicates which sources are valid for scripts.
* Only scripts loaded via the <tt>src=</tt> attribute will be loaded
* Regulates which scripts can be loaded via the <tt>src=</tt> attribute.
* Scripts from non-approved sources will not be requested or loaded.
* User Agents MUST NOT request scripts from non-approved sources.
* If script-src is not explicitly specified, script requests are subject to the allow directive.
* User Agents MUST subject script requests to the allow directive if script-src is not explicitly specified.
* Sites may opt-out of the [[Security/CSP/Spec#No_inline_scripts_will_execute|"No inline script"]] restriction by adding the <tt>'inline-script'</tt> token to the <tt>options</tt> directive
* Sites may opt-out of the [[Security/CSP/Spec#Code_will_not_be_created_from_strings|"No code from strings"]] restriction by adding the <tt>'eval-script'</tt> token to the <tt>options</tt> directive


====object-src====
;object-src:
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* Objects from non-approved sources will not be requested or loaded.
* User Agents MUST NOT request objects from non-approved sources.
* If object-src is not explicitly specified, object requests are subject to the allow directive.
* User Agents MUST subject object, embed, and applet requests to the allow directive if object-src is not explicitly specified.


====frame-src====
;frame-src:
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* Answers the question: "Documents from which sources may be embedded in my resource?"
* User Agents MUST NOT request frame content from non-approved sources.
* Frame content from non-approved sources will not be requested or loaded.
* User Agents MUST subject frame requests to the allow directive if frame-src is not explicitly specified.
* If frame-src is not explicitly specified, frame requests are subject to the allow directive.


====font-src====
;font-src:
* Indicates which sources are valid for <tt>@font-src</tt> CSS loads.
* Indicates which sources are valid for <tt>@font-src</tt> CSS loads.
* Fonts served from non-approved sources must not be requested for use as a font in CSS.
* User Agents MUST NOT request fonts served from non-approved sources when intended for use as a font in CSS.
* If font-src is not explicitly specified, requests by <tt>@font-src</tt> are subject to the allow directive.
* User Agents MUST subject requests caused by <tt>@font-src</tt> to the allow directive if font-src is not explicitly specified.


====xhr-src====
;xhr-src:
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* XMLHttpRequests may not be opened to sources not permitted by this directive.
* User Agents MUST NOT cause XMLHttpRequests to open requests to sources not permitted by this directive.
* If xhr-src is not explicitly specified, requests by <tt>XMLHttpRequest</tt> objects are subject to the allow directive.
* User Agents MUST subject requests caused by <tt>XMLHttpRequest</tt> to the allow directive if xhr-src is not explicitly specified.


====frame-ancestors====
;frame-ancestors:
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags.  An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C.  If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags.  An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C.  If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* If this directive is not explicitly stated in the policy, it is assumed to be "*".  This is different than the other source directives that inherit the value of <tt>allow</tt>.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive.  For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive.  For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe.
* Answers the question: "Which sites may embed this resource?"
* Answers the question: "Which sites may embed this resource?"
* User Agents MUST NOT render the protected document when any of its frame ancestors are not allowed by this directive.
* User Agents MUST always render the protected document if frame-ancestors is not explicitly specified.
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF]
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF]
** Using frame-ancestors, it is possible to prevent a resource from being framed within a malicious webpage. The browser will stop loading the protected document as soon as its frame-ancestors policy is received and a policy violation is determined.
** Using frame-ancestors, it is possible to prevent a resource from being framed within a malicious webpage. The browser will stop loading the protected document as soon as its frame-ancestors policy is received and a policy violation is determined.
** However, this directive <em>does not prevent the request for the document from being sent</em> to the framed document's server, as policy directives are received by the browser in the server's response.  To mitigate Cross-Site Request Forgery, the [[Security/Sec-From|Sec-From header]] provides a more robust mechanism.
** However, this directive <em>does not prevent the request for the document from being sent</em> to the framed document's server, as policy directives are received by the browser in the server's response.  To mitigate Cross-Site Request Forgery, the [[Security/Sec-From|Sec-From header]] provides a more robust mechanism.
* If frame-ancestors is not explicitly specified, any site may embed the page employing this policy.


====style-src====
;style-src:
* Indicates which sources are valid for externally linked stylesheets.
* Indicates which sources are valid for externally linked stylesheets.
* Inline stylesheets and style attributes of HTML tags are globally allowed.
* User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
* Stylesheets from non-white-listed sources will not be requested or loaded.
* User Agents MUST NOT request stylesheets from sources not allowed by the style-src directive.
* If style-src is not explicitly specified, stylesheet requests are subject to the allow directive.
* User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified.


====report-uri====
;report-uri:
* Instructs the browser where to send a report when CSP is violated.
* Instructs the browser where to send a report when CSP is violated.
* The report will be an XML document with MIME type application/xml sent via POST to the specified URI contained in the value of this directive.
* The report will be an JSON object with MIME type application/json sent via POST to the specified URI contained in the value of this directive.
* Report URIs must be from the scheme and port as the protected content, and the [http://publicsuffix.org public suffix] and most general DNS label of the protected content and the report URI must match.  For example www.foo.co.uk and reports.foo.co.uk, but not reports.bar.co.uk.  Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.   
* Acceptable report URIs MUST use the scheme and port as the protected content, and the [http://publicsuffix.org public suffix] and most general DNS label of the protected content and the report URI must match.  For example www.foo.co.uk and reports.foo.co.uk, but not reports.bar.co.uk.  Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.   
* Report URIs that don't match the public suffix and base host match requirements will not be sent reports and one error will be logged to an error console.  CSP enforcement will continue as if the report URI were not specified.
* User Agents MUST send violation reports to any acceptable URIs in this directive.  Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* User Agents MUST ignore report URIs that don't match the public suffix and base host match requirements.  User Agents SHOULD log one error to an error console.  User Agents MUST then continue CSP enforcement as if the report URI were not specified.  
* HTTP 3xx response codes are not honored by the user agent.  No redirection from the Report URI is allowed to prevent HTTP header leakage across domains.
* User Agents MUST NOT honor HTTP 3xx response codes to prevent HTTP header leakage across domains.


====policy-uri====
;policy-uri:
* Indicates the location of a file containing the security policies for the protected resource.
* Indicates the location of a file containing the security policies for the protected resource.
* <tt>policy-uri</tt> should only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header.  If <tt>policy-uri</tt> is defined among other directives in the header, a [[Security/CSP#Error_Handling|console error]] is raised and the policy enforced by CSP is the most restrictive policy: "allow none".
* <tt>policy-uri</tt> MUST only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header.   
* Policy URIs must be of the same origin (scheme/host/port) as the protected content. Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.
* User Agents MUST raise a [[Security/CSP#Error_Handling|fatal error]] and MUST enforce the policy "allow 'none'" if <tt>policy-uri</tt> is defined among other directives in the header.  
* User Agents MUST ignore any policy URIs of a different origin (scheme, host, or port) from the protected content. User Agents SHOULD resolve relative URIs within the same scheme, host and port as the protected document.


===Source Expression List===
===Source Expression List===
Line 122: Line 124:


Source expressions may also specify a scheme and/or port.   
Source expressions may also specify a scheme and/or port.   
If the scheme is not specified as part of the source expression it ''defaults to the same scheme as the protected document.''   
If the scheme is not specified as part of the source expression, a User Agent MUST ''use the same scheme as the protected document.''   
If a port is not specified as the source expression, the port used for the source is the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression).
If a port is not specified as the source expression, a User Agent MUST use the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression).


When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) host and port restrictions are not enforced.  This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>).
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) a User Agent MUST NOT enforce host and port restrictions.  This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>).
 
Note that this inheriting of scheme causes SSL mixed content mode to be disabled by default.  If a site wishes to include non-secure content in their top-level SSL page, they must opt-in to mixed content mode by specifying a non-secure scheme in the host expression. 


====Host-less Schemes====
====Host-less Schemes====
Valid sources do not always require a host.  Schemes such as <tt>data</tt> and <tt>javascript</tt> can be enabled as a source by stating the name of the scheme followed by a colon.  For example:
Valid sources do not always require a host.  Schemes such as <tt>data</tt> can be enabled as a source by stating the name of the scheme followed by a colon.  For example:
;<tt>javascript:</tt>: allows javascript URIs
;<tt>data:</tt>: expresses support for all data URIs.
;<tt>data:</tt>: expresses support for all data URIs.


Line 143: Line 142:
====Hostname Wildcards====
====Hostname Wildcards====


Each source expression's host name may contain up to one wildcard (*) and it must be the left-most DNS label.   
Each source expression's host name MAY contain up to one wildcard (*) and it MUST be the left-most DNS label.   


<i>Valid</i> wildcard host names expressions include "<tt>*.mozilla.com</tt>" and "<tt>*</tt>".   
<i>Valid</i> wildcard host names expressions include "<tt>*.mozilla.com</tt>" and "<tt>*</tt>".   
Line 161: Line 160:
  <policy>            ::= <allow-directive>";"<directive-list>
  <policy>            ::= <allow-directive>";"<directive-list>
   
   
  <allow-directive>  ::= allow <source-list>
  <allow-directive>  ::= allow <src-dir-value>
   
   
  <directive-list>    ::= <empty> | <directive>";"<directive-list>
  <directive-list>    ::= <empty> | <directive>";"<directive-list>
Line 224: Line 223:
   
   
  <ldh-str>          ::= <let-dig-hyp>
  <ldh-str>          ::= <let-dig-hyp>
                       | <ldh-symbol><let-dig-hyp>
                       | <ldh-str><let-dig-hyp>
   
   
  <let-dig-hyp>      ::= <letter> | <digit> | "-"
  <let-dig-hyp>      ::= <letter> | <digit> | "-"
Line 251: Line 250:


==Violation Report Syntax==
==Violation Report Syntax==
 
User Agents MUST notify any provided report-uri when its containing policy is violated. These reports contain information about the protected resource and the violating content, and MUST be transmitted to any specified <tt>report-uri</tt>s via HTTP POST if available in the employed scheme, otherwise User Agents MUST choose an appropriate "submit" method.   
CSP supports a reporting mechanism that allows browsers to notify content providers when their policy is violated. When a <tt>report-uri</tt> is provided and a policy is violated, information about the protected resource and the violating content is transmitted to the <tt>report-uri</tt> via HTTP POST if available in the employed scheme, otherwise an appropriate "submit" method is usedThe user agent <i>must not</i> honor redirection responses.  Such a report is an XML document containing the following fields:
User Agents MUST NOT honor redirection responses.   
The report body MUST be a JSON object having the following properties:


; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
; <tt>request</tt> : HTTP request line of the resource whose policy is violated (including method, resource, path, HTTP version)
Line 260: Line 260:
; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies)
; <tt>original-policy</tt> : The original policy as served in the X-Content-Security-Policy HTTP header (or if there were multiple headers, a comma separated list of the policies)
   
   
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, <tt>blocked-uri</tt> is not sent and is assumed to be the same as the request URI. The reason for this is because this situation is different from other policy violations: no third-party content was blocked, rather the protected content elected not to load since it does not trust the sites that have enframed it.
NOTE: in the case where a protected resource is not rendered because the <tt>frame-ancestors</tt> directive was violated, User Agents MUST NOT send <tt>blocked-uri</tt> (it is assumed to be the same as the request URI).
 
Violation Report XML Schema:


<?xml version="1.0" encoding="ISO-8859-1" ?>
Violation Report JSON Format:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="csp-report">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="request" type="string" use="required" />
        <xs:element name="request-headers" type="string" />
        <xs:element name="blocked-uri" type="string" />
        <xs:element name="violated-directive" type="string" use="required" />
        <xs:element name="original-policy" type="string" use="required" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>


{
  csp-report: {
    request: "GET /index.html HTTP/1.1",
    request-headers: "Host: example.com
                      User-Agent: ...
                      ...",
    blocked-uri: "...",
    violated-directive: "..."
  }
}


The MIME type of the transmitted report will be set to <tt>application/xml</tt>.
The MIME type of the transmitted report will be set to <tt>application/json</tt>.


===Violation Report Sample===
===Violation Report Sample===


In this example, a page located at <tt>http://example.com/index.html</tt> was requested using HTTP 1.1 via the GET method.  It provided a policy that included the directive "<tt>img-src self</tt>", which was violated by a request for <tt><nowiki>http://evil.com/some_image.png</nowiki></tt>.  The sample XML data sent to the policy-specified <tt>report-uri</tt> follows.
In this example, a page located at <tt>http://example.com/index.html</tt> was requested using HTTP 1.1 via the GET method.  It provided a policy that included the directive "<tt>img-src 'self'</tt>", which was violated by a request for <tt><nowiki>http://evil.com/some_image.png</nowiki></tt>.  The sample JSON object sent to the policy-specified <tt>report-uri</tt> follows.


  <csp-report>
  {
  <request>GET /index.html HTTP/1.1</request>
  "csp-report":
  <request-headers><![CDATA[
    {
            Host: example.com
      "request": "GET http://index.html HTTP/1.1",
            User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0
      "request-headers": "Host: example.com                                                      
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                          User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a5pre) Gecko/20100601 Minefield/3.7a5pre                                                       
            Accept-Language: en-us,en;q=0.5
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
            Accept-Encoding: gzip,deflate
                          Accept-Language: en-us,en;q=0.5                                        
            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
                          Accept-Encoding: gzip,deflate                                          
            Keep-Alive: 300
                          Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7                          
            Connection: keep-alive
                          Keep-Alive: 115                                                         
  ]]></request-headers>
                          Connection: keep-alive",
  <blocked-uri><nowiki>http://evil.com/some_image.png</nowiki></blocked-uri>
      "blocked-uri": "<nowiki>http://evil.com/some_image.png</nowiki>",
  <violated-directive>img-src self</violated-directive>
      "violated-directive": "img-src 'self'",
  <original-policy>allow none; img-src *, allow self; img-src self</original-policy>
      "original-policy": "allow 'none'; img-src *; allow 'self'; img-src 'self'"
  </csp-report>
    }
  }


=User Agent Behavior=
=User Agent Behavior=
Line 310: Line 306:
===No inline scripts will execute===
===No inline scripts will execute===
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST block:
** The contents of internal <script> nodes
** The contents of internal <script> nodes
** javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by policy)
** javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by policy)
Line 316: Line 312:
</font>
</font>
<font color="#060">
<font color="#060">
* Allowed:
* User Agents MUST NOT block:
** Script imported from external files hosted by white-listed sources and served with a Content-Type of <tt>application/javascript</tt> or <tt>application/json</tt>.
** Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of <tt>application/javascript</tt> or <tt>application/json</tt>.
</font>
</font>
* Justification:
** XSS attacks are possible because the browser has no way to differentiate between content the server intended to send and content injected by an attacker. Content Security Policy forces the separation of code from content and requires authors to be explicit about the code they intend to execute
** Common vectors for injecting script into web pages have been restricted in CSP. With CSP enabled, the bar for a successful XSS attack is raised substantially, requiring an attacker to:
**# inject a <script> tag into the target document
**# point this tag at a script file on a white-listed host
**# control the contents of the white-listed script file
** Note: websites are still able to peform event-handling in the following ways, both of which require being used from within valid white-listed script files:
**# setting the on<event> properties of an element, e.g. element.onclick = myFunc;
**# using addEventListener, e.g. element.addEventListener("click", myFunc, false);
* Sites may opt-out of this restriction by adding the <tt>inline</tt> keyword to the [[Security/CSP/Spec#script-src|script-src]] directive.
* Vulnerability types mitigated:
*# Reflected XSS
*# Stored XSS
*# javascript: link injection
*# HTML attribute injection


'''On Violation:''' a violation report will be sent with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no inline scripts will execute.".
User Agents MUST generate and send a violation report with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no inline scripts will execute" when this base restriction is violated.


===Code will not be created from strings===
===Code will not be created from strings===
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST block:
** eval()
** calls to eval()
** setTimeout called with a String argument, e.g. setTimeout("evil string...", 1000)
** calls to setTimeout using a String argument, e.g. setTimeout("evil string...", 1000)
** setInterval called with a String argument, e.g. setInterval("evil string...", 1000)
** calls to setInterval using a String argument, e.g. setInterval("evil string...", 1000)
** new Function constructor, e.g. var f = new Function("evil string...")
** calls to the Function constructor, e.g. var f = new Function("evil string...")
</font>
</font>
<font color="#060">
<font color="#060">
* Allowed:
* User Agents MUST NOT block:
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code }
** Functions declared using the function operator, e.g. function f() { some_code }, or var f = function() { some_code }
** setTimeout called with a Function argument, e.g. setTimeout(myFunc, 1000)
** calls to setTimeout using a Function argument, e.g. setTimeout(myFunc, 1000)
** setInterval called with a Function argument, e.g. setInterval(myFunc, 1000)
** calls to setInterval using a Function argument, e.g. setInterval(myFunc, 1000)
</font>
</font>
* Justification:
** eval and related functions make trivial the task of generating code from strings, which commonly come from untrusted sources, are loaded via insecure protocols, and can become tainted with attacker controlled data.
** Once tainted data has been introduced to a JavaScript program, it is extremely difficult to control its propogation and calls to eval and similar are likely to incorporate tainted strings containing malicious code.
** Note: the common AJAX pattern in which a site makes a XMLHttpRequest to fetch JSON data is still enabled under CSP using a JSON parser or inside a browser that has native JSON support.
* Sites may opt-out of this entire restriction by adding the <tt>eval-script</tt> keyword to the [[Security/CSP/Spec#options|options]] directive.  This allows the blocked <tt>eval()</tt>, <tt>setTimeout()</tt>, <tt>setInterval()</tt>, and <tt>new Function()</tt> calls to proceed.
* Vulnerability types mitigated:
*# AJAX request tampering
*# Improper use of dynamic properties


'''On Violation:''' a violation report will be sent with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no code will be created with strings".
User Agents must generate and send a violation report with the <tt>violated-directive</tt> value set to "Base Restriction Violation: no code will be created with strings" when this base restriction is violated.


===No data: URIs unless opted-in to via explicit policy===
===No data: URIs unless opted-in to via explicit policy===
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST block:
** data: URIs as a source for inline content
** data: URIs when used as a source for inline content
</font>
</font>
<font color="#060">
<font color="#060">
* Allowed:
* User Agents MUST NOT block:
** data: URIs as a source for inline content when explicitly opted-in to, e.g. X-Content-Security-Policy: allow self; img-src data:
** data: URIs when used as a source for inline content explicitly allowed by the protected document's policy.  
</font>
</font>
* Justification:
 
** The data: URI scheme is designed to allow the loading of arbitrary textual or binary data into a document, including HTML, scripts, images, media files, etc.
User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.
** data: URIs are a potential vector for HTML and script injection which can be used by an attacker for XSS or website defacement.
** The increase in attack surface created by data: URIs, and additional input sanitization required by sites wishing to use them justifies the opt-in requirement for this feature in CSP.
* Vulnerability types mitigated:
*# data: URL script injection
* data: URIs can be re-enabled by adding "data:" as a source to any source directive.  For example: <tt>img-src data: https://my-host.com</tt>.


===XBL bindings must come from chrome: or resource: URIs===
===XBL bindings must come from chrome: or resource: URIs===
''NOTE: this is currently Firefox-Specific, but related behavior in other User Agents should also be limited.''
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST block:
** XBL bindings loaded via any protocol other than chrome: or resource:
** XBL bindings loaded via any protocol other than chrome: or resource:
</font>
</font>
<font color="#060">
<font color="#060">
* Allowed:
* User Agents MUST NOT block:
** XBL bindings loaded via the chrome: or resource: protocols
** XBL bindings loaded via the chrome: or resource: protocols
</font>
</font>
* Justification:
** XBL is used to define the properties and behaviors of elements in HTML, XUL, and SVG documents from external files and as such is a vector for script injection.
** Requiring that XBL bindings be loaded from either the chrome: or resource: protocol ensures that the bindings are part of a package already installed on a user's system. This prevents script from arbitrary locations on the Web from being included in a document via CSS.
** Note: this restriction still enables user stylesheets to use XBL, custom browser add-on bindings to be referenced by web content, and chrome UI features to be implemented in XBL, e.g. &lt;video> controls.
* Vulnerability types mitigated:
*# Stylesheet script injection
*# Style attribute injection


User Agents MUST generate and send a violation report with the fields set appropriately when this base restriction is violated.


==Restrictions on policy-uri and report-uri==
==Restrictions on policy-uri and report-uri==
The optional directive policy-uri must refer to the same origin (scheme/host/port) as the protected document. The report-uri directive must refer to an origin with the same public suffix and base host. For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com". Additionally, policy-uri documents must be served with the MIME type text/x-content-security-policy to be valid
User Agents MUST raise a fatal error AND ignore any policy-uri that does not refer to the same origin (scheme/host/port) as the protected document OR that is not served with MIME type set to "text/x-content-security-policy".
 
User Agents MUST raise a non-fatal warning AND ignore any report-uri directive values that refer to an origin not of the same public suffix AND base host.
(For instance, a report-uri in a policy for "www.mysite.com" may refer to anything that ends with "mysite.com".)
 
<font color="#a00">
<font color="#a00">
* Restricted:
* User Agents MUST raise a fatal error AND revert to the policy "allow 'none'" when:
** policy-uri directives which refer to a URI on a different host as the protected document, e.g. policy-uri http://other.tld/csp-policy.cgi
** parsing a policy-uri directive value referring to a URI on a different host from the protected document.
** policy-uri responses served with Content-Type other than text/x-content-security-policy, e.g. Content-Type: text/html, or Content-type: image/jpeg
** receiving a policy-uri HTTP response served with Content-Type other than text/x-content-security-policy
** report-uri directives which refer to a URI on a different public suffix or base host than the protected document, e.g. report-uri http://other.tld/csp-report.cgi
* User Agents MUST raise a non-fatal warning AND ignore:
** any report-uri directive values that refer to a URI on a different public suffix from the protected document
** any report-uri directive values that refer to a base host than the protected document
</font>
</font>
<font color="#060">
 
* Allowed:
''Privacy Consideration:'' The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri, along with an arbitrary policy to be violated.
** policy-uri directives which refer to a URI on the same host as the protected document, e.g. policy-uri http://same.site/csp-policy.cgi.  The policy document must also be served with the response header, Content-Type: text/x-content-security-policy
** report-uri directives which refer to a URI containing the same public suffix and base host as the protected document, e.g., on www.site.com there is a policy-uri http://same.site.com/csp-report.cgi
</font>
* Justification:
** A site which has not opted-in to using CSP should not be forced into using CSP by an attacker who can inject a policy-uri directive into a HTTP header. Restricting the policy-uri to the same host as the protected document, and requiring it to be served as text/x-content-security-policy ensures the site has positively opted-in to CSP.
** The report sent to the report-uri contains potentially sensitive information, including cookie values and query string parameters. This information is intended only for the protected site for debugging purposes or similar. An attacker should not be allowed to steal the report information by injecting a report-uri, along with an arbitrary policy to be violated.


==Activation and Enforcement==
==Activation and Enforcement==
CSP is activated by a client's browser when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in a HTTP response.
User Agents MUST activate CSP and enforce it for a document when the <tt>X-Content-Security-Policy</tt> HTTP header is provided in its HTTP response.  User Agents MUST parse AND begin enforcing the policy before any of the protected content is parsed.


The Content Security Policy to be enforced can be delivered to the browser in one of two ways: directly as the value in the <tt>X-Content-Security-Policy</tt> HTTP header or a file served from the same host as the resource to be secured. The <tt>X-Content-Security-Policy</tt> header must either contain a policy definition <i>or</i> a <tt>policy-uri</tt> field; if both are present, the browser will raise a [[Security/CSP/Spec#Error_Handling|CSP console error]] and enforce the most restrictive ("allow none") policy.
==Policy Refinements with Multiple Headers==
       
When multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header are present in an HTTP response, the User Agent MUST enforce the intersection of the policies; essentially, the User Agent SHOULD enforce a policy that is more strict than both the policies specified in the multiple headers, but only strict enough to correspond to rules in all policies.  Any web request that satisfied ''all'' policies alone MUST be accepted by the new policy, but any request rejected by ''any of'' of the two policies MUST be rejected by the new policy.
The syntax is identical between file-based and header-based policy. The contents of a policy file are equivalent to the value of the X-Content-Security-Policy header.


==Policy Refinements with Multiple Headers==
User Agents MUST calculate the intersection on a directive-by-directive basis (i.e., the intersection of the <tt>allow</tt> directive is taken and enforced as the <tt>allow</tt> part of the effective policy). Explicitly, for two policies:
When multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header are present in an HTTP response, the intersection of the policies is enforced; essentially, the browser enforces a policy that is more strict than both the policies specified in the multiple headers, but only strict enough to correspond to rules in all policies.  Any web request that satisfied ''all'' policies alone will be accepted by the new policy, but any request rejected by ''any of'' of the two policies will be rejected.  The intersection is calculated on a directive-by-directive basis (i.e., the intersection of the <tt>allow</tt> directive is taken and enforced as the <tt>allow</tt> part of the effective policy). Explicitly, for two policies:


<blockquote>
<blockquote>
Line 435: Line 397:
</blockquote>
</blockquote>


If more than two instances of the <tt>X-Content-Security-Policy</tt> header are present in the response, the intersection is done digest-style: the first two policies are removed from the set of headers to digest, intersected, and the result is placed back in the set.  This continues until only one policy remains.  e.g.,
If more than two instances of the <tt>X-Content-Security-Policy</tt> header are present in the response, the User Agent MUST perform intersection digest-style: the first two policies are removed from the set of headers to digest, intersected, and the result is placed back in the set.  This continues until only one policy remains.  e.g.,
  intersect(A, B, C, D) = intersect(A, intersect(B, intersect(C,D)))
  intersect(A, B, C, D) = intersect(A, intersect(B, intersect(C,D)))


If two policy headers are present, one (P<sub>1</sub>) may allow scripts from domains A, B and C.  The policy in the other header (P<sub>2</sub>) may allow scripts from domains B, C and D.  The policy enforced (P<sub>enforced</sub>) by the browser will allow scripts from domains B and C only (P<sub>enforced</sub> = P<sub>1</sub> &cap; P<sub>2</sub>).
''Example: If two policy headers are present, one (P<sub>1</sub>) may allow scripts from domains A, B and C.  The policy in the other header (P<sub>2</sub>) may allow scripts from domains B, C and D.  The policy enforced (P<sub>enforced</sub>) by the browser will allow scripts from domains B and C only (P<sub>enforced</sub> = P<sub>1</sub> &cap; P<sub>2</sub>).''
 
===Why Intersect Policies?===
 
Because the <tt>X-Content-Security-Policy</tt> header may appear multiple times in the response, it is possible they're crafted by different entities and may conflict.  A decision must be made about which policy to use, or whether to combine them or not.  Assuming there are two different policies present, there are five obvious ways to address this conflict:
 
#<b>Ignore both.  Raise error in the console.  Enforce "allow none" (most secure).</b><br/>Simplest and safest way to lock down when the policies conflict.
#<b>Ignore both. Raise error in the console.  Enforce "allow *" (most relaxed).</b><br/>This is a fail-open policy and will keep the site from breaking if two policies conflict.
#<b>Use the first header's policy.</b>
#<b>Use the second header's policy.</b>
#<b>Enforce the intersection of the policies.</b><br/><i>This is the technique used by CSP</i>.  For each URI that is accepted by <i>both</i> policies, the new intersected policy will also accept the URI.  Any request that is not accepted by <i>both</i> policies will be rejected by the new policy. This provides the ability for interaction between multiple policy specifications, allowing infrastructure admins to add a global policy to all sites on their network that may additionally want more restrictions.  This technique allows the use of multiple headers to make a widely used policy more restrictive, but never more relaxed.
 
The fifth option, enforcing the intersection of the policies, is the best balance between safety and flexibility so CSP implements this conflict resolution technique.  Furthermore, it is likely that those controlling the network are not always the same people who maintain or create the web application itself -- the ability to "refine" or further restrict enforced policies allows the web programmers to tighten the belt on a CSP-protected page without violating the policy set out by the network (possibly set by the sysadmins).


===Conflicting <tt>report-uri</tt> values===
===Conflicting <tt>report-uri</tt> values===
If multiple headers define policies with <tt>report-uri</tt> values, a single report is sent to each of the provided URIs.  If any <tt>report-uri</tt> values are the same, only one report for each violation is sent to that URI; essentially one report is sent to each distinct URI upon policy violation.
User Agents MUST send a single report to each URI when multiple headers define policies with different <tt>report-uri</tt> values


Report-duplication (or multiple reporting) is useful in the case where two different groups want to receive reports, but may not share access to the reports archive.  Take for instance a large web company that has a separate sysadmin staff (who are also in charge of security at some level) and project teams.  One project team may be interested in receiving reports about violations of their CSP, but are not interested in violations on other parts of the web site.  The sysadmin team wants to record all violations from all parts of the site into a massive archive.  The multiple reporting technique allows both entities to receive the reports they want without causing extra data-mining work on the part of the sysadmin team to isolate the reports that each project team may want.
''Example: Report-duplication (or multiple reporting) is useful in the case where two different groups want to receive reports, but may not share access to the reports archive.  Take for instance a large web company that has a separate sysadmin staff (who are also in charge of security at some level) and project teams.  One project team may be interested in receiving reports about violations of their CSP, but are not interested in violations on other parts of the web site.  The sysadmin team wants to record all violations from all parts of the site into a massive archive.  The multiple reporting technique allows both entities to receive the reports they want without causing extra data-mining work on the part of the sysadmin team to isolate the reports that each project team may want.''


====Data Leak Vectors====
====Data Leak Vectors====
Since HTTP headers and the entire request string are sent in the report, it is possible that, in case of compromise, a violation report could leak private information to an arbitrary URI.  To avoid any possible cross-domain cookie or authentication token transfer, <b>all reports must be sent to the same origin (scheme/host/port) that served the protected content</b>.
Since HTTP headers and the entire request string are sent in the report, it is possible that, in case of compromise, a violation report could leak private information to an arbitrary URI.   
 
To avoid any possible cross-domain cookie or authentication token transfer, User Agents MUST only transmit reports to ''the same origin (scheme, host, and port)'' that served the protected content.


===Policy Refinement Procedure===
===Policy Refinement Procedure===


Two headers present conflicting policies, they are resolved through a straightforward process: first the policies are made explicit (see below), then they are intersected, and the resulting policy is enforced.  Through this process, the enforced policy will <i>never be more lenient</i> than either of the conflicting policies.
User Agents MUST resolve two headers present conflicting policies through the following process:
# The policies are made explicit (see below)
# They are intersected
# The resulting policy is enforced.   


[[Image:CSP_Policy_Refinement_Overview.png|Policy Refinement Overview]]
[[Image:CSP_Policy_Refinement_Overview.png|Policy Refinement Overview]]


This refinement procedure is only followed if there are multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header present in the HTTP response.
User Agents MUST follow this refinement procedure when there are multiple instances of the <tt>X-Content-Security-Policy</tt> HTTP header present in the HTTP response, or multiple policies are present in the HTTP header (separated by commas).


====Making a Policy Explicit====
====Making a Policy Explicit====
Line 484: Line 439:


[[Image:CSP_Directive_Intersect.png|Intersecting two directives]]
[[Image:CSP_Directive_Intersect.png|Intersecting two directives]]


==Handling Parse Errors==
==Handling Parse Errors==
A number of different problems may be encountered while parsing the CSP policy.
A number of different problems may be encountered while parsing the CSP policy.
These parse errors are not <em>policy violations</em>, and any error messages caused by parse errors are separate from the violation report sites may elect to receive when their site's <em>policies are violated</em>, via the report-uri directive.  Parse errors are only reported locally in the user agent.
These parse errors are not <em>policy violations</em>, and any error messages caused by parse errors are separate from the violation report sites may elect to receive when their site's <em>policies are violated</em>, via the report-uri directive.   


;Unrecognized Directive: If an unrecognized directive (name not recognized) is encountered by CSP, the directive and its value are skipped (up to a semicolon or end of header, whichever is first) and a warning message is logged to the Error Console stating the unrecognized directive name.
User Agents SHOULD report parse errors locally in the user agent's error console.


;Unrecognized <tt>options</tt> token: If an unrecognized token is present in the <tt>options</tt> directive value, it is ignored and a warning message is logged to the Error Console stating the unrecognized token.
;Unrecognized Directive: If an unrecognized directive (name not recognized) is encountered by a User Agent, the directive and its value are skipped (up to a semicolon or end of header, whichever is first) and the User Agent SHOULD report a warning message to the Error Console stating the unrecognized directive name.


;Missing "allow": If the "allow" directive is not present, a warning message is logged to the Error Console and "allow none" is assumed by the policy.  The rest of the policy is enforced as written assuming no other policy errors are encountered.
;Unrecognized <tt>options</tt> token: If an unrecognized token is present in the <tt>options</tt> directive value, the User Agent MUST ignore it and SHOULD report a warning message to the Error Console stating the unrecognized token.


;Directive Syntax Error: When any known directive contains a value that violates [[Security/CSP/Spec#Policy_Language_and_Syntax|CSP syntax]], Content Security Policy follows a "fail closed" security model and falls back to the most secure policy, "allow none".
;Missing "allow": If the "allow" directive is not present, the User Agent SHOULD report a warning message to the Error Console and MUST assume the directive value "allow 'none'" for the policy.  The User Agent MUST enforce the rest of the policy as written (assuming no other policy errors are encountered).


;No Recognized Directives: If no recognized directives are present in the stated policy, a warning message will be logged to the Error Console stating "invalid policy", and CSP will enforce the policy "allow none".
;Directive Syntax Error: When any known directive contains a value that violates [[Security/CSP/Spec#Policy_Language_and_Syntax|CSP syntax]], the User Agent SHOULD report a warning message stating the invalid syntax to the Error Console AND MUST "fail closed" by enforcing the most secure policy, "allow 'none'" for the protected document.


;Other Parsing Errors: Any other parsing errors not covered here may cause CSP to fail closed.  If such a case should arise, a message will be logged to the Error Console describing the violation.
;No Recognized Directives: If no recognized directives are present in the stated policy, the User Agent SHOULD report a warning message to the Error Console stating "invalid policy" AND MUST enforce the policy "allow 'none'" on the protected document.


;Other Parsing Errors: Any other parsing errors not covered here SHOULD cause the User Agent to enforce the policy "allow 'none'".  If such a case should arise, the User Agent SHOULD report a descriptive error to the Error Console describing the problem.


=Non-Normative Client-Side Considerations=
=Non-Normative Client-Side Considerations=
Line 513: Line 467:


== Report-Only mode ==
== Report-Only mode ==
To ease deployment, CSP can be deployed in "report-only" mode where a policy served is not enforced, but any violations are reported to a provided URI.  The effect is a "what if" scenario where a site can specify a policy and measure how much breaks.
To ease deployment, CSP can be deployed in "report-only" mode where a policy served is not enforced, but any violations are reported to a provided URI.  The effect is a "what if" scenario where a site can specify a policy and measure how much breaks.  Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it.


Report-only mode is enabled by specifying a policy in the <tt>X-Content-Security-Policy-Report-Only</tt> header instead of the <tt>X-Content-Security-Policy</tt> header.   
Report-only mode is enabled by specifying a policy in the <tt>X-Content-Security-Policy-Report-Only</tt> header instead of the <tt>X-Content-Security-Policy</tt> header.   


If both a <tt>X-Content-Security-Policy-Report-Only</tt> header and a <tt>X-Content-Security-Policy</tt> header are present in the same response, a warning is posted to the user agent's error console and any policy specified in <tt>X-Content-Security-Policy-Report-Only</tt> is ignoredThe policy specified in <tt>X-Content-Security-Policy</tt> headers is enforced.
If both a <tt>X-Content-Security-Policy-Report-Only</tt> header and a <tt>X-Content-Security-Policy</tt> header are present in the same response, both policies are honored.  The policy specified in <tt>X-Content-Security-Policy</tt> headers is enforcedAll loads/scripts are compared the one specified in the <tt>X-Content-Security-Policy-Report-Only</tt> header, and any violations generate reports but are not enforced.
 


=HTTP Server Behavior=
=HTTP Server Behavior=


==HTTP Header Placement==
;HTTP Header Placement:
The <tt>X-Content-Security-Policy</tt> HTTP Response header should be present in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 Message Headers] section of a server's HTTP response.  Specifically, it must NOT appear in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40 Trailer Headers] section of the response, so that the policy may be enforced as the rest of the page content loads.  Multiple <tt>X-Content-Security-Policy</tt> Response headers will be considered; if more than one is present, the intersection of the policies is enforced.
The <tt>X-Content-Security-Policy</tt> HTTP Response header MAY be present in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 Message Headers] section of a server's HTTP response.  Specifically, it MUST NOT appear in the [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.40 Trailer Headers] section of the response, so that the policy may be enforced as the rest of the page content loads.  Multiple <tt>X-Content-Security-Policy</tt> Response headers MAY be inserted.
Sidstamm
canmove, Confirmed users
1,537

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/206808...476897"