Security/CSP/Specification: Difference between revisions

No edit summary
Line 38: Line 38:
===Directives===
===Directives===


====allow====
;allow:
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives.  Defines the default policy for un-specified content types.
* The catch-all section that defines the security policy for all types of content which are not called out in any of the other directives.  Defines the default policy for un-specified content types.
* If the allow directive is not explicitly specified, no content from any source will be loaded. This is equivalent to the policy "allow 'none'".
* User Agents MUST not load content from any source if the allow directive is not explicitly specified. This can be considered equivalent to the policy "allow 'none'".
* All HTTP requests not subject to one of the more specific directives are subject to the allow directive (including XMLHttpRequests).
* User Agents MUST enforce this directive for all HTTP requests not subject to one of the more specific directives.


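Review bot: The new wording of the last bullet drops the parenthetical "(including XMLHttpRequests)" that the old text carried; since the xhr-src bullets further down only say XHR falls back to allow when xhr-src is absent, keeping the explicit mention here avoids any reading that XHR is outside the catch-all. Consider "User Agents MUST enforce this directive for all HTTP requests (including XMLHttpRequests) not subject to one of the more specific directives." Also, since the revision adopts RFC 2119 keywords, "MUST not" should be written "MUST NOT" here and in every later directive.
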
====options====
;options:
* Options for modifying the underlying behavior of CSP are specified here.
* Options for modifying the underlying behavior of CSP are specified here.
* The value of this directive is a space-separated list of LDH tokens, each specifying a feature to enable or disable:
* The value of this directive is a space-separated list of LDH tokens, each specifying a feature to enable or disable:
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs
** <tt>inline-script</tt> enables inline scripts and <tt>javascript:</tt> URIs
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt>
** <tt>eval-script</tt> enables the <tt>eval()</tt> functionality of scripts interpreted by the browser, and allows code to be created from strings in uses of the <tt>new Function()</tt> constructor, <tt>setTimeout</tt> and <tt>setInterval</tt>
* Any tokens not recognized by CSP are ''ignored'', and a non-fatal warning is posted to the error console.
* User Agents must ignore any tokens not recognized by CSP, and SHOULD post a non-fatal warning to the error console.


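Review bot: The last bullet uses lowercase "must" ("User Agents must ignore any tokens") while every other requirement on this page uses uppercase "MUST"; with RFC 2119 keywords the capitalization carries meaning, so it should read "User Agents MUST ignore any tokens not recognized by CSP, and SHOULD post a non-fatal warning to the error console."
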
====img-src====
;img-src:
* Indicates which sources are valid for images and favicons.
* Indicates which sources are valid for images and favicons.
* Images from non-approved sources will not be requested or loaded.
* User Agents MUST not request images from non-approved sources.
* If img-src is not explicitly specified, image requests are subject to the allow directive.  
* User Agents MUST subject image requests to the allow directive if img-src is not explicitly specified.  


====media-src====
;media-src:
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* Indicates which sources are valid for <tt>audio</tt> and <tt>video</tt> elements.
* <tt>audio</tt> and <tt>video</tt> elements from non-approved sources will not be requested or loaded.
* User Agents MUST not request <tt>audio</tt> and <tt>video</tt> elements from non-approved sources.
* If media-src is not explicitly specified, media requests are subject to the allow directive.
* User Agents MUST subject audio and video requests to the allow directive if media-src is not explicitly specified.


====script-src====
;script-src:
* Indicates which sources are valid for scripts.
* Indicates which sources are valid for scripts.
* Only scripts loaded via the <tt>src=</tt> attribute will be loaded
* Regulates which scripts can be loaded via the <tt>src=</tt> attribute.
* Scripts from non-approved sources will not be requested or loaded.
* User Agents MUST not request scripts from non-approved sources.
* If script-src is not explicitly specified, script requests are subject to the allow directive.
* User Agents MUST subject script requests to the allow directive if script-src is not explicitly specified.
* Sites may opt-out of the [[Security/CSP/Spec#No_inline_scripts_will_execute|"No inline script"]] restriction by adding the <tt>'inline-script'</tt> token to the <tt>options</tt> directive
* Sites may opt-out of the [[Security/CSP/Spec#Code_will_not_be_created_from_strings|"No code from strings"]] restriction by adding the <tt>'eval-script'</tt> token to the <tt>options</tt> directive


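Review bot: The rewrite of the second bullet ("Regulates which scripts can be loaded via the src= attribute") loses the statement the old bullet made, that only scripts loaded via src= are loaded at all; that restriction is now only implied by the opt-out bullet at the end, so consider keeping it as an explicit requirement. The two opt-out bullets also write the tokens as 'inline-script' and 'eval-script' with single quotes, whereas the options directive lists them unquoted; since quoted tokens elsewhere in CSP denote keywords such as 'none', pick one form for both sections. Finally, verify that the link targets Security/CSP/Spec#No_inline_scripts_will_execute and Security/CSP/Spec#Code_will_not_be_created_from_strings resolve, given this page lives under Security/CSP/Specification.
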
====object-src====
;object-src:
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* Indicates which sources are valid for <tt>object</tt>, <tt>embed</tt>, and <tt>applet</tt> elements.
* Objects from non-approved sources will not be requested or loaded.
* User Agents MUST not request objects from non-approved sources.
* If object-src is not explicitly specified, object requests are subject to the allow directive.
* User Agents MUST subject object, embed, and applet requests to the allow directive if object-src is not explicitly specified.


====frame-src====
;frame-src:
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* Indicates which sources are valid for <tt>frame</tt> and <tt>iframe</tt> elements.
* Answers the question: "Documents from which sources may be embedded in my resource?"
* User Agents MUST not request frame content from non-approved sources.
* Frame content from non-approved sources will not be requested or loaded.
* User Agents MUST subject frame requests to the allow directive if frame-src is not explicitly specified.
* If frame-src is not explicitly specified, frame requests are subject to the allow directive.


====font-src====
;font-src:
* Indicates which sources are valid for <tt>@font-src</tt> CSS loads.
* Indicates which sources are valid for <tt>@font-src</tt> CSS loads.
* Fonts served from non-approved sources must not be requested for use as a font in CSS.
* User Agents MUST not request fonts served from non-approved sources when intended for use as a font in CSS.
* If font-src is not explicitly specified, requests by <tt>@font-src</tt> are subject to the allow directive.
* User Agents MUST subject requests caused by <tt>@font-src</tt> to the allow directive if font-src is not explicitly specified.


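Review bot: "@font-src" in all three bullets is not a CSS at-rule; fonts are loaded through the @font-face rule (whose src descriptor names the font file). Every occurrence, old and new, should read "@font-face", otherwise implementers and site authors will search for a rule that does not exist.
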
====xhr-src====
;xhr-src:
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* Indicates which sources are valid for <tt>XMLHttpRequest</tt> connections.
* XMLHttpRequests may not be opened to sources not permitted by this directive.
* User Agents MUST not cause XMLHttpRequests to open requests to sources not permitted by this directive.
* If xhr-src is not explicitly specified, requests by <tt>XMLHttpRequest</tt> objects are subject to the allow directive.
* User Agents MUST subject requests caused by <tt>XMLHttpRequest</tt> to the allow directive if xhr-src is not explicitly specified.


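Review bot: The new requirement "User Agents MUST not cause XMLHttpRequests to open requests to sources not permitted" is hard to parse; a direct form such as "User Agents MUST NOT open XMLHttpRequest connections to sources not permitted by this directive" states the same rule and matches the "connections" wording of the first bullet.
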
====frame-ancestors====
;frame-ancestors:
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags.  An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C.  If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* Indicates which sources are valid <b>ancestors</b> for embedding the protected resource via <tt>object</tt>, <tt>frame</tt> and <tt>iframe</tt> tags.  An ancestor is any HTML document between the protected resource and the top of the window frame tree; for example, if A embeds B which embeds C, both A and B are <b>ancestors</b> of C.  If A embeds both B and C, B is <i>not</i> an ancestor of C, but A still <i>is</i>.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive.  For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe.
* All web pages that are ancestors of the protected content must be indicated by the value of this directive.  For example, if A embeds B which embeds C, and C defines a <tt>frame-ancestors</tt> as "B,C" then C is not rendered as a subframe.
* Answers the question: "Which sites may embed this resource?"
* Answers the question: "Which sites may embed this resource?"
* User Agents MUST not render the protected document when any of its frame ancestors are not allowed by this directive.
* User Agents MUST always render the protected document if frame-ancestors is not explicitly specified.
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF]
* Note that this directive addresses the [http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html clickjacking] threat, but not [http://www.cgisecurity.com/articles/csrf-faq.shtml CSRF]
** Using frame-ancestors, it is possible to prevent a resource from being framed within a malicious webpage. The browser will stop loading the protected document as soon as its frame-ancestors policy is received and a policy violation is determined.
** Using frame-ancestors, it is possible to prevent a resource from being framed within a malicious webpage. The browser will stop loading the protected document as soon as its frame-ancestors policy is received and a policy violation is determined.
** However, this directive <em>does not prevent the request for the document from being sent</em> to the framed document's server, as policy directives are received by the browser in the server's response.  To mitigate Cross-Site Request Forgery, the [[Security/Sec-From|Sec-From header]] provides a more robust mechanism.
** However, this directive <em>does not prevent the request for the document from being sent</em> to the framed document's server, as policy directives are received by the browser in the server's response.  To mitigate Cross-Site Request Forgery, the [[Security/Sec-From|Sec-From header]] provides a more robust mechanism.
* If frame-ancestors is not explicitly specified, any site may embed the page employing this policy.


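Review bot: The worked example in the second bullet writes the directive value as "B,C", a comma-separated list, while the options directive defines its value as a space-separated list of tokens; the example should use whatever separator the Source Expression List section specifies. The example is also harder to follow than it needs to be because C lists itself as an ancestor; the point is that A (an ancestor) is absent from the list, so "frame-ancestors B" makes that clearer. The new "MUST always render the protected document if frame-ancestors is not explicitly specified" bullet and the older "any site may embed the page" bullet state the same default, so only one of them should survive the revision.
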
====style-src====
;style-src:
* Indicates which sources are valid for externally linked stylesheets.
* Indicates which sources are valid for externally linked stylesheets.
* Inline stylesheets and style attributes of HTML tags are globally allowed.
* User Agents MUST always allow inline stylesheets and style attributes of HTML tags.
* Stylesheets from non-white-listed sources will not be requested or loaded.
* User Agents MUST not request stylesheets from sources not allowed by the style-src directive.
* If style-src is not explicitly specified, stylesheet requests are subject to the allow directive.
* User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified.


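Review bot: The bullet "User Agents MUST always allow inline stylesheets and style attributes" makes inline CSS unconditionally exempt from policy, which is a deliberate asymmetry with the inline-script restriction; it deserves a one-line rationale or a pointer to the threat model so readers do not assume style injection is covered. Terminology is also inconsistent within this section: "non-white-listed sources" in one bullet versus "sources not allowed by the style-src directive" in the next and "non-approved sources" in every other directive.
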
====report-uri====
;report-uri:
* Instructs the browser where to send a report when CSP is violated.
* Instructs the browser where to send a report when CSP is violated.
* The report will be an XML document with MIME type application/xml sent via POST to the specified URI contained in the value of this directive.
* The report will be an XML document with MIME type application/xml sent via POST to the specified URI contained in the value of this directive.
* Report URIs must be from the scheme and port as the protected content, and the [http://publicsuffix.org public suffix] and most general DNS label of the protected content and the report URI must match.  For example www.foo.co.uk and reports.foo.co.uk, but not reports.bar.co.uk.  Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.   
* Acceptable report URIs MUST use the scheme and port as the protected content, and the [http://publicsuffix.org public suffix] and most general DNS label of the protected content and the report URI must match.  For example www.foo.co.uk and reports.foo.co.uk, but not reports.bar.co.uk.  Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.   
* Report URIs that don't match the public suffix and base host match requirements will not be sent reports and one error will be logged to an error console.  CSP enforcement will continue as if the report URI were not specified.
* User Agents MUST send violation reports to any acceptable URIs in this directive.  Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* Details about the information provided in violation reports are found in the [[#Violation Report Syntax|Violation Report Syntax]] section.
* User Agents MUST ignore report URIs that don't match the public suffix and base host match requirements.  User Agents SHOULD log one error to an error console.  User Agents MUST then continue CSP enforcement as if the report URI were not specified.  
* HTTP 3xx response codes are not honored by the user agent.  No redirection from the Report URI is allowed to prevent HTTP header leakage across domains.
* User Agents MUST not honor HTTP 3xx response codes to prevent HTTP header leakage across domains.


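Review bot: Both the old and the new first requirement bullet read "the scheme and port as the protected content", missing the word "same" ("MUST use the same scheme and port as the protected content"). The report format bullet speaks of "the specified URI" in the singular, while the new enforcement bullet says reports go to "any acceptable URIs"; state whether the directive accepts more than one URI and, if so, that a report is sent to each.
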
====policy-uri====
;policy-uri:
* Indicates the location of a file containing the security policies for the protected resource.
* Indicates the location of a file containing the security policies for the protected resource.
* <tt>policy-uri</tt> should only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header.  If <tt>policy-uri</tt> is defined among other directives in the header, a [[Security/CSP#Error_Handling|console error]] is raised and the policy enforced by CSP is the most restrictive policy: "allow none".
* <tt>policy-uri</tt> MUST only be defined in the absence of other policy definitions in the <tt>X-Content-Security-Policy</tt> HTTP header.   
* Policy URIs must be of the same origin (scheme/host/port) as the protected content. Relative URIs are acceptable, and are resolved within the same scheme, host and port as the document served with the CSP.
* User Agents MUST raise a [[Security/CSP#Error_Handling|fatal error]] and MUST enforce the policy "allow 'none'" if <tt>policy-uri</tt> is defined among other directives in the header.  
* User Agents MUST ignore any policy URIs of a different origin (scheme, host, or port) from the protected content. User Agents SHOULD resolve relative URIs within the same scheme, host and port as the protected document.

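Review bot: The new last bullet says User Agents MUST ignore a policy URI of a different origin but does not say what policy is then enforced, unlike the report-uri section, which spells out "continue CSP enforcement as if the report URI were not specified"; since policy-uri is meant to be the only directive in the header, ignoring it leaves no policy, and by the allow directive's own rule that means allow 'none'. Add that consequence explicitly (and whether an error is logged) so the two failure cases, policy-uri mixed with other directives and policy-uri of a foreign origin, are both fully specified.
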

===Source Expression List===
===Source Expression List===