Overview
This document is an example alternate design for content security policies that showcases modular design and a rich directive vocabulary. I'm not sure all the directives are great ideas, but they're intended to stimulate discussion.
Syntax
An HTTP server can deliver a policy to the browser by including a header named X-Content-Security-Policy. The X-Content-Security-Policy header has the following syntax:
content-security-policy = "x-content-security-policy" ":" OWS csp-policy OWS
csp-policy = csp-rule ["," csp-policy]
csp-rule = future-rule / known-rule
future-rule = (anything but ",")
known-rule = *SP directive [ 1*SP origin-list ] *SP
directive = (see below)
origin-list = origin-descriptor [ 1*SP origin-list]
origin-descriptor = "none" / "self" / "*" / [scheme "://"] host-descriptor
host-descriptor = qualified-host-name / "*" ["." host-name ]
qualified-host-name = dns-label "." host-name
host-name = dns-label ["." host-name]
The user agent MUST ignore any X-Content-Security-Policy header fields occurring in an HTML meta tag or in the Trailer headers. The syntax and semantics of the directives are described in the following sections.
Origin Lists
The origin-list production defines a set of URLs, which the directive can use for some purpose. The origin-list denotes the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs:
- "self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page.
- "none" denotes the empty set of URLs.
- "*" denotes the set of all URLs.
Instead of a constant, an origin-descriptor can be a non-constant descriptor such as the following:
example.com *.example.org https://example.net http://*.foo.example.com
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity.
A resource load is said to respect an origin-list if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list.
Directives
This section describes a number of directives that might appear in a CSP policy. If a directive appears more than once in a policy, each occurrence acts independently, which is usually redundant. All directives are case-insensitive.
- no-script
Disables JavaScript and plug-ins for the current page.
- no-script-except <origin-list>
Disables inline JavaScript for the current page, including inline script elements, inline event handlers, and JavaScript URLs. The current page can load external scripts and plug-ins only if those loads respect the origin list.
- no-plug-ins
Disables plug-ins for the current page.
- no-frame-busting
Child frames of the current page cannot navigate the current frame.
- no-mixed-content
If the current page was retrieved from an HTTPS URL, the current page and all child frames cannot load non-HTTPS resources.
- no-document-cookie
Disables the document.cookie JavaScript API for the current page.
- no-eval
Disables the following JavaScript APIs: eval, the Function constructor, setTimeout (if the first argument is a string), and setInterval (if the first argument is a string).
- no-cookies-for-images
Disables cookies when loading images for the current page.
- no-cookies-for-scripts
Disables cookies when loading scripts for the current page. (TODO: What is the use case here?)
- no-http-auth-prompts
Disables HTTP authentication prompts for requests generated by the current page and all of its child frames.
- no-javascript-urls
Disables processing of JavaScript URLs for the current page, including JavaScript URLs typed into the browser's location bar by the user.
- no-frames-except <origin-list>
Prevents the current page from loading frames that do not respect the origin list.
- no-frame-ancestors-except <origin-list>
Prevents the current page from being displayed inside of a frame unless all the frame's ancestors in the frame hierarchy are from origins contained in the origin-list.
- no-outgoing-referrer
Removes the referrer from outgoing requests from the current page. Documents loaded from the current page will have an empty document.referrer property.
- no-outgoing-opener
Frames opened by the current page will have their window.opener property set to null.
- no-form-action-except <origin-list>
Prevents the current page from submitting a form unless the request generated by the form respects the origin list.
- no-style-except <origin-list>
Disables inline style for the current page, including the style attribute. The current page can load external style sheets only if those loads respect the origin list.
- no-password-manager
Disables the password manager (both recording and recalling passwords) for the current page.
- no-form-autofill
Disables form autofill (both recording and recalling form values) for the current page.
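The following is an added example, not code from this design document: it parses the header syntax from the Syntax section, applies the origin-list semantics from the Origin Lists section (self/none/*, scheme defaulting, wildcard subdomains, ports ignored, redirect chains), and then evaluates the <origin-list> directives above, with every occurrence of a directive acting independently. The policy string and URLs are constructed for illustration, and the "no-..." shape used to recognise a known directive is an assumption.

```javascript
// Added example (not the design document's own code): a parser for the
// X-Content-Security-Policy syntax plus an evaluator for origin lists:
// self / none / *, scheme defaulting, "*." matching zero or more subdomains,
// ports ignored, and every hop of a redirect chain having to match.

// Parse the comma-separated rule list into [{directive, originList}].
// Assumption: a first token not shaped like "no-..." is a future-rule and is skipped.
function parsePolicy(headerValue) {
  const rules = [];
  for (const rawRule of headerValue.split(',')) {
    const tokens = rawRule.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const directive = tokens[0].toLowerCase(); // directives are case-insensitive
    if (/^no-[a-z-]+$/.test(directive)) rules.push({ directive, originList: tokens.slice(1) });
  }
  return rules;
}

// Is `url` in the set denoted by one origin-descriptor, relative to `page`?
// A missing scheme defaults to the page's scheme; ports are never compared.
function matchesDescriptor(descriptor, url, page) {
  const d = descriptor.toLowerCase();
  if (d === 'none') return false;
  if (d === '*') return true;
  if (d === 'self') return url.protocol === page.protocol && url.hostname === page.hostname;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/.exec(d);
  if (!m) return false; // malformed descriptor denotes nothing
  if (url.protocol !== (m[1] ? m[1] + ':' : page.protocol)) return false;
  const hostDesc = m[2];
  if (hostDesc === '*') return true;
  if (hostDesc.startsWith('*.')) { // "*." matches zero or more leading labels
    const base = hostDesc.slice(2);
    return url.hostname === base || url.hostname.endsWith('.' + base);
  }
  return url.hostname === hostDesc;
}

// A load respects an origin-list only if the initial request and every
// redirect target are in the denoted set (WHATWG URL drops the port from hostname).
function respectsOriginList(originList, requestChain, page) {
  return requestChain.every(u => originList.some(d => matchesDescriptor(d, new URL(u), page)));
}

// A load governed by `directive` is allowed if every occurrence of that directive
// is respected (occurrences act independently); an absent directive imposes nothing.
function loadAllowed(rules, directive, requestChain, page) {
  return rules.filter(r => r.directive === directive)
    .every(r => respectsOriginList(r.originList, requestChain, page));
}
```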
Reporting
TODO(abarth): Write me!
Open Issues
- The no-script directives should block script hiding in CSS as well as sneaky data URLs.