Page macro: CSP header directives - duplicate source info #11185

Merged
merged 4 commits into from
Feb 1, 2022
Expand Up @@ -32,18 +32,18 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest

## Syntax

One or more*sources* can be allowed for the base-uri policy:
One or more *sources* can be allowed for the base-uri policy:

```
```http
Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;
```

### Sources

While this directive uses the same arguments as other CSP directives, some of them don’t make sense for \`\<base>\`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`
This directive uses most of the same source values for arguments as other CSP directives: [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
Note however that some of the values don't make sense for `base-uri`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`.
Collaborator
I know it already said this, but as a reader I don't like docs that just say "some of... such as". It leaves me thinking, which other ones are there? I don't think it should block this PR, but maybe a follow-up issue to list everything that does not apply?

Collaborator Author
@wbamberg This text comes from the original version. Yes I agree, but I don't know the exceptions, and it is unlikely to be high priority. I'll add an issue once this merges so "someone" can find out.

Collaborator Author

Cheers. Thanks for the help. Tracking issue in #12574


## Examples
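Review bot: the replacement sentence at the end of the Sources section ("Note however that some of the values don't make sense for `base-uri`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`.") still leaves the reader without the full set of keywords that do not apply, which is the point raised in the thread and tracked in #12574; until that list exists, consider pointing the sentence at the [relevant directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives) anchor that the other directive pages in this PR already link to, so `base-uri` readers land on the same per-directive guidance. A smaller wording nit on the same hunk: "uses most of the same source values for arguments as other CSP directives" reads more cleanly without "for arguments", matching the `<source>` sentence used on the other pages.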

Expand Up @@ -43,24 +43,26 @@ network errors by the user agent.

## Syntax

One or more sources can be allowed for the child-src policy:
One or more sources can be allowed for the `child-src` policy:

```
```http
Content-Security-Policy: child-src <source>;
Content-Security-Policy: child-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: child-src https://example.com/
```
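Review bot: the removed `{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}` line shows that the old list was transcluded through a chain (child-src pulled from connect-src, which pulled from default-src); since the default-src copy is deleted in this PR, any CSP directive page not touched here that still carries a `{{page(..., "Sources")}}` macro would render an empty Sources section, so it is worth a quick search for remaining uses of that macro across the directive pages before merging. The `http` tag on the fences and the direct link to CSP Source Values look good.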

Expand Up @@ -52,22 +52,24 @@ loaded using script interfaces. The APIs that are restricted are:

One or more sources can be allowed for the connect-src policy:

```
```http
Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: connect-src https://example.com/
```
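Review bot: style point on the unchanged syntax line "One or more sources can be allowed for the connect-src policy:" in this hunk; the child-src, font-src and object-src hunks wrap the directive name in backticks (`` `child-src` ``, `` `object-src` ``), so `connect-src` should get the same treatment here for consistency across the pages this PR touches.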

Expand Up @@ -58,49 +58,9 @@ Content-Security-Policy: default-src <source> <source>;

### Sources

\<source> can be one of the following:
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

- `<host-source>`

- : Internet hosts by name or IP address, as well as an optional [URL scheme](/en-US/docs/Learn/Common_questions/What_is_a_URL) and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `'*'`), and you may use a wildcard (again, `'*'`) as the port number, indicating that all legal ports are valid for the source.
Examples:

- `http://*.example.com`: Matches all attempts to load from any subdomain of example.com using the `http:` URL scheme.
- `mail.example.com:443`: Matches all attempts to access port 443 on mail.example.com.
- `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
- `*.example.com`: Matches all attempts to load from any subdomain of example.com using the current protocol.

- `<scheme-source>`

- : A scheme such as `http:` or `https:`. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).

- `data:` Allows [`data:` URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) to be used as a content source. _This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts._
- `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Streams_API) to be used as a content source.
- `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
- `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.

- `'self'`
- : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. Sites needing to allow these content types can specify them using the Data attribute.
- `'unsafe-eval'`
- : Allows the use of `eval()` and similar methods for creating code from strings. You must include the single quotes.
- `'unsafe-hashes'`
- : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or `javascript:` URLs, this is a safer method than using the `unsafe-inline` expression.
- `'unsafe-inline'`
- : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, `javascript:` URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required.
- `'none'`
- : Refers to the empty set; that is, no URLs match. The single quotes are required.
- `'nonce-<base64-value>'`

- : An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.

> **Note:** The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).

- `'<hash-algorithm>-<base64-value>'`
- : A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the \<script> or \<style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. In CSP 2.0, this is applied only to inline scripts. CSP 3.0 allows it in the case of `script-src` for external scripts.
- `'strict-dynamic'`
- : The `strict-dynamic` source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as `'self'` or `'unsafe-inline'` are ignored. See [script-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic) for an example.
- `'report-sample'`
- : Requires a sample of the violating code to be included in the violation report.
Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples
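Review bot: this hunk deletes the only complete copy of the source-value list that the other directive pages transcluded, so the new CSP Source Values page needs to carry every removed entry before this lands: the `<host-source>` examples (leading `*.` wildcard, `*` as port), the `<scheme-source>` entries for `data:`, `mediastream:`, `blob:` and `filesystem:` together with the warning that `data:` is insecure and must not be used for scripts, the `'self'`, `'unsafe-eval'`, `'unsafe-hashes'`, `'unsafe-inline'` and `'none'` keywords, the `'nonce-<base64-value>'` entry with its note that only nonceable elements can be matched by a nonce and that the nonce must be unguessable and regenerated per response, the `'<hash-algorithm>-<base64-value>'` entry, `'strict-dynamic'` and `'report-sample'`, plus the repeated statement that the single quotes are part of the keyword values. Two of the removed lines also carry wording that should not be copied over verbatim: the hash entry calls sha256 an "encryption algorithm" (it is a hash function), and the `'self'` entry's sentence about specifying `blob` and `filesystem` "using the Data attribute" is unclear and should be rewritten in terms of the scheme-source values.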

Expand Up @@ -42,22 +42,24 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.

One or more sources can be allowed for the `font-src` policy:

```
```http
Content-Security-Policy: font-src <source>;
Content-Security-Policy: font-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: font-src https://example.com/
```

Expand Up @@ -39,14 +39,16 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc

One or more sources can be set for the `form-action` policy:

```
```http
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples
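Review bot: `form-action` is a navigation directive, not a fetch directive, so the added line "Note that this same set of values can be used in all fetch directives (and a number of other directives)" reads oddly on this page, as if `form-action` were one of them; consider rewording here to say that `form-action` accepts the same source values as the fetch directives, e.g. "These are the same values accepted by the fetch directives and a number of other directives." The same applies to the `navigate-to` hunk, which adds the identical sentence.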

Expand Up @@ -45,22 +45,24 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and

One or more sources can be allowed for the `frame-src` policy:

```
```http
Content-Security-Policy: frame-src <source>;
Content-Security-Policy: frame-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: frame-src https://example.com/
```

Expand Up @@ -15,9 +15,7 @@ browser-compat: http.headers.csp.Content-Security-Policy.img-src
---
{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}}
**`img-src`** directive specifies valid sources of images and
favicons.
The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive specifies valid sources of images and favicons.

<table class="properties">
<tbody>
Expand All @@ -43,22 +41,24 @@ favicons.

One or more sources can be allowed for the `img-src` policy:

```
```http
Content-Security-Policy: img-src <source>;
Content-Security-Policy: img-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: img-src https://example.com/
```

14 changes: 8 additions & 6 deletions files/en-us/web/http/headers/content-security-policy/index.md
Expand Up @@ -46,12 +46,11 @@ where `<policy-directive>` consists of:

### Fetch directives

Fetch directives control the locations from which certain resource types may be loaded.
{{Glossary("Fetch directive","Fetch directives")}} control the locations from which certain resource types may be loaded.

- {{CSP("child-src")}}

- : Defines the valid sources for [web
workers](/en-US/docs/Web/API/Web_Workers_API) and nested browsing contexts loaded using elements such as
- : Defines the valid sources for [web workers](/en-US/docs/Web/API/Web_Workers_API) and nested browsing contexts loaded using elements such as
{{HTMLElement("frame")}} and {{HTMLElement("iframe")}}.

> **Warning:** Instead of **`child-src`**,
Expand Down Expand Up @@ -193,16 +192,19 @@ Reporting directives control the reporting process of CSP violations. See also t

## Values

An overview of the allowed values are listed below.
For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) and the documentation for individual directives.

### Keyword values

- `none`
- : Won't allow loading of any resources.
- `self`
- : Only allow resources from the current origin.
- `strict-dynamic` {{experimental_inline}}
- : TBD
- : The trust granted to a script in the page due to an accompanying nonce or hash is extended to the scripts it loads.
- `report-sample` {{experimental_inline}}
- : TBD
- : Require a sample of the violating code to be included in the violation report.

### Unsafe keyword values
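Review bot: the keyword values in this section are written without single quotes (`none`, `self`, `strict-dynamic`, `report-sample`) while the directive pages in this PR show them as `'none'`, `'self'` and so on and the removed default-src text states that the quotes are required; since this overview is the first thing readers see, either quote them here or add a sentence saying the single quotes are part of the value. The new `strict-dynamic` and `report-sample` descriptions match the removed default-src wording, which is good. Grammar nit on the unchanged line "An overview of the allowed values are listed below.": "is listed below".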

Expand All @@ -211,7 +213,7 @@ Reporting directives control the reporting process of CSP violations. See also t
- `unsafe-eval`
- : Allow use of dynamic code evaluation such as {{jsxref("Global_Objects/eval", "eval")}}, {{domxref("Window.setImmediate", "setImmediate")}}{{non-standard_inline}}, and `window.execScript` {{non-standard_inline}}.
- `unsafe-hashes` {{experimental_inline}}
- : TBD
- : Allows enabling specific inline event handlers.
- `unsafe-allow-redirects` {{experimental_inline}}
- : TBD
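Review bot: `unsafe-allow-redirects` is still "TBD" while the neighbouring `unsafe-hashes` entry now has a description; if no reference text is at hand, it would be better to track it in the same follow-up issue than to ship a TBD in the overview. The new `unsafe-hashes` line ("Allows enabling specific inline event handlers.") could also carry the distinction the removed default-src entry made, namely that it allows inline event handlers without also allowing inline `<script>` elements or `javascript:` URLs, which is what makes it safer than `unsafe-inline`.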

Expand Up @@ -44,22 +44,24 @@ to the resource.

One or more sources can be allowed for the `manifest-src` policy:

```
```http
Content-Security-Policy: manifest-src <source>;
Content-Security-Policy: manifest-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: manifest-src https://example.com/
```

Expand Up @@ -43,22 +43,24 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.

One or more sources can be allowed for the `media-src` policy:

```
```http
Content-Security-Policy: media-src <source>;
Content-Security-Policy: media-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: media-src https://example.com/
```

Expand Up @@ -46,14 +46,16 @@ on what this document is allowed to navigate to.

One or more sources can be set for the `navigate-to` policy:

```
```http
Content-Security-Policy: navigate-to <source>;
Content-Security-Policy: navigate-to <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

Expand Up @@ -51,24 +51,26 @@ To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, an

## Syntax

One or more sources can be allowed for the object-src policy:
One or more sources can be allowed for the `object-src` policy:

```
```http
Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: object-src https://example.com/
```
