
Update CSP source expression reference #36792

Merged (11 commits), Nov 19, 2024

Conversation

wbamberg

@wbamberg wbamberg commented Nov 14, 2024

This PR implements the proposal in https://github.com/orgs/mdn/discussions/756.

It adds a section to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy that documents all the source expression values, and links to the relevant bits of this section from the fetch directive pages.

For the new section (https://pr36792.content.dev.mdn.mozit.cloud/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax) I wasn't sure how to order values. I don't think alphabetical is a good idea.

Commits:

  • b40201e
    • Add a section on fallbacks
    • Add a section documenting all source expression values, that can be referenced by fetch directive pages
    • Remove existing "Values" section as this is all covered by the new section
  • e6e58cd
    • List source expression values for directives that just have the basic 3 types.
  • d9bf136
    • List source expression values for default-src, script-src*, and style-src*
  • 7ff0de2
    • List source expression values for fenced-frame-src. I haven't changed what it actually says although I don't really understand it. But I can't find any docs for this directive and it isn't in the CSP spec, so I'm not really able to sort it out.
  • e4ee4d0
  • d5132f2
    • Delete the old "source values" doc and update broken links.

Fixes #36168.

@github-actions github-actions bot added Content:HTTP HTTP docs size/m [PR only] 51-500 LoC changed labels Nov 14, 2024
@github-actions github-actions bot added the Content:WebExt WebExtensions docs label Nov 15, 2024
@wbamberg wbamberg marked this pull request as ready for review November 15, 2024 05:40
@wbamberg wbamberg requested review from a team as code owners November 15, 2024 05:40
@wbamberg wbamberg requested review from willdurand, hamishwillee and sideshowbarker and removed request for a team November 15, 2024 05:40
@@ -146,11 +150,10 @@ Reporting directives control the destination URL for CSP violation reports in `C
### Other directives

- {{CSP("require-trusted-types-for")}} {{experimental_inline}}
- : Enforces [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) at the DOM XSS injection sinks.
- : Enforces [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) at the DOM XSS injection sinks.
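Review bot: the replacement only swaps the link target from the W3C Trusted Types spec to the MDN Trusted Types API page while leaving the sentence unchanged; since `require-trusted-types-for` is marked `{{experimental_inline}}`, it is worth confirming the spec link remains reachable from the page's Specifications table so the normative definition is not lost from this page.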
FYI updated links here to MDN docs.


See [Nonces](/en-US/docs/Web/HTTP/CSP#nonces) in the CSP guide for more usage information.

> [!NOTE] Nonce source expressions are only applicable to {{htmlelement("script")}} and {{htmlelement("style")}} elements.
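Review bot: the `[!NOTE]` callout states nonce source expressions apply only to `<script>` and `<style>` elements; if nonced `<link rel="stylesheet">` elements are also meant to match `style-src`, consider mentioning them here, or rephrase in terms of the script and style fetch directives rather than element names, so readers do not conclude that nonced stylesheet links are unsupported.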
Should we forward link to strict dynamic?

I would say that's really getting out of "reference" and into "usage".

@hamishwillee hamishwillee left a comment

A few minor questions/suggestions. Approving so you can merge if you want to ignore those.

I was going to note the fact that you lose a bit of context when you go from a particular directive to find out what the directive is, i.e. you're in a different part of the sidebar, but it's easy enough to go back, and after you've read this a couple of times you'll appreciate that the directive docs are succinct because you'll know what the listed source expressions there mean.

We could consider listing the directives to which each source applies in the corresponding source expression.

Anyway, I like it a lot. Way better than before. A good compromise.

@wbamberg

OK I think I addressed all these except one which I argued with. If you are still happy we can merge this!

@hamishwillee

Very happy. Another clear improvement. Cheers

@hamishwillee hamishwillee merged commit 6368e2b into mdn:main Nov 19, 2024
8 checks passed
wbamberg added a commit to wbamberg/content that referenced this pull request Nov 27, 2024
Successfully merging this pull request may close these issues.

CSP: Document http->https, and wss being allowed in 'self'