<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'>
<html lang="en" dir="ltr">
<head>
<title>Content Security Policy</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<!--
=== NOTA BENE ===
For the three scripts below, if your spec resides on dev.w3 you can check them
out in the same tree and use relative links so that they'll work offline,
(ReSpec template note: no script elements appear in the head of this copy.)
-->
<style type="text/css">
/* Inline ReSpec stylesheet for the generated spec markup: presentation only
 * (RFC 2119 key words, WebIDL listings, TOC, tables, examples, editorial
 * notes and the sh_* syntax-highlighter classes). It carries no normative
 * content. */
/*****************************************************************
* ReSpec CSS
* Robin Berjon (robin at berjon dot com)
* v0.05 - 2009-07-31
*****************************************************************/
/* --- INLINES --- */
/* RFC 2119 key words (em.rfc2119 in the body) are shown in small caps; the
 * normative meaning is in the markup, not in this style. */
em.rfc2119 {
text-transform: lowercase;
font-variant: small-caps;
font-style: normal;
color: #900;
}
h1 acronym, h2 acronym, h3 acronym, h4 acronym, h5 acronym, h6 acronym, a acronym,
h1 abbr, h2 abbr, h3 abbr, h4 abbr, h5 abbr, h6 abbr, a abbr {
border: none;
}
dfn {
font-weight: bold;
}
a.internalDFN {
color: inherit;
border-bottom: 1px solid #99c;
text-decoration: none;
}
a.externalDFN {
color: inherit;
border-bottom: 1px dotted #ccc;
text-decoration: none;
}
a.bibref {
text-decoration: none;
}
code {
color: #ff4500;
}
/* --- WEB IDL --- */
pre.idl {
border-top: 1px solid #90b8de;
border-bottom: 1px solid #90b8de;
padding: 1em;
line-height: 120%;
}
pre.idl::before {
content: "WebIDL";
display: block;
width: 150px;
background: #90b8de;
color: #fff;
font-family: initial;
padding: 3px;
font-weight: bold;
margin: -1em 0 1em -1em;
}
.idlType {
color: #ff4500;
font-weight: bold;
text-decoration: none;
}
/*.idlModule*/
/*.idlModuleID*/
/*.idlInterface*/
.idlInterfaceID, .idlDictionaryID {
font-weight: bold;
color: #005a9c;
}
.idlSuperclass {
font-style: italic;
color: #005a9c;
}
/*.idlAttribute*/
.idlAttrType, .idlFieldType, .idlMemberType {
color: #005a9c;
}
.idlAttrName, .idlFieldName, .idlMemberName {
color: #ff4500;
}
.idlAttrName a, .idlFieldName a, .idlMemberName a {
color: #ff4500;
border-bottom: 1px dotted #ff4500;
text-decoration: none;
}
/*.idlMethod*/
.idlMethType {
color: #005a9c;
}
.idlMethName {
color: #ff4500;
}
.idlMethName a {
color: #ff4500;
border-bottom: 1px dotted #ff4500;
text-decoration: none;
}
/*.idlParam*/
.idlParamType {
color: #005a9c;
}
.idlParamName {
font-style: italic;
}
.extAttr {
color: #666;
}
/*.idlConst*/
.idlConstType {
color: #005a9c;
}
.idlConstName {
color: #ff4500;
}
.idlConstName a {
color: #ff4500;
border-bottom: 1px dotted #ff4500;
text-decoration: none;
}
/*.idlException*/
.idlExceptionID {
font-weight: bold;
color: #c00;
}
.idlTypedefID, .idlTypedefType {
color: #005a9c;
}
.idlRaises, .idlRaises a.idlType, .idlRaises a.idlType code, .excName a, .excName a code {
color: #c00;
font-weight: normal;
}
.excName a {
font-family: monospace;
}
.idlRaises a.idlType, .excName a.idlType {
border-bottom: 1px dotted #c00;
}
.excGetSetTrue, .excGetSetFalse, .prmNullTrue, .prmNullFalse, .prmOptTrue, .prmOptFalse {
width: 45px;
text-align: center;
}
.excGetSetTrue, .prmNullTrue, .prmOptTrue { color: #0c0; }
.excGetSetFalse, .prmNullFalse, .prmOptFalse { color: #c00; }
.idlImplements a {
font-weight: bold;
}
dl.attributes, dl.methods, dl.constants, dl.fields, dl.dictionary-members {
margin-left: 2em;
}
.attributes dt, .methods dt, .constants dt, .fields dt, .dictionary-members dt {
font-weight: normal;
}
.attributes dt code, .methods dt code, .constants dt code, .fields dt code, .dictionary-members dt code {
font-weight: bold;
color: #000;
font-family: monospace;
}
.attributes dt code, .fields dt code, .dictionary-members dt code {
background: #ffffd2;
}
.attributes dt .idlAttrType code, .fields dt .idlFieldType code, .dictionary-members dt .idlMemberType code {
color: #005a9c;
background: transparent;
font-family: inherit;
font-weight: normal;
font-style: italic;
}
.methods dt code {
background: #d9e6f8;
}
.constants dt code {
background: #ddffd2;
}
.attributes dd, .methods dd, .constants dd, .fields dd, .dictionary-members dd {
margin-bottom: 1em;
}
table.parameters, table.exceptions {
border-spacing: 0;
border-collapse: collapse;
margin: 0.5em 0;
width: 100%;
}
table.parameters { border-bottom: 1px solid #90b8de; }
table.exceptions { border-bottom: 1px solid #deb890; }
.parameters th, .exceptions th {
color: #fff;
padding: 3px 5px;
text-align: left;
font-family: initial;
font-weight: normal;
text-shadow: #666 1px 1px 0;
}
.parameters th { background: #90b8de; }
.exceptions th { background: #deb890; }
.parameters td, .exceptions td {
padding: 3px 10px;
border-top: 1px solid #ddd;
vertical-align: top;
}
.parameters tr:first-child td, .exceptions tr:first-child td {
border-top: none;
}
.parameters td.prmName, .exceptions td.excName, .exceptions td.excCodeName {
width: 100px;
}
.parameters td.prmType {
width: 120px;
}
table.exceptions table {
border-spacing: 0;
border-collapse: collapse;
width: 100%;
}
/* --- TOC --- */
.toc a {
text-decoration: none;
}
a .secno {
color: #000;
}
/* --- TABLE --- */
table.simple {
border-spacing: 0;
border-collapse: collapse;
border-bottom: 3px solid #005a9c;
}
.simple th {
background: #005a9c;
color: #fff;
padding: 3px 5px;
text-align: left;
}
.simple th[scope="row"] {
background: inherit;
color: inherit;
border-top: 1px solid #ddd;
}
.simple td {
padding: 3px 10px;
border-top: 1px solid #ddd;
}
.simple tr:nth-child(even) {
background: #f0f6ff;
}
/* --- DL --- */
.section dd > p:first-child {
margin-top: 0;
}
.section dd > p:last-child {
margin-bottom: 0;
}
.section dd {
margin-bottom: 1em;
}
.section dl.attrs dd, .section dl.eldef dd {
margin-bottom: 0;
}
/* --- EXAMPLES --- */
pre.example {
border-top: 1px solid #ff4500;
border-bottom: 1px solid #ff4500;
padding: 1em;
margin-top: 1em;
}
pre.example::before {
content: "Example";
display: block;
width: 150px;
background: #ff4500;
color: #fff;
font-family: initial;
padding: 3px;
font-weight: bold;
margin: -1em 0 1em -1em;
}
/* --- EDITORIAL NOTES --- */
/* .issue and .note boxes get their "Issue"/"Note" label from CSS ::before
 * content; the label is not present in the document text itself. */
.issue {
padding: 1em;
margin: 1em 0em 0em;
border: 1px solid #f00;
background: #ffc;
}
.issue::before {
content: "Issue";
display: block;
width: 150px;
margin: -1.5em 0 0.5em 0;
font-weight: bold;
border: 1px solid #f00;
background: #fff;
padding: 3px 1em;
}
.note {
margin: 1em 0em 0em;
padding: 1em;
border: 2px solid #cff6d9;
background: #e2fff0;
}
.note::before {
content: "Note";
display: block;
width: 150px;
margin: -1.5em 0 0.5em 0;
font-weight: bold;
border: 1px solid #cff6d9;
background: #fff;
padding: 3px 1em;
}
/* --- Best Practices --- */
div.practice {
border: solid #bebebe 1px;
margin: 2em 1em 1em 2em;
}
span.practicelab {
margin: 1.5em 0.5em 1em 1em;
font-weight: bold;
font-style: italic;
}
span.practicelab { background: #dfffff; }
span.practicelab {
position: relative;
padding: 0 0.5em;
top: -1.5em;
}
p.practicedesc {
margin: 1.5em 0.5em 1em 1em;
}
@media screen {
p.practicedesc {
position: relative;
top: -2em;
padding: 0;
margin: 1.5em 0.5em -1em 1em;
}
}
/* --- SYNTAX HIGHLIGHTING --- */
/* Colours for the sh_* classes emitted by a syntax highlighter; this head
 * loads no highlighter script, so these rules only apply to pre-marked-up
 * code blocks. */
pre.sh_sourceCode {
background-color: white;
color: black;
font-style: normal;
font-weight: normal;
}
pre.sh_sourceCode .sh_keyword { color: #005a9c; font-weight: bold; } /* language keywords */
pre.sh_sourceCode .sh_type { color: #666; } /* basic types */
pre.sh_sourceCode .sh_usertype { color: teal; } /* user defined types */
pre.sh_sourceCode .sh_string { color: red; font-family: monospace; } /* strings and chars */
pre.sh_sourceCode .sh_regexp { color: orange; font-family: monospace; } /* regular expressions */
pre.sh_sourceCode .sh_specialchar { color: #ffc0cb; font-family: monospace; } /* e.g., \n, \t, \\ */
pre.sh_sourceCode .sh_comment { color: #A52A2A; font-style: italic; } /* comments */
pre.sh_sourceCode .sh_number { color: purple; } /* literal numbers */
pre.sh_sourceCode .sh_preproc { color: #00008B; font-weight: bold; } /* e.g., #include, import */
pre.sh_sourceCode .sh_symbol { color: blue; } /* e.g., *, + */
pre.sh_sourceCode .sh_function { color: black; font-weight: bold; } /* function calls and declarations */
pre.sh_sourceCode .sh_cbracket { color: red; } /* block brackets (e.g., {, }) */
pre.sh_sourceCode .sh_todo { font-weight: bold; background-color: #00FFFF; } /* TODO and FIXME */
/* Predefined variables and functions (for instance glsl) */
pre.sh_sourceCode .sh_predef_var { color: #00008B; }
pre.sh_sourceCode .sh_predef_func { color: #00008B; font-weight: bold; }
/* for OOP */
pre.sh_sourceCode .sh_classname { color: teal; }
/* line numbers (not yet implemented) */
pre.sh_sourceCode .sh_linenum { display: none; }
/* Internet related */
pre.sh_sourceCode .sh_url { color: blue; text-decoration: underline; font-family: monospace; }
/* for ChangeLog and Log files */
pre.sh_sourceCode .sh_date { color: blue; font-weight: bold; }
pre.sh_sourceCode .sh_time, pre.sh_sourceCode .sh_file { color: #00008B; font-weight: bold; }
pre.sh_sourceCode .sh_ip, pre.sh_sourceCode .sh_name { color: #006400; }
/* for Prolog, Perl... */
pre.sh_sourceCode .sh_variable { color: #006400; }
/* for LaTeX */
pre.sh_sourceCode .sh_italics { color: #006400; font-style: italic; }
pre.sh_sourceCode .sh_bold { color: #006400; font-weight: bold; }
pre.sh_sourceCode .sh_underline { color: #006400; text-decoration: underline; }
pre.sh_sourceCode .sh_fixed { color: green; font-family: monospace; }
pre.sh_sourceCode .sh_argument { color: #006400; }
pre.sh_sourceCode .sh_optionalargument { color: purple; }
pre.sh_sourceCode .sh_math { color: orange; }
pre.sh_sourceCode .sh_bibtex { color: blue; }
/* for diffs */
pre.sh_sourceCode .sh_oldfile { color: orange; }
pre.sh_sourceCode .sh_newfile { color: #006400; }
pre.sh_sourceCode .sh_difflines { color: blue; }
/* for css */
pre.sh_sourceCode .sh_selector { color: purple; }
pre.sh_sourceCode .sh_property { color: blue; }
pre.sh_sourceCode .sh_value { color: #006400; font-style: italic; }
/* other */
pre.sh_sourceCode .sh_section { color: black; font-weight: bold; }
pre.sh_sourceCode .sh_paren { color: red; }
pre.sh_sourceCode .sh_attribute { color: #006400; }
/* NOTE(review): the <link> that follows loads the W3C-WD stylesheet over
 * plain http with no integrity attribute; prefer an https URL. */
</style><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css" charset="utf-8"></head>
<body style="display: inherit; "><div class="head"><p><a href="http://www.w3.org/"><img width="72" height="48" src="http://www.w3.org/Icons/w3c_home" alt="W3C"></a></p><h1 class="title" id="title">Content Security Policy</h1><h2 id="w3c-working-draft-29-november-2011">W3C Working Draft 29 November 2011</h2><dl><dt>This version:</dt><dd><a href="http://www.w3.org/TR/2011/WD-CSP-20111129/">http://www.w3.org/TR/2011/WD-CSP-20111129/</a></dd><dt>Latest published version:</dt><dd><a href="http://www.w3.org/TR/CSP/">http://www.w3.org/TR/CSP/</a></dd><dt>Latest editor's draft:</dt><dd><a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html</a></dd><dt>Editors:</dt><dd><a href="mailto:bsterne@mozilla.com">Brandon Sterne</a>, <a href="http://www.mozilla.com/">Mozilla Corporation</a></dd>
<dd><a href="mailto:w3c@adambarth.com">Adam Barth</a>, <a href="http://www.google.com/">Google, Inc.</a></dd>
</dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2010-2011 <a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><acronym title="Massachusetts Institute of Technology">MIT</acronym></a>, <a href="http://www.ercim.eu/"><acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p><hr></div>
<div id="abstract" class="introductory section"><h2>Abstract</h2>
<p>This document defines a policy language used to declare a set of
content restrictions for a web resource, and a mechanism for
transmitting the policy from a server to a client where the policy is
enforced.</p>
</div><div id="sotd" class="introductory section"><h2>Status of This Document</h2><p><em>This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at http://www.w3.org/TR/.</em></p>
<p>Although this is a First Public Working Draft (FPWD), this document describes a proposal that has been
discussed by the broader community for approximately a year. There are experimental
implementations in Firefox and Chrome, using the header names
<code>X-Content-Security-Policy</code> and <code>X-WebKit-CSP</code>
respectively. Internet Explorer 10 Platform Preview also contains a
partial implementation, using the header name
<code>X-Content-Security-Policy</code>.</p>
<p>In addition to the documents in the W3C Web Application Security
working group, the work on this document is also informed by the work of
the <a href="http://tools.ietf.org/wg/websec/">IETF websec working
group</a>, particularly that working group's requirements document:
<a href="http://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a></p>
<p>This document was published by the <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a First Public Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to <a href="mailto:public-webappsec@w3.org">public-webappsec@w3.org</a> (<a href="mailto:public-webappsec-request@w3.org?subject=subscribe">subscribe</a>, <a href="http://lists.w3.org/Archives/Public/public-webappsec/">archives</a>). All feedback is welcome.</p><p>Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.</p><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>. W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>.</p></div><div id="toc" class="section"><h2 class="introductory">Table of Contents</h2><ul class="toc"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a></li><li class="tocline"><a href="#conformance" class="tocxref"><span class="secno">2. 
</span>Conformance</a><ul class="toc"><li class="tocline"><a href="#terminology" class="tocxref"><span class="secno">2.1 </span>Terminology</a></li></ul></li><li class="tocline"><a href="#framework" class="tocxref"><span class="secno">3. </span>Framework</a><ul class="toc"><li class="tocline"><a href="#policy-delivery" class="tocxref"><span class="secno">3.1 </span>Policy Delivery</a><ul class="toc"><li class="tocline"><a href="#content-security-policy-header-field" class="tocxref"><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</a></li><li class="tocline"><a href="#content-security-policy-report-only-header-field" class="tocxref"><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</a></li><li class="tocline"><a href="#html-meta-element" class="tocxref"><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</a></li></ul></li><li class="tocline"><a href="#syntax" class="tocxref"><span class="secno">3.2 </span>Syntax</a><ul class="toc"><li class="tocline"><a href="#policies" class="tocxref"><span class="secno">3.2.1 </span>Policies</a></li><li class="tocline"><a href="#source-list" class="tocxref"><span class="secno">3.2.2 </span>Source List</a></li></ul></li><li class="tocline"><a href="#processing-model" class="tocxref"><span class="secno">3.3 </span>Processing Model</a></li></ul></li><li class="tocline"><a href="#directives" class="tocxref"><span class="secno">4. 
</span>Directives</a><ul class="toc"><li class="tocline"><a href="#default-src" class="tocxref"><span class="secno">4.1 </span><code>default-src</code></a></li><li class="tocline"><a href="#script-src" class="tocxref"><span class="secno">4.2 </span><code>script-src</code></a></li><li class="tocline"><a href="#object-src" class="tocxref"><span class="secno">4.3 </span><code>object-src</code></a></li><li class="tocline"><a href="#style-src" class="tocxref"><span class="secno">4.4 </span><code>style-src</code></a></li><li class="tocline"><a href="#img-src" class="tocxref"><span class="secno">4.5 </span><code>img-src</code></a></li><li class="tocline"><a href="#media-src" class="tocxref"><span class="secno">4.6 </span><code>media-src</code></a></li><li class="tocline"><a href="#frame-src" class="tocxref"><span class="secno">4.7 </span><code>frame-src</code></a></li><li class="tocline"><a href="#font-src" class="tocxref"><span class="secno">4.8 </span><code>font-src</code></a></li><li class="tocline"><a href="#connect-src" class="tocxref"><span class="secno">4.9 </span><code>connect-src</code></a></li><li class="tocline"><a href="#sandbox" class="tocxref"><span class="secno">4.10 </span><code>sandbox</code></a></li><li class="tocline"><a href="#report-uri" class="tocxref"><span class="secno">4.11 </span><code>report-uri</code></a></li><li class="tocline"><a href="#policy-uri" class="tocxref"><span class="secno">4.12 </span><code>policy-uri</code></a></li></ul></li><li class="tocline"><a href="#examples" class="tocxref"><span class="secno">5. </span>Examples</a><ul class="toc"><li class="tocline"><a href="#sample-policy-definitions" class="tocxref"><span class="secno">5.1 </span>Sample Policy Definitions</a></li><li class="tocline"><a href="#sample-violation-report" class="tocxref"><span class="secno">5.2 </span>Sample Violation Report</a></li></ul></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. 
</span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></div>
<div class="informative section" id="introduction">
<!--OddPage--><h2><span class="secno">1. </span>Introduction</h2><p><em>This section is non-normative.</em></p>
<p>This document defines Content Security Policy, a mechanism web
applications can use to mitigate the broad class of content injection
vulnerabilities, such as cross-site scripting (XSS). Content Security
Policy is a declarative policy that lets the authors (or server
administrators) of a web application restrict from where the application
can load resources.</p>
<p>To mitigate XSS, for example, a web application can restrict itself
to loading scripts only from known, trusted URIs, making it difficult
for an attacker who can inject content into the web application to
inject malicious script.</p>
<p>Content Security Policy (CSP) is not intended as a first line of
defense against content injection vulnerabilities. Instead, CSP is best
used as defense-in-depth, to reduce the harm caused by content injection
attacks.</p>
<p>There is often a non-trivial amount of work required to apply CSP to
an existing web application. To reap the greatest benefit, authors will
need to move all inline script and style out-of-line, for example into
external scripts, because the user agent cannot determine whether an
inline script was injected by an attacker.</p>
<p>To take advantage of CSP, a web application needs to opt into using
CSP by supplying a Content-Security-Policy HTTP header or an appropriate
HTML <code>meta</code> element. Such policies apply to the current document
only. To supply a policy for an entire site, the server needs to supply a
policy along with each resource representation.</p>
</div>
<div id="conformance" class="section"><!--OddPage--><h2><span class="secno">2. </span>Conformance</h2><p>As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.</p>
<p>The key words <em class="rfc2119" title="must">must</em>, <em class="rfc2119" title="must not">must not</em>, <em class="rfc2119" title="required">required</em>, <em class="rfc2119" title="should">should</em>, <em class="rfc2119" title="should not">should not</em>, <em class="rfc2119" title="recommended">recommended</em>, <em class="rfc2119" title="may">may</em>, and <em class="rfc2119" title="optional">optional</em> in this specification are to be interpreted as described in [<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">RFC2119</a></cite>].</p>
<p>Requirements phrased in the imperative as part of algorithms (such as
"strip any leading space characters" or "return false and abort these
steps") are to be interpreted with the meaning of the key word ("<em class="rfc2119" title="must">must</em>",
"<em class="rfc2119" title="should">should</em>", "<em class="rfc2119" title="may">may</em>", etc) used in introducing the algorithm.</p>
<p>A conformant user-agent is one that implements all the requirements
listed in this specification that are applicable to user-agents.</p>
<p>A conformant server is one that implements all the requirements
listed in this specification that are applicable to servers.</p>
<div id="terminology" class="section">
<h3><span class="secno">2.1 </span>Terminology</h3>
<p>This section defines several terms used throughout the document.</p>
<p>The term <dfn id="dfn-security-policy">security policy</dfn>, or
simply <dfn id="dfn-policy">policy</dfn>, for the purposes of this
specification refers to either:
</p><ol>
<li>a set of security preferences for restricting the behavior of
content within a given document, or</li>
<li>a fragment of text that codifies these preferences.</li>
</ol>
<p></p>
<p>The security policies defined by this document are applied by a
user-agent on a <em>per-resource representation basis</em>.
Specifically, when a user agent receives a policy along with the
representation of a given resource, that policy applies to <em>that
resource representation only</em>. That resource representation is
often referred to in this document as the <dfn id="dfn-protected-document">protected
document</dfn>.
</p><p>A server transmits its security policy for a particular resource as
a collection of <dfn id="dfn-directives">directives</dfn>, such as <code>default-src
'self'</code>, each of which controls a specific set of privileges for
a document rendered by a user-agent. More details are provided in the
<a href="#directives">directives</a> section.</p>
<p>A directive consists of a <dfn id="dfn-directive-name">directive name</dfn>, which
indicates the privileges controlled by the directive, and a
<dfn id="dfn-directive-value">directive value</dfn>, which specifies the restrictions the
policy imposes on those privileges.</p>
<p>Fetching resources requires <dfn id="resolve">resolving</dfn>
and <dfn id="parse-url">parsing</dfn> URLs. The algorithms
for <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#resolving-urls">resolving
a URL</a>
and <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#parse-a-url">parsing
a URL</a> are defined in the HTML5 standard [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>
<p>The term <dfn id="dfn-origin">origin</dfn> is defined in the Origin specification.
[<em><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">ORIGIN</a></em>]</p>
<p>The term <dfn id="dfn-uri">URI</dfn> is defined in the URI specification. [<cite><a class="bibref" rel="biblioentry" href="#bib-URI">URI</a></cite>]</p>
<p>The <code>&lt;script&gt;</code>, <code>&lt;object&gt;</code>, <code>&lt;embed&gt;</code>,
<code>&lt;img&gt;</code>, <code>&lt;video&gt;</code>, <code>&lt;audio&gt;</code>,
<code>&lt;link&gt;</code>, <code>&lt;frame&gt;</code> and <code>&lt;iframe&gt;</code>
elements are defined in the HTML5 standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>
<p>The <code>&lt;applet&gt;</code> element is defined in the HTML 4.01 standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML401">HTML401</a></cite>].</p>
<p>The <code>@font-face</code> CSS rule is defined in the CSS Fonts Module Level 3 standard.
[<cite><a class="bibref" rel="biblioentry" href="#bib-CSS3FONT">CSS3FONT</a></cite>]</p>
<p>The <code>XMLHttpRequest</code> object is defined in the <code>XMLHttpRequest</code>
standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-XMLHTTPREQUEST">XMLHTTPREQUEST</a></cite>]</p>
<p>The <code>WebSocket</code> object is defined in the <code>WebSocket</code>
standard. [<em><a href="http://dev.w3.org/html5/websockets/">WEBSOCKET</a></em>].</p>
<p>The <code>EventSource</code> object is defined in the <code>EventSource</code>
standard. [<em><a href="http://dev.w3.org/html5/eventsource/">EVENTSOURCE</a></em>].</p>
<p>The Augmented Backus-Naur Form (ABNF) notation used in this
document is specified in RFC 5234. [<cite><a class="bibref" rel="biblioentry" href="#bib-ABNF">ABNF</a></cite>]</p>
<p>The following core rules are included by reference, as defined in
[<em><a href="http://tools.ietf.org/html/rfc5234#appendix-B.1">ABNF Appendix B.1</a></em>]:
<code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
characters).</p>
</div>
</div>
<div id="framework" class="section">
<!--OddPage--><h2><span class="secno">3. </span>Framework</h2>
<p>This section defines the general framework for content security
policies, including the delivery mechanisms and general syntax for
policies. The next section contains the details of the specific
directives introduced in this specification.</p>
<div id="policy-delivery" class="section">
<h3><span class="secno">3.1 </span>Policy Delivery</h3>
<p>The policy can be delivered from the server to the client via an HTTP response header
or an HTML <code>meta</code> element.</p>
<p>Of the two delivery mechanisms, servers <em class="rfc2119" title="should">should</em> use the HTTP
response header mechanism whenever possible because, when using the
<code>meta</code> element mechanism, there is a period of time, between
when the user agent begins to process the document and when the user
agent encounters the <code>meta</code> element, during which the document is
not protected by the policy.</p>
<div id="content-security-policy-header-field" class="section">
<h4><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</h4>
<p>The <code>Content-Security-Policy</code> header field is the
preferred mechanism for delivering a CSP policy.</p>
<p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
header fields named <code>Content-Security-Policy</code> along with
the protected document.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy</code> header field, the user agent
<em class="rfc2119" title="must">must</em> <a href="#enforce-the-combination">enforce the combination</a>
of all the policies contained in these header fields.</p>
</div>
<div id="content-security-policy-report-only-header-field" class="section">
<h4><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</h4>
<p>The <code>Content-Security-Policy-Report-Only</code> header field
lets servers experiment with CSP by monitoring (rather than
enforcing) a policy. This feature lets server operators develop
their security policy iteratively. They can deploy a report-only
policy based on their best estimate of how their site behaves. If
their site violates this policy, instead of breaking the site, the
user agent will send violation reports to a URI specified in the
policy. Once a site has confidence that the policy is appropriate,
its operators can promote the report-only policy to normal blocking mode.</p>
<p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
header fields named <code>Content-Security-Policy-Report-Only</code>
along with the protected document.</p>
<p>If a server supplies at least one
<code>Content-Security-Policy-Report-Only</code> header field in an
HTTP response, the server <em class="rfc2119" title="must not">must not</em> supply any
<code>Content-Security-Policy</code> header fields.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy-Report-Only</code> header field, the
user agent <em class="rfc2119" title="must">must</em> <a href="#monitor-the-combination">monitor the
combination</a> of all the policies contained in these header
fields.</p>
</div>
<div id="html-meta-element" class="section">
<h4><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</h4>
<p>The server <em class="rfc2119" title="may">may</em> supply a CSP policy in an HTML <code>meta</code>
element with an <code>http-equiv</code> attribute that is a case
insensitive match for either <code>Content-Security-Policy</code> or
<code>Content-Security-Policy-Report-Only</code>.</p>
<p>Add the following entries to the <a href="http://www.w3.org/TR/html5/semantics.html#pragma-directives">pragma
directives</a> for the <code>meta</code> element:</p>
<dl>
<dt>Content security policy (<code>http-equiv="content-security-policy"</code>)</dt>
<dd>
<ol>
<li>If the document already has a <var>csp-policy</var>, abort
these steps.</li>
<li>If the <code>meta</code> element lacks a
<code>content</code> attribute, abort these steps.</li>
<li><a href="#enforce">Enforce</a> the CSP policy contained in
the <code>content</code> attribute of the <code>meta</code>
element.</li>
</ol>
</dd>
<dt>Content security policy, report only (<code>http-equiv="content-security-policy-report-only"</code>)</dt>
<dd>
<ol>
<li>If the document already has a <var>csp-policy</var>, abort
these steps.</li>
<li>If the <code>meta</code> element lacks a
<code>content</code> attribute, abort these steps.</li>
<li><a href="#monitor">Monitor</a> the CSP policy contained in
the <code>content</code> attribute of the <code>meta</code>
element.</li>
</ol>
</dd>
</dl>
</div>
</div>
<div id="syntax" class="section">
<h3><span class="secno">3.2 </span>Syntax</h3>
<div id="policies" class="section">
<h4><span class="secno">3.2.1 </span>Policies</h4>
<p>A CSP <dfn id="dfn-policy-1">policy</dfn> consists of a U+003B SEMICOLON
(<code>;</code>) delimited list of directives:</p>
<pre>policy = directive-list
directive-list = [ directive *( ";" [ directive ] ) ]
</pre>
<p>Each <dfn id="dfn-directive">directive</dfn> consists of a <var>directive-name</var>
and (optionally) a <var>directive-value</var>:</p>
<pre>directive = *WSP [ directive-name [ WSP directive-value ] ]
directive-name = 1*( ALPHA / DIGIT / "-" )
directive-value = *( WSP / &lt;VCHAR except ";"&gt; )
</pre>
<p>To <dfn id="parse-a-csp-policy">parse a CSP policy</dfn>
<var>policy</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to
the following:</p>
<ol>
<li>Let the <var>set of directives</var> be the empty set.</li>
<li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strictly-split-a-string">strictly
splitting</a> the string <var>policy</var> on the character U+003B
SEMICOLON (<code>;</code>):
<ol>
<li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#skip-whitespace">Skip whitespace</a>.</li>
<li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#collect-a-sequence-of-characters">Collect
a sequence of characters</a> that are not
<a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space characters</a>. The
collected characters are the <var>directive name</var>.</li>
<li>If <var>position</var> doesn't point past the end of the
token, skip ahead one character (which must be a <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space
character</a>).</li>
<li>The remaining characters in <var>token</var> (if any) are
the <var>directive value</var>.</li>
<li>If the <var>set of directives</var> already contains a
directive with name <var>directive name</var>, ignore this
instance of the directive and continue to the next token.</li>
<li>Add a <var>directive</var> to the <var>set of
directives</var> with name <var>directive name</var> and value
<var>directive value</var>.</li>
</ol>
</li>
<li>Return the <var>set of directives</var>.
</li></ol>
</div>
<div id="source-list" class="section">
<h4><span class="secno">3.2.2 </span>Source List</h4>
<p>Many CSP directives use a value consisting of a <dfn id="dfn-source-list">source
list</dfn>.</p>
<p>Each <dfn id="dfn-source-expression">source expression</dfn> in the source list represents a
location from which content of the specified type can be retrieved.
For example, the source expression <code>'self'</code> represents
the set of URIs which are in the same origin as the protected
document and the source expression <code>'unsafe-inline'</code>
represents content supplied inline in the document itself.</p>
<pre>source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
/ *WSP "'none'" *WSP
source-expression = scheme-source / host-source / keyword-source
scheme-source = scheme ":"
host-source = ( [ scheme "://" ] host [ port ] )
keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
scheme = &lt;scheme&gt; production from RFC 3986
host = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char = ALPHA / DIGIT / "-"
port = ":" ( 1*DIGIT / "*" )
</pre>
<p>To <dfn id="parse-a-source-list">parse a source list</dfn>
<var>source list</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm
equivalent to the following:</p>
<ol>
<li>If <var>source list</var> (with <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strip-leading-and-trailing-whitespace">leading
and trailing whitespace stripped</a>) is a case insensitive match
for the string <code>'none'</code> (including the quotation
marks), return the empty set.</li>
<li>Let the <var>set of source expressions</var> be the empty set.</li>
<li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#split-a-string-on-spaces">splitting
<var>source list</var> on spaces</a>, if the token matches the
grammar for <code>source-expression</code>, add the token to the
<var>set of source expressions</var>.</li>
<li>Return the <var>set of source expressions</var>.</li>
</ol>
<p>To check whether a URI <dfn id="matches-a-source-expression">matches a source expression</dfn>,
the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the
following:</p>
<ol>
<li>If the source expression is a single U+002A ASTERISK character
(<code>*</code>), then return <em>does match</em>.</li>
<li>If the source expression matches the grammar for
<code>scheme-source</code>, then the URI matches the source
expression if the URI's scheme is a case-insensitive match for the
source expression's <code>scheme</code>.</li>
<li>Otherwise, if the source expression matches the grammar for
<code>host-source</code>:
<ol>
<li>If the URI does not contain a host, then return <em>does
not match</em>.</li>
<li>Let <var>scheme</var>, <var>host</var>, and
<var>port</var> be the scheme, host, and port of the URI,
respectively. If the URI does not have a port, then let
<var>port</var> be the default port for
<var>scheme</var>.</li>
<li>If the source expression has a <code>scheme</code> that is
not a case insensitive match for <var>scheme</var>, then
return <em>does not match</em>.</li>
<li>If <var>scheme</var> is not a case insensitive match for
the scheme of the protected document's URI, then return
<em>does not match</em>.<br>
<em>FIXME: Should we allow HTTPS when the document's scheme is
HTTP?</em></li>
<li>If the first character of the source expression's
<code>host</code> is an U+002A ASTERISK character
(<code>*</code>) and the remaining characters, including the
leading U+002E FULL STOP character (<code>.</code>), are not a
case insensitive match for the rightmost characters of
<var>host</var>, then return <em>does not match</em>.</li>
<li>If the first character of the source expression's
<code>host</code> is not an U+002A ASTERISK character
(<code>*</code>) and <var>host</var> is not a case insensitive match
for the source expression's <code>host</code>, then return <em>does
not match</em>.</li>
<li>If the source expression does not contain a
<code>port</code> and <var>port</var> is not the default port
for <var>scheme</var>, then return <em>does not
match</em>.</li>
<li>If the source expression does contain a <code>port</code>
that (a) does <em>not</em> contain an U+002A ASTERISK
character (<code>*</code>) and (b) does <em>not</em> represent
the same number as <var>port</var>, then return <em>does not
match</em>.</li>
<li>Return <em>does match</em>.</li>
</ol>
</li><li>Otherwise, if the source expression is a case insensitive
match for <code>'self'</code> (including the quotation marks),
then the URI matches the source expression if the URI has
the same scheme, host, and port as the protected document's URI.</li>
<li>Otherwise, the URI does not match the source expression.</li>
</ol>
<p>A URI <dfn id="matches-a-source-list">matches a source
list</dfn>, if, and only if, the URI <a href="#matches-a-source-expression">matches at least one source
expression</a> in the set of source expressions obtained by <a href="#parse-a-source-list">parsing the source list</a>. Notice that
no URIs match an empty set of source expressions, such as the set
obtained by parsing the source list <code>'none'</code>.</p>
</div>
</div>
<div id="processing-model" class="section">
<h3><span class="secno">3.3 </span>Processing Model</h3>
<p>To <dfn id="enforce">enforce</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
<a href="#parse-a-csp-policy">parse the policy</a> and enforce each of
the directives contained in the policy, where the specific
requirements for enforcing each directive are defined separately for
each directive (See <a href="#sec-directives">Directives</a>,
below).</p>
<p>Generally speaking, enforcing a directive prevents the protected
document from performing certain actions, such as loading scripts from
URIs other than those indicated in a source list. These restrictions
make it more difficult for an attacker to abuse an injection
vulnerability in the document because the attacker will be unable to
usurp the document's privileges that have been restricted in this
way.</p>
<p>Enforcing a CSP policy <em class="rfc2119" title="should not">should not</em> interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and
JavaScript bookmarklets.</p>
<p>To <dfn id="monitor">monitor</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
<a href="#parse-a-csp-policy">parse the policy</a> and monitor each of
the directives contained in the policy, where the specific
requirements for monitoring each directive are defined separately for
each directive (See <a href="#sec-directives">Directives</a>,
below).</p>
<p>Generally speaking, monitoring a directive does not prevent the
protected document from undertaking any actions. Instead, any actions
that would have been prevented by the directive are instead reported
to the developer of the web application. Monitoring a CSP policy is
most useful for testing whether enforcing the policy will break the
web application.</p>
<p>If the user agent monitors or enforces a CSP policy that does not
contain any directives, the user agent <em class="rfc2119" title="should">should</em> report a warning message
in the developer console.</p>
<p>If the user agent monitors or enforces a CSP policy that contains
an unrecognized directive, the user agent <em class="rfc2119" title="should">should</em> report a warning
message in the developer console indicating the name of the
unrecognized directive.</p>
<p>To <dfn id="enforce-the-combination">enforce the combination</dfn>
of one or more policies, the user agent <em class="rfc2119" title="must">must</em> enforce each policy. For
example, if an action is prevented by at least one of the policies,
then the action will be prevented by the combination of the
policies.</p>
<p>To <dfn id="monitor-the-combination">monitor the combination</dfn>
of one or more policies, the user agent <em class="rfc2119" title="must">must</em> monitor each
policy.</p>
</div>
</div>
<div id="directives" class="section">
<!--OddPage--><h2 id="sec-directives"><span class="secno">4. </span>Directives</h2>
<p>This section describes the content security policy directives
introduced in this specification.</p>
<p>In order to protect against Cross-site Scripting (XSS), authors
<em class="rfc2119" title="should">should</em> include
</p><ul>
<li>both the <code>script-src</code> and <code>object-src</code>
directives, or</li>
<li>include a <code>default-src</code> directive, which covers both
scripts and plug-ins.</li>
</ul>
<p>In either case, authors <em class="rfc2119" title="should not">should not</em> include
<code>'unsafe-inline'</code> in their CSP policies if they wish to
protect themselves against XSS.</p>
<div id="default-src" class="section">
<h3><span class="secno">4.1 </span><code>default-src</code></h3>
<p>The <code>default-src</code> directive sets a default source list
for a number of directives. The syntax for the name and value of the
directive are described by the following ABNF grammar:</p>
<pre>directive-name = "default-src"
directive-value = source-list
</pre>
<p>Let the <var>default sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a
source list</a>.</p>
<p>To enforce the <code>default-src</code> directive, the user agent
<em class="rfc2119" title="must">must</em> enforce the following directives:</p>
<ul>
<li>script-src</li>
<li>object-src</li>
<li>style-src</li>
<li>img-src</li>
<li>media-src</li>
<li>frame-src</li>
<li>font-src</li>
<li>connect-src</li>
</ul>
<p>If not specified explicitly in the policy, the directives listed
above will use the <var>default sources</var>.</p>
</div>
<div id="script-src" class="section">
<h3><span class="secno">4.2 </span><code>script-src</code></h3>
<p>The <code>script-src</code> directive restricts which scripts the
protected document can execute. The directive also controls other
resources, such as XSLT stylesheets, which can cause the user agent to
execute script. The syntax for the name and value of the directive are
described by the following ABNF grammar:</p>
<pre>directive-name = "script-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>script-src</code>, let the
<var>allowed script sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed script sources</var> be the
<var>default sources</var></p>
<p>If <code>'unsafe-inline'</code> is not in <var>allowed script
sources</var>:</p>
<ul>
<li>Whenever the user agent would execute an inline script (either
from a <code>script</code> element or from an inline event handler),
instead the user agent <em class="rfc2119" title="must not">must not</em> execute script.</li>
<li>Whenever the user agent would execute script contained in a
<code>javascript</code> URI, instead the user agent <em class="rfc2119" title="must not">must not</em> execute
the script. (Note: The user agent <em class="rfc2119" title="should">should</em> execute script contained in
"bookmarklets" even when enforcing this restriction.)</li>
</ul>
<p>If <code>'unsafe-eval'</code> is not in <var>allowed script
sources</var>:</p>
<ul>
<li>Instead of evaluating their arguments, both operator
<code>eval</code> and function <code>eval</code> <em class="rfc2119" title="must">must</em> throw a
security exception.</li>
<li>When called as a constructor, the function <code>Function</code>
<em class="rfc2119" title="must">must</em> throw a security exception.</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the <code>setTimeout</code> function <em class="rfc2119" title="must">must</em> return
zero without creating a timer.</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the <code>setInterval</code> function <em class="rfc2119" title="must">must</em> return
zero without creating a timer.</li>
</ul>
<p>The term <dfn id="dfn-callable">callable</dfn> refers to an object whose interface
has one or more <dfn id="dfn-callers">callers</dfn> as defined in the <a href="http://www.w3.org/TR/2010/WD-WebIDL-20101021/#idl-callers">Web
IDL</a> specification [<cite><a class="bibref" rel="biblioentry" href="#bib-WEBIDL">WEBIDL</a></cite>].</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed script
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting a script, such as when processing the
<code>src</code> attribute of a <code>script</code> element or when
processing the <code>Worker</code> or <code>SharedWorker</code>
constructors.</li>
<li>Requesting an Extensible Stylesheet Language Transformations
(XSLT) stylesheet, such as when processing the
<code>&lt;?xml-stylesheet?&gt;</code> processing instruction in an XML
document, the <code>href</code> attribute of an
<code>&lt;xsl:include&gt;</code> element, or the <code>href</code>
attribute of an <code>&lt;xsl:import&gt;</code> element.</li>
</ul>
</div>
<div id="object-src" class="section">
<h3><span class="secno">4.3 </span><code>object-src</code></h3>
<p>The <code>object-src</code> directive restricts from where the
protected document can load plugins. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "object-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>object-src</code>, let the
<var>allowed object sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed object sources</var> be the
<var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed object
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for a plugin, such as when processing the
<code>data</code> attribute of an <code>object</code> element, the
<code>src</code> attribute of an <code>embed</code> element, or the
<code>code</code> or <code>archive</code> attributes of an
<code>applet</code> element.</li>
</ul>
<p>Whenever the user agent would load a plug-in without an associated
URI (e.g., because the <code>object</code> element lacked a
<code>data</code> attribute), if the protected document's URI does not
<a href="#matches-a-source-list">match the <var>allowed object
sources</var></a>, the user agent <em class="rfc2119" title="must not">must not</em> load the plug-in.</p>
</div>
<div id="style-src" class="section">
<h3><span class="secno">4.4 </span><code>style-src</code></h3>
<p>The <code>style-src</code> directive restricts which styles the
user applies to the protected document. The syntax for the name and
value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "style-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>style-src</code>, let the
<var>allowed style sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed style sources</var> be the
<var>default sources</var></p>
<p>If <code>'unsafe-inline'</code> is not in <var>allowed style
sources</var>:</p>
<ul>
<li>Whenever the user agent would apply style from a
<code>style</code> element, instead the user agent <em class="rfc2119" title="must">must</em>
ignore the style.</li>
<li>Whenever the user agent would apply style from a
<code>style</code> attribute, instead the user agent
<em class="rfc2119" title="must">must</em> ignore the style.</li>
</ul>
<p>Note: These restrictions on inline style do not prevent the user agent
from applying style from an external stylesheet (e.g., found via
<code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
not prevented from applying style from CSSOM.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed style
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting external stylesheets, such as when processing the
<code>href</code> attribute of a <code>link</code> element with a
<code>rel</code> attribute containing the token
<code>stylesheet</code> or when processing the <code>@import</code>
directive in a stylesheet.</li>
</ul>
<p>Note: The <code>style-src</code> directive does not restrict the
use of XSLT. XSLT is restricted by the <code>script-src</code>
directive because the security consequences of including an untrusted
XSLT stylesheet are similar to those incurred by including an
untrusted script.</p>
</div>
<div id="img-src" class="section">
<h3><span class="secno">4.5 </span><code>img-src</code></h3>
<p>The <code>img-src</code> directive restricts from where the
protected document can load images. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "img-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>img-src</code>, let the
<var>allowed image sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed image sources</var> be the
<var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed image
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for an image, such as when processing the
<code>src</code> attribute of an <code>img</code> element,
the <code>url()</code> or <code>image()</code> values on any CSS
property that is capable of loading an image [<em><a href="http://www.w3.org/TR/css3-images/">CSS3-Images</a></em>], or
the <code>href</code> attribute of a <code>link</code> element with
an image-related <code>rel</code> attribute, such as
<code>icon</code>.</li>
</ul>
<p class="issue">Should the user agent fire the error event when one of these loads fails?</p>
</div>
<div id="media-src" class="section">
<h3><span class="secno">4.6 </span><code>media-src</code></h3>
<p>The <code>media-src</code> directive restricts from where the
protected document can load video and audio. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "media-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>media-src</code>, let the
<var>allowed media sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed media sources</var> be the
<var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed media
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for a video or audio clip, such as when
processing the <code>src</code> attribute of a <code>video</code>
or <code>audio</code> element.</li>
</ul>
</div>
<div id="frame-src" class="section">
<h3><span class="secno">4.7 </span><code>frame-src</code></h3>
<p>The <code>frame-src</code> directive restricts from where the
protected document can embed frames. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "frame-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>frame-src</code>, let the
<var>allowed frame sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed frame sources</var> be the
<var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed frame
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for display in a frame, such as when processing
the <code>src</code> attribute of an <code>iframe</code> or
<code>frame</code> element.</li>
<li>Navigating a nested browsing context within the protected
document.</li>
</ul>
<p class="issue">How does this work for the <code>object</code>
element? We don't know whether the request is going to lead to a
plug-in or a frame until we get the response back and can look at the
MIME type.</p>
</div>
<div id="font-src" class="section">
<h3><span class="secno">4.8 </span><code>font-src</code></h3>
<p>The <code>font-src</code> directive restricts from where the
protected document can load fonts. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "font-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>font-src</code>, let the
<var>allowed font sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed font sources</var> be the
<var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed font
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting font data, such as when processing
the <code>@font-face</code> CSS rule. <em>TODO: Citation needed.</em></li>
</ul>
</div>
<div id="connect-src" class="section">
<h3><span class="secno">4.9 </span><code>connect-src</code></h3>
<p>The <code>connect-src</code> directive restricts which URIs the
protected document can load using DOM APIs. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "connect-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>connect-src</code>, let
the <var>allowed connection targets</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed connection targets</var> be
the <var>default sources</var></p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed connection
targets</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Processing the <a href="http://www.w3.org/TR/XMLHttpRequest/#the-open-method"><code>open()</code>
method</a> of an <code>XMLHttpRequest</code> object.</li>
<li>Processing the <a href="http://dev.w3.org/html5/websockets/#websocket"><code>WebSocket</code>
constructor</a>.</li>
<li>Processing the <a href="http://dev.w3.org/html5/eventsource/#eventsource"><code>EventSource</code>
constructor</a>.</li>
</ul>
</div>
<div id="sandbox" class="section">
<h3><span class="secno">4.10 </span><code>sandbox</code></h3>
<p class="issue">A future version of this document might include a
<code>sandbox</code> directive for controlling the HTML5 sandbox
flags.</p>
</div>
<div id="report-uri" class="section">
<h3><span class="secno">4.11 </span><code>report-uri</code></h3>
<p>The <code>report-uri</code> directive specifies a URI to which the
user agent sends reports about policy violations. The syntax for the
name and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "report-uri"
directive-value = uri-reference *( 1*WSP uri-reference )
uri-reference = &lt;URI-reference from RFC 3986&gt;
</pre>
<p>Let the <var>set of report URIs</var> be the value of the
<code>report-uri</code> directive, each resolved relative to the
protected document's URI.</p>
<p>To <dfn id="send-a-violation-report">send a violation report</dfn>,
the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the following:</p>
<ol>
<li>Prepare a dictionary <var>violation dictionary</var> with the
following keys and values:
<dl>
<dt>request</dt>
<dd>HTTP request line of the protected resource whose policy was
violated, including the method, URI and HTTP version</dd>
<dt>request-headers</dt>
<dd>HTTP request headers sent with the request for the protected
resource whose policy was violated</dd>
<dt>blocked-uri</dt>
<dd>URI of the resource that was prevented from loading due to
the policy violation</dd>
<dt>violated-directive</dt>
<dd>The policy directive that was violated</dd>
<dt>original-policy</dt>
<dd>The original policy as received by the user-agent. If the
policy was received via more than one Content Security Policy
response header, this field <em class="rfc2119" title="must">must</em> contain a comma separated list
of original policies</dd>
</dl>
<p class="issue">We might need to change some of these keys
because they can leak sensitive information.</p>
</li>
<li>If the origin of the blocked-uri is not the same as the
document's origin, then replace the blocked-uri with the ASCII
serialization of the blocked-uri's origin.</li>
<li>Let the <var>violation report</var> be the JSON stringification
of the <var>violation dictionary</var>.</li>
<li>For each <var>report URI</var> in the <var>set of report URIs</var>:
<ol>
<li>If the <var>report URI</var> has a different scheme than the
URI of the protected document, then ignore this <var>report
URI</var> and continue to the next iteration of the loop.</li>
<li>If the <var>report URI</var> has a different port than the
URI of the protected document, then ignore this <var>report
URI</var> and continue to the next iteration of the loop.</li>
<li>If the <var>report URI</var>'s host does not share the same
<em><a href="http://publicsuffix.org/">public suffix</a> +1 DNS
label</em> as the URI of the protected document, then ignore
this <var>report URI</var> and continue to the next iteration of
the loop.
<p>Examples of public suffixes include <code>.com</code>,
<code>.net</code> and <code>.co.uk</code>. Examples of
<em>"public suffix +1 DNS label"</em> include
<code>example.com</code>, <code>example.net</code> and
<code>example.co.uk</code>. Therefore a protected document whose
host is <code>www.example.com</code> could have a
<code>report-uri</code> hosted on
<code>reports.example.com</code> but <b>not</b>
<code>reports.example.net</code>.</p></li>
<li>Fetch the <var>report URI</var> from the origin of the protected
document, with the synchronous flag <em>not</em> set, using HTTP
method <code>POST</code>, with a <code>Content-Type</code>
header field of <code>application/json</code> with an entity
body consisting of the <var>violation report</var>. The user
agent <em class="rfc2119" title="must not">must not</em> follow redirects when fetching this resource.
(Note: The user agent ignores the fetched resource.)</li>
</ol>
</li>
</ol>
</div>
<div id="policy-uri" class="section">
<h3><span class="secno">4.12 </span><code>policy-uri</code></h3>
<p>The <code>policy-uri</code> directive specifies a URI from which
the user agent can retrieve the actual policy. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "policy-uri"
directive-value = &lt;URI-reference from RFC 3986&gt;
</pre>
<p class="issue">The <code>policy-uri</code> directive might be
removed from this document.</p>
<p>Authors <em class="rfc2119" title="must not">must not</em> specify policies that contain both a
<code>policy-uri</code> directive and another directive.</p>
<p>If the user agent would enforce a policy containing both the
<code>policy-uri</code> directive and another directive, instead the
user agent <em class="rfc2119" title="must">must</em> enforce the policy <code>default-src
'none'</code>.</p>
<p>When processing the <code>policy-uri</code> directive, the user
agent <em class="rfc2119" title="must">must</em> run an algorithm equivalent to the following:</p>
<ul>
<li>Let <var>request URI</var> be the URI that results from
resolving the value of the <code>policy-uri</code> directive
relative to the URI of the protected document.</li>
<li>If <var>request URI</var> is not from the same origin as the
protected document, abort these steps and enforce the policy
<code>default-src 'none'</code>.
</li><li>Fetch the <var>request URI</var> from the origin of the protected
document, with the synchronous flag set, using HTTP method
<code>GET</code>.</li>
<li>If the fetch returned a status code other than <code>200</code>
or if the request encountered an HTTP redirect, abort these steps
and enforce the policy <code>default-src 'none'</code>.</li>
<li>If the fetched resource lacks a <code>Content-Type</code> header
field or if the <code>Content-Type</code> header field is not a
case-insensitive match for <code>text/x-content-security-policy</code>,
abort these steps and enforce the policy <code>default-src
'none'</code>.</li>
<li>Let the <var>fetched policy</var> be the result of <a href="#parse-a-csp-policy">parsing the fetched resource as a CSP
policy</a>.</li>
<li>If the <var>fetched policy</var> contains a
<code>policy-uri</code> directive, abort these steps and enforce the
policy <code>default-src 'none'</code>.</li>
<li><a href="#enforce">Enforce</a> the <var>fetched
policy</var>.</li>
</ul>
</div>
</div>
<div id="examples" class="section">
<!--OddPage--><h2><span class="secno">5. </span>Examples</h2>
<div class="informative section" id="sample-policy-definitions">
<h3><span class="secno">5.1 </span>Sample Policy Definitions</h3><p><em>This section is non-normative.</em></p>
<p>This section provides some sample use cases and accompanying security policies.</p>
<p><strong>Example 1:</strong> A server wishes to load resources only
from its own origin:</p>
<pre>Content-Security-Policy: default-src 'self'</pre>
<p><strong>Example 2:</strong> An auction site wishes to load images
from any URI, plug-in content from a list of trusted media providers
(including a content distribution network), and scripts only from a
server under its control hosting sanitized ECMAScript:</p>
<pre>Content-Security-Policy: default-src 'self'; img-src *;
object-src media1.example.com media2.example.com *.cdn.example.com;
script-src trustedscripts.example.com</pre>
<p><strong>Example 3:</strong> A site operations group wishes to globally deny all
third-party scripts in the site, and a particular project team wishes to also disallow
third-party media in their section of the site. Site operations sends the first header
while the project team sends the second header, and the user-agent takes the combination of
the two headers to form the complete interpreted policy:</p>
<pre>Content-Security-Policy: default-src *; script-src 'self'
Content-Security-Policy: default-src *; script-src 'self'; media-src 'self'</pre>
<p><strong>Example 4:</strong> An online banking site wishes to ensure that all of the content
in its pages is loaded over TLS, to prevent attackers from eavesdropping on insecure content
requests:</p>
<pre>Content-Security-Policy: default-src https:</pre>
</div>
<div class="informative section" id="sample-violation-report">
<h3><span class="secno">5.2 </span>Sample Violation Report</h3><p><em>This section is non-normative.</em></p>
<p>This section contains an example violation report the user agent
might send to a server when the protected document violates a sample
policy.</p>
<p>In the following example, a document from
<code>http://example.org/page.html</code> was rendered with the
following CSP policy:</p>
<pre>default-src 'self'; report-uri http://example.org/csp-report.cgi</pre>
<p>The document loaded an image from
<code>http://evil.example.com/image.png</code>, violating the
policy.</p>
<pre>{
"csp-report": {
"request": "GET http://example.org/page.html HTTP/1.1",
"request-headers": "Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b12pre) Gecko/20110222 Firefox/4.0b12pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cache-Control: max-age=0",
"blocked-uri": "http://evil.example.com/image.png",
"violated-directive": "default-src http://example.org"
}
}</pre>
<p>In the above sample report the <code>violated-directive</code>
field was sent in the way it was interpreted by the user-agent. The
directive was made explicit by replacing the keyword
<code>'self'</code> with the explicit host name of the protected
resource. This is recommended behavior for user-agents as it reduces
ambiguity, making policy violations easier to trace by server
admins.</p>
<p class="issue">Should we add this as a requirement when preparing
reports?</p>
</div>
</div>
<div id="references" class="appendix section"><!--OddPage--><h2><span class="secno">A. </span>References</h2><div id="normative-references" class="section"><h3><span class="secno">A.1 </span>Normative references</h3><dl class="bibliography"><dt id="bib-ABNF">[ABNF]</dt><dd>D. Crocker and P. Overell. <a href="http://www.ietf.org/rfc/rfc5234.txt"><cite>Augmented BNF for Syntax Specifications: ABNF.</cite></a> January 2008. Internet RFC 5234. URL: <a href="http://www.ietf.org/rfc/rfc5234.txt">http://www.ietf.org/rfc/rfc5234.txt</a>
</dd><dt id="bib-CSS3FONT">[CSS3FONT]</dt><dd>Michel Suignard; Chris Lilley. <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802"><cite>CSS3 module: Fonts.</cite></a> 2 August 2002. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802">http://www.w3.org/TR/2002/WD-css3-fonts-20020802</a>
</dd><dt id="bib-HTML401">[HTML401]</dt><dd>David Raggett; Ian Jacobs; Arnaud Le Hors. <a href="http://www.w3.org/TR/1999/REC-html401-19991224"><cite>HTML 4.01 Specification.</cite></a> 24 December 1999. W3C Recommendation. URL: <a href="http://www.w3.org/TR/1999/REC-html401-19991224">http://www.w3.org/TR/1999/REC-html401-19991224</a>
</dd>
<dt id="bib-HTML5">[HTML5]</dt><dd>Ian Hickson; David Hyatt. <a
href="http://www.w3.org/TR/html5"><cite>HTML5.</cite></a> 25 May
2011. W3C Last Call Working Draft. (Work in progress.) URL: <a
href="http://www.w3.org/TR/html5">http://www.w3.org/TR/html5</a><br>
This draft refers to an updated version of section <a
href="http://dev.w3.org/html5/spec/common-microsyntaxes.html">2.5
Common microsyntaxes</a> that is, at time of this publication, only
contained in the <a
href="http://dev.w3.org/html5/spec/Overview.html">HTML5 Editor's
Draft</a>. </dd>
<dt id="bib-RFC2119">[RFC2119]</dt><dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt"><cite>Key words for use in RFCs to Indicate Requirement Levels.</cite></a> March 1997. Internet RFC 2119. URL: <a href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a>
</dd><dt id="bib-URI">[URI]</dt><dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="http://www.ietf.org/rfc/rfc3986.txt"><cite>Uniform Resource Identifiers (URI): generic syntax.</cite></a> January 2005. Internet RFC 3986. URL: <a href="http://www.ietf.org/rfc/rfc3986.txt">http://www.ietf.org/rfc/rfc3986.txt</a>
</dd><dt id="bib-WEBIDL">[WEBIDL]</dt><dd>Cameron McCormack. <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219"><cite>Web IDL.</cite></a> 19 December 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219">http://www.w3.org/TR/2008/WD-WebIDL-20081219</a>
</dd><dt id="bib-XMLHTTPREQUEST">[XMLHTTPREQUEST]</dt><dd>Anne van Kesteren. <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415"><cite>The XMLHttpRequest Object.</cite></a> 15 April 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415">http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415</a>
</dd></dl></div><div id="informative-references" class="section"><h3><span class="secno">A.2 </span>Informative references</h3><p>No informative references.</p></div></div></body></html>