Skip to content

Commit

Permalink
Correct CSP source values (mdn#35947)
Browse files Browse the repository at this point in the history
* Correct headers syntax descriptions

* Correct headers syntax descriptions, the rest

* Update some links

* Update form-action

* Reformat fetch directive syntax

* Give a clue about what source expressions are like

* Mention 'none' in source values page

* clarify
  • Loading branch information
wbamberg authored Oct 4, 2024
1 parent e1d2d6a commit be48127
Show file tree
Hide file tree
Showing 22 changed files with 211 additions and 193 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ In Manifest V2, a source for a script directive is considered secure if it meets
- Remote sources must not use wildcards for any domains in the [public suffix list](https://publicsuffix.org/list/) (so `*.co.uk` and `*.blogspot.com` are not allowed, although `*.foo.blogspot.com` is permitted).
- All sources must specify a host.
- The only permitted schemes for sources are `blob:`, `filesystem:`, `moz-extension:`, `https:`, and `wss:`.
- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`.
- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`.

## object-src directive

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,24 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest

## Syntax

One or more _sources_ can be allowed for the base-uri policy:

```http
Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;
Content-Security-Policy: base-uri 'none';
Content-Security-Policy: base-uri <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No base URI may be set using a `<base>` element. The single quotes are mandatory.
- `<source-expression-list>`

- : A space-separated list of _source expression_ values. A `<base>` element may set a base URI if its value matches any of the given source expressions.

Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`:

This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`.
- `<host-source>`
- `<scheme-source>`
- the keyword value `'self'`.

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,18 +35,20 @@ network errors by the user agent.

## Syntax

One or more sources can be allowed for the `child-src` policy:

```http
Content-Security-Policy: child-src <source>;
Content-Security-Policy: child-src <source> <source>;
Content-Security-Policy: child-src 'none';
Content-Security-Policy: child-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,14 @@ browser-compat: http.headers.Content-Security-Policy.connect-src

The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
**`connect-src`** directive restricts the URLs which can be
loaded using script interfaces. The APIs that are restricted are:
loaded using script interfaces. The following APIs are controlled by this directive:

- {{HTMLElement("a")}} [`ping`](/en-US/docs/Web/HTML/Element/a#ping),
- {{domxref("Window/fetch", "fetch()")}},
- {{domxref("XMLHttpRequest")}},
- {{domxref("WebSocket")}},
- {{domxref("EventSource")}}, and
- {{domxref("Navigator.sendBeacon()")}}.
- The [`ping`](/en-US/docs/Web/HTML/Element/a#ping) attribute in {{htmlelement("a")}} elements
- {{domxref("Window/fetch", "fetch()")}}
- {{domxref("XMLHttpRequest")}}
- {{domxref("WebSocket")}}
- {{domxref("EventSource")}}
- {{domxref("Navigator.sendBeacon()")}}

> **Note:** `connect-src 'self'` does not resolve to websocket
> schemes in all browsers, more info in this [issue](https://github.com/w3c/webappsec-csp/issues/7).
Expand All @@ -43,18 +43,20 @@ loaded using script interfaces. The APIs that are restricted are:

## Syntax

One or more sources can be allowed for the connect-src policy:

```http
Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;
Content-Security-Policy: connect-src 'none';
Content-Security-Policy: connect-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,18 +41,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`default-src`** direc

## Syntax

One or more sources can be allowed for the `default-src` policy:

```http
Content-Security-Policy: default-src <source>;
Content-Security-Policy: default-src <source> <source>;
Content-Security-Policy: default-src 'none';
Content-Security-Policy: default-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,18 +33,20 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.

## Syntax

One or more sources can be allowed for the `font-src` policy:

```http
Content-Security-Policy: font-src <source>;
Content-Security-Policy: font-src <source> <source>;
Content-Security-Policy: font-src 'none';
Content-Security-Policy: font-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,18 +31,24 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc

## Syntax

One or more sources can be set for the `form-action` policy:

```http
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
Content-Security-Policy: form-action 'none';
Content-Security-Policy: form-action <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No form submissions may be made. The single quotes are mandatory.
- `<source-expression-list>`

- : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`:

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
- `<host-source>`
- `<scheme-source>`
- the keyword value `'self'`.

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,18 +38,20 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and

## Syntax

One or more sources can be allowed for the `frame-src` policy:

```http
Content-Security-Policy: frame-src <source>;
Content-Security-Policy: frame-src <source> <source>;
Content-Security-Policy: frame-src 'none';
Content-Security-Policy: frame-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,18 +31,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive speci

## Syntax

One or more sources can be allowed for the `img-src` policy:

```http
Content-Security-Policy: img-src <source>;
Content-Security-Policy: img-src <source> <source>;
Content-Security-Policy: img-src 'none';
Content-Security-Policy: img-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@ Reporting directives control the destination URL for CSP violation reports in `C
## Values
An overview of the allowed values are listed below.
For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) and the documentation for individual directives.
For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources) and the documentation for individual directives.
### Keyword values
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,18 +34,20 @@ to the resource.

## Syntax

One or more sources can be allowed for the `manifest-src` policy:

```http
Content-Security-Policy: manifest-src <source>;
Content-Security-Policy: manifest-src <source> <source>;
Content-Security-Policy: manifest-src 'none';
Content-Security-Policy: manifest-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -33,18 +33,20 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.

## Syntax

One or more sources can be allowed for the `media-src` policy:

```http
Content-Security-Policy: media-src <source>;
Content-Security-Policy: media-src <source> <source>;
Content-Security-Policy: media-src 'none';
Content-Security-Policy: media-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,18 +40,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}}

## Syntax

One or more sources can be allowed for the `object-src` policy:

```http
Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;
Content-Security-Policy: object-src 'none';
Content-Security-Policy: object-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,18 +36,20 @@ be prefetched or prerendered.

## Syntax

One or more sources can be allowed for the `prefetch-src` policy:

```http
Content-Security-Policy: prefetch-src <source>;
Content-Security-Policy: prefetch-src <source> <source>;
Content-Security-Policy: prefetch-src 'none';
Content-Security-Policy: prefetch-src <source-expression-list>;
```

### Sources
This directive may have one of the following values:

- `'none'`
- : No resources of this type may be loaded. The single quotes are mandatory.
- `<source-expression-list>`

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
- : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions.

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Example

Expand Down
Loading

0 comments on commit be48127

Please sign in to comment.