diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md index 04b5a7f7716ac45..ea17687c2c766f3 100644 --- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md @@ -65,7 +65,7 @@ In Manifest V2, a source for a script directive is considered secure if it meets - Remote sources must not use wildcards for any domains in the [public suffix list](https://publicsuffix.org/list/) (so `*.co.uk` and `*.blogspot.com` are not allowed, although `*.foo.blogspot.com` is permitted). - All sources must specify a host. - The only permitted schemes for sources are `blob:`, `filesystem:`, `moz-extension:`, `https:`, and `wss:`. -- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`. +- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`. ## object-src directive diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md index 9f8d49f0cc45307..4ed60863edfd126 100644 --- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md 
@@ -28,16 +28,24 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest ## Syntax -One or more _sources_ can be allowed for the base-uri policy: - ```http -Content-Security-Policy: base-uri ; -Content-Security-Policy: base-uri ; +Content-Security-Policy: base-uri 'none'; +Content-Security-Policy: base-uri ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No base URI may be set using a `` element. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions. + + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: -This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including ``, ``, `'self'`, and `'none'`. + - `` + - `` + - the keyword value `'self'`. ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.md b/files/en-us/web/http/headers/content-security-policy/child-src/index.md index cf3aa4c68c2b5ac..447a5c6640071cc 100644 --- a/files/en-us/web/http/headers/content-security-policy/child-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/child-src/index.md 
@@ -35,18 +35,20 @@ network errors by the user agent. ## Syntax -One or more sources can be allowed for the `child-src` policy: - ```http -Content-Security-Policy: child-src ; -Content-Security-Policy: child-src ; +Content-Security-Policy: child-src 'none'; +Content-Security-Policy: child-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md index 490b20280ed6620..fee392fdafeb62f 100644 --- a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md 
@@ -9,14 +9,14 @@ browser-compat: http.headers.Content-Security-Policy.connect-src The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`connect-src`** directive restricts the URLs which can be -loaded using script interfaces. The APIs that are restricted are: +loaded using script interfaces. The following APIs are controlled by this directive: -- {{HTMLElement("a")}} [`ping`](/en-US/docs/Web/HTML/Element/a#ping), -- {{domxref("Window/fetch", "fetch()")}}, -- {{domxref("XMLHttpRequest")}}, -- {{domxref("WebSocket")}}, -- {{domxref("EventSource")}}, and -- {{domxref("Navigator.sendBeacon()")}}. +- The [`ping`](/en-US/docs/Web/HTML/Element/a#ping) attribute in {{htmlelement("a")}} elements +- {{domxref("Window/fetch", "fetch()")}} +- {{domxref("XMLHttpRequest")}} +- {{domxref("WebSocket")}} +- {{domxref("EventSource")}} +- {{domxref("Navigator.sendBeacon()")}} > **Note:** `connect-src 'self'` does not resolve to websocket > schemes in all browsers, more info in this [issue](https://github.com/w3c/webappsec-csp/issues/7). 
@@ -43,18 +43,20 @@ loaded using script interfaces. The APIs that are restricted are: ## Syntax -One or more sources can be allowed for the connect-src policy: - ```http -Content-Security-Policy: connect-src ; -Content-Security-Policy: connect-src ; +Content-Security-Policy: connect-src 'none'; +Content-Security-Policy: connect-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md index 904148b03c194e2..611d782fa9cf09d 100644 --- a/files/en-us/web/http/headers/content-security-policy/default-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/default-src/index.md 
@@ -41,18 +41,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`default-src`** direc ## Syntax -One or more sources can be allowed for the `default-src` policy: - ```http -Content-Security-Policy: default-src ; -Content-Security-Policy: default-src ; +Content-Security-Policy: default-src 'none'; +Content-Security-Policy: default-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.md b/files/en-us/web/http/headers/content-security-policy/font-src/index.md index 003da75983b93db..9cd7ea7d0e3e208 100644 --- a/files/en-us/web/http/headers/content-security-policy/font-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/font-src/index.md 
@@ -33,18 +33,20 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}. ## Syntax -One or more sources can be allowed for the `font-src` policy: - ```http -Content-Security-Policy: font-src ; -Content-Security-Policy: font-src ; +Content-Security-Policy: font-src 'none'; +Content-Security-Policy: font-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md index 569c38ff3660174..053c4024e0398ef 100644 --- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md +++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md 
@@ -31,18 +31,24 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc ## Syntax -One or more sources can be set for the `form-action` policy: - ```http -Content-Security-Policy: form-action ; -Content-Security-Policy: form-action ; +Content-Security-Policy: form-action 'none'; +Content-Security-Policy: form-action ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No form submissions may be made. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions. -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`: -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + - `` + - `` + - the keyword value `'self'`. ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md index b7ee20794ec3dec..1e8fa9b6a800751 100644 --- a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md 
@@ -38,18 +38,20 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and ## Syntax -One or more sources can be allowed for the `frame-src` policy: - ```http -Content-Security-Policy: frame-src ; -Content-Security-Policy: frame-src ; +Content-Security-Policy: frame-src 'none'; +Content-Security-Policy: frame-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.md b/files/en-us/web/http/headers/content-security-policy/img-src/index.md index 7865c59b4bbc7f2..42e6437d95ec196 100644 --- a/files/en-us/web/http/headers/content-security-policy/img-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/img-src/index.md 
@@ -31,18 +31,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive speci ## Syntax -One or more sources can be allowed for the `img-src` policy: - ```http -Content-Security-Policy: img-src ; -Content-Security-Policy: img-src ; +Content-Security-Policy: img-src 'none'; +Content-Security-Policy: img-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/index.md b/files/en-us/web/http/headers/content-security-policy/index.md index 017e9d58a1a5d31..7cd06db251a332b 100644 --- a/files/en-us/web/http/headers/content-security-policy/index.md +++ b/files/en-us/web/http/headers/content-security-policy/index.md 
@@ -170,7 +170,7 @@ Reporting directives control the destination URL for CSP violation reports in `C ## Values An overview of the allowed values are listed below. -For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) and the documentation for individual directives. +For detailed reference see [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources) and the documentation for individual directives. ### Keyword values diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md index 8c7d36511cb53dd..72af54796138b92 100644 --- a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md 
@@ -34,18 +34,20 @@ to the resource. ## Syntax -One or more sources can be allowed for the `manifest-src` policy: - ```http -Content-Security-Policy: manifest-src ; -Content-Security-Policy: manifest-src ; +Content-Security-Policy: manifest-src 'none'; +Content-Security-Policy: manifest-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.md b/files/en-us/web/http/headers/content-security-policy/media-src/index.md index 77a8a810482766e..0284b6a7572b682 100644 --- a/files/en-us/web/http/headers/content-security-policy/media-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/media-src/index.md 
@@ -33,18 +33,20 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements. ## Syntax -One or more sources can be allowed for the `media-src` policy: - ```http -Content-Security-Policy: media-src ; -Content-Security-Policy: media-src ; +Content-Security-Policy: media-src 'none'; +Content-Security-Policy: media-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.md b/files/en-us/web/http/headers/content-security-policy/object-src/index.md index 7cbec9a06abc998..cde774a2726a58c 100644 --- a/files/en-us/web/http/headers/content-security-policy/object-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/object-src/index.md 
@@ -40,18 +40,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} ## Syntax -One or more sources can be allowed for the `object-src` policy: - ```http -Content-Security-Policy: object-src ; -Content-Security-Policy: object-src ; +Content-Security-Policy: object-src 'none'; +Content-Security-Policy: object-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md index 5c1021c1fb40fe9..4645a99d4682025 100644 --- a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md 
@@ -36,18 +36,20 @@ be prefetched or prerendered. ## Syntax -One or more sources can be allowed for the `prefetch-src` policy: - ```http -Content-Security-Policy: prefetch-src ; -Content-Security-Policy: prefetch-src ; +Content-Security-Policy: prefetch-src 'none'; +Content-Security-Policy: prefetch-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Example diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md index 5483e0867beafd7..e4a8022319eda8e 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md 
@@ -35,13 +35,21 @@ It does not apply to other JavaScript sources that can trigger script execution, ## Syntax -One or more sources can be allowed for the `script-src-attr` policy: - ```http -Content-Security-Policy: script-src-attr ; -Content-Security-Policy: script-src-attr ; +Content-Security-Policy: script-src-attr 'none'; +Content-Security-Policy: script-src-attr ; ``` +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + `script-src-attr` can be used in conjunction with {{CSP("script-src")}}, and will override that directive for checks on inline handlers: ```http @@ -49,12 +57,6 @@ Content-Security-Policy: script-src ; Content-Security-Policy: script-src-attr ; ``` -### Sources - -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). - -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation case diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md index f36573ebb0f7467..21a411157bb4b08 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md 
@@ -35,13 +35,21 @@ It does not apply to other JavaScript sources that can trigger script execution, ## Syntax -One or more sources can be allowed for the `script-src-elem` policy: - ```http -Content-Security-Policy: script-src-elem ; -Content-Security-Policy: script-src-elem ; +Content-Security-Policy: script-src-elem 'none'; +Content-Security-Policy: script-src-elem ; ``` +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + `script-src-elem` can be used in conjunction with {{CSP("script-src")}}: ```http @@ -49,12 +57,6 @@ Content-Security-Policy: script-src ; Content-Security-Policy: script-src-elem ; ``` -### Sources - -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). - -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation case diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.md b/files/en-us/web/http/headers/content-security-policy/script-src/index.md index 6ab5dd782daa439..9a4d1675dba9d91 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src/index.md 
@@ -31,18 +31,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`script-src`** direct ## Syntax -One or more sources can be allowed for the `script-src` policy: - ```http -Content-Security-Policy: script-src ; -Content-Security-Policy: script-src ; +Content-Security-Policy: script-src 'none'; +Content-Security-Policy: script-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md index 8debb1d4dfe551f..718568028210b53 100644 --- a/files/en-us/web/http/headers/content-security-policy/sources/index.md +++ b/files/en-us/web/http/headers/content-security-policy/sources/index.md 
@@ -7,8 +7,15 @@ spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list {{HTTPSidebar}} -HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) header directives that specify a `` from which resources may be loaded can use any one of the values listed below. -Relevant directives include the {{Glossary("fetch directive", "fetch directives")}}, along with others [listed below](#relevant_directives). +HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. + +As well as fetch directives, some other CSP directives may take as a value a space-separated list of source expressions, each of which may be a subset of the values listed below, namely: one of ``, ``, or the keyword `'self'`. These other directives are: + +- {{CSP("base-uri")}} +- {{CSP("form-action")}} +- {{CSP("frame-ancestors")}} + +Directives that accept a list of source expressions may instead be given the single value `'none'`, indicating that no resources of the given type may be loaded (or, in the case of non-fetch directives, that the associated feature is not allowed). ## Sources 
@@ -64,12 +71,9 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" - `'unsafe-inline'` - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required. -- `'none'` - - : Refers to the empty set; that is, no URLs match. - The single quotes are required. - `'nonce-'` - - : An allowlist for specific inline scripts using a cryptographic nonce (number used once). + - : An allowlist for specific scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. @@ -96,37 +100,3 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" ## Specifications {{Specifications}} - -## Relevant directives - -Directives for which the above sources apply include: - -- {{Glossary("fetch directive", "Fetch directives")}}: - - - {{CSP("default-src")}} - - {{CSP("child-src")}} - - {{CSP("connect-src")}} - - {{CSP("font-src")}} - - {{CSP("frame-src")}} - - {{CSP("img-src")}} - - {{CSP("manifest-src")}} - - {{CSP("media-src")}} - - {{CSP("object-src")}} - - {{CSP("prefetch-src")}} - - {{CSP("script-src")}} - - {{CSP("script-src-elem")}} - - {{CSP("script-src-attr")}} - - {{CSP("style-src")}} - - {{CSP("style-src-elem")}} - - {{CSP("style-src-attr")}} - - {{CSP("worker-src")}} - -- {{Glossary("Document directive", "Document directives")}}: - - - {{CSP("base-uri")}} - - {{CSP("sandbox")}} - -- {{Glossary("Navigation directive", "Navigation directives")}}: - - - {{CSP("form-action")}} - - {{CSP("frame-ancestors")}} 
diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md index cbccae9bafb8c7a..1aa6165afa0d101 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md @@ -36,13 +36,21 @@ These are set using {{CSP("style-src-elem")}} (and valid sources for all styles ## Syntax -One or more sources can be allowed for the `style-src-attr` policy: - ```http -Content-Security-Policy: style-src-attr ; -Content-Security-Policy: style-src-attr ; +Content-Security-Policy: style-src-attr 'none'; +Content-Security-Policy: style-src-attr ; ``` +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + `style-src-attr` can be used in conjunction with {{CSP("style-src")}}: ```http @@ -50,12 +58,6 @@ Content-Security-Policy: style-src ; Content-Security-Policy: style-src-attr ; ``` -### Sources - -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). - -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases 
diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md index 44e0e8302556f72..0538d75a361b782 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md @@ -35,13 +35,21 @@ The directive does not set valid sources for inline style attributes; these are ## Syntax -One or more sources can be allowed for the `style-src-elem` policy: - ```http -Content-Security-Policy: style-src-elem ; -Content-Security-Policy: style-src-elem ; +Content-Security-Policy: style-src-elem 'none'; +Content-Security-Policy: style-src-elem ; ``` +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` + + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. + + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). + `style-src-elem` can be used in conjunction with {{CSP("style-src")}}: ```http @@ -49,12 +57,6 @@ Content-Security-Policy: style-src ; Content-Security-Policy: style-src-elem ; ``` -### Sources - -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). - -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases 
diff --git a/files/en-us/web/http/headers/content-security-policy/style-src/index.md b/files/en-us/web/http/headers/content-security-policy/style-src/index.md index 7a8ce96758f07ad..d044c4b58e27cb6 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src/index.md @@ -31,18 +31,20 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`style-src`** directi ## Syntax -One or more sources can be allowed for the `style-src` policy: - ```http -Content-Security-Policy: style-src ; -Content-Security-Policy: style-src ; +Content-Security-Policy: style-src 'none'; +Content-Security-Policy: style-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md index c17e54c02775704..df3aa70b3cd0451 100644 --- a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md 
@@ -39,18 +39,20 @@ scripts. ## Syntax -One or more sources can be allowed for the `worker-src` policy: - ```http -Content-Security-Policy: worker-src ; -Content-Security-Policy: worker-src ; +Content-Security-Policy: worker-src 'none'; +Content-Security-Policy: worker-src ; ``` -### Sources +This directive may have one of the following values: + +- `'none'` + - : No resources of this type may be loaded. The single quotes are mandatory. +- `` -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). + - : A space-separated list of _source expression_ values. Resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). + Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples
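Review bot: In the Sources hunk `@@ -64,12 +71,9 @@`, dropping the `'none'` entry leaves this page with no mention of `'none'` at all, while the per-directive hunks in this patch each describe it separately ("No resources of this type may be loaded. The single quotes are mandatory."). Readers following a `Sources#sources` link from a directive page will not find it; add one sentence near the keyword list saying that `'none'` is not a source expression and is documented on each directive's own page, so the removal does not read as an omission.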
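Review bot: In the Sources hunk `@@ -96,37 +100,3 @@`, the whole "Relevant directives" section is deleted, and the `style-src`, `style-src-elem`, `style-src-attr` and `worker-src` hunks remove their "number of other directives" links to `Sources#relevant_directives`. Before merging, grep the rest of the tree for `#relevant_directives`; any fetch, document or navigation directive page not touched by this patch would now link to a missing fragment. The information itself (which directives take a source list) is also removed rather than relocated; a one-line cross-reference to the {{HTTPHeader("Content-Security-Policy")}} header page would preserve it.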
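Review bot: In the `style-src-attr` hunk `@@ -36,13 +36,21 @@`, the new `'none'` and source-list descriptions reuse the generic wording "No resources of this type may be loaded" / "Resources of this type may be loaded if they match any of the given source expressions", but this directive governs inline style attributes (the `style-src-elem` hunk's own context line says "The directive does not set valid sources for inline style attributes; these are" set by `style-src-attr`). Inline attributes are not loaded resources and have no URL to match a host-source against, so reword to something like "No inline style attributes may be applied" and note that only source expressions that can match inline content are meaningful here, as the page does for the element directive.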