Content Security Policy: Difference between revisions

From Web Security
Abarth (talk | contribs)
Mnot (talk | contribs)
 
(19 intermediate revisions by 5 users not shown)
Line 3: Line 3:
* Current [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html editor's draft]
* Current [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html editor's draft]
* [http://www.w3.org/Security/wiki/Use_Cases_for_Content_Security_Policies Use Cases]
* [http://www.w3.org/Security/wiki/Use_Cases_for_Content_Security_Policies Use Cases]
* [http://www.w3.org/Security/wiki/Test_Assertions_For_Content_Security_Policy Test Assertions]


== Directives ==
== Directives ==
Line 10: Line 11:
===Version 1.0===
===Version 1.0===


These directives are currently slated for inclusion in CSP 1.0.
These directives are included in CSP 1.0.


* default-src
* default-src
Line 22: Line 23:
* connect-src
* connect-src
* report-uri
* report-uri
* policy-uri (Might be removed; see [http://www.w3.org/2011/webappsec/track/issues/7 ISSUE-7])
* sandbox (optional)


===Proposals for Version 1.1===
===Proposals for Version 1.1===


This directives have been proposed for inclusion in CSP 1.1.
These directives have been proposed for inclusion in CSP 1.1:


* sandbox (Might get moved to 1.0; see [http://www.w3.org/2011/webappsec/track/issues/6 ISSUE-6])
* <meta> tag [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#html-meta-element--experimental strawman spec]
* script-nonce
* More granular source expressions (file-level paths) [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#path-matching strawman spec]
* allow-modification (Allows modification of the CSP policy while the page is running.  See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
* A script interface for reading policy details: [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces--experimental strawman spec]
* no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
* form-action (Restricts URLs that can be used as actions for forms) [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#form-action--experimental strawman spec]
* no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
* script-nonce [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental strawman spec]
* A DOM API for reading the policy? Maybe just a bit about whether eval is turned on? Proposal: https://mikewest.org/2012/05/content-security-policy-feature-detection
* plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#plugin-types--experimental strawman spec]
* A way to engage the policy after loading some content (perhaps code that uses eval)? Perhaps a DOM API? The <meta> tag?  Maybe only has the first child of the head?
* reflected-xss (Folds X-XSS-Protection into CSP) [https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reflected-xss--experimental strawman spec]
* frame-ancestor or frame-options
* Using script-sample from Mozilla's original implementation in CSP reports (useful for false positive detection, provide signatures of payloads for WAFs, and generally more informative)
* script-hash [contains a list of the digests of loadable scripts.]
* Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')
* no-user-js (Protect against self-xss)
* Restriction on cookie scope - [http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0021.html strawman spec]
* Restrict script to sources with specific content-types.
* form-action (Restricts the URIs that can be used as actions for forms)
* plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page)
* An option to allow seamless with parent?


===Experimental===
===Experimental===
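Review bot: the ISSUE-6 tracker link is lost in this hunk. The old 1.1 entry "sandbox (Might get moved to 1.0; see [http://www.w3.org/2011/webappsec/track/issues/6 ISSUE-6])" is replaced by a bare "sandbox (optional)" in the 1.0 list, so readers no longer have a pointer to the decision that made it optional; consider keeping the link on the 1.0 entry, e.g. "* sandbox (optional; see [http://www.w3.org/2011/webappsec/track/issues/6 ISSUE-6])".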
Line 50: Line 47:
If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description.  Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.
If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description.  Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.


* allow-modification (Allows modification of the CSP policy while the page is running.  See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
* no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
* no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
* script-hash [contains a list of the digests of loadable scripts.]
* no-user-js (Protect against self-xss)
* Option to restrict script-src (or all directives?) to sources with specific content-types.
* An option to allow seamless with parent?
* jsonp-src and jsonp-sink
* referrer (see http://wiki.whatwg.org/wiki/Meta_referrer )
* policy-uri
* [https://wiki.mozilla.org/Security/CSP/Strawman This wiki page] contains a bunch of brainstorming that might lead to useful directive ideas
* [https://wiki.mozilla.org/Security/CSP/Strawman This wiki page] contains a bunch of brainstorming that might lead to useful directive ideas
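Review bot: the unchanged context paragraph at the top of this hunk still carries the typo "guantee" ("Listing your directive here is not a guantee that other folks won't appropriate its name"); since the paragraph survives into the new revision verbatim, it would be worth correcting it to "guarantee" while this section is being edited.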



Latest revision as of 23:26, 30 September 2013

Content Security Policy

Directives

A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are included in CSP 1.0.

  • default-src
  • script-src
  • object-src
  • img-src
  • media-src
  • style-src
  • frame-src
  • font-src
  • connect-src
  • report-uri
  • sandbox (optional)
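As an added illustration of how the directives listed above are combined and consumed (example code written for this page, not code from the W3C wiki or any browser), the following Python parses a Content-Security-Policy header value into its ';'-separated directives and audits it against the CSP 1.0 directive set. The names in CSP_1_0_DIRECTIVES and FETCH_DIRECTIVES come from the list above; the sample policy string, the function names and the severity labels are constructed for this example. The audit flags the two mistakes a conforming 1.0 user agent hides from the author: a misspelled directive name (ignored, so the intended restriction is never applied) and a repeated directive (only the first occurrence is kept).

```python
"""Parse and audit a Content-Security-Policy header against the CSP 1.0 directive list.

Added example; not code from the W3C wiki or from any browser implementation.
"""

# Directive names listed under "Version 1.0" on this page.
CSP_1_0_DIRECTIVES = {
    "default-src", "script-src", "object-src", "img-src", "media-src",
    "style-src", "frame-src", "font-src", "connect-src", "report-uri",
    "sandbox",
}

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = {
    "script-src", "object-src", "img-src", "media-src", "style-src",
    "frame-src", "font-src", "connect-src",
}


def parse_policy(header_value):
    """Split a policy into (directives, duplicates).

    directives maps a lower-cased directive name to its list of values, in
    header order. Directives are separated by ';'; within a directive the name
    and its values are separated by whitespace. A repeated directive keeps its
    first occurrence, which is what a CSP 1.0 user agent does; the name of each
    ignored repeat is returned in duplicates so a reviewer can see it.
    """
    directives = {}
    duplicates = []
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        parts = token.split()
        name, values = parts[0].lower(), parts[1:]
        if name in directives:
            duplicates.append(name)
            continue
        directives[name] = values
    return directives, duplicates


def audit_policy(header_value):
    """Return a list of (severity, message) findings for a policy string.

    Severities are constructed labels for this example: "error" for something a
    user agent silently ignores, "warning" for a weaker-than-intended policy,
    "info" for a missing nicety. An empty list means no concerns.
    """
    directives, duplicates = parse_policy(header_value)
    findings = []
    for name in directives:
        if name not in CSP_1_0_DIRECTIVES:
            # A typo such as "scrpt-src" is dropped by the user agent, so the
            # author loses the restriction they believe they set.
            findings.append(("error", "unknown directive %r is ignored" % name))
    for name in duplicates:
        findings.append(("warning", "duplicate directive %r is ignored" % name))
    if "default-src" not in directives:
        # Without default-src, every fetch directive that is not set is unrestricted.
        unrestricted = sorted(FETCH_DIRECTIVES - set(directives))
        if unrestricted:
            findings.append(("warning", "no default-src; unrestricted: %s"
                             % ", ".join(unrestricted)))
    if "report-uri" not in directives:
        findings.append(("info", "no report-uri; violations will not be reported"))
    return findings


# Constructed sample with one misspelled and one repeated directive.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example; "
                 "scrpt-src 'unsafe-inline'; img-src *; report-uri /csp-report; "
                 "img-src 'self'")

if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(severity.upper(), message)
```

Running the block on SAMPLE_POLICY reports the misspelled scrpt-src as an error and the second img-src as a warning; the effective img-src remains "*" because the first occurrence wins. Feeding it a header captured from your own deployment is the quickest way to check that the policy the browser enforces is the one you intended to write.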

Proposals for Version 1.1

These directives have been proposed for inclusion in CSP 1.1:

  • <meta> tag strawman spec
  • More granular source expressions (file-level paths) strawman spec
  • A script interface for reading policy details: strawman spec
  • form-action (Restricts URLs that can be used as actions for forms) strawman spec
  • script-nonce strawman spec
  • plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) strawman spec
  • reflected-xss (Folds X-XSS-Protection into CSP) strawman spec
  • Using script-sample from Mozilla's original implementation in CSP reports (useful for false positive detection, provide signatures of payloads for WAFs, and generally more informative)
  • Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')
  • Restriction on cookie scope - strawman spec

Experimental

Various folks are experimenting with these directives. If one or more of them proves useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security, and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guarantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.

Implementations