Content Security Policy

Directives

A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are included in CSP 1.0.

  • default-src
  • script-src
  • object-src
  • img-src
  • media-src
  • style-src
  • frame-src
  • font-src
  • connect-src
  • report-uri
  • sandbox (optional)
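To make the structure described above concrete, here is an added example (not code from the wiki page or from any CSP implementation) that parses a Content-Security-Policy header into its directives, labels each directive against the CSP 1.0 list above, and resolves the default-src fallback that the *-src directives use. The sample headers in the block are constructed for illustration.

```python
"""Added example, not part of the original wiki page: a small parser for
Content-Security-Policy header values, classifying each directive against
the CSP 1.0 directive list. Sample headers below are constructed."""
from __future__ import annotations

# Directive names from the CSP 1.0 list on the page.
CSP_1_0_DIRECTIVES = frozenset({
    "default-src", "script-src", "object-src", "img-src", "media-src",
    "style-src", "frame-src", "font-src", "connect-src", "report-uri",
    "sandbox",
})


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive-name: [values]}.

    Directives are separated by ';'. Within a directive the name comes first,
    followed by whitespace-separated values (source expressions, a report URI,
    or sandbox flags). Names are case-insensitive, so they are lower-cased.
    If the same directive appears more than once, only the first occurrence
    is kept, which is how CSP user agents treat duplicates.
    """
    policy: dict[str, list[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue  # empty segment, e.g. a trailing ';'
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: first one wins
        policy[name] = tokens[1:]
    return policy


def classify_directives(header: str) -> dict[str, str]:
    """Label each directive 'csp-1.0' if it is in the 1.0 list, else 'other'
    (proposed, experimental, or simply unknown to this parser)."""
    return {
        name: ("csp-1.0" if name in CSP_1_0_DIRECTIVES else "other")
        for name in parse_csp(header)
    }


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that governs `directive`.

    The fetch directives (script-src, img-src, ...) fall back to default-src
    when they are not set explicitly; report-uri and sandbox have no fallback.
    Returns None when nothing in the policy applies.
    """
    if directive in policy:
        return policy[directive]
    if directive.endswith("-src") and directive != "default-src":
        return policy.get("default-src")
    return None


# Constructed sample headers (hostnames are placeholders, not real sites).
SAMPLE_HEADERS = {
    "typical": ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                "report-uri /csp-report; script-nonce abc123"),
    "duplicate": "script-src 'self'; script-src 'unsafe-inline'",
}


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        policy = parse_csp(header)
        print(label, classify_directives(header))
        for d in ("script-src", "img-src", "report-uri"):
            print(f"  {d}: {effective_sources(policy, d)}")
```

Running the block shows that script-nonce (a 1.1 proposal on this page) is reported as 'other', that img-src inherits the 'self' source list from default-src, and that the second script-src in the 'duplicate' header is discarded rather than merged.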

Proposals for Version 1.1

These directives have been proposed for inclusion in CSP 1.1:

  • <meta> tag strawman spec
  • More granular source expressions (file-level paths) strawman spec
  • A script interface for reading policy details: strawman spec
  • form-action (Restricts URLs that can be used as actions for forms) strawman spec
  • script-nonce strawman spec
  • plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) strawman spec
  • reflected-xss (Folds X-XSS-Protection into CSP) strawman spec
  • Using script-sample from Mozilla's original implementation in CSP reports (useful for false positive detection, provide signatures of payloads for WAFs, and generally more informative)
  • Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')
  • Restriction on cookie scope - strawman spec

Experimental

Various folks are experimenting with these directives. If one or more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security, and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guarantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.

Implementations