From Web Security

Contents 1 Content Security Policy 1.1 Directives 1.1.1 Version 1.0 1.1.2 Proposals for Version 1.1 1.1.3 Experimental 1.2 Implementations

Content Security Policy

• Current editor's draft
• Use Cases
• Test Assertions

Directives

A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are included in CSP 1.0.

• default-src
• script-src
• object-src
• img-src
• media-src
• style-src
• frame-src
• font-src
• connect-src
• report-uri
• sandbox (optional)

Proposals for Version 1.1

These directives have been proposed for inclusion in CSP 1.1:

• <meta> tag strawman spec
• More granular source expressions (file-level paths) strawman spec
• A script interface for reading policy details: strawman spec
• form-action (Restricts URLs that can be used as actions for forms) strawman spec
• script-nonce strawman spec
• plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) strawman spec
• reflected-xss (Folds X-XSS-Protection into CSP) strawman spec
• Using script-sample from Mozilla's original implementation in CSP reports (useful for false positive detection, provide signatures of payloads for WAFs, and generally more informative)
• Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')

Experimental

Various folks are experimenting with these directives. If one of more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.

• allow-modification (Allows modification of the CSP policy while the page is running. See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
• no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
• no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
• script-hash [contains a list of the digests of loadable scripts.]
• no-user-js (Protect against self-xss)
• Option to restrict script-src (or all directives?) to sources with specific content-types.
• An option to allow seamless with parent?
• jsonp-src and jsonp-sink
• referrer (see http://wiki.whatwg.org/wiki/Meta_referrer )
• policy-uri
• This wiki page contains a bunch of brainstorming that might lead to useful directive ideas

Implementations

• WebKit implementation is now (roughly) feature-complete; by Adam Barth 11-May-2011
• Firefox implementation is also (roughly) feature-complete
• Internet Explorer 10 Platform Preview has a partial implementation