From Web Security

Contents 1 Content Security Policy 1.1 Directives 1.1.1 Version 1.0 1.1.2 Proposals for Version 1.1 1.1.3 Experimental 1.2 Implementations

Content Security Policy

• Current editor's draft
• Use Cases

Directives

A Content-Security-Policy consists of a number of directives. This section lists the maturity level of the directives the working group is currently aware of.

Version 1.0

These directives are currently slated for inclusion in CSP 1.0.

• default-src
• script-src
• object-src
• img-src
• media-src
• style-src
• frame-src
• font-src
• connect-src
• report-uri

Proposals for Version 1.1

This directives have been proposed for inclusion in CSP 1.1.

• sandbox (Might get moved to 1.0; see ISSUE-6)
• A DOM API for reading the policy? Maybe just a bit about whether eval is turned on? Proposal: https://mikewest.org/2012/05/content-security-policy-feature-detection
• script-nonce
• frame-ancestor and/or frame-options (should coordinate with the IETF websec working group)
• form-action (Restricts the URIs that can be used as actions for forms)
• plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page)
• More granular source like (e.g., by directory)
• <meta> tag

Experimental

Various folks are experimenting with these directives. If one of more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security and cross-posting is encouraged.

If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.

• allow-modification (Allows modification of the CSP policy while the page is running. See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
• no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
• no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
• script-hash [contains a list of the digests of loadable scripts.]
• no-user-js (Protect against self-xss)
• Option to restrict script-src (or all directives?) to sources with specific content-types.
• An option to allow seamless with parent?
• jsonp-src and jsonp-sink
• referrer (see http://wiki.whatwg.org/wiki/Meta_referrer )
• policy-uri
• This wiki page contains a bunch of brainstorming that might lead to useful directive ideas

Implementations

• WebKit implementation is now (roughly) feature-complete; by Adam Barth 11-May-2011
• Firefox implementation is also (roughly) feature-complete
• Internet Explorer 10 Platform Preview has a partial implementation