Content Security Policy
Content Security Policy
- Current editor's draft
- Use Cases
- Test Assertions
Directives
A Content-Security-Policy header consists of a number of directives. This section lists the maturity level of each directive the working group is currently aware of.
Version 1.0
These directives are included in CSP 1.0.
- default-src
- script-src
- object-src
- img-src
- media-src
- style-src
- frame-src
- font-src
- connect-src
- report-uri
- sandbox (optional)
Proposals for Version 1.1
These directives have been proposed for inclusion in CSP 1.1:
- <meta> tag strawman spec
- More granular source expressions (file-level paths) strawman spec
- A script interface for reading policy details: strawman spec
- form-action (Restricts URLs that can be used as actions for forms) strawman spec
- script-nonce strawman spec
- plugin-types (Provides a whitelist of MIME types for plugins that can be instantiated on this page) strawman spec
- reflected-xss (Folds X-XSS-Protection into CSP) strawman spec
- Using script-sample from Mozilla's original implementation in CSP reports (useful for false-positive detection, provides payload signatures for WAFs, and is generally more informative)
- Some sort of DOM event (perhaps 'scriptpolicyviolation' triggered on 'document')
- Restriction on cookie scope - strawman spec
Experimental
Various folks are experimenting with these directives. If one or more of them prove useful, you can propose including them in a version of CSP by sending an email to public-webappsec. Historically, discussion of CSP has taken place at public-web-security, and cross-posting is encouraged.
If you're experimenting with a directive, please feel encouraged to list the directive here and link to a description. Listing your directive here is not a guarantee that other folks won't appropriate its name for another purpose, but it certainly can help avoid that problem.
- allow-modification (Allows modification of the CSP policy while the page is running. See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0008.html)
- no-external-navigation (See http://lists.w3.org/Archives/Public/public-webappsec/2011Dec/0016.html)
- no-mixed-content (A simplified directive for blocking mixed content; also includes all child frames.)
- script-hash (Contains a list of the digests of loadable scripts.)
- no-user-js (Protects against self-XSS)
- Option to restrict script-src (or all directives?) to sources with specific content-types.
- An option to allow seamless with parent?
- jsonp-src and jsonp-sink
- referrer (see http://wiki.whatwg.org/wiki/Meta_referrer)
- policy-uri
- This wiki page contains a bunch of brainstorming that might lead to useful directive ideas
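As an added example (not code from this wiki page or from any of the implementations it lists), the following JavaScript parses a policy header into its directives, applies the default-src fallback, and tags each directive with the maturity level the three lists above assign it; the sample header, its values and the `frobnicate-src` name are constructed for illustration.

```javascript
// Directive names grouped by the maturity levels listed on this page.
const CSP_1_0 = new Set(["default-src", "script-src", "object-src", "img-src",
  "media-src", "style-src", "frame-src", "font-src", "connect-src",
  "report-uri", "sandbox"]);
const CSP_1_1_PROPOSED = new Set(["form-action", "script-nonce", "plugin-types",
  "reflected-xss"]);
const EXPERIMENTAL = new Set(["allow-modification", "no-external-navigation",
  "no-mixed-content", "script-hash", "no-user-js", "jsonp-src", "jsonp-sink",
  "referrer", "policy-uri"]);

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. Directives are
// separated by ';'; the first token is the name, the rest the value.
// A repeated name is ignored: the first occurrence wins (CSP 1.0 behaviour).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive: its own list if present,
// otherwise default-src; null when neither is set (the type is unrestricted).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.get("default-src") || null;
}

// Tag each directive with the maturity level from the lists above, so a
// reviewer can spot proposed or experimental names a browser may ignore.
function classifyDirectives(directives) {
  const levels = {};
  for (const name of directives.keys()) {
    if (CSP_1_0.has(name)) levels[name] = "csp-1.0";
    else if (CSP_1_1_PROPOSED.has(name)) levels[name] = "proposed-1.1";
    else if (EXPERIMENTAL.has(name)) levels[name] = "experimental";
    else levels[name] = "unknown";
  }
  return levels;
}

// Constructed sample header (not from the page): a duplicate script-src,
// one proposed directive, one experimental directive and an unknown one.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "script-src 'unsafe-inline'; script-nonce n0nce; script-hash PLACEHOLDER-DIGEST; " +
  "report-uri /csp-report; frobnicate-src x";
```

The duplicate `script-src` in the sample is dropped rather than merged, so the `'unsafe-inline'` it carries never takes effect; `img-src` falls back to `default-src`.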
Implementations
- WebKit implementation is now (roughly) feature-complete (Adam Barth, 11-May-2011)
- Firefox implementation is also (roughly) feature-complete
- Internet Explorer 10 Platform Preview has a partial implementation