Copyright © 2011-2013 W3C® (MIT, ERCIM, Keio, Beihang), All Rights Reserved. W3C liability, trademark and document use rules apply.
This document defines a policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This document describes an evolution of the Content-Security-Policy 1.0 specification. Version 1.1 is backwards compatible with 1.0 and adds support for a number of new directives that web sites can use to ease deployment of Content-Security-Policy and to improve security.
In addition to the documents in the W3C Web Application Security working group, the work on this document is also informed by the work of the IETF websec working group, particularly that working group's requirements document: draft-hodges-websec-framework-reqs.
This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to public-webappsec@w3.org (subscribe, archives). All feedback is welcome.
Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This section is non-normative.
This document defines Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application inform the client about the sources from which the application expects to load resources.
To mitigate XSS attacks, for example, a web application can declare that it only expects to load script from specific, trusted sources. This declaration allows the client to detect and block malicious scripts injected into the application by an attacker.
Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities. Instead, CSP is best used as defense-in-depth, to reduce the harm caused by content injection attacks.
There is often a non-trivial amount of work required to apply CSP to an existing web application. To reap the greatest benefit, authors will need to move all inline script and style out-of-line, for example into external scripts, because the user agent cannot determine whether an inline script was injected by an attacker.
To take advantage of CSP, a web application opts into using CSP by
supplying a Content-Security-Policy
HTTP header. Such
policies apply to the current resource representation only. To supply a
policy for an entire site, the server needs to supply a policy with each
resource representation.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words must, must not, required, should, should not, recommended, may, and optional in this specification are to be interpreted as described in [RFC2119].
Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.
A conformant user agent must implement all the requirements listed in this specification that are applicable to user-agents.
A conformant server must implement all the requirements listed in this specification that are applicable to servers.
This section defines several terms used throughout the document.
The term security policy, or simply policy, for the purposes of this specification refers to either:
The security policies defined by this document are applied by a user agent on a per-resource representation basis. Specifically, when a user agent receives a policy along with the representation of a given resource, that policy applies to that resource representation only. This document often refers to that resource representation as the protected resource.
A server transmits its security policy for a particular protected
resource as a collection of directives, such as
default-src 'self'
, each of which declares a specific set
of restrictions for that resource as instantiated by the user agent.
More details are provided in the directives
section.
A directive consists of a directive name, which indicates the privileges controlled by the directive, and a directive value, which specifies the restrictions the policy imposes on those privileges.
The term origin is defined in the Origin specification. [RFC6454]
The term globally unique identifier is defined in section 4 of the Origin specification. [RFC6454]
The term URI is defined in the URI specification. [URI]
The term resource representation is defined in the HTTP 1.1 specification. [HTTP11]
The term JSON object is defined in the JSON specification. [RFC4627]
The <script>
, <object>
, <embed>
,
<img>
, <video>
, <audio>
,
<source>
, <track>
,
<link>
, <applet>
, <frame>
and <iframe>
elements are defined in the HTML5 specification. [HTML5]
A plugin is defined in the HTML5 specification. [HTML5]
The @font-face
Cascading Style Sheets (CSS) rule is defined in the
CSS Fonts Module Level 3 specification. [CSS3FONT]
The XMLHttpRequest
object is defined in the XMLHttpRequest
specification. [XMLHTTPREQUEST]
The WebSocket
object is defined in the WebSocket
specification. [WEBSOCKETS]
The EventSource
object is defined in the EventSource
specification. [EVENTSOURCE]
The Augmented Backus-Naur Form (ABNF) notation used in this document is specified in RFC 5234. [ABNF]
This document also uses the ABNF extension "#rule" as defined in HTTP 1.1. [HTTP11]
The following core rules are included by reference, as defined in
[ABNF Appendix B.1]:
ALPHA
(letters), DIGIT
(decimal
0-9), WSP
(white space) and VCHAR
(printing
characters).
This section defines the general framework for content security policies, including the delivery mechanisms and general syntax for policies. The next section contains the details of the specific directives introduced in this specification.
The server delivers the policy to the user agent via an HTTP response header.
Content-Security-Policy
Header FieldThe Content-Security-Policy
header field is the
preferred mechanism for delivering a CSP policy.
"Content-Security-Policy:" 1#policy
A server may send more than one HTTP header field named
Content-Security-Policy
with a given resource
representation.
A server may send different Content-Security-Policy
header field values with different representations of the same
resource or with different resources.
Upon receiving an HTTP response containing at least one
Content-Security-Policy
header field, the user agent
must enforce each of the policies contained
in each such header field.
Content-Security-Policy-Report-Only
Header FieldThe Content-Security-Policy-Report-Only
header field
lets servers experiment with policies by monitoring (rather than
enforcing) a policy.
"Content-Security-Policy-Report-Only:" 1#policy
For example, a server operators might wish to develop their
security policy iteratively. The operators can deploy a report-only
policy based on their best estimate of how their site behaves. If
their site violates this policy, instead of breaking the site, the
user agent will send violation reports to a URI specified in the
policy. Once a site has confidence that the policy is appropriate,
they start enforcing the policy using the
Content-Security-Policy
header field.
A server may send more than one HTTP header field named
Content-Security-Policy-Report-Only
with a given
resource representation.
A server may send different
Content-Security-Policy-Report-Only
header field values
with different representations of the same resource or with different
resources.
Upon receiving an HTTP response containing at least one
Content-Security-Policy-Report-Only
header field, the
user agent must monitor each of the policies
contained in each such header field.
meta
Element (Experimental)The server may supply a CSP policy in an HTML meta
element with an http-equiv
attribute that is a case
insensitive match for either Content-Security-Policy
or
Content-Security-Policy-Report-Only
.
Add the following entries to the pragma
directives for the meta
element:
http-equiv="content-security-policy"
)meta
element lacks a
content
attribute, abort these steps.content
attribute of the meta
element.http-equiv="content-security-policy-report-only"
)meta
element lacks a
content
attribute, abort these steps.content
attribute of the meta
element.As a consequence of these requirements, a policy supplied in an
HTTP header field takes precedence over policies supplied in
meta
elements. Similarly, the above requirements entail
that the first meta
element containing a policy takes
precedence over policies supplied in subsequent meta
elements.
TODO: Turn the bullets below into actual spec text.
meta
element needs to be
in document's head. This requirement makes it harder for folks to
inject CSP policies into vulnerable documents.report-uri
directive in CSP policies
obtained from meta
elements. This requirement
mitigates one attack that might result from an injected policy.
It also provides a carrot for supplying the policy in an HTTP
header, which is better for security.meta
element as early as possible in their document to reduce the risk
of an attacker injecting another policy in front.meta
elements that get
inserted after the document's readyState reaches "interactive".
This requirement further mitigates the risk of the
meta
element being injected. (Is this requirement
still useful in light of the above mitigations?)This section is non-normative.
The above sections note that when multiple policies are present,
each must be enforced or reported, according to its type. An example
will help clarify how that ought to work in practice. The behavior of
an XMLHttpRequest
might seem unclear given a site
that, for whatever reason, delivered the following HTTP headers:
Content-Security-Policy: default-src 'self' http://example.com http://example.net; connect-src 'none'; Content-Security-Policy: connect-src http://example.com/; script-src http://example.com/
Is a connection to example.com
allowed or not? The
short answer is that the connection is not allowed. Enforcing both
policies means that a potential connection would have to pass through
both unscathed. Even though the second policy would allow this
connection, the first policy contains connect-src 'none'
,
so its enforcement blocks the connection. The impact is that adding
additional policies to the list of policies to enforce can only
further restrict the capabilities of the protected resource.
To demonstrate that further, consider a script tag on this page.
The first policy would lock scripts down to 'self'
,
http://example.com
and http://example.net
via the default-src
directive. The second, however, would
only allow script from http://example.com/
. Script will
only load if it meets both policy's criteria: in this case, the only
origin that can match is http://example.com
, as both
policies allow it.
A CSP policy consists of a U+003B SEMICOLON
(;
) delimited list of directives:
policy = [ directive *( ";" [ directive ] ) ]
Each directive consists of a directive-name and (optionally) a directive-value:
directive = *WSP [ directive-name [ WSP directive-value ] ] directive-name = 1*( ALPHA / DIGIT / "-" ) directive-value = *( WSP / <VCHAR except ";" and ","> )
To parse a CSP policy policy, the user agent must use an algorithm equivalent to the following:
;
):
Many CSP directives use a value consisting of a source list.
Each source expression in the source list represents a
location from which content of the specified type can be retrieved.
For example, the source expression 'self'
represents
the set of URIs which are in the same origin as the protected
resource and the source expression 'unsafe-inline'
represents content supplied inline in the resource itself.
source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ] / *WSP "'none'" *WSP source-expression = scheme-source / host-source / keyword-source / nonce-source scheme-source = scheme ":" host-source = [ scheme "://" ] host [ port ] [ path ] keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" nonce-source = "'nonce-" nonce-value "'" nonce-value = *( ALPHA / DIGIT ) scheme = <scheme production from RFC 3986, section 3.1> host = "*" / [ "*." ] 1*host-char *( "." 1*host-char ) host-char = ALPHA / DIGIT / "-" path = <path production from RFC 3986, section 3.3> port = ":" ( 1*DIGIT / "*" )
If the policy contains a nonce-source
expression, the
server must generate a fresh value for the nonce-value
directive at random and independently each time it transmits a policy.
This requirement ensures that the nonce-value
is difficult
for an attacker to predict.
To parse a source list source list, the user agent must use an algorithm equivalent to the following:
'none'
(including the quotation
marks), return the empty set.source-expression
, add the token to the
set of source expressions.Note that characters like U+003B SEMICOLON (;
) and
U+002C COMMA (,
) cannot appear in source expressions
directly: if you'd like to include these characters in a source
expression, they must be percent encoded
as %3B
and %2C
respectively.
To check whether a URI matches a source expression, the user agent must use an algorithm equivalent to the following:
*
), then return does match.scheme-source
:
scheme
, return does
match.host-source
:
/
).scheme
that is
not a case insensitive match for uri-scheme, then
return does not match.HTTP
, and
uri-scheme is not a case
insensitive match for either HTTP
or
HTTPS
HTTP
, and uri-scheme is
not a case insensitive match
for the scheme of the protected resource's URI.host
is an U+002A ASTERISK character
(*
) and the remaining characters, including the
leading U+002E FULL STOP character (.
), are not a
case insensitive match for the rightmost characters of
uri-host, then return does not match.host
, then return
does not match.port
and uri-port is not the default
port for uri-scheme, then return does not
match.port
,
then return does not match if
port
does not contain
an U+002A ASTERISK character (*
), andport
does not
represent the same number as uri-port.path
, then:
path
's percent-encoded characters./
), and
decoded-path is not a prefix of
uri-path, then return does not
match./
),
and decoded-path is not an exact match for
uri-path then return does not
match.'self'
(including the quotation marks),
then:
blob
scheme, for instance.A URI matches a source
list, if, and only if, the URI matches at least one source
expression in the set of source expressions obtained by parsing the source list. Notice that
no URIs match an empty set of source expressions, such as the set
obtained by parsing the source list 'none'
.
This section is non-normative.
The rules for matching source expressions that contain paths are simpler than they look: paths that end with the '/' character match all files in a directory and its subdirectories. Paths that do not end with the '/' character match only one specific file. A few examples should make this clear:
example.com
has no path,
and therefore matches any file served from that host.example.com/scripts/
matches any file in the scripts
directory of
example.com
, and any of its subdirectories. For
example, both https://example.com/scripts/file.js
and https://example.com/scripts/js/file.js
would
match.example.com/scripts/file.js
matches only the file
named file.js
in the scripts
directory
of example.com
.example.com/js
matches only the file named js
. In particular, note
that it would not match files inside a directory named
js
. Files like example.com/js/file.js
would be matched only if the source expression ended with a
trailing "/", as in example.com/js/
.Note that query strings have no impact on matching: the source
expression example.com/file?key=value
matches all of
https://example.com/file
,
https://example.com/file?key=value
,
https://example.com/file?key=notvalue
, and
https://example.com/file?notkey=notvalue
.
An element has a valid nonce for a set of source expressions
if the value of the nonce
attribute of the element after stripping
leading and trailing whitespace is a case-sensitive match for the
nonce-value
component of at least one nonce-source
expression in the set of source expressions.
The experimental
plugin-types
directive uses a value consisting of a media type list.
Each media type in the media type list represents a specific type of resource that can be retrieved and used to instantiate a plugin in the protected resource.
media-type-list = media-type *( 1*WSP media-type ) media-type = <type from RFC 2045> "/" <subtype from RFC 2045>
To parse a media type list media type list, the user agent must use an algorithm equivalent to the following:
media-type
, add the token to the
set of media types. Otherwise ignore the token.A media type matches a media type list if, and only if, the media type is a case-insensitive match for at least one token in the set of media types obtained by parsing the media type list.
To strip uri
for reporting, the user agent
must use an algorithm equivalent to the following:
data
, blob
, or file
), then
abort these steps, and return the ASCII serialization of uri's scheme.To generate a violation report object, the user agent must use an algorithm equivalent to the following:
default-src
directive.default-src
directive
in the case of violations caused by falling back to the
default sources when enforcing
a directive.script-src
directive), the user agent may add the
following keys and values to violation:
source-file
on which
the violation occurred.source-file
on which
the violation occurred.To send violation reports, the user agent must use an algorithm equivalent to the following:
csp-report
, whose value is the result of
generating a violation report object.POST
, with
a Content-Type
header field of application/json
with an entity body consisting of report body. If the origin of
report URI is not the same as the origin of the protected
resource, the block cookies flag must also be set. The
user agent must not follow redirects when fetching this
resource. (Note: The user agent ignores the fetched resource.)To report a violation, the user agent must:
Document
, andTo enforce a CSP policy, the user agent must parse the policy and enforce each of the directives contained in the policy, where the specific requirements for enforcing each directive are defined separately for each directive (See Directives, below).
Generally speaking, enforcing a directive prevents the protected resource from performing certain actions, such as loading scripts from URIs other than those indicated in a source list. These restrictions make it more difficult for an attacker to abuse an injection vulnerability in the resource because the attacker will be unable to usurp the resource's privileges that have been restricted in this way.
Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.
To monitor a CSP policy, the user agent must parse the policy and monitor each of the directives contained in the policy.
Monitoring a directive does not prevent the protected resource from undertaking any actions. Instead, any actions that would have been prevented by the directives are instead reported to the developer of the web application. Monitoring a CSP policy is useful for testing whether enforcing the policy will cause the web application to malfunction.
A server may cause user agents to monitor one policy while enforcing
another policy by returning both Content-Security-Policy
and Content-Security-Policy-Report-Only
header fields.
For example, if a server operator is using one policy but wishes to
experiment with a stricter policy, the server operator can monitor
the stricter policy while enforcing the original policy. Once the
server operator is satisfied that the stricter policy does not break
the web application, the server operator can start enforcing the
stricter policy.
If the user agent monitors or enforces a CSP policy that does not contain any directives, the user agent should report a warning message in the developer console.
If the user agent monitors or enforces a CSP policy that contains an unrecognized directive, the user agent should report a warning message in the developer console indicating the name of the unrecognized directive.
Whenever a user agent runs a worker: [WEBWORKERS]
Whenever a user agent creates a an
iframe
srcdoc
document in a browsing
context nested in the protected resource, if the user agent is
enforcing any CSP policies for the protected resource, the user agent
must enforce those CSP policies on the
iframe
srcdoc
document as well.
Whenever a user agent creates a an
iframe
srcdoc
document in a browsing
context nested in the protected resource, if the user agent is
monitoring any CSP policies for the protected resource, the user agent
must monitor those CSP policies on the
iframe
srcdoc
document as well.
SecurityPolicyViolationEvent
Events[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
interface SecurityPolicyViolationEvent : Event {
readonly attribute DOMString documentURI;
readonly attribute DOMString referrer;
readonly attribute DOMString blockedURI;
readonly attribute DOMString violatedDirective;
readonly attribute DOMString effectiveDirective;
readonly attribute DOMString originalPolicy;
readonly attribute DOMString sourceFile;
readonly attribute long lineNumber;
readonly attribute long columnNumber;
};
blockedURI
of type DOMString, readonlyblocked-uri
property of violation reports for a description of this property.columnNumber
of type long, readonlycolumn-number
property of violation reports for a description of this property.documentURI
of type DOMString, readonlydocument-uri
property of violation reports for a description of this property.effectiveDirective
of type DOMString, readonlyeffective-directive
property of violation reports for a description of this property.lineNumber
of type long, readonlyline-number
property of violation reports for a description of this property.originalPolicy
of type DOMString, readonlyoriginal-policy
property of violation reports for a description of this property.referrer
of type DOMString, readonlyreferrer
property of violation reports for a description of this property.sourceFile
of type DOMString, readonlysource-file
property of violation reports for a description of this property.violatedDirective
of type DOMString, readonlyviolated-directive
property of violation reports for a description of this property.dictionary SecurityPolicyViolationEventInit : EventInit {
DOMString documentURI;
DOMString referrer;
DOMString blockedURI;
DOMString violatedDirective;
DOMString effectiveDirective;
DOMString originalPolicy;
DOMString sourceFile;
long lineNumber;
long columnNumber;
};
SecurityPolicyViolationEventInit
MembersblockedURI
of type DOMStringblocked-uri
property of violation reports for a description of this property.columnNumber
of type longline-number
property of violation reports for a description of this property.documentURI
of type DOMStringdocument-uri
property of violation reports for a description of this property.effectiveDirective
of type DOMStringeffective-directive
property of violation reports for a description of this property.lineNumber
of type longline-number
property of violation reports for a description of this property.originalPolicy
of type DOMStringoriginal-policy
property of violation reports for a description of this property.referrer
of type DOMStringreferrer
property of violation reports for a description of this property.sourceFile
of type DOMStringsource-file
property of violation reports for a description of this property.violatedDirective
of type DOMStringviolated-directive
property of violation reports for a description of this property.SecurityPolicyViolationEvent
interfaceTo fire a violation event, the user agent must use an algorithm equivalent to the following:
securitypolicyviolation
using the SecurityPolicyViolationEvent
interface
with the following initializations:
blockedURI
must be initialized to the value of report object's blocked-uri
key.documentURI
must be initialized to the value of report object's document-uri
key.effectiveDirective
must be initialized to the value of report object's effective-directive
key.originalPolicy
must be initialized to the value of report object's original-policy
key.referrer
must be initialized to the value of report object's referrer
key.violatedDirective
must be initialized to the value of report object's violated-directive
key.sourceFile
must be initialized to the value of report object's source-file
key.lineNumber
must be initialized to the value of report object's line-number
key.columnNumber
must be initialized to the value of report object's column-number
key.The task source for the queued task is the DOM manipulation task source.
partial interface Document {
readonly attribute SecurityPolicy
securityPolicy;
attribute EventHandler onsecuritypolicyviolation;
};
onsecuritypolicyviolation
of type EventHandlersecuritypolicyviolation
events.securityPolicy
of type SecurityPolicy
, readonlyLet the active CSP policies be the set of CSP policies the user agent is currently enforcing for the associated document.
interface SecurityPolicy {
readonly attribute bool allowsEval;
readonly attribute bool allowsInlineScript;
readonly attribute bool allowsInlineStyle;
readonly attribute bool isActive;
};
allowsEval
of type bool, readonlyand
of whether
the source expression 'unsafe-eval'
is present in the
allowed script sources
of each of the active CSP
policies.allowsInlineScript
of type bool, readonlyand
of whether
the source expression 'unsafe-inline'
is present in the
allowed script sources
of each of the active CSP
policies.allowsInlineStyle
of type bool, readonlyand
of whether
the source expression 'unsafe-inline'
is present in the
allowed style sources
of each of the active CSP
policies.isActive
of type bool, readonlytrue
if the set of
active CSP policies is
non-empty, and false
otherwise.This section is non-normative.
The script interface described here serves as a feature detection API that developers can use in order to make intelligent decisions about code that executes on a page based on the page's active policy. This is especially important for developers of libraries or frameworks which are meant to be used on a variety of sites in unknown contexts.
A few use-cases follow for illustration:
Does the user agent support CSP?
var isCSPSupported = "securityPolicy" in document;
Is a policy active on the current page? If
not, perhaps one should be injected via the
(experimental)
meta
element.
var isCSPActive = document.securityPolicy.isActive;
Can I use new Function();
or
eval()
? Some libraries use these dangerous
methods for performance optimizations. If they are unavailable,
the library could gracefully fall back to a less performant (but
safer) mechanism.
var isEvalAvailable = document.securityPolicy.allowsEval;
This section describes the content security policy directives introduced in this specification.
In order to protect against Cross-Site Scripting (XSS), web application authors should include
script-src
and object-src
directives, ordefault-src
directive, which covers both
scripts and plugins.In either case, authors should not include either
'unsafe-inline'
or data:
as valid sources in
their policies. Both enable XSS attacks by allowing code to be included
directly in the document itself; they are best avoided completely.
connect-src
The connect-src
directive restricts which URIs the
protected resource can load using script interfaces. The syntax for
the name and value of the directive are described by the following ABNF
grammar:
directive-name = "connect-src" directive-value = source-list
The term allowed connection targets refers to the result of
parsing the connect-src
directive's value as a source list if the policy contains an
explicit connect-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed connection targets, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
open()
method of an XMLHttpRequest
object.WebSocket
constructor.EventSource
constructor.This section is non-normative.
JavaScript offers a few mechanisms that directly connect to an
external server to send or receive information.
EventSource
maintains an open HTTP connection to a server
in order to receive push notifications, WebSockets
open a bidirectional communication channel between your browser and a
server, and XMLHttpRequest
makes arbitrary HTTP requests
on your behalf. These are powerful APIs that enable useful
functionality, but also provide tempting avenues for data
exfiltration.
The connect-src
directive allows you to ensure that
these sorts of connections are only opened to origins you trust.
Sending a policy that defines a list of source expressions for this
directive is straightforward. For example, to limit connections to
only example.com
, send the following header:
Content-Security-Policy: connect-src example.com
All of the following will fail with the preceeding directive in place:
new WebSocket("wss://evil.com/");
(new XMLHttpRequest()).open("GET", "https://evil.com/", true);
new EventSource("https://evil.com");
default-src
The default-src
directive sets a default source list
for a number of directives. The syntax for the name and value of the
directive are described by the following ABNF grammar:
directive-name = "default-src" directive-value = source-list
Let the default sources be the result of parsing the default-src
directive's value as a source list.
To enforce the default-src
directive, the user agent
must enforce the following directives:
If not specified explicitly in the policy, the directives listed above will use the default sources.
This section is non-normative.
default-src
, as the name implies, serves as a default
source list which the other source list-style directives will use as
a fallback if they're not otherwise explicitly set. That is, consider
the following policy declaration:
Content-Security-Policy: default-src 'self'
Under this policy, fonts, frames, images, media, objects, scripts, and styles will all only load from the same origin as the protected resource, and connections will only be made to the same origin. Adding a more specific declaration to the policy would completely override the default source list for that resource type.
Content-Security-Policy: default-src 'self'; script-src example.com
Under this new policy, fonts, frames, and etc. continue to be load
from the same origin, but scripts will only load from
example.com
. There's no inheritance; the
script-src
directive sets the allowed sources of script,
and the default list is not used for that resource type.
Given this behavior, one good way of building a policy for a site
would be to begin with a default-src
of
'none'
, and to build up a policy from there that contains
only those resource types which are actually in use for the page you'd
like to protect. If you don't use webfonts, for instance, there's no
reason to specify a source list for font-src
; specifying
only those resource types a page uses ensures that the possible attack
surface for that page remains as small as possible.
font-src
The font-src
directive restricts from where the
protected resource can load fonts. The syntax for the name and value
of the directive are described by the following ABNF grammar:
directive-name = "font-src" directive-value = source-list
The term allowed font sources refers to the result of
parsing the font-src
directive's value as a source list if the policy contains an
explicit font-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed font sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
@font-face
Cascading Style Sheets (CSS) rule.frame-src
The frame-src
directive restricts from where the
protected resource can embed frames. The syntax for the name
and value of the directive are described by the following ABNF
grammar:
directive-name = "frame-src" directive-value = source-list
The term allowed frame sources refers to the result of
parsing the frame-src
directive's value as a source list if the policy contains an
explicit frame-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed frame sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
iframe
or
a frame
element.img-src
The img-src
directive restricts from where the
protected resource can load images. The syntax for the name and value
of the directive are described by the following ABNF grammar:
directive-name = "img-src" directive-value = source-list
The term allowed image sources refers to the result of
parsing the img-src
directive's value as a source list if the policy contains an
explicit img-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed image sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
src
attribute of an img
elements,
the url()
or image()
values on any
Cascading Style Sheets (CSS)
property that is capable of loading an image [CSS3-Images], or
the href
attribute of a link
element with
an image-related rel
attribute, such as
icon
.media-src
The media-src
directive restricts from where the
protected resource can load video and audio. The syntax for the name
and value of the directive are described by the following ABNF
grammar:
directive-name = "media-src" directive-value = source-list
The term allowed media sources refers to the result of
parsing the media-src
directive's value as a source list if the policy contains an
explicit media-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed media sources, the user agent must act as if it had received an empty HTTP 400 response:
src
attribute of a video
,
audio
, source
, or track
elements.object-src
The object-src
directive restricts from where the
protected resource can load plugins. The syntax for the name and value
of the directive are described by the following ABNF grammar:
directive-name = "object-src" directive-value = source-list
The term allowed object sources refers to the result of
parsing the object-src
directive's value as a source list if the policy contains an
explicit object-src
, or otherwise to the
default sources.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed object sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
data
attribute of an object
element, the
src
attribute of an embed
elements, or the
code
or archive
attributes of an
applet
element.object
or an
embed
element.It is not required that the consumer of the element's data be a
plugin in order for the object-src
directive to be
enforced. Data for any object
, embed
,
or applet
element must match the allowed object sources in order
to be fetched. This is true even when the
element data is semantically equivalent to content which would otherwise
be restricted by one of the other directives,
such as an object
element with a text/html
MIME type.
Whenever the user agent would load a plugin without an associated
URI (e.g., because the object
element lacked a
data
attribute), if the protected resource's URI does not
match the
allowed object sources, the
user agent must not load the plugin.
report-uri
The report-uri
directive specifies a URI to which the
user agent sends reports about policy violation. The syntax for the
name and value of the directive are described by the following ABNF
grammar:
directive-name = "report-uri" directive-value = uri-reference *( 1*WSP uri-reference ) uri-reference = <URI-reference from RFC 3986>
The set of report URIs is the value of the
report-uri
directive, each resolved relative to the
protected resource's URI.
The process of sending violation reports to the URIs specified in this directive's value is defined in this document's Reporting section
sandbox
The sandbox
directive specifies an HTML sandbox policy
that the user agent applies to the protected resource. The syntax for
the name and value of the directive are described by the following
ABNF grammar:
directive-name = "sandbox" directive-value = token *( 1*WSP token ) token = <token from RFC 2616>
When enforcing the sandbox
directive, the user agent
must parse
the sandboxing directive using the directive-value
as the input and protected resource's
forced sandboxing flag set
as the output. [HTML5]
This section is non-normative.
HTML5 defines a
sandbox
attribute
for iframe
elements, intended to allow web authors to
reduce the risk of including potentially untrusted content by imposing
restrictions on that content's abilities. When the attribute is set,
the content is forced into a unique origin, prevented from submitting
forms, running script, creating or navigating other browsing contexts,
and prevented from running plugins. These restrictions can be loosened
by setting certain flags as the attribute's value.
The sandbox
directive allows any resource, framed or
not, to ask for the same sorts of restrictions to be applied to
itself.
For example, a message board or email system might provide
downloads of arbitrary attachments provided by other users. Attacks
that rely on tricking a client into rendering one of these attachments
could be mitigated by requesting that resources only be rendered in a
very restrictive sandbox. Sending the sandbox
directive
with an empty value establishes such an environment:
Content-Security-Policy: sandbox
More trusted resources might be allowed to run in an environment
with fewer restrictions by adding allow-*
flags to the
directive's value. For example, you can allow a page that you trust
to run script, while ensuring that it isn't treated as same-origin
with the rest of your site. This can be accomplished by sending the
sandbox
directive with the allow-scripts
flag:
Content-Security-Policy: sandbox allow-scripts
The set of flags available to the CSP directive should match those
available to the iframe
attribute. Currently, those
include:
allow-forms
allow-same-origin
allow-scripts
, andallow-top-navigation
Note as well that, like the rest of Content Security Policy, the
sandbox
directive is meant as a defense-in-depth. Web
authors would be well-served to use it in addition to
standard sniffing-mitigation and privilege-reduction techniques.
script-src
The script-src
directive restricts which scripts the
protected resource can execute. The directive also controls other
resources, such as XSLT style sheets [XSLT], which can cause the
user agent to execute script. The syntax for the name and value of
the directive are described by the following ABNF grammar:
directive-name = "script-src" directive-value = source-list
The term allowed script sources refers to the result of
parsing the script-src
directive's value as a source list if the policy contains an
explicit script-src
, or otherwise to the
default sources.
If 'unsafe-inline'
is not in
allowed script sources:
script
element that lacks
a valid nonce for the
allowed script sources,
instead the user agent must not execute script, and must
report a violation.javascript
URI, instead the user agent must not execute
the script, and must report a violation.
(The user agent should ignore this step when processing script
contained in "bookmarklets").If 'unsafe-eval'
is not in
allowed script sources:
eval
and function eval
must throw a security exception. [ECMA-262]Function
must throw a security exception. [ECMA-262]setTimeout
function must return zero without creating a timer.setInterval
function must return zero without creating a timer.The term callable refers to an object whose interface has one or more callers as defined in the Web IDL specification [WEBIDL].
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed script sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
src
attribute
of a script
element that lacks
a valid nonce for the
allowed script sources.Worker
or SharedWorker
constructors.href
attribute of a link
element with a rel
attribute containing the token
import
.<?xml-stylesheet?>
processing directive in an XML
document [XML11], the href
attributes on
<xsl:include>
element, or the href
attributes on <xsl:import>
element.This section is non-normative.
The script-src
directive lets developers specify exactly
which script elements on a page were intentionally included
for execution. Ideally, developers would avoid inline script entirely
and whitelist scripts by URL. However, in some cases, removing inline
scripts can be difficult or impossible. For those cases, developers can
whitelist scripts using a randomly generated nonce.
Usage is straightforward. For each request, the server
generates a unique value at random, and includes it in the
Content-Security-Policy
header:
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-$RANDOM'
This same value is then applied as a nonce
attribute
to each script
element that ought to be executed. For example,
if the server generated the random value Nc3n83cnSAd3wc3Sasdfn939hc3
,
the server would send the following policy:
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
Script elements can then execute either because their src
URLs are whitelisted or because they have an appropriate nonce:
<script> alert("Blocked because the policy doesn't have 'unsafe-inline'.") </script> <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"> alert("Still blocked because nonce is wrong.") </script> <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"> alert("Allowed because nonce is valid.") </script> <script src="https://example.com/allowed-because-of-src.js"></script> <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="https://elsewhere.com/blocked-because-nonce-is-wrong.js"></script> <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3" src="https://elsewhere.com/allowed-because-nonce-is-valid.js"></script>
Note that the nonce's value is not a hash or signature that verifies the contents of the script resources. It's quite simply a random string that informs the user agent which scripts were intentionally included in the page.
Script elements with the proper nonce execute, regardless of whether they're inline or external. Script elements without the proper nonce don't execute unless their URLs are whitelisted. Even if an attacker is able to inject markup into the protected resource, the attack will be blocked by the attacker's inability to guess the random value.
style-src
The style-src
directive restricts which styles the
user applies to the protected resource. The syntax for the name and
value of the directive are described by the following ABNF
grammar:
directive-name = "style-src" directive-value = source-list
The term allowed style sources refers to the result of
parsing the style-src
directive's value as a source list if the policy contains an
explicit style-src
, or otherwise to the
default sources.
If 'unsafe-inline'
is not in
allowed style sources:
style
element that lacks
a valid nonce for the
allowed style sources,
instead the user agent must
ignore the style,
and must report a
violation.style
attribute, instead the user agent
must
ignore the style,
and must report a
violation.Note: These restrictions on inline do not prevent the user agent
from applying style from an external stylesheet (e.g., found via
<link rel="stylesheet">
). The user agent is also
not prevented from applying style from Cascading Style Sheets Object
Model (CSSOM). [CSSOM]
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed style sources, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
href
attribute of a link
element with a
rel
attribute containing the token
stylesheet
or when processing the @import
directive in a stylesheet.Note: The style-src
directive does not restrict the
use of XSLT. XSLT is restricted by the script-src
directive because the security consequences of including an untrusted
XSLT stylesheet are similar to those incurred by including an
untrusted script.
Note that the directives described in this section are strawmen, still subject to active discussion. Caveat implementor.
base-uri
The base-uri
directive restricts the URIs that can be
used to specify a document's base URL.
The syntax for the name and value of the directive are described by
the following ABNF grammar:
directive-name = "base-uri" directive-value = source-list
The term allowed base URIs refers to the result of
parsing the base-uri
directive's value as a source list.
Step 4 of the algorithm defined in HTML5 to obtain a document's base URL must be changed to:
form-action
The form-action
restricts which URIs can be used as the
action of HTML form
elements. The syntax for the name and
value of the directive are described by the following ABNF grammar:
directive-name = "form-action" directive-value = source-list
The term allowed form actions refers to the result of
parsing the form-action
directive's value as a source list.
Whenever the user agent fetches a URI (including when following redirects) in the course of one of the following activities, if the URI does not match the allowed form actions, the user agent must act as if it had received an empty HTTP 400 response and report a violation:
form
element.
Note that form-action
does not fall back to the default
source list when the directive is not defined. That is, a policy that
defines default-src 'none'
but not
form-action
will still allow form submissions to any
target.
plugin-types
The plugin-types
restricts the set of plugins that can
be invoked by the protected resource by limiting the types of resources
that can be embedded. The syntax for the name and value of the
directive are described by the following ABNF grammar:
directive-name = "plugin-types" directive-value = media-type-list
The term allowed plugin types refers to the result of
parsing the plugin-types
directive's value as a media type list
Whenever the user agent would instantiate a plugin
to handle resource while enforcing the
plugin-types
directive, the user agent must instead act as
though the plugin reported an error and
report a violation if any of
the following conditions hold:
object
or embed
element that does not
explicitly declare a MIME type
with a type
attribute.object
or embed
element, and the media
type declared in the element's type
attribute is not
a case-insensitive match for the resource's media
type.applet
element, and resource's media type
is not a case-insensitive match for
application/x-java-applet
.Note that in any of these cases, acting as though the plugin reported an error will cause the user agent to display the fallback content.
Whenever the user agent creates a plugin
document in a browsing context nested in the protected resource,
if the user agent is enforcing any plugin-types
directives for the protected resource, the user agent must enforce those plugin-types
directives on the plugin document as well.
Whenever the user agent creates a plugin
document in a browsing context nested in the protected resource,
if the user agent is monitoring any plugin-types
directives for the protected resource, the user agent must monitor those plugin-types
directives on the plugin document as well.
This section is non-normative.
The plugin-types
directive whitelists a certain set
of MIME types that can be embedded in a protected resource. For
example, a site might want to ensure that PDF content loads, but that
no other plugins can be instantiated. The following directive would
satisfy that requirement:
Content-Security-Policy: plugin-types application/pdf;
Resources embedded via an embed
or object
element delivered with an application/pdf
content type
would be rendered in the appropriate plugin; resources delivered with
some other content type would be blocked. Multiple types can be
specified, in any order. If the site decided to additionally allow
Flash at some point in the future, it could do so with the following
directive:
Content-Security-Policy: plugin-types application/pdf application/x-shockwave-flash;
Note that wildcards are not accepted in the
plugin-types
directive. Only the resource types
explicitly listed in the directive will be allowed.
This section is non-normative.
Enforcing the plugin-types
directive requires that
object
and embed
elements declare the
expected media type of the resource they include via the
type
attribute. If an author expects to load a PDF, she
could specify this as follows:
<object data="resource" type="application/pdf"></object>
If resource isn't actually a PDF file, it won't load. This prevents certain types of attacks that rely on serving content that unexpectedly invokes a plugin other than that which the author intended.
Note that resource will not load in this scenario even if its media type is otherwise whitelisted: resources will only load when their media type is whitelisted and matches the declared type in their containing element.
reflected-xss
The reflected-xss
directive instructs a user agent
to active or disactivate any heuristics used to filter or block
reflected cross-site scripting attacks. The syntax for the name and
value of the directive are described by the following ABNF grammar:
directive-name = "reflected-xss" directive-value = "allow" / "block" / "filter"
A user agent with support for XSS protection must enforce this directive as follows:
allow
, the user
agent must disable its active protections against reflected cross-site
scripting attacks for the protected resource.filter
, the user
agent must enable its active protections against reflected cross-site
scripting attacks for the protected resource. This might result in
filtering script that is believed to be reflected being filtered or
selectively blocking script execution.block
, the user
agent must stop rendering the protected resource upon detection of
reflected script, and instead act as though it received an empty
HTTP
400 response for the protected resource itself.If the user agent's active protections against reflected cross-site scripting attacks detect or prevent script execution, the user agent must report a violation.
X-XSS-Protection
This section is non-normative.
This directive is meant to subsume the functionality provided by
the propriatary X-XSS-Protection
HTTP header which is
supported by a number of user agents. Roughly speaking:
reflected-xss allow
is equivalent to
X-XSS-Protection: 0
reflected-xss filter
is equivalent to
X-XSS-Protection: 1
reflected-xss block
is equivalent to
X-XSS-Protection: 1; mode=block
This section is non-normative.
This section provides some sample use cases and accompanying security policies.
Example 1: A server wishes to load resources only form its own origin:
Content-Security-Policy: default-src 'self'
Example 2: An auction site wishes to load images from any URI, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from a server under its control hosting sanitized ECMAScript:
Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com
Example 3: Online banking site wishes to ensure that all of the content in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content requests:
Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval'
This policy allows inline content (such as inline script
elements), use of
eval
, and loading resources over https
. Note: This policy does
not provide any protection from cross-site scripting vulnerabilities.
Example 4: A website that relies on inline
script
elements wishes to ensure that script is only
executed from its own origin, and those elements it intentionally
inserted inline:
Content-Security-Policy: script-src 'self' 'nonce-$RANDOM';
The inline script
elements would then only execute if
they contained a matching nonce
attribute:
<script nonce="$RANDOM">...</script>
This section is non-normative.
This section contains an example violation report the user agent might sent to a server when the protected resource violations a sample policy.
In the following example, the user agent rendered a representation
of the resource http://example.org/page.html
with the
following CSP policy:
default-src 'self'; report-uri http://example.org/csp-report.cgi
The protected resource loaded an image from
http://evil.example.com/image.png
, violating the
policy.
{ "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "effective-directive": "img-src", "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi" } }
The style-src
directive restricts the locations from
which the protected resource can load styles. However, if the user agent uses a
lax CSS parsing algorithm, an attacker might be able to trick the user
agent into accepting malicious "style sheets" hosted by an otherwise
trustworthy origin.
These attacks are similar to the CSS cross-origin data leakage attack described by Chris Evans in 2009. User agents should defend against both attacks using the same mechanism: stricter CSS parsing rules for style sheets with improper MIME types.
The violation reporting mechanism in this document has been
designed to mitigate the risk that a malicious web site could use
violation reports to probe the behavior of other servers. For example,
consider a malicious web site that white lists https://example.com
as a source of images. If the malicious site attempts to load
https://example.com/login
as an image, and the
example.com
server redirects to an identity provider (e.g.,
idenityprovider.example.net
), CSP will block the request.
If violation reports contained the full blocked URI, the violation
report might contain sensitive information contained in the redirected URI,
such as session identifiers or purported identities. For this reason, the
user agent includes only the origin of the blocked URI.
The Content-Security-Policy
header is an end-to-end
header. It is processed and enforced at the client and, therefore,
should not be modified or removed by proxies or other intermediaries not
in the same administrative domain as the resource.
The originating administrative domain for a resource might wish to
apply a Content-Security-Policy
header outside of the
immediate context of an application. For example, a large organization
might have many resources and applications managed by different
individuals or teams but all subject to a uniform organizational
standard. In such situations, a Content-Security-Policy
header might be added or combined with an existing one at a network-edge
security gateway device or web application firewall. To enforce multiple
policies, the administrator should combine the policy into a single header.
An administrator might wish to use different combination algorithms
depending on his or her intended semantics.
One sensible policy combination algorithm is to start by allowing a default set of sources and then letting individual upstream resource owners expand the set of allowed sources by including additional origins. In this approach, the resultant policy is the union of all allowed origins in the input policies.
Another sensible policy combination algorithm is to intersect the given policies. This approach enforces that content comes from a certain whitelist of origins, for example, preventing developers from including third-party scripts or content in violation of organizational standards and practices. In this approach, the combination algorithm forms the combined policy by removing disallowed hosts from the policies supplied by upstream resource owners.
Interactions between the default-src
and other directives
should be given special consideration when combining policies. If none
of the policies contains a default-src
directive, adding new
src directives results in a more restrictive policy. However, if one or
more of the input policies contain a default-src
directive,
adding new src directives might result in a less restrictive policy, for
example, if the more specific directive contains a more permissive set of
allowed origins.
Using a more restrictive policy than the input policy authored by the resource owner might prevent the resource from rendering or operating as intended.
Note also that migration to HTTPS
from HTTP
may require updates to the policy in order to keep things running as
before. Source expressions like http://example.com
do
not match HTTPS
resources. For example,
administrators should carefully examine existing policies before rolling
out HTTP Strict Transport Security
headers for an application.
The permanent message header field registry (see [RFC3864]) should be updated with the following registrations:
Header field name: Content-Security-Policy
Applicable protocol: http
Status: standard
Author/Change controller: W3C
Specification document: this specification (See Content-Security-Policy
Header Field)
Header field name: Content-Security-Policy-Report-Only
Applicable protocol: http
Status: standard
Author/Change controller: W3C
Specification document: this specification (See Content-Security-Policy-Report-Only
Header Field)
No informative references.