index.html 79.1 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618 1619 1620 1621 1622 1623 1624
<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'>
<html lang="en" dir="ltr">
<head>
    <title>Content Security Policy</title>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
    <!--
      === NOTA BENE ===
      For the three scripts below, if your spec resides on dev.w3 you can check them
      out in the same tree and use relative links so that they'll work offline,
     -->
    
    
  <style type="text/css">
/*****************************************************************
 * ReSpec CSS
 * Robin Berjon (robin at berjon dot com)
 * v0.05 - 2009-07-31
 *****************************************************************/


/* --- INLINES --- */
em.rfc2119 { 
    text-transform:     lowercase;
    font-variant:       small-caps;
    font-style:         normal;
    color:              #900;
}

h1 acronym, h2 acronym, h3 acronym, h4 acronym, h5 acronym, h6 acronym, a acronym,
h1 abbr, h2 abbr, h3 abbr, h4 abbr, h5 abbr, h6 abbr, a abbr {
    border: none;
}

dfn {
    font-weight:    bold;
}

a.internalDFN {
    color:  inherit;
    border-bottom:  1px solid #99c;
    text-decoration:    none;
}

a.externalDFN {
    color:  inherit;
    border-bottom:  1px dotted #ccc;
    text-decoration:    none;
}

a.bibref {
    text-decoration:    none;
}

code {
    color:  #ff4500;
}


/* --- WEB IDL --- */
pre.idl {
    border-top: 1px solid #90b8de;
    border-bottom: 1px solid #90b8de;
    padding:    1em;
    line-height:    120%;
}

pre.idl::before {
    content:    "WebIDL";
    display:    block;
    width:      150px;
    background: #90b8de;
    color:  #fff;
    font-family:    initial;
    padding:    3px;
    font-weight:    bold;
    margin: -1em 0 1em -1em;
}

.idlType {
    color:  #ff4500;
    font-weight:    bold;
    text-decoration:    none;
}

/*.idlModule*/
/*.idlModuleID*/
/*.idlInterface*/
.idlInterfaceID, .idlDictionaryID {
    font-weight:    bold;
    color:  #005a9c;
}

.idlSuperclass {
    font-style: italic;
    color:  #005a9c;
}

/*.idlAttribute*/
.idlAttrType, .idlFieldType, .idlMemberType {
    color:  #005a9c;
}
.idlAttrName, .idlFieldName, .idlMemberName {
    color:  #ff4500;
}
.idlAttrName a, .idlFieldName a, .idlMemberName a {
    color:  #ff4500;
    border-bottom:  1px dotted #ff4500;
    text-decoration: none;
}

/*.idlMethod*/
.idlMethType {
    color:  #005a9c;
}
.idlMethName {
    color:  #ff4500;
}
.idlMethName a {
    color:  #ff4500;
    border-bottom:  1px dotted #ff4500;
    text-decoration: none;
}

/*.idlParam*/
.idlParamType {
    color:  #005a9c;
}
.idlParamName {
    font-style: italic;
}

.extAttr {
    color:  #666;
}

/*.idlConst*/
.idlConstType {
    color:  #005a9c;
}
.idlConstName {
    color:  #ff4500;
}
.idlConstName a {
    color:  #ff4500;
    border-bottom:  1px dotted #ff4500;
    text-decoration: none;
}

/*.idlException*/
.idlExceptionID {
    font-weight:    bold;
    color:  #c00;
}

.idlTypedefID, .idlTypedefType {
    color:  #005a9c;
}

.idlRaises, .idlRaises a.idlType, .idlRaises a.idlType code, .excName a, .excName a code {
    color:  #c00;
    font-weight:    normal;
}

.excName a {
    font-family:    monospace;
}

.idlRaises a.idlType, .excName a.idlType {
    border-bottom:  1px dotted #c00;
}

.excGetSetTrue, .excGetSetFalse, .prmNullTrue, .prmNullFalse, .prmOptTrue, .prmOptFalse {
    width:  45px;
    text-align: center;
}
.excGetSetTrue, .prmNullTrue, .prmOptTrue { color:  #0c0; }
.excGetSetFalse, .prmNullFalse, .prmOptFalse { color:  #c00; }

.idlImplements a {
    font-weight:    bold;
}

dl.attributes, dl.methods, dl.constants, dl.fields, dl.dictionary-members {
    margin-left:    2em;
}

.attributes dt, .methods dt, .constants dt, .fields dt, .dictionary-members dt {
    font-weight:    normal;
}

.attributes dt code, .methods dt code, .constants dt code, .fields dt code, .dictionary-members dt code {
    font-weight:    bold;
    color:  #000;
    font-family:    monospace;
}

.attributes dt code, .fields dt code, .dictionary-members dt code {
    background:  #ffffd2;
}

.attributes dt .idlAttrType code, .fields dt .idlFieldType code, .dictionary-members dt .idlMemberType code {
    color:  #005a9c;
    background:  transparent;
    font-family:    inherit;
    font-weight:    normal;
    font-style: italic;
}

.methods dt code {
    background:  #d9e6f8;
}

.constants dt code {
    background:  #ddffd2;
}

.attributes dd, .methods dd, .constants dd, .fields dd, .dictionary-members dd {
    margin-bottom:  1em;
}

table.parameters, table.exceptions {
    border-spacing: 0;
    border-collapse:    collapse;
    margin: 0.5em 0;
    width:  100%;
}
table.parameters { border-bottom:  1px solid #90b8de; }
table.exceptions { border-bottom:  1px solid #deb890; }

.parameters th, .exceptions th {
    color:  #fff;
    padding:    3px 5px;
    text-align: left;
    font-family:    initial;
    font-weight:    normal;
    text-shadow:    #666 1px 1px 0;
}
.parameters th { background: #90b8de; }
.exceptions th { background: #deb890; }

.parameters td, .exceptions td {
    padding:    3px 10px;
    border-top: 1px solid #ddd;
    vertical-align: top;
}

.parameters tr:first-child td, .exceptions tr:first-child td {
    border-top: none;
}

.parameters td.prmName, .exceptions td.excName, .exceptions td.excCodeName {
    width:  100px;
}

.parameters td.prmType {
    width:  120px;
}

table.exceptions table {
    border-spacing: 0;
    border-collapse:    collapse;
    width:  100%;
}

/* --- TOC --- */
.toc a {
    text-decoration:    none;
}

a .secno {
    color:  #000;
}

/* --- TABLE --- */
table.simple {
    border-spacing: 0;
    border-collapse:    collapse;
    border-bottom:  3px solid #005a9c;
}

.simple th {
    background: #005a9c;
    color:  #fff;
    padding:    3px 5px;
    text-align: left;
}

.simple th[scope="row"] {
    background: inherit;
    color:  inherit;
    border-top: 1px solid #ddd;
}

.simple td {
    padding:    3px 10px;
    border-top: 1px solid #ddd;
}

.simple tr:nth-child(even) {
    background: #f0f6ff;
}

/* --- DL --- */
.section dd > p:first-child {
    margin-top: 0;
}

.section dd > p:last-child {
    margin-bottom: 0;
}

.section dd {
    margin-bottom:  1em;
}

.section dl.attrs dd, .section dl.eldef dd {
    margin-bottom:  0;
}

/* --- EXAMPLES --- */
pre.example {
    border-top: 1px solid #ff4500;
    border-bottom: 1px solid #ff4500;
    padding:    1em;
    margin-top: 1em;
}

pre.example::before {
    content:    "Example";
    display:    block;
    width:      150px;
    background: #ff4500;
    color:  #fff;
    font-family:    initial;
    padding:    3px;
    font-weight:    bold;
    margin: -1em 0 1em -1em;
}

/* --- EDITORIAL NOTES --- */
.issue {
    padding:    1em;
    margin: 1em 0em 0em;
    border: 1px solid #f00;
    background: #ffc;
}

.issue::before {
    content:    "Issue";
    display:    block;
    width:  150px;
    margin: -1.5em 0 0.5em 0;
    font-weight:    bold;
    border: 1px solid #f00;
    background: #fff;
    padding:    3px 1em;
}

.note {
    margin: 1em 0em 0em;
    padding:    1em;
    border: 2px solid #cff6d9;
    background: #e2fff0;
}

.note::before {
    content:    "Note";
    display:    block;
    width:  150px;
    margin: -1.5em 0 0.5em 0;
    font-weight:    bold;
    border: 1px solid #cff6d9;
    background: #fff;
    padding:    3px 1em;
}

/* --- Best Practices --- */
div.practice {
    border: solid #bebebe 1px;
    margin: 2em 1em 1em 2em;
}

span.practicelab {
    margin: 1.5em 0.5em 1em 1em;
    font-weight: bold;
    font-style: italic;
}

span.practicelab   { background: #dfffff; }

span.practicelab {
    position: relative;
    padding: 0 0.5em;
    top: -1.5em;
}

p.practicedesc {
    margin: 1.5em 0.5em 1em 1em;
}

@media screen {
    p.practicedesc {
        position: relative;
        top: -2em;
        padding: 0;
        margin: 1.5em 0.5em -1em 1em;
    }
}

/* --- SYNTAX HIGHLIGHTING --- */
pre.sh_sourceCode {
  background-color: white;
  color: black;
  font-style: normal;
  font-weight: normal;
}

pre.sh_sourceCode .sh_keyword { color: #005a9c; font-weight: bold; }           /* language keywords */
pre.sh_sourceCode .sh_type { color: #666; }                            /* basic types */
pre.sh_sourceCode .sh_usertype { color: teal; }                             /* user defined types */
pre.sh_sourceCode .sh_string { color: red; font-family: monospace; }        /* strings and chars */
pre.sh_sourceCode .sh_regexp { color: orange; font-family: monospace; }     /* regular expressions */
pre.sh_sourceCode .sh_specialchar { color: 	#ffc0cb; font-family: monospace; }  /* e.g., \n, \t, \\ */
pre.sh_sourceCode .sh_comment { color: #A52A2A; font-style: italic; }         /* comments */
pre.sh_sourceCode .sh_number { color: purple; }                             /* literal numbers */
pre.sh_sourceCode .sh_preproc { color: #00008B; font-weight: bold; }       /* e.g., #include, import */
pre.sh_sourceCode .sh_symbol { color: blue; }                            /* e.g., *, + */
pre.sh_sourceCode .sh_function { color: black; font-weight: bold; }         /* function calls and declarations */
pre.sh_sourceCode .sh_cbracket { color: red; }                              /* block brackets (e.g., {, }) */
pre.sh_sourceCode .sh_todo { font-weight: bold; background-color: #00FFFF; }   /* TODO and FIXME */

/* Predefined variables and functions (for instance glsl) */
pre.sh_sourceCode .sh_predef_var { color: #00008B; }
pre.sh_sourceCode .sh_predef_func { color: #00008B; font-weight: bold; }

/* for OOP */
pre.sh_sourceCode .sh_classname { color: teal; }

/* line numbers (not yet implemented) */
pre.sh_sourceCode .sh_linenum { display: none; }

/* Internet related */
pre.sh_sourceCode .sh_url { color: blue; text-decoration: underline; font-family: monospace; }

/* for ChangeLog and Log files */
pre.sh_sourceCode .sh_date { color: blue; font-weight: bold; }
pre.sh_sourceCode .sh_time, pre.sh_sourceCode .sh_file { color: #00008B; font-weight: bold; }
pre.sh_sourceCode .sh_ip, pre.sh_sourceCode .sh_name { color: #006400; }

/* for Prolog, Perl... */
pre.sh_sourceCode .sh_variable { color: #006400; }

/* for LaTeX */
pre.sh_sourceCode .sh_italics { color: #006400; font-style: italic; }
pre.sh_sourceCode .sh_bold { color: #006400; font-weight: bold; }
pre.sh_sourceCode .sh_underline { color: #006400; text-decoration: underline; }
pre.sh_sourceCode .sh_fixed { color: green; font-family: monospace; }
pre.sh_sourceCode .sh_argument { color: #006400; }
pre.sh_sourceCode .sh_optionalargument { color: purple; }
pre.sh_sourceCode .sh_math { color: orange; }
pre.sh_sourceCode .sh_bibtex { color: blue; }

/* for diffs */
pre.sh_sourceCode .sh_oldfile { color: orange; }
pre.sh_sourceCode .sh_newfile { color: #006400; }
pre.sh_sourceCode .sh_difflines { color: blue; }

/* for css */
pre.sh_sourceCode .sh_selector { color: purple; }
pre.sh_sourceCode .sh_property { color: blue; }
pre.sh_sourceCode .sh_value { color: #006400; font-style: italic; }

/* other */
pre.sh_sourceCode .sh_section { color: black; font-weight: bold; }
pre.sh_sourceCode .sh_paren { color: red; }
pre.sh_sourceCode .sh_attribute { color: #006400; }

</style><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css" charset="utf-8"></head>


  <body style="display: inherit; "><div class="head"><p><a href="http://www.w3.org/"><img width="72" height="48" src="http://www.w3.org/Icons/w3c_home" alt="W3C"></a></p><h1 class="title" id="title">Content Security Policy</h1><h2 id="w3c-working-draft-29-november-2011">W3C Working Draft 29 November 2011</h2><dl><dt>This version:</dt><dd><a href="http://www.w3.org/TR/2011/WD-CSP-20111129/">http://www.w3.org/TR/2011/WD-CSP-20111129/</a></dd><dt>Latest published version:</dt><dd><a href="http://www.w3.org/TR/CSP/">http://www.w3.org/TR/CSP/</a></dd><dt>Latest editor's draft:</dt><dd><a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html</a></dd><dt>Editors:</dt><dd><a href="mailto:bsterne@mozilla.com">Brandon Sterne</a>, <a href="http://www.mozilla.com/">Mozilla Corporation</a></dd>
<dd><a href="mailto:w3c@adambarth.com">Adam Barth</a>, <a href="http://www.google.com/">Google, Inc.</a></dd>
</dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2010-2011 <a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><acronym title="Massachusetts Institute of Technology">MIT</acronym></a>, <a href="http://www.ercim.eu/"><acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p><hr></div>
    <div id="abstract" class="introductory section"><h2>Abstract</h2>
      <p>This document defines a policy language used to declare a set of
      content restrictions for a web resource, and a mechanism for
      transmitting the policy from a server to a client where the policy is
      enforced.</p>
    </div><div id="sotd" class="introductory section"><h2>Status of This Document</h2><p><em>This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at http://www.w3.org/TR/.</em></p>
      <p>Although a FPWD, this document describes a proposal that has been
      discussed by the broader community for approximately a year.  There are experimental
      implementations in Firefox and Chrome, using the header names
      <code>X-Content-Security-Policy</code> and <code>X-WebKit-CSP</code>
      respectively.  Internet Explorer 10 Platform Preview also contains a
      partial implementation, using the header name
      X-Content-Security-Policy.</p>

      <p>In addition to the documents in the W3C Web Application Security
      working group, the work on this document is also informed by the work of
      the <a href="http://tools.ietf.org/wg/websec/">IETF websec working
      group</a>, particularly that working group's requirements document:
      <a href="http://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a></p>
    <p>This document was published by the <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a First Public Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to <a href="mailto:public-webappsec@w3.org">public-webappsec@w3.org</a> (<a href="mailto:public-webappsec-request@w3.org?subject=subscribe">subscribe</a>, <a href="http://lists.w3.org/Archives/Public/public-webappsec/">archives</a>). All feedback is welcome.</p><p>Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.</p><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>. W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>.</p></div><div id="toc" class="section"><h2 class="introductory">Table of Contents</h2><ul class="toc"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a></li><li class="tocline"><a href="#conformance" class="tocxref"><span class="secno">2. </span>Conformance</a><ul class="toc"><li class="tocline"><a href="#terminology" class="tocxref"><span class="secno">2.1 </span>Terminology</a></li></ul></li><li class="tocline"><a href="#framework" class="tocxref"><span class="secno">3. </span>Framework</a><ul class="toc"><li class="tocline"><a href="#policy-delivery" class="tocxref"><span class="secno">3.1 </span>Policy Delivery</a><ul class="toc"><li class="tocline"><a href="#content-security-policy-header-field" class="tocxref"><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</a></li><li class="tocline"><a href="#content-security-policy-report-only-header-field" class="tocxref"><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</a></li><li class="tocline"><a href="#html-meta-element" class="tocxref"><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</a></li></ul></li><li class="tocline"><a href="#syntax" class="tocxref"><span class="secno">3.2 </span>Syntax</a><ul class="toc"><li class="tocline"><a href="#policies" class="tocxref"><span class="secno">3.2.1 </span>Policies</a></li><li class="tocline"><a href="#source-list" class="tocxref"><span class="secno">3.2.2 </span>Source List</a></li></ul></li><li class="tocline"><a href="#processing-model" class="tocxref"><span class="secno">3.3 </span>Processing Model</a></li></ul></li><li class="tocline"><a href="#directives" class="tocxref"><span class="secno">4. </span>Directives</a><ul class="toc"><li class="tocline"><a href="#default-src" class="tocxref"><span class="secno">4.1 </span><code>default-src</code></a></li><li class="tocline"><a href="#script-src" class="tocxref"><span class="secno">4.2 </span><code>script-src</code></a></li><li class="tocline"><a href="#object-src" class="tocxref"><span class="secno">4.3 </span><code>object-src</code></a></li><li class="tocline"><a href="#style-src" class="tocxref"><span class="secno">4.4 </span><code>style-src</code></a></li><li class="tocline"><a href="#img-src" class="tocxref"><span class="secno">4.5 </span><code>img-src</code></a></li><li class="tocline"><a href="#media-src" class="tocxref"><span class="secno">4.6 </span><code>media-src</code></a></li><li class="tocline"><a href="#frame-src" class="tocxref"><span class="secno">4.7 </span><code>frame-src</code></a></li><li class="tocline"><a href="#font-src" class="tocxref"><span class="secno">4.8 </span><code>font-src</code></a></li><li class="tocline"><a href="#connect-src" class="tocxref"><span class="secno">4.9 </span><code>connect-src</code></a></li><li class="tocline"><a href="#sandbox" class="tocxref"><span class="secno">4.10 </span><code>sandbox</code></a></li><li class="tocline"><a href="#report-uri" class="tocxref"><span class="secno">4.11 </span><code>report-uri</code></a></li><li class="tocline"><a href="#policy-uri" class="tocxref"><span class="secno">4.12 </span><code>policy-uri</code></a></li></ul></li><li class="tocline"><a href="#examples" class="tocxref"><span class="secno">5. </span>Examples</a><ul class="toc"><li class="tocline"><a href="#sample-policy-definitions" class="tocxref"><span class="secno">5.1 </span>Sample Policy Definitions</a></li><li class="tocline"><a href="#sample-violation-report" class="tocxref"><span class="secno">5.2 </span>Sample Violation Report</a></li></ul></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. </span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></div>

    

    <div class="informative section" id="introduction">
      <!--OddPage--><h2><span class="secno">1. </span>Introduction</h2><p><em>This section is non-normative.</em></p>

      <p>This document defines Content Security Policy, a mechanism web
      applications can use to mitigate the broad class of content injection
      vulnerabilities, such as cross-site scripting (XSS). Content Security
      Policy is a declarative policy that lets the authors (or server
      administrators) of a web application restrict from where the application
      can load resources.</p>

      <p>To mitigate XSS, for example, a web application can restrict itself
      to loading scripts only from known, trusted URIs, making it difficult
      for an attacker who can inject content into the web application to
      inject malicious script.</p>

      <p>Content Security Policy (CSP) is not intended as a first line of
      defense against content injection vulnerabilities. Instead, CSP is best
      used as defense-in-depth, to reduce the harm caused by content injection
      attacks.</p>

      <p>There is often a non-trivial amount of work required to apply CSP to
      an existing web application. To reap the greatest benefit, authors will
      need to move all inline script and style out-of-line, for example into
      external scripts, because the user agent cannot determine whether an
      inline script was injected by an attacker.</p>

      <p>To take advantage of CSP, a web application needs to opt into using
      CSP by supplying a Content-Security-Policy HTTP header or an appropriate
      HTML <code>meta</code> element. Such policies apply the current document
      only. To supply a policy for an entire site, the server need to supply a
      policy along with each resource representation.</p>
    </div>

    <div id="conformance" class="section"><!--OddPage--><h2><span class="secno">2. </span>Conformance</h2><p>As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.</p>
<p>The key words <em class="rfc2119" title="must">must</em>, <em class="rfc2119" title="must not">must not</em>, <em class="rfc2119" title="required">required</em>, <em class="rfc2119" title="should">should</em>, <em class="rfc2119" title="should not">should not</em>, <em class="rfc2119" title="recommended">recommended</em>, <em class="rfc2119" title="may">may</em>, and <em class="rfc2119" title="optional">optional</em> in this specification are to be interpreted as described in [<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">RFC2119</a></cite>].</p>

      <p>Requirements phrased in the imperative as part of algorithms (such as
      "strip any leading space characters" or "return false and abort these
      steps") are to be interpreted with the meaning of the key word ("<em class="rfc2119" title="must">must</em>",
      "<em class="rfc2119" title="should">should</em>", "<em class="rfc2119" title="may">may</em>", etc) used in introducing the algorithm.</p>

      <p>A conformant user-agent is one that implements all the requirements
      listed in this specification that are applicable to user-agents.</p>

      <p>A conformant server is one that implements all the requirements
      listed in this specification that are applicable to servers.</p>

      <div id="terminology" class="section">
        <h3><span class="secno">2.1 </span>Terminology</h3>

        <p>This section defines several terms used throughout the document.</p>

        <p>The term <dfn id="dfn-security-policy">security policy</dfn>, or
        simply <dfn id="dfn-policy">policy</dfn>, for the purposes of this
        specification refers to either:
          </p><ol>
            <li>a set of security preferences for restricting the behavior of
            content within a given document, or</li>
            <li>a fragment of text that codifies these preferences.</li>
          </ol>
        <p></p>

        <p>The security policies defined by this document are applied by a
        user-agent on a <em>per-resource representation basis</em>.
        Specifically, when a user agent receives a policy along with the
        representation of a given resource, that policy applies to <em>that
        resource representation only</em>. That resource representation is
        often referred to in this document as the <dfn id="dfn-protected-document">protected
        document</dfn>.

        </p><p>A server transmits its security policy for a particular resource as
        a collection of <dfn id="dfn-directives">directives</dfn>, such as <code>default-src
        'self'</code>, each of which controls a specific set of privileges for
        a document rendered by a user-agent. More details are provided in the
        <a href="#directives">directives</a> section.</p>

        <p>A directive consists of a <dfn id="dfn-directive-name">directive name</dfn>, which
        indicates the privileges controlled by the directive, and a
        <dfn id="dfn-directive-value">directive value</dfn>, which specifies the restrictions the
        policy imposes on those privileges.</p>

        <p>Fetching resources requires <dfn id="resolve">resolving</dfn>
        and <dfn id="parse-url">parsing</dfn> URLs.  The algorithms
        for <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#resolving-urls">resolving
        a URL</a>
        and <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#parse-a-url">parsing
        a URL</a> are defined in the HTML5 standard [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>

        <p>The term <dfn id="dfn-origin">origin</dfn> is defined in the Origin specification.
        [<em><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">ORIGIN</a></em>]</p>

        <p>The term <dfn id="dfn-uri">URI</dfn> is defined in the URI specification.  [<cite><a class="bibref" rel="biblioentry" href="#bib-URI">URI</a></cite>]</p>

        <p>The <code>&lt;script&gt;</code>, <code>&lt;object&gt;</code>, <code>&lt;embed&gt;</code>,
        <code>&lt;img&gt;</code>, <code>&lt;video&gt;</code>, <code>&lt;audio&gt;</code>,
        <code>&lt;link&gt;</code>, <code>&lt;frame&gt;</code> and <code>&lt;iframe&gt;</code>
        elements are defined in the HTML5 standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>

        <p>The <code>&lt;applet&gt;</code> element is defined in the HTML 4.01 standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML401">HTML401</a></cite>].</p>

        <p>The <code>@font-face</code> CSS rule is defined in the CSS Fonts Module Level 3 standard.
        [<cite><a class="bibref" rel="biblioentry" href="#bib-CSS3FONT">CSS3FONT</a></cite>]</p>

        <p>The <code>XMLHttpRequest</code> object is defined in the <code>XMLHttpRequest</code>
        standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-XMLHTTPREQUEST">XMLHTTPREQUEST</a></cite>]</p>

        <p>The <code>WebSocket</code> object is defined in the <code>WebSocket</code>
        standard. [<em><a href="http://dev.w3.org/html5/websockets/">WEBSOCKET</a></em>].</p>

        <p>The <code>EventSource</code> object is defined in the <code>EventSource</code>
        standard. [<em><a href="http://dev.w3.org/html5/eventsource/">EVENTSOURCE</a></em>].</p>

        <p>The Augmented Backus-Naur Form (ABNF) notation used in this
        document is specified in RFC 5234. [<cite><a class="bibref" rel="biblioentry" href="#bib-ABNF">ABNF</a></cite>]</p>

        <p>The following core rules are included by reference, as defined in
        [<em><a href="http://tools.ietf.org/html/rfc5234#appendix-B.1">ABNF Appendix B.1</a></em>]:
        <code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
        0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
        characters).</p>
      </div>
    </div>

    <div id="framework" class="section">
      <!--OddPage--><h2><span class="secno">3. </span>Framework</h2>

      <p>This section defines the general framework for content security
      policies, including the delivery mechanisms and general syntax for
      policies. The next section contains the details of the specific
      directives introduced in this specification.</p>

      <div id="policy-delivery" class="section">
        <h3><span class="secno">3.1 </span>Policy Delivery</h3>

        <p>The policy can be delivered from the server to the client via an HTTP response header
        or an HTML <code>meta</code> element.</p>

        <p>Of the two delivery mechanisms, servers <em class="rfc2119" title="should">should</em> use the HTTP
        response header mechanism whenever possible because, when using the
        <code>meta</code> element mechanism, there is a period of time between
        when the user agent begins to process the document and when the user
        agent encounters the <code>meta</code> element when the document is
        not protected by the policy.</p>

        <div id="content-security-policy-header-field" class="section">
          <h4><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</h4>

          <p>The <code>Content-Security-Policy</code> header field is the
          preferred mechanism for delivering a CSP policy.</p>

          <p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
          header fields named <code>Content-Security-Policy</code> along with
          the protected document.</p>

          <p>Upon receiving an HTTP response containing at least one
          <code>Content-Security-Policy</code> header field, the user agent
          <em class="rfc2119" title="must">must</em> <a href="#enforce-the-combination">enforce the combination</a>
          of all the policies contained in these header fields.</p>
        </div>

        <div id="content-security-policy-report-only-header-field" class="section">
          <h4><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</h4>

          <p>The <code>Content-Security-Policy-Report-Only</code> header field
          lets server experiment with CSP by monitoring (rather than
          enforcing) a policy. This feature lets server operators develop
          their security policy iteratively. They can deploy a report-only
          policy based on their best estimate of how their site behaves. If
          their site violates this policy, instead of breaking the site, the
          user agent will send violation reports to a URI specified in the
          policy. Once a site has confidence that the policy is appropriate,
          they can promote the report-only policy to normal blocking mode.</p>

          <p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
          header fields named <code>Content-Security-Policy-Report-Only</code>
          along with the protected document.</p>

          <p>If a server supplies at least one
          <code>Content-Security-Policy-Report-Only</code> header field in an
          HTTP response, the server <em class="rfc2119" title="must not">must not</em> supply any
          <code>Content-Security-Policy</code> header fields.</p>

          <p>Upon receiving an HTTP response containing at least one
          <code>Content-Security-Policy-Report-Only</code> header field, the
          user agent <em class="rfc2119" title="must">must</em> <a href="#monitor-the-combination">monitor the
          combination</a> of all the policies contained in these header
          fields.</p>
        </div>

        <div id="html-meta-element" class="section">
          <h4><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</h4>

          <p>The server <em class="rfc2119" title="may">may</em> supply a CSP policy in an HTML <code>meta</code>
          element with an <code>http-equiv</code> attribute that is a case
          insensitive match for either <code>Content-Security-Policy</code> or
          <code>Content-Security-Policy-Report-Only</code>.</p>

          <p>Add the following entries to the <a href="http://www.w3.org/TR/html5/semantics.html#pragma-directives">pragma
          directives</a> for the <code>meta</code> element:</p>

          <dl>
            <dt>Content security policy (<code>http-equiv="content-security-policy"</code>)</dt>
            <dd>
              <ol>
                <li>If the document already has a <var>csp-policy</var>, abort
                these steps.</li>

                <li>If the <code>meta</code> element lacks a
                <code>content</code> attribute, abort these steps.</li>

                <li><a href="#enforce">Enforce</a> the CSP policy contained in
                the <code>content</code> attribute of the <code>meta</code>
                element.</li>
              </ol>
            </dd>

            <dt>Content security policy, report only (<code>http-equiv="content-security-policy-report-only"</code>)</dt>
            <dd>
              <ol>
                <li>If the document already has a <var>csp-policy</var>, abort
                these steps.</li>

                <li>If the <code>meta</code> element lacks a
                <code>content</code> attribute, abort these steps.</li>

                <li><a href="#monitor">Monitor</a> the CSP policy contained in
                the <code>content</code> attribute of the <code>meta</code>
                element.</li>
              </ol>
            </dd>
          </dl>
        </div>
      </div>

      <div id="syntax" class="section">
        <h3><span class="secno">3.2 </span>Syntax</h3>

        <div id="policies" class="section">
          <h4><span class="secno">3.2.1 </span>Policies</h4>

          <p>A CSP <dfn id="dfn-policy-1">policy</dfn> consists of a U+003B SEMICOLON
          (<code>;</code>) delimited list of directives:</p>

<pre>policy            = directive-list
directive-list    = [ directive *( ";" [ directive ] ) ]
</pre>

          <p>Each <dfn id="dfn-directive">directive</dfn> consists of a <var>directive-name</var>
          and (optionally) a <var>directive-value</var>:</p>

<pre>directive         = *WSP [ directive-name [ WSP directive-value ] ]
directive-name    = 1*( ALPHA / DIGIT / "-" )
directive-value   = *( WSP / &lt;VCHAR except ";"&gt; )
</pre>

          <p>To <dfn id="parse-a-csp-policy">parse a CSP policy</dfn>
          <var>policy</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to
          the following:</p>

          <ol>
            <li>Let the <var>set of directives</var> be the empty set.</li>

            <li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strictly-split-a-string">strictly
            splitting</a> the string <var>policy</var> on the character U+003B
            SEMICOLON (<code>;</code>):
              <ol>
                <li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#skip-whitespace">Skip whitespace</a>.</li>

                <li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#collect-a-sequence-of-characters">Collect
                a sequence of characters</a> that are not
                <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space characters</a>. The
                collected characters are the <var>directive name</var>.</li>

                <li>If <var>position</var> doesn't point past the end of the
                token, skip ahead one character (which must be a <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space
                character</a>).</li>

                <li>The remaining characters in <var>token</var> (if any) are
                the <var>directive value</var>.</li>

                <li>If the <var>set of directives</var> already contains a
                directive with name <var>directive name</var>, ignore this
                instance of the directive and continue to the next token.</li>

                <li>Add a <var>directive</var> to the <var>set of
                directives</var> with name <var>directive name</var> and value
                <var>directive value</var>.</li>
              </ol>
            </li>

            <li>Return the <var>set of directives</var>.
          </li></ol>
        </div>

        <div id="source-list" class="section">
          <h4><span class="secno">3.2.2 </span>Source List</h4>

          <p>Many CSP directives use a value consisting of a <dfn id="dfn-source-list">source
          list</dfn>.</p>

          <p>Each <dfn id="dfn-source-expression">source expression</dfn> in the source list represents a
          location from which content of the specified type can be retrieved.
          For example, the source expression <code>'self'</code> represents
          the set of URIs which are in the same origin as the protected
          document and the source expression <code>'unsafe-inline'</code>
          represents content supplied inline in the document itself.</p>

<pre>source-list       = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
                  / *WSP "'none'" *WSP
source-expression = scheme-source / host-source / keyword-source
scheme-source     = scheme ":"
host-source       = ( [ scheme "://" ] host [ port ] )
keyword-source    = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
scheme            = &lt;scheme&gt; production from RFC 3986
host              = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char         = ALPHA / DIGIT / "-"
port              = ":" ( 1*DIGIT / "*" )
</pre>

          <p>To <dfn id="parse-a-source-list">parse a source list</dfn>
          <var>source list</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm
          equivalent to the following:</p>

          <ol>
            <li>If <var>source list</var> (with <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strip-leading-and-trailing-whitespace">leading
            and trailing whitespace stripped</a>) is a case insensitive match
            for the string <code>'none'</code> (including the quotation
            marks), return the empty set.</li>

            <li>Let the <var>set of source expressions</var> be the empty set.</li>

            <li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#split-a-string-on-spaces">splitting
            <var>source list</var> on spaces</a>, if the token matches the
            grammar for <code>source-expression</code>, add the token to the
            <var>set of source expressions</var>.</li>

            <li>Return the <var>set of source expressions</var>.</li>
          </ol>

          <p>To check whether a URI <dfn id="matches-a-source-expression">matches a source expression</dfn>,
          the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the
          following:</p>

          <ol>
            <li>If the source expression a single U+002A ASTERISK character
            (<code>*</code>), then return <em>does match</em>.</li>

            <li>If the source expression matches the grammar for
            <code>scheme-source</code>, then the URI matches the source
            expression of the URI's scheme is a case-insensitive match for the
            source expression's <code>scheme</code>.</li>

            <li>Otherwise, if the source expression matches the grammar for
            <code>host-source</code>:
              <ol>
                <li>If the URI does not contain a host, then return <em>does
                not match</em>.</li>

                <li>Let <var>scheme</var>, <var>host</var>, and
                <var>port</var> be the scheme, host, and port of the URI,
                respectively. If the URI does not have a port, then let
                <var>port</var> be the default port for
                <var>scheme</var>.</li>

                <li>If the source expression has a <code>scheme</code> that is
                not a case insensitive match for <var>scheme</var>, then
                return <em>does not match</em>.</li>

                <li>If <var>scheme</var> is not a case insensitive match for
                the scheme of the protected document's URI, then return
                <em>does not match</em>.<br>
                <em>FIXME: Should we allow HTTPS when the document's scheme is
                HTTP?</em></li>

                <li>If the first character of the source expression's
                <code>host</code> is an U+002A ASTERISK character
                (<code>*</code>) and the remaining characters, including the
                leading U+002E FULL STOP character (<code>.</code>), are not a
                case insensitive match for the rightmost characters of
                <var>host</var>, then return <em>does not match</em>.</li>

                <li>If <var>host</var> is not a case insensitive match for the
                source expression's <code>host</code>, then return <em>does
                not match</em>.</li>

                <li>If the source expression does not contain a
                <code>port</code> and <var>port</var> is not the default port
                for <var>scheme</var>, then return <em>does not
                match</em>.</li>

                <li>If the source expression does contain a <code>port</code>
                that (a) does <em>not</em> contain an U+002A ASTERISK
                character (<code>*</code>) and (b) does <em>not</em> represent
                the same number as <var>port</var>, then return <em>does not
                match</em>.</li>

                <li>Return <em>does match</em>.</li>
              </ol>

              </li><li>Otherwise, if the source expression is a case insensitive
              match for <code>'self'</code> (including the quotation marks),
              then return the URI matches the source expression if the URI has
              the same scheme, host, and port as the document's URI.</li>

              <li>Otherwise, the URI does not match the source expression.</li>
            
          </ol>

          <p>A URI <dfn id="matches-a-source-list">matches a source
          list</dfn>, if, and only if, the URI <a href="#matches-a-source-expression">matches at least one source
          expression</a> in the set of source expressions obtained by <a href="#parse-a-source-list">parsing the source list</a>. Notice that
          no URIs match an empty set of source expressions, such as the set
          obtained by parsing the source list <code>'none'</code>.</p>
        </div>
      </div>

      <div id="processing-model" class="section">
        <h3><span class="secno">3.3 </span>Processing Model</h3>

        <p>To <dfn id="enforce">enforce</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
        <a href="#parse-a-csp-policy">parse the policy</a> and enforce each of
        the directives contained in the policy, where the specific
        requirements for enforcing each directive are defined separately for
        each directive (See <a href="#sec-directives">Directives</a>,
        below).</p>

        <p>Generally speaking, enforcing a directive prevent the protected
        document from performing certain actions, such as loading scripts from
        URIs other than those indicated in a source list. These restrictions
        make it more difficult for an attacker to abuse an injection
        vulnerability in the document because the attacker will be unable to
        usurp the document's privileges that have been restricted in this
        way.</p>

        <p>Enforcing a CSP policy <em class="rfc2119" title="should not">should not</em> interfere with the operation of
        user-supplied scripts such as third-party user-agent add-ons and
        JavaScript bookmarklets.</p>

        <p>To <dfn id="monitor">monitor</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
        <a href="#parse-a-csp-policy">parse the policy</a> and monitor each of
        the directives contained in the policy, where the specific
        requirements for monitoring each directive are defined separately for
        each directive (See <a href="#sec-directives">Directives</a>,
        below).</p>

        <p>Generally speaking, monitoring a directive does not prevent the
        protected document from undertaking any actions. Instead, any actions
        that would have been prevented by the directive are instead reported
        to the developer of the web application. Monitoring a CSP policy is
        most useful for testing whether enforcing the policy will break the
        web application.</p>

        <p>If the user agent monitors or enforces a CSP policy that does not
        contain any directives, the user agent <em class="rfc2119" title="should">should</em> report a warning message
        in the developer console.</p>

        <p>If the user agent monitors or enforces a CSP policy that contains
        an unrecognized directive, the user agent <em class="rfc2119" title="should">should</em> report a warning
        message in the developer console indicating the name of the
        unrecognized directive.</p>

        <p>To <dfn id="enforce-the-combination">enforce the combination</dfn>
        of one or more policies, the user agent <em class="rfc2119" title="must">must</em> enforce each policy. For
        example, if an action is prevented by at least one of the policies,
        then the action will be prevented by the combination of the
        policies.</p>

        <p>To <dfn id="monitor-the-combination">monitor the combination</dfn>
        of one or more policies, the user agent <em class="rfc2119" title="must">must</em> monitor each each
        policy.</p>
      </div>
    </div>

    <div id="directives" class="section">
      <!--OddPage--><h2 id="sec-directives"><span class="secno">4. </span>Directives</h2>

      <p>This section describes the content security policy directives
      introduced in this specification.</p>

      <p>In order to protect against Cross-site Scripting (XSS), authors
      <em class="rfc2119" title="should">should</em> include
      </p><ul>
        <li>both the <code>script-src</code> and <code>object-src</code>
        directives, or</li>

        <li>include a <code>default-src</code> directive, which covers both
        scripts and plug-ins.</li>
      </ul>

      <p>In either case, authors <em class="rfc2119" title="should not">should not</em> include
      <code>'unsafe-inline'</code> in their CSP policies if they wish to
      protect themselves against XSS.</p>

      <div id="default-src" class="section">
        <h3><span class="secno">4.1 </span><code>default-src</code></h3>

        <p>The <code>default-src</code> directive sets a default source list
        for a number of directives. The syntax for the name and value of the
        directive are described by the following ABNF grammar:</p>

<pre>directive-name    = "default-src"
directive-value   = source-list
</pre>

        <p>Let the <var>default sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a
        source list</a>.</p>

        <p>To enforce the <code>default-src</code> directive, the user agent
        <em class="rfc2119" title="must">must</em> enforce the following directives:</p>
        <ul>
          <li>script-src</li>
          <li>object-src</li>
          <li>style-src</li>
          <li>img-src</li>
          <li>media-src</li>
          <li>frame-src</li>
          <li>font-src</li>
          <li>connect-src</li>
        </ul>

        <p>If not specified explicitly in the policy, the directives listed
        above will use the <var>default sources</var>.</p>
      </div>

      <div id="script-src" class="section">
        <h3><span class="secno">4.2 </span><code>script-src</code></h3>

        <p>The <code>script-src</code> directive restricts which scripts the
        protected document can execute. The directive also controls other
        resources, such as XSLT stylesheets, which can cause the user agent to
        execute script. The syntax for the name and value of the directive are
        described by the following ABNF grammar:</p>

<pre>directive-name    = "script-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>script-src</code>, let the
        <var>allowed script sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed script sources</var> be the
        <var>default sources</var></p>

        <p>If <code>'unsafe-inline'</code> is not in <var>allowed script
        sources</var>:</p>
        <ul>
          <li>Whenever the user agent would execute an inline script (either
          from a <code>script</code> element or from an inline event handler),
          instead the user agent <em class="rfc2119" title="must not">must not</em> execute script.</li>

          <li>Whenever the user agent would execute script contained in a
          <code>javascript</code> URI, instead the user agent <em class="rfc2119" title="must not">must not</em> execute
          the script. (Note: The user agent <em class="rfc2119" title="should">should</em> execute script contained in
          "bookmarklets" even when enforcing this restriction.)</li>
        </ul>

        <p>If <code>'unsafe-eval'</code> is not in <var>allowed script
        sources</var>:</p>
        <ul>
          <li>Instead of evaluating their arguments, both operator
          <code>eval</code> and function <code>eval</code> <em class="rfc2119" title="must">must</em> throw a
          security exception.</li>

          <li>When called as a constructor, the function <code>Function</code>
          <em class="rfc2119" title="must">must</em> throw a security exception.</li>

          <li>When called with a first argument that is non-callable (e.g.,
          not a function), the <code>setTimeout</code> function <em class="rfc2119" title="must">must</em> return
          zero without creating a timer.</li>

          <li>When called with a first argument that is non-callable (e.g.,
          not a function), the <code>setInterval</code> function <em class="rfc2119" title="must">must</em> return
          zero without creating a timer.</li>
        </ul>

        <p>The term <dfn id="dfn-callable">callable</dfn> refers to an object whose interface
        has one or more <dfn id="dfn-callers">callers</dfn> as defined in the <a href="http://www.w3.org/TR/2010/WD-WebIDL-20101021/#idl-callers">Web
        IDL</a> specification [<cite><a class="bibref" rel="biblioentry" href="#bib-WEBIDL">WEBIDL</a></cite>].</p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed script
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting a script, such as when processing the
          <code>src</code> attribute of a <code>script</code> element or when
          processing the <code>Worker</code> or <code>SharedWorker</code>
          constructors.</li>

          <li>Requesting an Extensible Stylesheet Language Transformations
          (XSLT), such as when processing the
          <code>&lt;?xml-stylesheet?&gt;</code> processing directive in an XML
          document, the <code>href</code> attributes on
          <code>&lt;xsl:include&gt;</code> element, or the <code>href</code>
          attributes on <code>&lt;xsl:import&gt;</code> element.</li>
        </ul>
      </div>
      <div id="object-src" class="section">
        <h3><span class="secno">4.3 </span><code>object-src</code></h3>

        <p>The <code>object-src</code> directive restricts from where the
        protected document can load plugins. The syntax for the name and value
        of the directive are described by the following ABNF grammar:</p>

<pre>directive-name    = "object-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>object-src</code>, let the
        <var>allowed object sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed object sources</var> be the
        <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed object
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting data for a plugin, such as when processing the
          <code>data</code> attribute of an <code>object</code> element, the
          <code>src</code> attribute of an <code>embed</code> elements, or the
          <code>code</code> or <code>archive</code> attributes of an
          <code>applet</code> element.</li>
        </ul>

        <p>Whenever the user agent would load a plug-in without an associated
        URI (e.g., because the <code>object</code> element lacked a
        <code>data</code> attribute), if the protected document's URI does not
        <a href="#matches-a-source-list">match the <var>allowed object
        sources</var></a>, the user agent <em class="rfc2119" title="must not">must not</em> load the plug-in.</p>
      </div>

      <div id="style-src" class="section">
        <h3><span class="secno">4.4 </span><code>style-src</code></h3>

        <p>The <code>style-src</code> directive restricts which styles the
        user applies to the protected document. The syntax for the name and
        value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "style-src"
directive-value   = source-list
</pre>


        <p>If the policy contains an explicit <code>style-src</code>, let the
        <var>allowed style sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed style sources</var> be the
        <var>default sources</var></p>

        <p>If <code>'unsafe-inline'</code> is not in <var>allowed style
        sources</var>:</p>
        <ul>
          <li>Whenever the user agent would apply style from a
          <code>style</code> element, instead the user agent <code><em class="rfc2119" title="must">must</em></code>
          ignore the style.</li>

          <li>Whenever the user agent would apply style from a
          <code>style</code> attribute, instead the user agent
          <code><em class="rfc2119" title="must">must</em></code> ignore the style.</li>
        </ul>

        <p>Note: These restrictions on inline do not prevent the user agent
        from applying style from an external stylesheet (e.g., found via
        <code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
        not prevented from applying style from CSSOM.</p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed style
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting external stylesheets, such as when processing the
          <code>href</code> attribute of a <code>link</code> element with a
          <code>rel</code> attribute containing the token
          <code>stylesheet</code> or when processing the <code>@import</code>
          directive in a stylesheet.</li>
        </ul>

        <p>Note: The <code>style-src</code> directive does not restrict the
        use of XSLT. XSLT is restricted by the <code>script-src</code>
        directive because the security consequences of including an untrusted
        XSLT stylesheet are similar to those incurred by including an
        untrusted script.</p>
      </div>

      <div id="img-src" class="section">
        <h3><span class="secno">4.5 </span><code>img-src</code></h3>

        <p>The <code>img-src</code> directive restricts from where the
        protected document can load images. The syntax for the name and value
        of the directive are described by the following ABNF grammar:</p>

<pre>directive-name    = "img-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>img-src</code>, let the
        <var>allowed image sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed image sources</var> be the
        <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed image
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting data for an image, such as when processing the
          <code>src</code> attribute of an <code>img</code> elements,
          the <code>url()</code> or <code>image()</code> values on any CSS
          property that is capable of loading an image [<em><a href="http://www.w3.org/TR/css3-images/">CSS3-Images</a></em>], or
          the <code>href</code> attribute of a <code>link</code> element with
          an image-related <code>rel</code> attribute, such as
          <code>icon</code>.</li>
        </ul>

        <p class="issue">Should the user agent fire the error event when one of these loads fails?</p>
      </div>

      <div id="media-src" class="section">
        <h3><span class="secno">4.6 </span><code>media-src</code></h3>

        <p>The <code>media-src</code> directive restricts from where the
        protected document can load video and audio. The syntax for the name
        and value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "media-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>media-src</code>, let the
        <var>allowed media sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed media sources</var> be the
        <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed media
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting data for a video or audio clip, such as when
          processing the <code>src</code> attribute of a <code>video</code>
          or <code>audio</code> elements.</li>
        </ul>
      </div>

      <div id="frame-src" class="section">
        <h3><span class="secno">4.7 </span><code>frame-src</code></h3>

        <p>The <code>frame-src</code> directive restricts from where the
        protected document can embed frames. The syntax for the name
        and value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "frame-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>frame-src</code>, let the
        <var>allowed frame sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed frame sources</var> be the
        <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed frame
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting data for display in a frame, such as when processing
          the <code>src</code> attribute of an <code>iframe</code> or
          <code>frame</code> element.</li>
          <li>Navigating a nested browsing context within the protected
          document.</li>
        </ul>

        <p class="issue">How does this work for the <code>object</code>
        element? We don't know whether the request is going to lead to a
        plug-in or a frame until we get the response back and can look at the
        MIME type.</p>
      </div>

      <div id="font-src" class="section">
        <h3><span class="secno">4.8 </span><code>font-src</code></h3>

        <p>The <code>font-src</code> directive restricts from where the
        protected document can load fonts. The syntax for the name and value
        of the directive are described by the following ABNF grammar:</p>

<pre>directive-name    = "font-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>font-src</code>, let the
        <var>allowed font sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed font sources</var> be the
        <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed font
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Requesting data for display in a font, such as when processing
          the <code>@font-face</code> CSS rule. <em>TODO: Citation needed.</em></li>
        </ul>
      </div>

      <div id="connect-src" class="section">
        <h3><span class="secno">4.9 </span><code>connect-src</code></h3>

        <p>The <code>connect-src</code> directive restricts which URIs the
        protected document can load using DOM APIs. The syntax for the name
        and value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "connect-src"
directive-value   = source-list
</pre>

        <p>If the policy contains an explicit <code>connect-src</code>, let
        the <var>allowed connection targets</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
        list</a>. Otherwise, let the <var>allowed connection targets</var> be
        the <var>default sources</var></p>

        <p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
        a URI (including when following redirects) in the course of one of the
        following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed font
        sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
        HTTP 400 response:</p>
        <ul>
          <li>Processing the <a href="http://www.w3.org/TR/XMLHttpRequest/#the-open-method"><code>open()</code>
          method</a> of an <code>XMLHttpRequest</code> object.</li>

          <li>Processing the <a href="http://dev.w3.org/html5/websockets/#websocket"><code>WebSocket</code>
          constructor</a>.</li>

          <li>Processing the <a href="http://dev.w3.org/html5/eventsource/#eventsource"><code>EventSource</code>
          constructor</a>.</li>
        </ul>
      </div>

      <div id="sandbox" class="section">
        <h3><span class="secno">4.10 </span><code>sandbox</code></h3>

        <p class="issue">A future version of this document might include a
        <code>sandbox</code> directive for controlling the HTML5 sandbox
        flags.</p>
      </div>

      <div id="report-uri" class="section">
        <h3><span class="secno">4.11 </span><code>report-uri</code></h3>

        <p>The <code>report-uri</code> directive specifies a URI to which the
        user agent sends reports about policy violation. The syntax for the
        name and value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "report-uri"
directive-value   = uri-reference *( 1*WSP uri-reference )
uri-reference     = &lt;URI-reference from RFC 3986&gt;
</pre>

        <p>Let the <var>set of report URIs</var> be the value of the
        <code>report-uri</code> directive, each resolved relative to the
        protected document's URI.</p>

        <p>To <dfn id="send-a-violation-report">send a violation report</dfn>,
        the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the following:</p>
        <ol>
          <li>Prepare a dictionary <var>violation dictionary</var> with the
          following keys and values:
            <dl>
              <dt>request</dt>
              <dd>HTTP request line of the protected resource whose policy was
              violated including method, URI and HTTP version</dd>

              <dt>request-headers</dt>
              <dd>HTTP request headers sent with the request for the protected
              resource whose policy was violated</dd>

              <dt>blocked-uri</dt>
              <dd>URI of the resource that was prevented from loading due to
              the policy violation</dd>

              <dt>violated-directive</dt>
              <dd>The policy directive that was violated</dd>

              <dt>original-policy</dt>
              <dd>The original policy as received by the user-agent. If the
              policy was received via more than one Content Security Policy
              response header, this field <em class="rfc2119" title="must">must</em> contain a comma separated list
              of original policies</dd>
            </dl>

            <p class="issue">We might need to change some of these keys
            because they can leak sensitive information.</p>
          </li>

          <li>If the origin of the blocked-uri is not the same as the
          document's origin, then replace the blocked-uri with the ASCII
          serialization of the blocked-uri's origin.</li>

          <li>Let the <var>violation report</var> be the JSON stringification
          of the <var>violation dictionary</var>.</li>

          <li>For each <var>report URI</var> in the <var>set of report URIs</var>:
            <ol>
              <li>If the <var>report URI</var> has a different scheme than the
              URI of the protected document, then ignore this <var>report
              URI</var> and continue to the next iteration of the loop.</li>

              <li>If the <var>report URI</var> has a different port than the
              URI of the protected document, then ignore this <var>report
              URI</var> and continue to the next iteration of the loop.</li>

              <li>If the <var>report URI</var>'s host does not share the same
              <em><a href="http://publicsuffix.org/">public suffix</a> +1 DNS
              label</em> as the URI of the protected document, then ignore
              this <var>report URI</var> and continue to the next iteration of
              the loop.

              <p>Examples of public suffixes include <code>.com</code>,
              <code>.net</code> and <code>.co.uk</code>. Examples of
              <em>"public suffix +1 DNS label"</em> include
              <code>example.com</code>, <code>example.net</code> and
              <code>example.co.uk</code>. Therefore a protected document whose
              host is <code>www.example.com</code> could have a
              <code>report-uri</code> hosted on
              <code>reports.example.com</code> but <b>not</b>
              <code>reports.example.net</code>.</p></li>

              <li>Fetch the <var>report URI</var> from origin of the protected
              document, with the synchronous flag <em>not</em> set, using HTTP
              method <code>POST</code>, with a <code>Content-Type</code>
              header field of <code>application/json</code> with an entity
              body consisting of the <var>violation report</var>. The user
              agent <em class="rfc2119" title="must not">must not</em> follow redirects when fetching this resource.
              (Note: The user agent ignores the fetched resource.)</li>
            </ol>
          </li>
        </ol>
      </div>

      <div id="policy-uri" class="section">
        <h3><span class="secno">4.12 </span><code>policy-uri</code></h3>

        <p>The <code>policy-uri</code> directive specifies a URI from which
        the user agent can retrieve the actual policy. The syntax for the name
        and value of the directive are described by the following ABNF
        grammar:</p>

<pre>directive-name    = "policy-uri"
directive-value   = &lt;URI-reference from RFC 3986&gt;
</pre>

        <p class="issue">The <code>policy-uri</code> directive might be
        removed from this document.</p>

        <p>Authors <em class="rfc2119" title="must not">must not</em> specify policies that contain both a
        <code>policy-uri</code> directive and another directive.</p>

        <p>If the user agent would enforce a policy containing both the
        <code>policy-uri</code> directive and another directive, instead the
        user agent <em class="rfc2119" title="must">must</em> enforce the policy <code>default-src
        'none'</code>.</p>

        <p>When processing the <code>policy-uri</code> directive, the user
        agent <em class="rfc2119" title="must">must</em> run an algorithm equivalent to the following:</p>
        <ul>
          <li>Let <var>request URI</var> be the URI that results from
          resolving the value of the <code>policy-uri</code> directive
          relative to the URI of the protected document.</li>

          <li>If <var>request URI</var> is not from the same origin as the
          protected document, abort these steps and enforce the policy
          <code>default-src 'none'</code>.

          </li><li>Fetch the <var>request URI</var> from origin of the protected
          document, with the synchronous flag set, using HTTP method
          <code>GET</code>.</li>

          <li>If the fetch returned a status code other than <code>200</code>
          or if the request encountered an HTTP redirect, abort these steps
          and enforce the policy <code>default-src 'none'</code>.</li>

          <li>If the fetched resource lacks a <code>Content-Type</code> header
          field or if the <code>Content-Type</code> header field is not a case
          insensitive match for <code>text/x-content-security-policy</code>,
          abort these steps and enforce the policy <code>default-src
          'none'</code>.</li>

          <li>Let the <var>fetched policy</var> be the result of <a href="#parse-a-csp-policy">parsing the fetched resource as a CSP
          policy</a>.</li>

          <li>If the <var>fetched policy</var> contains a
          <code>policy-uri</code> directive, abort these steps and enforce the
          policy <code>default-src 'none'</code>.</li>

          <li><a href="#enforce">Enforce</a> the <var>fetched
          policy</var>.</li>
        </ul>
      </div>
    </div>

    <div id="examples" class="section">
      <!--OddPage--><h2><span class="secno">5. </span>Examples</h2>

      <div class="informative section" id="sample-policy-definitions">
        <h3><span class="secno">5.1 </span>Sample Policy Definitions</h3><p><em>This section is non-normative.</em></p>

        <p>This section provides some sample use cases and accompanying security policies.</p>

        <p><strong>Example 1:</strong> A server wishes to load resources only
        form its own origin:</p>

        <pre>Content-Security-Policy: default-src 'self'</pre>

        <p><strong>Example 2:</strong> An auction site wishes to load images
        from any URI, plug-in content from a list of trusted media providers
        (including a content distribution network), and scripts only from a
        server under its control hosting sanitized ECMAScript:</p>

        <pre>Content-Security-Policy: default-src 'self'; img-src *;
                         object-src media1.example.com media2.example.com *.cdn.example.com;
                         script-src trustedscripts.example.com</pre>

        <p><strong>Example 3:</strong> A site operations group wishes to globally deny all
        third-party scripts in the site, and a particular project team wishes to also disallow
        third-party media in their section of the site.  Site operations sends the first header
        while the project team sends the second header, and the user-agent takes the combination of
        the two headers to form the complete interpreted policy:</p>

        <pre>Content-Security-Policy: default-src *; script-src 'self'
Content-Security-Policy: default-src *; script-src 'self'; media-src 'self'</pre>

        <p><strong>Example 4:</strong> Online banking site wishes to ensure that all of the content
        in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content
        requests:</p>

        <pre>Content-Security-Policy: default-src https:</pre>
      </div>

      <div class="informative section" id="sample-violation-report">
        <h3><span class="secno">5.2 </span>Sample Violation Report</h3><p><em>This section is non-normative.</em></p>

        <p>This section contains an example violation report the user agent
        might sent to a server when the protected document violations a sample
        policy.</p>

        <p>In the following example, a document from
        <code>http://example.org/page.html</code> was rendered with the
        following CSP policy:</p>

<pre>default-src 'self'; report-uri http://example.org/csp-report.cgi</pre>

        <p>The document loaded an image from
        <code>http://evil.example.com/image.png</code>, violating the
        policy.</p>

        <pre>{
  "csp-report": {
    "request": "GET http://example.org/page.html HTTP/1.1",
    "request-headers": "Host: example.org
                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b12pre) Gecko/20110222 Firefox/4.0b12pre
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                        Accept-Language: en-us,en;q=0.5
                        Accept-Encoding: gzip, deflate
                        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
                        Keep-Alive: 115
                        Proxy-Connection: keep-alive
                        Cache-Control: max-age=0",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src http://example.org"
  }
}</pre>

        <p>In the above sample report the <code>violated-directive</code>
        field was sent in the way it was interpreted by the user-agent. The
        directive was made explicit by replacing the keyword
        <code>'self'</code> with the explicit host name of the protected
        resource. This is recommended behavior for user-agents as it reduces
        ambiguity, making policy violations easier to trace by server
        admins.</p>

        <p class="issue">Should we add this as a requirement when preparing
        reports?</p>
      </div>
    </div>
  

<div id="references" class="appendix section"><!--OddPage--><h2><span class="secno">A. </span>References</h2><div id="normative-references" class="section"><h3><span class="secno">A.1 </span>Normative references</h3><dl class="bibliography"><dt id="bib-ABNF">[ABNF]</dt><dd>D. Crocker and P. Overell. <a href="http://www.ietf.org/rfc/rfc5234.txt"><cite>Augmented BNF for Syntax Specifications: ABNF.</cite></a> January 2008. Internet RFC 5234. URL: <a href="http://www.ietf.org/rfc/rfc5234.txt">http://www.ietf.org/rfc/rfc5234.txt</a>
</dd><dt id="bib-CSS3FONT">[CSS3FONT]</dt><dd>Michel Suignard; Chris Lilley. <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802"><cite>CSS3 module: Fonts.</cite></a> 2 August 2002. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802">http://www.w3.org/TR/2002/WD-css3-fonts-20020802</a> 
</dd><dt id="bib-HTML401">[HTML401]</dt><dd>David Raggett; Ian Jacobs; Arnaud Le Hors. <a href="http://www.w3.org/TR/1999/REC-html401-19991224"><cite>HTML 4.01 Specification.</cite></a> 24 December 1999. W3C Recommendation. URL: <a href="http://www.w3.org/TR/1999/REC-html401-19991224">http://www.w3.org/TR/1999/REC-html401-19991224</a> 
</dd>

<dt id="bib-HTML5">[HTML5]</dt><dd>Ian Hickson; David Hyatt. <a
   href="http://www.w3.org/TR/html5"><cite>HTML5.</cite></a> 25 May
  2011. W3C Last Call Working Draft. (Work in progress.) URL: <a
   href="http://www.w3.org/TR/html5">http://www.w3.org/TR/html5</a><br>
  This draft refers to an updated version of section <a
   href="http://dev.w3.org/html5/spec/common-microsyntaxes.html">2.5
  Common microsyntaxes</a> that is, at time of this publication, only
  contained in the <a
   href="http://dev.w3.org/html5/spec/Overview.html">HTML5 Editor's
  Draft</a>.  </dd>

<dt id="bib-RFC2119">[RFC2119]</dt><dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt"><cite>Key words for use in RFCs to Indicate Requirement Levels.</cite></a> March 1997. Internet RFC 2119.  URL: <a href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a> 
</dd><dt id="bib-URI">[URI]</dt><dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="http://www.ietf.org/rfc/rfc3986.txt"><cite>Uniform Resource Identifiers (URI): generic syntax.</cite></a> January 2005. Internet RFC 3986. URL: <a href="http://www.ietf.org/rfc/rfc3986.txt">http://www.ietf.org/rfc/rfc3986.txt</a> 
</dd><dt id="bib-WEBIDL">[WEBIDL]</dt><dd>Cameron McCormack. <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219"><cite>Web IDL.</cite></a> 19 December 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219">http://www.w3.org/TR/2008/WD-WebIDL-20081219</a> 
</dd><dt id="bib-XMLHTTPREQUEST">[XMLHTTPREQUEST]</dt><dd>Anne van Kesteren. <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415"><cite>The XMLHttpRequest Object.</cite></a> 15 April 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415">http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415</a> 
</dd></dl></div><div id="informative-references" class="section"><h3><span class="secno">A.2 </span>Informative references</h3><p>No informative references.</p></div></div></body></html>