<!DOCTYPE html PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'>
<html lang="en" dir="ltr">
<head>
<title>Content Security Policy</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<!--
=== NOTA BENE ===
For the three scripts below: if your spec resides on dev.w3, you can check them
out in the same tree and use relative links so that they work offline.
-->
<style type="text/css">
/*****************************************************************
* ReSpec CSS
* Robin Berjon (robin at berjon dot com)
* v0.05 - 2009-07-31
*****************************************************************/
/* --- INLINES --- */
/* RFC 2119 requirement keywords: dark-red small caps, upright. */
em.rfc2119 {
  font-style: normal;
  font-variant: small-caps;
  text-transform: lowercase;
  color: #900;
}
/* No underline-style border on abbreviations inside headings or links. */
h1 acronym, h2 acronym, h3 acronym, h4 acronym, h5 acronym, h6 acronym, a acronym,
h1 abbr, h2 abbr, h3 abbr, h4 abbr, h5 abbr, h6 abbr, a abbr { border: none; }
dfn { font-weight: bold; }
/* Links to term definitions: solid rule for in-document targets, dotted for external ones. */
a.internalDFN {
  color: inherit;
  text-decoration: none;
  border-bottom: 1px solid #99c;
}
a.externalDFN {
  color: inherit;
  text-decoration: none;
  border-bottom: 1px dotted #ccc;
}
a.bibref { text-decoration: none; }
code { color: #ff4500; }
/* --- WEB IDL --- */
/* IDL listings: a framed block with a "WebIDL" banner hung from its top-left corner. */
pre.idl {
  padding: 1em;
  line-height: 120%;
  border-top: 1px solid #90b8de;
  border-bottom: 1px solid #90b8de;
}
pre.idl::before {
  content: "WebIDL";
  display: block;
  width: 150px;
  margin: -1em 0 1em -1em; /* negative margins pull the banner into the pre's padding */
  padding: 3px;
  font-family: initial;
  font-weight: bold;
  color: #fff;
  background: #90b8de;
}
.idlType {
  font-weight: bold;
  text-decoration: none;
  color: #ff4500;
}
/*.idlModule*/
/*.idlModuleID*/
/*.idlInterface*/
.idlInterfaceID, .idlDictionaryID {
  font-weight: bold;
  color: #005a9c;
}
.idlSuperclass {
  font-style: italic;
  color: #005a9c;
}
/*.idlAttribute*/
.idlAttrType, .idlFieldType, .idlMemberType { color: #005a9c; }
.idlAttrName, .idlFieldName, .idlMemberName { color: #ff4500; }
.idlAttrName a, .idlFieldName a, .idlMemberName a {
  color: #ff4500;
  text-decoration: none;
  border-bottom: 1px dotted #ff4500;
}
/*.idlMethod*/
.idlMethType { color: #005a9c; }
.idlMethName { color: #ff4500; }
.idlMethName a {
  color: #ff4500;
  text-decoration: none;
  border-bottom: 1px dotted #ff4500;
}
/*.idlParam*/
.idlParamType { color: #005a9c; }
.idlParamName { font-style: italic; }
.extAttr { color: #666; }
/*.idlConst*/
.idlConstType { color: #005a9c; }
.idlConstName { color: #ff4500; }
.idlConstName a {
  color: #ff4500;
  text-decoration: none;
  border-bottom: 1px dotted #ff4500;
}
/*.idlException*/
.idlExceptionID {
  font-weight: bold;
  color: #c00;
}
.idlTypedefID, .idlTypedefType { color: #005a9c; }
/* Exception-related names share one red so a raised type reads the same everywhere. */
.idlRaises, .idlRaises a.idlType, .idlRaises a.idlType code, .excName a, .excName a code {
  font-weight: normal;
  color: #c00;
}
.excName a { font-family: monospace; }
.idlRaises a.idlType, .excName a.idlType { border-bottom: 1px dotted #c00; }
/* Fixed-width yes/no cells in the parameter and exception tables. */
.excGetSetTrue, .excGetSetFalse, .prmNullTrue, .prmNullFalse, .prmOptTrue, .prmOptFalse {
  width: 45px;
  text-align: center;
}
.excGetSetTrue, .prmNullTrue, .prmOptTrue { color: #0c0; }
.excGetSetFalse, .prmNullFalse, .prmOptFalse { color: #c00; }
.idlImplements a { font-weight: bold; }
dl.attributes, dl.methods, dl.constants, dl.fields, dl.dictionary-members { margin-left: 2em; }
.attributes dt, .methods dt, .constants dt, .fields dt, .dictionary-members dt { font-weight: normal; }
.attributes dt code, .methods dt code, .constants dt code, .fields dt code, .dictionary-members dt code {
  font-family: monospace;
  font-weight: bold;
  color: #000;
}
/* Per-member-kind background tints for the <dt> code labels. */
.attributes dt code, .fields dt code, .dictionary-members dt code { background: #ffffd2; }
.attributes dt .idlAttrType code, .fields dt .idlFieldType code, .dictionary-members dt .idlMemberType code {
  font-family: inherit;
  font-weight: normal;
  font-style: italic;
  color: #005a9c;
  background: transparent;
}
.methods dt code { background: #d9e6f8; }
.constants dt code { background: #ddffd2; }
.attributes dd, .methods dd, .constants dd, .fields dd, .dictionary-members dd { margin-bottom: 1em; }
table.parameters, table.exceptions {
  width: 100%;
  margin: 0.5em 0;
  border-spacing: 0;
  border-collapse: collapse;
}
table.parameters { border-bottom: 1px solid #90b8de; }
table.exceptions { border-bottom: 1px solid #deb890; }
.parameters th, .exceptions th {
  padding: 3px 5px;
  text-align: left;
  font-family: initial;
  font-weight: normal;
  color: #fff;
  text-shadow: #666 1px 1px 0;
}
.parameters th { background: #90b8de; }
.exceptions th { background: #deb890; }
.parameters td, .exceptions td {
  padding: 3px 10px;
  vertical-align: top;
  border-top: 1px solid #ddd;
}
.parameters tr:first-child td, .exceptions tr:first-child td { border-top: none; }
.parameters td.prmName, .exceptions td.excName, .exceptions td.excCodeName { width: 100px; }
.parameters td.prmType { width: 120px; }
table.exceptions table {
  width: 100%;
  border-spacing: 0;
  border-collapse: collapse;
}
/* --- TOC --- */
.toc a { text-decoration: none; }
/* Section numbers inside links stay black rather than taking the link colour. */
a .secno { color: #000; }
/* --- TABLE --- */
table.simple {
  border-spacing: 0;
  border-collapse: collapse;
  border-bottom: 3px solid #005a9c;
}
.simple th {
  padding: 3px 5px;
  text-align: left;
  color: #fff;
  background: #005a9c;
}
/* Row headers inherit the row's colours instead of the blue column-header bar. */
.simple th[scope="row"] {
  color: inherit;
  background: inherit;
  border-top: 1px solid #ddd;
}
.simple td {
  padding: 3px 10px;
  border-top: 1px solid #ddd;
}
.simple tr:nth-child(even) { background: #f0f6ff; }
/* --- DL --- */
/* Collapse the outer paragraph margins inside a definition description. */
.section dd > p:first-child { margin-top: 0; }
.section dd > p:last-child { margin-bottom: 0; }
.section dd { margin-bottom: 1em; }
.section dl.attrs dd, .section dl.eldef dd { margin-bottom: 0; }
/* --- EXAMPLES --- */
/* Example listings: same banner treatment as pre.idl, in orange. */
pre.example {
  margin-top: 1em;
  padding: 1em;
  border-top: 1px solid #ff4500;
  border-bottom: 1px solid #ff4500;
}
pre.example::before {
  content: "Example";
  display: block;
  width: 150px;
  margin: -1em 0 1em -1em;
  padding: 3px;
  font-family: initial;
  font-weight: bold;
  color: #fff;
  background: #ff4500;
}
/* --- EDITORIAL NOTES --- */
/* Issue boxes (red on yellow) and note boxes (green) with a floating label on the top border. */
.issue {
  margin: 1em 0 0;
  padding: 1em;
  border: 1px solid #f00;
  background: #ffc;
}
.issue::before {
  content: "Issue";
  display: block;
  width: 150px;
  margin: -1.5em 0 0.5em 0;
  padding: 3px 1em;
  font-weight: bold;
  border: 1px solid #f00;
  background: #fff;
}
.note {
  margin: 1em 0 0;
  padding: 1em;
  border: 2px solid #cff6d9;
  background: #e2fff0;
}
.note::before {
  content: "Note";
  display: block;
  width: 150px;
  margin: -1.5em 0 0.5em 0;
  padding: 3px 1em;
  font-weight: bold;
  border: 1px solid #cff6d9;
  background: #fff;
}
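/* --- Best Practices --- */
div.practice {
  margin: 2em 1em 1em 2em;
  border: 1px solid #bebebe;
}
/* Practice label, pulled up onto the box's top border. The three
   span.practicelab rules carried disjoint declarations; one rule is
   equivalent under the cascade and easier to maintain. */
span.practicelab {
  position: relative;
  top: -1.5em;
  margin: 1.5em 0.5em 1em 1em;
  padding: 0 0.5em;
  font-weight: bold;
  font-style: italic;
  background: #dfffff;
}
p.practicedesc {
  margin: 1.5em 0.5em 1em 1em;
}
@media screen {
  p.practicedesc {
    position: relative;
    top: -2em;
    padding: 0;
    margin: 1.5em 0.5em -1em 1em;
  }
}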
/* --- SYNTAX HIGHLIGHTING --- */
pre.sh_sourceCode {
background-color: white;
color: black;
font-style: normal;
font-weight: normal;
}
pre.sh_sourceCode .sh_keyword { color: #005a9c; font-weight: bold; } /* language keywords */
pre.sh_sourceCode .sh_type { color: #666; } /* basic types */
pre.sh_sourceCode .sh_usertype { color: teal; } /* user defined types */
pre.sh_sourceCode .sh_string { color: red; font-family: monospace; } /* strings and chars */
pre.sh_sourceCode .sh_regexp { color: orange; font-family: monospace; } /* regular expressions */
pre.sh_sourceCode .sh_specialchar { color: #ffc0cb; font-family: monospace; } /* e.g., \n, \t, \\ */
pre.sh_sourceCode .sh_comment { color: #A52A2A; font-style: italic; } /* comments */
pre.sh_sourceCode .sh_number { color: purple; } /* literal numbers */
pre.sh_sourceCode .sh_preproc { color: #00008B; font-weight: bold; } /* e.g., #include, import */
pre.sh_sourceCode .sh_symbol { color: blue; } /* e.g., *, + */
pre.sh_sourceCode .sh_function { color: black; font-weight: bold; } /* function calls and declarations */
pre.sh_sourceCode .sh_cbracket { color: red; } /* block brackets (e.g., {, }) */
pre.sh_sourceCode .sh_todo { font-weight: bold; background-color: #00FFFF; } /* TODO and FIXME */
/* Predefined variables and functions (for instance glsl) */
pre.sh_sourceCode .sh_predef_var { color: #00008B; }
pre.sh_sourceCode .sh_predef_func { color: #00008B; font-weight: bold; }
/* for OOP */
pre.sh_sourceCode .sh_classname { color: teal; }
/* line numbers (not yet implemented) */
pre.sh_sourceCode .sh_linenum { display: none; }
/* Internet related */
pre.sh_sourceCode .sh_url { color: blue; text-decoration: underline; font-family: monospace; }
/* for ChangeLog and Log files */
pre.sh_sourceCode .sh_date { color: blue; font-weight: bold; }
pre.sh_sourceCode .sh_time, pre.sh_sourceCode .sh_file { color: #00008B; font-weight: bold; }
pre.sh_sourceCode .sh_ip, pre.sh_sourceCode .sh_name { color: #006400; }
/* for Prolog, Perl... */
pre.sh_sourceCode .sh_variable { color: #006400; }
/* for LaTeX */
pre.sh_sourceCode .sh_italics { color: #006400; font-style: italic; }
pre.sh_sourceCode .sh_bold { color: #006400; font-weight: bold; }
pre.sh_sourceCode .sh_underline { color: #006400; text-decoration: underline; }
pre.sh_sourceCode .sh_fixed { color: green; font-family: monospace; }
pre.sh_sourceCode .sh_argument { color: #006400; }
pre.sh_sourceCode .sh_optionalargument { color: purple; }
pre.sh_sourceCode .sh_math { color: orange; }
pre.sh_sourceCode .sh_bibtex { color: blue; }
/* for diffs */
pre.sh_sourceCode .sh_oldfile { color: orange; }
pre.sh_sourceCode .sh_newfile { color: #006400; }
pre.sh_sourceCode .sh_difflines { color: blue; }
/* for css */
pre.sh_sourceCode .sh_selector { color: purple; }
pre.sh_sourceCode .sh_property { color: blue; }
pre.sh_sourceCode .sh_value { color: #006400; font-style: italic; }
/* other */
pre.sh_sourceCode .sh_section { color: black; font-weight: bold; }
pre.sh_sourceCode .sh_paren { color: red; }
pre.sh_sourceCode .sh_attribute { color: #006400; }
</style><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css" charset="utf-8"></head>
<body style="display: inherit; "><div class="head"><p><a href="http://www.w3.org/"><img width="72" height="48" src="http://www.w3.org/Icons/w3c_home" alt="W3C"></a></p><h1 class="title" id="title">Content Security Policy</h1><h2 id="w3c-working-draft-29-november-2011">W3C Working Draft 29 November 2011</h2><dl><dt>This version:</dt><dd><a href="http://www.w3.org/TR/2011/WD-CSP-20111129/">http://www.w3.org/TR/2011/WD-CSP-20111129/</a></dd><dt>Latest published version:</dt><dd><a href="http://www.w3.org/TR/CSP/">http://www.w3.org/TR/CSP/</a></dd><dt>Latest editor's draft:</dt><dd><a href="http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html</a></dd><dt>Editors:</dt><dd><a href="mailto:bsterne@mozilla.com">Brandon Sterne</a>, <a href="http://www.mozilla.com/">Mozilla Corporation</a></dd>
<dd><a href="mailto:w3c@adambarth.com">Adam Barth</a>, <a href="http://www.google.com/">Google, Inc.</a></dd>
</dl><p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2010-2011 <a href="http://www.w3.org/"><acronym title="World Wide Web Consortium">W3C</acronym></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><acronym title="Massachusetts Institute of Technology">MIT</acronym></a>, <a href="http://www.ercim.eu/"><acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p><hr></div>
<div id="abstract" class="introductory section"><h2>Abstract</h2>
<p>This document defines a policy language used to declare a set of
content restrictions for a web resource, and a mechanism for
transmitting the policy from a server to a client where the policy is
enforced.</p>
</div><div id="sotd" class="introductory section"><h2>Status of This Document</h2><p><em>This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at http://www.w3.org/TR/.</em></p>
<p>Although a FPWD, this document describes a proposal that has been
discussed by the broader community for approximately a year. There are experimental
implementations in Firefox and Chrome, using the header names
<code>X-Content-Security-Policy</code> and <code>X-WebKit-CSP</code>
respectively. Internet Explorer 10 Platform Preview also contains a
partial implementation, using the header name
X-Content-Security-Policy.</p>
<p>In addition to the documents in the W3C Web Application Security
working group, the work on this document is also informed by the work of
the <a href="http://tools.ietf.org/wg/websec/">IETF websec working
group</a>, particularly that working group's requirements document:
<a href="http://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a></p>
<p>This document was published by the <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a First Public Working Draft. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them to <a href="mailto:public-webappsec@w3.org">public-webappsec@w3.org</a> (<a href="mailto:public-webappsec-request@w3.org?subject=subscribe">subscribe</a>, <a href="http://lists.w3.org/Archives/Public/public-webappsec/">archives</a>). All feedback is welcome.</p><p>Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.</p><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>. W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>.</p></div><div id="toc" class="section"><h2 class="introductory">Table of Contents</h2><ul class="toc"><li class="tocline"><a href="#introduction" class="tocxref"><span class="secno">1. </span>Introduction</a></li><li class="tocline"><a href="#conformance" class="tocxref"><span class="secno">2. 
</span>Conformance</a><ul class="toc"><li class="tocline"><a href="#terminology" class="tocxref"><span class="secno">2.1 </span>Terminology</a></li></ul></li><li class="tocline"><a href="#framework" class="tocxref"><span class="secno">3. </span>Framework</a><ul class="toc"><li class="tocline"><a href="#policy-delivery" class="tocxref"><span class="secno">3.1 </span>Policy Delivery</a><ul class="toc"><li class="tocline"><a href="#content-security-policy-header-field" class="tocxref"><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</a></li><li class="tocline"><a href="#content-security-policy-report-only-header-field" class="tocxref"><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</a></li><li class="tocline"><a href="#html-meta-element" class="tocxref"><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</a></li></ul></li><li class="tocline"><a href="#syntax" class="tocxref"><span class="secno">3.2 </span>Syntax</a><ul class="toc"><li class="tocline"><a href="#policies" class="tocxref"><span class="secno">3.2.1 </span>Policies</a></li><li class="tocline"><a href="#source-list" class="tocxref"><span class="secno">3.2.2 </span>Source List</a></li></ul></li><li class="tocline"><a href="#processing-model" class="tocxref"><span class="secno">3.3 </span>Processing Model</a></li></ul></li><li class="tocline"><a href="#directives" class="tocxref"><span class="secno">4. 
</span>Directives</a><ul class="toc"><li class="tocline"><a href="#default-src" class="tocxref"><span class="secno">4.1 </span><code>default-src</code></a></li><li class="tocline"><a href="#script-src" class="tocxref"><span class="secno">4.2 </span><code>script-src</code></a></li><li class="tocline"><a href="#object-src" class="tocxref"><span class="secno">4.3 </span><code>object-src</code></a></li><li class="tocline"><a href="#style-src" class="tocxref"><span class="secno">4.4 </span><code>style-src</code></a></li><li class="tocline"><a href="#img-src" class="tocxref"><span class="secno">4.5 </span><code>img-src</code></a></li><li class="tocline"><a href="#media-src" class="tocxref"><span class="secno">4.6 </span><code>media-src</code></a></li><li class="tocline"><a href="#frame-src" class="tocxref"><span class="secno">4.7 </span><code>frame-src</code></a></li><li class="tocline"><a href="#font-src" class="tocxref"><span class="secno">4.8 </span><code>font-src</code></a></li><li class="tocline"><a href="#connect-src" class="tocxref"><span class="secno">4.9 </span><code>connect-src</code></a></li><li class="tocline"><a href="#sandbox" class="tocxref"><span class="secno">4.10 </span><code>sandbox</code></a></li><li class="tocline"><a href="#report-uri" class="tocxref"><span class="secno">4.11 </span><code>report-uri</code></a></li><li class="tocline"><a href="#policy-uri" class="tocxref"><span class="secno">4.12 </span><code>policy-uri</code></a></li></ul></li><li class="tocline"><a href="#examples" class="tocxref"><span class="secno">5. </span>Examples</a><ul class="toc"><li class="tocline"><a href="#sample-policy-definitions" class="tocxref"><span class="secno">5.1 </span>Sample Policy Definitions</a></li><li class="tocline"><a href="#sample-violation-report" class="tocxref"><span class="secno">5.2 </span>Sample Violation Report</a></li></ul></li><li class="tocline"><a href="#references" class="tocxref"><span class="secno">A. 
</span>References</a><ul class="toc"><li class="tocline"><a href="#normative-references" class="tocxref"><span class="secno">A.1 </span>Normative references</a></li><li class="tocline"><a href="#informative-references" class="tocxref"><span class="secno">A.2 </span>Informative references</a></li></ul></li></ul></div>
<div class="informative section" id="introduction">
<!--OddPage--><h2><span class="secno">1. </span>Introduction</h2><p><em>This section is non-normative.</em></p>
<p>This document defines Content Security Policy, a mechanism web
applications can use to mitigate the broad class of content injection
vulnerabilities, such as cross-site scripting (XSS). Content Security
Policy is a declarative policy that lets the authors (or server
administrators) of a web application restrict from where the application
can load resources.</p>
<p>To mitigate XSS, for example, a web application can restrict itself
to loading scripts only from known, trusted URIs, making it difficult
for an attacker who can inject content into the web application to
inject malicious script.</p>
<p>Content Security Policy (CSP) is not intended as a first line of
defense against content injection vulnerabilities. Instead, CSP is best
used as defense-in-depth, to reduce the harm caused by content injection
attacks.</p>
<p>There is often a non-trivial amount of work required to apply CSP to
an existing web application. To reap the greatest benefit, authors will
need to move all inline script and style out-of-line, for example into
external scripts, because the user agent cannot determine whether an
inline script was injected by an attacker.</p>
<p>To take advantage of CSP, a web application needs to opt into using
CSP by supplying a Content-Security-Policy HTTP header or an appropriate
HTML <code>meta</code> element. Such policies apply to the current document
only. To supply a policy for an entire site, the server needs to supply a
policy along with each resource representation.</p>
</div>
<div id="conformance" class="section"><!--OddPage--><h2><span class="secno">2. </span>Conformance</h2><p>As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.</p>
<p>The key words <em class="rfc2119" title="must">must</em>, <em class="rfc2119" title="must not">must not</em>, <em class="rfc2119" title="required">required</em>, <em class="rfc2119" title="should">should</em>, <em class="rfc2119" title="should not">should not</em>, <em class="rfc2119" title="recommended">recommended</em>, <em class="rfc2119" title="may">may</em>, and <em class="rfc2119" title="optional">optional</em> in this specification are to be interpreted as described in [<cite><a class="bibref" rel="biblioentry" href="#bib-RFC2119">RFC2119</a></cite>].</p>
<p>Requirements phrased in the imperative as part of algorithms (such as
"strip any leading space characters" or "return false and abort these
steps") are to be interpreted with the meaning of the key word ("<em class="rfc2119" title="must">must</em>",
"<em class="rfc2119" title="should">should</em>", "<em class="rfc2119" title="may">may</em>", etc) used in introducing the algorithm.</p>
<p>A conformant user-agent is one that implements all the requirements
listed in this specification that are applicable to user-agents.</p>
<p>A conformant server is one that implements all the requirements
listed in this specification that are applicable to servers.</p>
<div id="terminology" class="section">
<h3><span class="secno">2.1 </span>Terminology</h3>
<p>This section defines several terms used throughout the document.</p>
<p>The term <dfn id="dfn-security-policy">security policy</dfn>, or
simply <dfn id="dfn-policy">policy</dfn>, for the purposes of this
specification refers to either:
</p><ol>
<li>a set of security preferences for restricting the behavior of
content within a given document, or</li>
<li>a fragment of text that codifies these preferences.</li>
</ol>
<p></p>
<p>The security policies defined by this document are applied by a
user-agent on a <em>per-resource representation basis</em>.
Specifically, when a user agent receives a policy along with the
representation of a given resource, that policy applies to <em>that
resource representation only</em>. That resource representation is
often referred to in this document as the <dfn id="dfn-protected-document">protected
document</dfn>.
</p><p>A server transmits its security policy for a particular resource as
a collection of <dfn id="dfn-directives">directives</dfn>, such as <code>default-src
'self'</code>, each of which controls a specific set of privileges for
a document rendered by a user-agent. More details are provided in the
<a href="#directives">directives</a> section.</p>
<p>A directive consists of a <dfn id="dfn-directive-name">directive name</dfn>, which
indicates the privileges controlled by the directive, and a
<dfn id="dfn-directive-value">directive value</dfn>, which specifies the restrictions the
policy imposes on those privileges.</p>
<p>Fetching resources requires <dfn id="resolve">resolving</dfn>
and <dfn id="parse-url">parsing</dfn> URLs. The algorithms
for <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#resolving-urls">resolving
a URL</a>
and <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/urls.html#parse-a-url">parsing
a URL</a> are defined in the HTML5 standard [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>
<p>The term <dfn id="dfn-origin">origin</dfn> is defined in the Origin specification.
[<em><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">ORIGIN</a></em>]</p>
<p>The term <dfn id="dfn-uri">URI</dfn> is defined in the URI specification. [<cite><a class="bibref" rel="biblioentry" href="#bib-URI">URI</a></cite>]</p>
<p>The <code>&lt;script&gt;</code>, <code>&lt;object&gt;</code>, <code>&lt;embed&gt;</code>,
<code>&lt;img&gt;</code>, <code>&lt;video&gt;</code>, <code>&lt;audio&gt;</code>,
<code>&lt;link&gt;</code>, <code>&lt;frame&gt;</code> and <code>&lt;iframe&gt;</code>
elements are defined in the HTML5 standard [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML5">HTML5</a></cite>].</p>
<p>The <code>&lt;applet&gt;</code> element is defined in the HTML 4.01 standard [<cite><a class="bibref" rel="biblioentry" href="#bib-HTML401">HTML401</a></cite>].</p>
<p>The <code>@font-face</code> CSS rule is defined in the CSS Fonts Module Level 3 standard.
[<cite><a class="bibref" rel="biblioentry" href="#bib-CSS3FONT">CSS3FONT</a></cite>]</p>
<p>The <code>XMLHttpRequest</code> object is defined in the <code>XMLHttpRequest</code>
standard. [<cite><a class="bibref" rel="biblioentry" href="#bib-XMLHTTPREQUEST">XMLHTTPREQUEST</a></cite>]</p>
<p>The <code>WebSocket</code> object is defined in the <code>WebSocket</code>
standard. [<em><a href="http://dev.w3.org/html5/websockets/">WEBSOCKET</a></em>].</p>
<p>The <code>EventSource</code> object is defined in the <code>EventSource</code>
standard. [<em><a href="http://dev.w3.org/html5/eventsource/">EVENTSOURCE</a></em>].</p>
<p>The Augmented Backus-Naur Form (ABNF) notation used in this
document is specified in RFC 5234. [<cite><a class="bibref" rel="biblioentry" href="#bib-ABNF">ABNF</a></cite>]</p>
<p>The following core rules are included by reference, as defined in
[<em><a href="http://tools.ietf.org/html/rfc5234#appendix-B.1">ABNF Appendix B.1</a></em>]:
<code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
characters).</p>
</div>
</div>
<div id="framework" class="section">
<!--OddPage--><h2><span class="secno">3. </span>Framework</h2>
<p>This section defines the general framework for content security
policies, including the delivery mechanisms and general syntax for
policies. The next section contains the details of the specific
directives introduced in this specification.</p>
<div id="policy-delivery" class="section">
<h3><span class="secno">3.1 </span>Policy Delivery</h3>
<p>The policy can be delivered from the server to the client via an HTTP response header
or an HTML <code>meta</code> element.</p>
<p>Of the two delivery mechanisms, servers <em class="rfc2119" title="should">should</em> use the HTTP
response header mechanism whenever possible because, when using the
<code>meta</code> element mechanism, there is a period of time between
when the user agent begins to process the document and when the user
agent encounters the <code>meta</code> element during which the document is
not protected by the policy.</p>
<div id="content-security-policy-header-field" class="section">
<h4><span class="secno">3.1.1 </span><code>Content-Security-Policy</code> Header Field</h4>
<p>The <code>Content-Security-Policy</code> header field is the
preferred mechanism for delivering a CSP policy.</p>
<p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
header fields named <code>Content-Security-Policy</code> along with
the protected document.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy</code> header field, the user agent
<em class="rfc2119" title="must">must</em> <a href="#enforce-the-combination">enforce the combination</a>
of all the policies contained in these header fields.</p>
</div>
<div id="content-security-policy-report-only-header-field" class="section">
<h4><span class="secno">3.1.2 </span><code>Content-Security-Policy-Report-Only</code> Header Field</h4>
<p>The <code>Content-Security-Policy-Report-Only</code> header field
lets servers experiment with CSP by monitoring (rather than
enforcing) a policy. This feature lets server operators develop
their security policy iteratively. They can deploy a report-only
policy based on their best estimate of how their site behaves. If
their site violates this policy, instead of breaking the site, the
user agent will send violation reports to a URI specified in the
policy. Once a site has confidence that the policy is appropriate,
they can promote the report-only policy to normal blocking mode.</p>
<p>A server <em class="rfc2119" title="may">may</em> supply one or more CSP policies in HTTP response
header fields named <code>Content-Security-Policy-Report-Only</code>
along with the protected document.</p>
<p>If a server supplies at least one
<code>Content-Security-Policy-Report-Only</code> header field in an
HTTP response, the server <em class="rfc2119" title="must not">must not</em> supply any
<code>Content-Security-Policy</code> header fields.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy-Report-Only</code> header field, the
user agent <em class="rfc2119" title="must">must</em> <a href="#monitor-the-combination">monitor the
combination</a> of all the policies contained in these header
fields.</p>
</div>
<div id="html-meta-element" class="section">
<h4><span class="secno">3.1.3 </span>HTML <code>meta</code> Element</h4>
<p>The server <em class="rfc2119" title="may">may</em> supply a CSP policy in an HTML <code>meta</code>
element with an <code>http-equiv</code> attribute that is a case
insensitive match for either <code>Content-Security-Policy</code> or
<code>Content-Security-Policy-Report-Only</code>.</p>
<p>Add the following entries to the <a href="http://www.w3.org/TR/html5/semantics.html#pragma-directives">pragma
directives</a> for the <code>meta</code> element:</p>
<dl>
<dt>Content security policy (<code>http-equiv="content-security-policy"</code>)</dt>
<dd>
<ol>
<li>If the document already has a <var>csp-policy</var>, abort
these steps.</li>
<li>If the <code>meta</code> element lacks a
<code>content</code> attribute, abort these steps.</li>
<li><a href="#enforce">Enforce</a> the CSP policy contained in
the <code>content</code> attribute of the <code>meta</code>
element.</li>
</ol>
</dd>
<dt>Content security policy, report only (<code>http-equiv="content-security-policy-report-only"</code>)</dt>
<dd>
<ol>
<li>If the document already has a <var>csp-policy</var>, abort
these steps.</li>
<li>If the <code>meta</code> element lacks a
<code>content</code> attribute, abort these steps.</li>
<li><a href="#monitor">Monitor</a> the CSP policy contained in
the <code>content</code> attribute of the <code>meta</code>
element.</li>
</ol>
</dd>
</dl>
</div>
</div>
<div id="syntax" class="section">
<h3><span class="secno">3.2 </span>Syntax</h3>
<div id="policies" class="section">
<h4><span class="secno">3.2.1 </span>Policies</h4>
<p>A CSP <dfn id="dfn-policy-1">policy</dfn> consists of a U+003B SEMICOLON
(<code>;</code>) delimited list of directives:</p>
<pre>policy = directive-list
directive-list = [ directive *( ";" [ directive ] ) ]
</pre>
<p>Each <dfn id="dfn-directive">directive</dfn> consists of a <var>directive-name</var>
and (optionally) a <var>directive-value</var>:</p>
<pre>directive = *WSP [ directive-name [ WSP directive-value ] ]
directive-name = 1*( ALPHA / DIGIT / "-" )
directive-value = *( WSP / &lt;VCHAR except ";"&gt; )
</pre>
<p>To <dfn id="parse-a-csp-policy">parse a CSP policy</dfn>
<var>policy</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to
the following:</p>
<ol>
<li>Let the <var>set of directives</var> be the empty set.</li>
<li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strictly-split-a-string">strictly
splitting</a> the string <var>policy</var> on the character U+003B
SEMICOLON (<code>;</code>):
<ol>
<li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#skip-whitespace">Skip whitespace</a>.</li>
<li><a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#collect-a-sequence-of-characters">Collect
a sequence of characters</a> that are not
<a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space characters</a>. The
collected characters are the <var>directive name</var>.</li>
<li>If <var>position</var> doesn't point past the end of the
token, skip ahead one character (which must be a <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#space-character">space
character</a>).</li>
<li>The remaining characters in <var>token</var> (if any) are
the <var>directive value</var>.</li>
<li>If the <var>set of directives</var> already contains a
directive with name <var>directive name</var>, ignore this
instance of the directive and continue to the next token.</li>
<li>Add a <var>directive</var> to the <var>set of
directives</var> with name <var>directive name</var> and value
<var>directive value</var>.</li>
</ol>
</li>
<li>Return the <var>set of directives</var>.
</li></ol>
</div>
<div id="source-list" class="section">
<h4><span class="secno">3.2.2 </span>Source List</h4>
<p>Many CSP directives use a value consisting of a <dfn id="dfn-source-list">source
list</dfn>.</p>
<p>Each <dfn id="dfn-source-expression">source expression</dfn> in the source list represents a
location from which content of the specified type can be retrieved.
For example, the source expression <code>'self'</code> represents
the set of URIs which are in the same origin as the protected
document and the source expression <code>'unsafe-inline'</code>
represents content supplied inline in the document itself.</p>
<pre>source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
/ *WSP "'none'" *WSP
source-expression = scheme-source / host-source / keyword-source
scheme-source = scheme ":"
host-source = ( [ scheme "://" ] host [ port ] )
keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
scheme = &lt;scheme&gt; production from RFC 3986
host = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char = ALPHA / DIGIT / "-"
port = ":" ( 1*DIGIT / "*" )
</pre>
<p>To <dfn id="parse-a-source-list">parse a source list</dfn>
<var>source list</var>, the user agent <em class="rfc2119" title="must">must</em> use an algorithm
equivalent to the following:</p>
<ol>
<li>If <var>source list</var> (with <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#strip-leading-and-trailing-whitespace">leading
and trailing whitespace stripped</a>) is a case insensitive match
for the string <code>'none'</code> (including the quotation
marks), return the empty set.</li>
<li>Let the <var>set of source expressions</var> be the empty set.</li>
<li>For each token returned by <a href="http://dev.w3.org/html5/spec/common-microsyntaxes.html#split-a-string-on-spaces">splitting
<var>source list</var> on spaces</a>, if the token matches the
grammar for <code>source-expression</code>, add the token to the
<var>set of source expressions</var>.</li>
<li>Return the <var>set of source expressions</var>.</li>
</ol>
<p>To check whether a URI <dfn id="matches-a-source-expression">matches a source expression</dfn>,
the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the
following:</p>
<ol>
<li>If the source expression is a single U+002A ASTERISK character
(<code>*</code>), then return <em>does match</em>.</li>
<li>If the source expression matches the grammar for
<code>scheme-source</code>, then the URI matches the source
expression if the URI's scheme is a case-insensitive match for the
source expression's <code>scheme</code>.</li>
<li>Otherwise, if the source expression matches the grammar for
<code>host-source</code>:
<ol>
<li>If the URI does not contain a host, then return <em>does
not match</em>.</li>
<li>Let <var>scheme</var>, <var>host</var>, and
<var>port</var> be the scheme, host, and port of the URI,
respectively. If the URI does not have a port, then let
<var>port</var> be the default port for
<var>scheme</var>.</li>
<li>If the source expression has a <code>scheme</code> that is
not a case insensitive match for <var>scheme</var>, then
return <em>does not match</em>.</li>
<li>If <var>scheme</var> is not a case insensitive match for
the scheme of the protected document's URI, then return
<em>does not match</em>.<br>
<em>FIXME: Should we allow HTTPS when the document's scheme is
HTTP?</em></li>
<li>If the first character of the source expression's
<code>host</code> is a U+002A ASTERISK character
(<code>*</code>) and the remaining characters, including the
leading U+002E FULL STOP character (<code>.</code>), are not a
case insensitive match for the rightmost characters of
<var>host</var>, then return <em>does not match</em>.</li>
<li>If <var>host</var> is not a case insensitive match for the
source expression's <code>host</code>, then return <em>does
not match</em>.</li>
<li>If the source expression does not contain a
<code>port</code> and <var>port</var> is not the default port
for <var>scheme</var>, then return <em>does not
match</em>.</li>
<li>If the source expression does contain a <code>port</code>
that (a) does <em>not</em> contain a U+002A ASTERISK
character (<code>*</code>) and (b) does <em>not</em> represent
the same number as <var>port</var>, then return <em>does not
match</em>.</li>
<li>Return <em>does match</em>.</li>
</ol>
</li><li>Otherwise, if the source expression is a case insensitive
match for <code>'self'</code> (including the quotation marks),
then the URI matches the source expression if the URI has
the same scheme, host, and port as the protected document's URI.</li>
<li>Otherwise, the URI does not match the source expression.</li>
</ol>
<p>A URI <dfn id="matches-a-source-list">matches a source
list</dfn>, if, and only if, the URI <a href="#matches-a-source-expression">matches at least one source
expression</a> in the set of source expressions obtained by <a href="#parse-a-source-list">parsing the source list</a>. Notice that
no URIs match an empty set of source expressions, such as the set
obtained by parsing the source list <code>'none'</code>.</p>
</div>
</div>
<div id="processing-model" class="section">
<h3><span class="secno">3.3 </span>Processing Model</h3>
<p>To <dfn id="enforce">enforce</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
<a href="#parse-a-csp-policy">parse the policy</a> and enforce each of
the directives contained in the policy, where the specific
requirements for enforcing each directive are defined separately for
each directive (See <a href="#sec-directives">Directives</a>,
below).</p>
<p>Generally speaking, enforcing a directive prevents the protected
document from performing certain actions, such as loading scripts from
URIs other than those indicated in a source list. These restrictions
make it more difficult for an attacker to abuse an injection
vulnerability in the document because the attacker will be unable to
usurp the document's privileges that have been restricted in this
way.</p>
<p>Enforcing a CSP policy <em class="rfc2119" title="should not">should not</em> interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and
JavaScript bookmarklets.</p>
<p>To <dfn id="monitor">monitor</dfn> a CSP policy, the user agent <em class="rfc2119" title="must">must</em>
<a href="#parse-a-csp-policy">parse the policy</a> and monitor each of
the directives contained in the policy, where the specific
requirements for monitoring each directive are defined separately for
each directive (See <a href="#sec-directives">Directives</a>,
below).</p>
<p>Generally speaking, monitoring a directive does not prevent the
protected document from undertaking any actions. Instead, any actions
that would have been prevented by the directive are instead reported
to the developer of the web application. Monitoring a CSP policy is
most useful for testing whether enforcing the policy will break the
web application.</p>
<p>If the user agent monitors or enforces a CSP policy that does not
contain any directives, the user agent <em class="rfc2119" title="should">should</em> report a warning message
in the developer console.</p>
<p>If the user agent monitors or enforces a CSP policy that contains
an unrecognized directive, the user agent <em class="rfc2119" title="should">should</em> report a warning
message in the developer console indicating the name of the
unrecognized directive.</p>
<p>To <dfn id="enforce-the-combination">enforce the combination</dfn>
of one or more policies, the user agent <em class="rfc2119" title="must">must</em> enforce each policy. In
particular, if an action is prevented by at least one of the policies,
then the action is prevented by the combination of the
policies.</p>
<p>To <dfn id="monitor-the-combination">monitor the combination</dfn>
of one or more policies, the user agent <em class="rfc2119" title="must">must</em> monitor each
policy.</p>
</div>
</div>
<div id="directives" class="section">
<!--OddPage--><h2 id="sec-directives"><span class="secno">4. </span>Directives</h2>
<p>This section describes the content security policy directives
introduced in this specification.</p>
<p>In order to protect against Cross-site Scripting (XSS), authors
<em class="rfc2119" title="should">should</em> include
</p><ul>
<li>both the <code>script-src</code> and <code>object-src</code>
directives, or</li>
<li>include a <code>default-src</code> directive, which covers both
scripts and plug-ins.</li>
</ul>
<p>In either case, authors <em class="rfc2119" title="should not">should not</em> include
<code>'unsafe-inline'</code> in their CSP policies if they wish to
protect themselves against XSS.</p>
<div id="default-src" class="section">
<h3><span class="secno">4.1 </span><code>default-src</code></h3>
<p>The <code>default-src</code> directive sets a default source list
for a number of directives. The syntax for the name and value of the
directive are described by the following ABNF grammar:</p>
<pre>directive-name = "default-src"
directive-value = source-list
</pre>
<p>Let the <var>default sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a
source list</a>.</p>
<p>To enforce the <code>default-src</code> directive, the user agent
<em class="rfc2119" title="must">must</em> enforce the following directives:</p>
<ul>
<li>script-src</li>
<li>object-src</li>
<li>style-src</li>
<li>img-src</li>
<li>media-src</li>
<li>frame-src</li>
<li>font-src</li>
<li>connect-src</li>
</ul>
<p>If not specified explicitly in the policy, the directives listed
above will use the <var>default sources</var>.</p>
</div>
<div id="script-src" class="section">
<h3><span class="secno">4.2 </span><code>script-src</code></h3>
<p>The <code>script-src</code> directive restricts which scripts the
protected document can execute. The directive also controls other
resources, such as XSLT stylesheets, which can cause the user agent to
execute script. The syntax for the name and value of the directive are
described by the following ABNF grammar:</p>
<pre>directive-name = "script-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>script-src</code>, let the
<var>allowed script sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed script sources</var> be the
<var>default sources</var>.</p>
<p>If <code>'unsafe-inline'</code> is not in <var>allowed script
sources</var>:</p>
<ul>
<li>Whenever the user agent would execute an inline script (either
from a <code>script</code> element or from an inline event handler),
instead the user agent <em class="rfc2119" title="must not">must not</em> execute script.</li>
<li>Whenever the user agent would execute script contained in a
<code>javascript</code> URI, instead the user agent <em class="rfc2119" title="must not">must not</em> execute
the script. (Note: The user agent <em class="rfc2119" title="should">should</em> execute script contained in
"bookmarklets" even when enforcing this restriction.)</li>
</ul>
<p>If <code>'unsafe-eval'</code> is not in <var>allowed script
sources</var>:</p>
<ul>
<li>Instead of evaluating their arguments, both operator
<code>eval</code> and function <code>eval</code> <em class="rfc2119" title="must">must</em> throw a
security exception.</li>
<li>When called as a constructor, the function <code>Function</code>
<em class="rfc2119" title="must">must</em> throw a security exception.</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the <code>setTimeout</code> function <em class="rfc2119" title="must">must</em> return
zero without creating a timer.</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the <code>setInterval</code> function <em class="rfc2119" title="must">must</em> return
zero without creating a timer.</li>
</ul>
<p>The term <dfn id="dfn-callable">callable</dfn> refers to an object whose interface
has one or more <dfn id="dfn-callers">callers</dfn> as defined in the <a href="http://www.w3.org/TR/2010/WD-WebIDL-20101021/#idl-callers">Web
IDL</a> specification [<cite><a class="bibref" rel="biblioentry" href="#bib-WEBIDL">WEBIDL</a></cite>].</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed script
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting a script, such as when processing the
<code>src</code> attribute of a <code>script</code> element or when
processing the <code>Worker</code> or <code>SharedWorker</code>
constructors.</li>
<li>Requesting an Extensible Stylesheet Language Transformations
(XSLT) stylesheet, such as when processing the
<code>&lt;?xml-stylesheet?&gt;</code> processing instruction in an XML
document, the <code>href</code> attribute of an
<code>&lt;xsl:include&gt;</code> element, or the <code>href</code>
attribute of an <code>&lt;xsl:import&gt;</code> element.</li>
</ul>
</div>
<div id="object-src" class="section">
<h3><span class="secno">4.3 </span><code>object-src</code></h3>
<p>The <code>object-src</code> directive restricts from where the
protected document can load plugins. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "object-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>object-src</code>, let the
<var>allowed object sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed object sources</var> be the
<var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed object
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for a plugin, such as when processing the
<code>data</code> attribute of an <code>object</code> element, the
<code>src</code> attribute of an <code>embed</code> element, or the
<code>code</code> or <code>archive</code> attributes of an
<code>applet</code> element.</li>
</ul>
<p>Whenever the user agent would load a plug-in without an associated
URI (e.g., because the <code>object</code> element lacked a
<code>data</code> attribute), if the protected document's URI does not
<a href="#matches-a-source-list">match the <var>allowed object
sources</var></a>, the user agent <em class="rfc2119" title="must not">must not</em> load the plug-in.</p>
</div>
<div id="style-src" class="section">
<h3><span class="secno">4.4 </span><code>style-src</code></h3>
<p>The <code>style-src</code> directive restricts which styles the
user agent applies to the protected document. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "style-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>style-src</code>, let the
<var>allowed style sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed style sources</var> be the
<var>default sources</var>.</p>
<p>If <code>'unsafe-inline'</code> is not in <var>allowed style
sources</var>:</p>
<ul>
<li>Whenever the user agent would apply style from a
<code>style</code> element, instead the user agent <em class="rfc2119" title="must">must</em>
ignore the style.</li>
<li>Whenever the user agent would apply style from a
<code>style</code> attribute, instead the user agent
<em class="rfc2119" title="must">must</em> ignore the style.</li>
</ul>
<p>Note: These restrictions on inline styles do not prevent the user agent
from applying style from an external stylesheet (e.g., found via
<code>&lt;link rel="stylesheet"&gt;</code>). The user agent is also
not prevented from applying style from CSSOM.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed style
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting external stylesheets, such as when processing the
<code>href</code> attribute of a <code>link</code> element with a
<code>rel</code> attribute containing the token
<code>stylesheet</code> or when processing the <code>@import</code>
directive in a stylesheet.</li>
</ul>
<p>Note: The <code>style-src</code> directive does not restrict the
use of XSLT. XSLT is restricted by the <code>script-src</code>
directive because the security consequences of including an untrusted
XSLT stylesheet are similar to those incurred by including an
untrusted script.</p>
</div>
<div id="img-src" class="section">
<h3><span class="secno">4.5 </span><code>img-src</code></h3>
<p>The <code>img-src</code> directive restricts from where the
protected document can load images. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "img-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>img-src</code>, let the
<var>allowed image sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed image sources</var> be the
<var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed image
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for an image, such as when processing the
<code>src</code> attribute of an <code>img</code> element,
the <code>url()</code> or <code>image()</code> values on any CSS
property that is capable of loading an image [<em><a href="http://www.w3.org/TR/css3-images/">CSS3-Images</a></em>], or
the <code>href</code> attribute of a <code>link</code> element with
an image-related <code>rel</code> attribute, such as
<code>icon</code>.</li>
</ul>
<p class="issue">Should the user agent fire the error event when one of these loads fails?</p>
</div>
<div id="media-src" class="section">
<h3><span class="secno">4.6 </span><code>media-src</code></h3>
<p>The <code>media-src</code> directive restricts from where the
protected document can load video and audio. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "media-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>media-src</code>, let the
<var>allowed media sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed media sources</var> be the
<var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed media
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for a video or audio clip, such as when
processing the <code>src</code> attribute of a <code>video</code>
or <code>audio</code> element.</li>
</ul>
</div>
<div id="frame-src" class="section">
<h3><span class="secno">4.7 </span><code>frame-src</code></h3>
<p>The <code>frame-src</code> directive restricts from where the
protected document can embed frames. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "frame-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>frame-src</code>, let the
<var>allowed frame sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed frame sources</var> be the
<var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed frame
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for display in a frame, such as when processing
the <code>src</code> attribute of an <code>iframe</code> or
<code>frame</code> element.</li>
<li>Navigating a nested browsing context within the protected
document.</li>
</ul>
<p class="issue">How does this work for the <code>object</code>
element? We don't know whether the request is going to lead to a
plug-in or a frame until we get the response back and can look at the
MIME type.</p>
</div>
<div id="font-src" class="section">
<h3><span class="secno">4.8 </span><code>font-src</code></h3>
<p>The <code>font-src</code> directive restricts from where the
protected document can load fonts. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>directive-name = "font-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>font-src</code>, let the
<var>allowed font sources</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed font sources</var> be the
<var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed font
sources</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Requesting data for a font, such as when processing
the <code>@font-face</code> CSS rule. <em>TODO: Citation needed.</em></li>
</ul>
</div>
<div id="connect-src" class="section">
<h3><span class="secno">4.9 </span><code>connect-src</code></h3>
<p>The <code>connect-src</code> directive restricts which URIs the
protected document can load using DOM APIs. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "connect-src"
directive-value = source-list
</pre>
<p>If the policy contains an explicit <code>connect-src</code>, let
the <var>allowed connection targets</var> be the result of <a href="#parse-a-source-list">parsing the directive's value as a source
list</a>. Otherwise, let the <var>allowed connection targets</var> be
the <var>default sources</var>.</p>
<p>Whenever the user agent <a href="http://www.w3.org/TR/html5/fetching-resources.html#fetch">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match the <var>allowed connection
targets</var></a>, the user agent <em class="rfc2119" title="must">must</em> act as if it had received an empty
HTTP 400 response:</p>
<ul>
<li>Processing the <a href="http://www.w3.org/TR/XMLHttpRequest/#the-open-method"><code>open()</code>
method</a> of an <code>XMLHttpRequest</code> object.</li>
<li>Processing the <a href="http://dev.w3.org/html5/websockets/#websocket"><code>WebSocket</code>
constructor</a>.</li>
<li>Processing the <a href="http://dev.w3.org/html5/eventsource/#eventsource"><code>EventSource</code>
constructor</a>.</li>
</ul>
</div>
<div id="sandbox" class="section">
<h3><span class="secno">4.10 </span><code>sandbox</code></h3>
<p class="issue">A future version of this document might include a
<code>sandbox</code> directive for controlling the HTML5 sandbox
flags.</p>
</div>
<div id="report-uri" class="section">
<h3><span class="secno">4.11 </span><code>report-uri</code></h3>
<p>The <code>report-uri</code> directive specifies a URI to which the
user agent sends reports about policy violations. The syntax for the
name and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "report-uri"
directive-value = uri-reference *( 1*WSP uri-reference )
uri-reference = &lt;URI-reference from RFC 3986&gt;
</pre>
<p>Let the <var>set of report URIs</var> be the value of the
<code>report-uri</code> directive, each resolved relative to the
protected document's URI.</p>
<p>To <dfn id="send-a-violation-report">send a violation report</dfn>,
the user agent <em class="rfc2119" title="must">must</em> use an algorithm equivalent to the following:</p>
<ol>
<li>Prepare a dictionary <var>violation dictionary</var> with the
following keys and values:
<dl>
<dt>request</dt>
<dd>HTTP request line of the protected resource whose policy was
violated including method, URI and HTTP version</dd>
<dt>request-headers</dt>
<dd>HTTP request headers sent with the request for the protected
resource whose policy was violated</dd>
<dt>blocked-uri</dt>
<dd>URI of the resource that was prevented from loading due to
the policy violation</dd>
<dt>violated-directive</dt>
<dd>The policy directive that was violated</dd>
<dt>original-policy</dt>
<dd>The original policy as received by the user agent. If the
policy was received via more than one Content Security Policy
response header, this field <em class="rfc2119" title="must">must</em> contain a comma-separated list
of the original policies</dd>
</dl>
<p class="issue">We might need to change some of these keys
because they can leak sensitive information.</p>
</li>
<li>If the origin of the blocked-uri is not the same as the
document's origin, then replace the blocked-uri with the ASCII
serialization of the blocked-uri's origin.</li>
<li>Let the <var>violation report</var> be the JSON stringification
of the <var>violation dictionary</var>.</li>
<li>For each <var>report URI</var> in the <var>set of report URIs</var>:
<ol>
<li>If the <var>report URI</var> has a different scheme than the
URI of the protected document, then ignore this <var>report
URI</var> and continue to the next iteration of the loop.</li>
<li>If the <var>report URI</var> has a different port than the
URI of the protected document, then ignore this <var>report
URI</var> and continue to the next iteration of the loop.</li>
<li>If the <var>report URI</var>'s host does not share the same
<em><a href="http://publicsuffix.org/">public suffix</a> +1 DNS
label</em> as the URI of the protected document, then ignore
this <var>report URI</var> and continue to the next iteration of
the loop.
<p>Examples of public suffixes include <code>.com</code>,
<code>.net</code> and <code>.co.uk</code>. Examples of
<em>"public suffix +1 DNS label"</em> include
<code>example.com</code>, <code>example.net</code> and
<code>example.co.uk</code>. Therefore a protected document whose
host is <code>www.example.com</code> could have a
<code>report-uri</code> hosted on
<code>reports.example.com</code> but <em>not</em> on
<code>reports.example.net</code>.</p></li>
<li>Fetch the <var>report URI</var> from the origin of the protected
document, with the synchronous flag <em>not</em> set, using HTTP
method <code>POST</code>, with a <code>Content-Type</code>
header field of <code>application/json</code> and an entity
body consisting of the <var>violation report</var>. The user
agent <em class="rfc2119" title="must not">must not</em> follow redirects when fetching this resource.
(Note: The user agent ignores the fetched resource.)</li>
</ol>
</li>
</ol>
</div>
<div id="policy-uri" class="section">
<h3><span class="secno">4.12 </span><code>policy-uri</code></h3>
<p>The <code>policy-uri</code> directive specifies a URI from which
the user agent can retrieve the actual policy. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>directive-name = "policy-uri"
directive-value = &lt;URI-reference from RFC 3986&gt;
</pre>
<p class="issue">The <code>policy-uri</code> directive might be
removed from this document.</p>
<p>Authors <em class="rfc2119" title="must not">must not</em> specify policies that contain both a
<code>policy-uri</code> directive and another directive.</p>
<p>If the user agent would enforce a policy containing both the
<code>policy-uri</code> directive and another directive, instead the
user agent <em class="rfc2119" title="must">must</em> enforce the policy <code>default-src
'none'</code>.</p>
<p>When processing the <code>policy-uri</code> directive, the user
agent <em class="rfc2119" title="must">must</em> run an algorithm equivalent to the following:</p>
<ol>
<li>Let <var>request URI</var> be the URI that results from
resolving the value of the <code>policy-uri</code> directive
relative to the URI of the protected document.</li>
<li>If <var>request URI</var> is not from the same origin as the
protected document, abort these steps and enforce the policy
<code>default-src 'none'</code>.</li>
<li>Fetch the <var>request URI</var> from the origin of the protected
document, with the synchronous flag set, using HTTP method
<code>GET</code>.</li>
<li>If the fetch returned a status code other than <code>200</code>
or if the request encountered an HTTP redirect, abort these steps
and enforce the policy <code>default-src 'none'</code>.</li>
<li>If the fetched resource lacks a <code>Content-Type</code> header
field or if the <code>Content-Type</code> header field is not a
case-insensitive match for <code>text/x-content-security-policy</code>,
abort these steps and enforce the policy <code>default-src
'none'</code>.</li>
<li>Let the <var>fetched policy</var> be the result of <a href="#parse-a-csp-policy">parsing the fetched resource as a CSP
policy</a>.</li>
<li>If the <var>fetched policy</var> contains a
<code>policy-uri</code> directive, abort these steps and enforce the
policy <code>default-src 'none'</code>.</li>
<li><a href="#enforce">Enforce</a> the <var>fetched
policy</var>.</li>
</ol>
</div>
</div>
<div id="examples" class="section">
<!--OddPage--><h2><span class="secno">5. </span>Examples</h2>
<div class="informative section" id="sample-policy-definitions">
<h3><span class="secno">5.1 </span>Sample Policy Definitions</h3><p><em>This section is non-normative.</em></p>
<p>This section provides some sample use cases and accompanying security policies.</p>
<p><strong>Example 1:</strong> A server wishes to load resources only
from its own origin:</p>
<pre>Content-Security-Policy: default-src 'self'</pre>
<p><strong>Example 2:</strong> An auction site wishes to load images
from any URI, plug-in content from a list of trusted media providers
(including a content distribution network), and scripts only from a
server under its control hosting sanitized ECMAScript:</p>
<pre>Content-Security-Policy: default-src 'self'; img-src *;
object-src media1.example.com media2.example.com *.cdn.example.com;
script-src trustedscripts.example.com</pre>
<p><strong>Example 3:</strong> A site operations group wishes to globally deny all
third-party scripts in the site, and a particular project team wishes to also disallow
third-party media in their section of the site. Site operations sends the first header
while the project team sends the second header, and the user-agent takes the combination of
the two headers to form the complete interpreted policy:</p>
<pre>Content-Security-Policy: default-src *; script-src 'self'
Content-Security-Policy: default-src *; script-src 'self'; media-src 'self'</pre>
<p><strong>Example 4:</strong> An online banking site wishes to ensure that all of the content
in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content
requests:</p>
<pre>Content-Security-Policy: default-src https:</pre>
</div>
<div class="informative section" id="sample-violation-report">
<h3><span class="secno">5.2 </span>Sample Violation Report</h3><p><em>This section is non-normative.</em></p>
<p>This section contains an example violation report the user agent
might send to a server when the protected document violates a sample
policy.</p>
<p>In the following example, a document from
<code>http://example.org/page.html</code> was rendered with the
following CSP policy:</p>
<pre>default-src 'self'; report-uri http://example.org/csp-report.cgi</pre>
<p>The document loaded an image from
<code>http://evil.example.com/image.png</code>, violating the
policy.</p>
<pre>{
"csp-report": {
"request": "GET http://example.org/page.html HTTP/1.1",
"request-headers": "Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b12pre) Gecko/20110222 Firefox/4.0b12pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cache-Control: max-age=0",
"blocked-uri": "http://evil.example.com/image.png",
"violated-directive": "default-src http://example.org"
}
}</pre>
<p>In the above sample report the <code>violated-directive</code>
field was sent in the way it was interpreted by the user-agent. The
directive was made explicit by replacing the keyword
<code>'self'</code> with the explicit host name of the protected
resource. This is recommended behavior for user-agents as it reduces
ambiguity, making policy violations easier to trace by server
admins.</p>
<p class="issue">Should we add this as a requirement when preparing
reports?</p>
</div>
</div>
<div id="references" class="appendix section"><!--OddPage--><h2><span class="secno">A. </span>References</h2><div id="normative-references" class="section"><h3><span class="secno">A.1 </span>Normative references</h3><dl class="bibliography"><dt id="bib-ABNF">[ABNF]</dt><dd>D. Crocker and P. Overell. <a href="http://www.ietf.org/rfc/rfc5234.txt"><cite>Augmented BNF for Syntax Specifications: ABNF.</cite></a> January 2008. Internet RFC 5234. URL: <a href="http://www.ietf.org/rfc/rfc5234.txt">http://www.ietf.org/rfc/rfc5234.txt</a>
</dd><dt id="bib-CSS3FONT">[CSS3FONT]</dt><dd>Michel Suignard; Chris Lilley. <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802"><cite>CSS3 module: Fonts.</cite></a> 2 August 2002. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2002/WD-css3-fonts-20020802">http://www.w3.org/TR/2002/WD-css3-fonts-20020802</a>
</dd><dt id="bib-HTML401">[HTML401]</dt><dd>David Raggett; Ian Jacobs; Arnaud Le Hors. <a href="http://www.w3.org/TR/1999/REC-html401-19991224"><cite>HTML 4.01 Specification.</cite></a> 24 December 1999. W3C Recommendation. URL: <a href="http://www.w3.org/TR/1999/REC-html401-19991224">http://www.w3.org/TR/1999/REC-html401-19991224</a>
</dd>
<dt id="bib-HTML5">[HTML5]</dt><dd>Ian Hickson; David Hyatt. <a
href="http://www.w3.org/TR/html5"><cite>HTML5.</cite></a> 25 May
2011. W3C Last Call Working Draft. (Work in progress.) URL: <a
href="http://www.w3.org/TR/html5">http://www.w3.org/TR/html5</a><br>
This draft refers to an updated version of section <a
href="http://dev.w3.org/html5/spec/common-microsyntaxes.html">2.5
Common microsyntaxes</a> that is, at time of this publication, only
contained in the <a
href="http://dev.w3.org/html5/spec/Overview.html">HTML5 Editor's
Draft</a>. </dd>
<dt id="bib-RFC2119">[RFC2119]</dt><dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt"><cite>Key words for use in RFCs to Indicate Requirement Levels.</cite></a> March 1997. Internet RFC 2119. URL: <a href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a>
</dd><dt id="bib-URI">[URI]</dt><dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="http://www.ietf.org/rfc/rfc3986.txt"><cite>Uniform Resource Identifiers (URI): generic syntax.</cite></a> January 2005. Internet RFC 3986. URL: <a href="http://www.ietf.org/rfc/rfc3986.txt">http://www.ietf.org/rfc/rfc3986.txt</a>
</dd><dt id="bib-WEBIDL">[WEBIDL]</dt><dd>Cameron McCormack. <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219"><cite>Web IDL.</cite></a> 19 December 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-WebIDL-20081219">http://www.w3.org/TR/2008/WD-WebIDL-20081219</a>
</dd><dt id="bib-XMLHTTPREQUEST">[XMLHTTPREQUEST]</dt><dd>Anne van Kesteren. <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415"><cite>The XMLHttpRequest Object.</cite></a> 15 April 2008. W3C Working Draft. (Work in progress.) URL: <a href="http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415">http://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415</a>
</dd></dl></div><div id="informative-references" class="section"><h3><span class="secno">A.2 </span>Informative references</h3><p>No informative references.</p></div></div></body></html>