Commit

Correct headers syntax descriptions, the rest
wbamberg authored and hamishwillee committed Sep 30, 2024
1 parent 271b933 commit 2613d02
Showing 17 changed files with 127 additions and 110 deletions.
Expand Up @@ -43,16 +43,17 @@ loaded using script interfaces. The APIs that are restricted are:

## Syntax

One or more sources can be allowed for the connect-src policy:

```http
Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;
Content-Security-Policy: connect-src 'none';
Content-Security-Policy: connect-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples
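Review bot: In the two new bullets under "This directive may have either:", the phrase "resources of this type" has no clear referent for `connect-src`, which per the surrounding text restricts URLs "loaded using script interfaces". Suggest tailoring the wording the way the `form-action` hunk does, for example "no URLs may be loaded using script interfaces" for `'none'` and "URLs may be loaded using script interfaces if they match any of the given source expressions" for the list case.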

Expand Up @@ -41,16 +41,17 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`default-src`** direc

## Syntax

One or more sources can be allowed for the `default-src` policy:

```http
Content-Security-Policy: default-src <source>;
Content-Security-Policy: default-src <source> <source>;
Content-Security-Policy: default-src 'none';
Content-Security-Policy: default-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples
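Review bot: The `'none'` bullet reads "no resources of this type may be loaded", but `default-src` is the fallback for the other fetch directives rather than a directive for one resource type, so "this type" is undefined here. Suggest phrasing both bullets in terms of the fallback, for example "no resources may be loaded for any fetch directive that falls back to `default-src`".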

Expand Up @@ -33,16 +33,17 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.

## Syntax

One or more sources can be allowed for the `font-src` policy:

```http
Content-Security-Policy: font-src <source>;
Content-Security-Policy: font-src <source> <source>;
Content-Security-Policy: font-src 'none';
Content-Security-Policy: font-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -31,16 +31,17 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc

## Syntax

One or more sources can be set for the `form-action` policy:

```http
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
Content-Security-Policy: form-action 'none';
Content-Security-Policy: form-action <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no form submissions may be made
- a list of _source expression_ values, meaning that form submissions may be made to URLs that match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -38,16 +38,17 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and

## Syntax

One or more sources can be allowed for the `frame-src` policy:

```http
Content-Security-Policy: frame-src <source>;
Content-Security-Policy: frame-src <source> <source>;
Content-Security-Policy: frame-src 'none';
Content-Security-Policy: frame-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -31,16 +31,17 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive speci

## Syntax

One or more sources can be allowed for the `img-src` policy:

```http
Content-Security-Policy: img-src <source>;
Content-Security-Policy: img-src <source> <source>;
Content-Security-Policy: img-src 'none';
Content-Security-Policy: img-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -34,16 +34,17 @@ to the resource.

## Syntax

One or more sources can be allowed for the `manifest-src` policy:

```http
Content-Security-Policy: manifest-src <source>;
Content-Security-Policy: manifest-src <source> <source>;
Content-Security-Policy: manifest-src 'none';
Content-Security-Policy: manifest-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -33,16 +33,17 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.

## Syntax

One or more sources can be allowed for the `media-src` policy:

```http
Content-Security-Policy: media-src <source>;
Content-Security-Policy: media-src <source> <source>;
Content-Security-Policy: media-src 'none';
Content-Security-Policy: media-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -40,16 +40,17 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}}

## Syntax

One or more sources can be allowed for the `object-src` policy:

```http
Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;
Content-Security-Policy: object-src 'none';
Content-Security-Policy: object-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -36,16 +36,17 @@ be prefetched or prerendered.

## Syntax

One or more sources can be allowed for the `prefetch-src` policy:

```http
Content-Security-Policy: prefetch-src <source>;
Content-Security-Policy: prefetch-src <source> <source>;
Content-Security-Policy: prefetch-src 'none';
Content-Security-Policy: prefetch-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Example

Expand Up @@ -35,24 +35,25 @@ It does not apply to other JavaScript sources that can trigger script execution,

## Syntax

One or more sources can be allowed for the `script-src-attr` policy:

```http
Content-Security-Policy: script-src-attr <source>;
Content-Security-Policy: script-src-attr <source> <source>;
Content-Security-Policy: script-src-attr 'none';
Content-Security-Policy: script-src-attr <source-expression-list>;
```

This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

`script-src-attr` can be used in conjunction with {{CSP("script-src")}}, and will override that directive for checks on inline handlers:

```http
Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src-attr <source>;
```

### Sources

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

## Examples

### Violation case
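Review bot: The new bullets describe `script-src-attr` as controlling whether "resources of this type may be loaded", yet the unchanged sentence just below says the directive applies to "checks on inline handlers", where nothing is fetched. Suggest wording such as "no inline event handlers may be executed" for `'none'`, with matching wording for the list case. The retained combined example also still uses `<source>`, which this hunk stops defining by deleting the "### Sources" paragraph; switching it to `<source-expression-list>` would keep the page consistent.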
Expand Up @@ -35,24 +35,25 @@ It does not apply to other JavaScript sources that can trigger script execution,

## Syntax

One or more sources can be allowed for the `script-src-elem` policy:

```http
Content-Security-Policy: script-src-elem <source>;
Content-Security-Policy: script-src-elem <source> <source>;
Content-Security-Policy: script-src-elem 'none';
Content-Security-Policy: script-src-elem <source-expression-list>;
```

This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

`script-src-elem` can be used in conjunction with {{CSP("script-src")}}:

```http
Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src-elem <source>;
```

### Sources

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

## Examples

### Violation case
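Review bot: The second code block (`Content-Security-Policy: script-src <source>;` and `Content-Security-Policy: script-src-elem <source>;`) is left unchanged while the "### Sources" paragraph that defined `<source>` is deleted, so the placeholder is now undefined on this page. Suggest changing both lines to `<source-expression-list>` to match the new syntax block, or adding a sentence next to the block saying what `<source>` stands for.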
Expand Up @@ -31,16 +31,17 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`script-src`** direct

## Syntax

One or more sources can be allowed for the `script-src` policy:

```http
Content-Security-Policy: script-src <source>;
Content-Security-Policy: script-src <source> <source>;
Content-Security-Policy: script-src 'none';
Content-Security-Policy: script-src <source-expression-list>;
```

### Sources
This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

## Examples

Expand Up @@ -36,24 +36,25 @@ These are set using {{CSP("style-src-elem")}} (and valid sources for all styles

## Syntax

One or more sources can be allowed for the `style-src-attr` policy:

```http
Content-Security-Policy: style-src-attr <source>;
Content-Security-Policy: style-src-attr <source> <source>;
Content-Security-Policy: style-src-attr 'none';
Content-Security-Policy: style-src-attr <source-expression-list>;
```

This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

`style-src-attr` can be used in conjunction with {{CSP("style-src")}}:

```http
Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-attr <source>;
```

### Sources

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

## Examples

### Violation cases
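Review bot: "Resources of this type may be loaded" in the new bullets does not fit `style-src-attr`, which applies to inline styles on individual elements rather than to anything fetched. Suggest wording along the lines of "no inline style attributes may be applied" for `'none'` and a matching sentence for the list case. The `style-src <source>;` / `style-src-attr <source>;` example kept below also needs updating now that "### Sources" is removed.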
Expand Up @@ -35,24 +35,25 @@ The directive does not set valid sources for inline style attributes; these are

## Syntax

One or more sources can be allowed for the `style-src-elem` policy:

```http
Content-Security-Policy: style-src-elem <source>;
Content-Security-Policy: style-src-elem <source> <source>;
Content-Security-Policy: style-src-elem 'none';
Content-Security-Policy: style-src-elem <source-expression-list>;
```

This directive may have either:

- the single keyword value `'none'`, meaning that no resources of this type may be loaded
- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.

The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).

`style-src-elem` can be used in conjunction with {{CSP("style-src")}}:

```http
Content-Security-Policy: style-src <source>;
Content-Security-Policy: style-src-elem <source>;
```

### Sources

`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

## Examples

### Violation cases
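Review bot: In the retained block after "`style-src-elem` can be used in conjunction with", both header lines still end in `<source>` although this hunk removes the only text explaining that placeholder. Suggest using `<source-expression-list>` there so the page uses one placeholder throughout and the link to CSP Source Values covers it.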