From 271b9337c6e7dc0622420d7ac593236dadc816c6 Mon Sep 17 00:00:00 2001 From: wbamberg Date: Wed, 18 Sep 2024 16:00:42 -0700 Subject: [PATCH] Correct headers syntax descriptions --- .../content-security-policy/base-uri/index.md | 17 ++++--- .../child-src/index.md | 13 +++-- .../connect-src/index.md | 2 - .../default-src/index.md | 2 - .../content-security-policy/font-src/index.md | 2 - .../form-action/index.md | 2 - .../frame-src/index.md | 2 - .../content-security-policy/img-src/index.md | 2 - .../manifest-src/index.md | 2 - .../media-src/index.md | 2 - .../object-src/index.md | 2 - .../prefetch-src/index.md | 2 - .../script-src-attr/index.md | 2 - .../script-src-elem/index.md | 2 - .../script-src/index.md | 2 - .../content-security-policy/sources/index.md | 48 ++++--------------- .../style-src-attr/index.md | 2 - .../style-src-elem/index.md | 2 - .../style-src/index.md | 2 - .../worker-src/index.md | 2 - 20 files changed, 25 insertions(+), 87 deletions(-) diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md index 9f8d49f0cc45307..fbd3191794f188f 100644 --- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md 
@@ -28,16 +28,21 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest ## Syntax -One or more _sources_ can be allowed for the base-uri policy: - ```http -Content-Security-Policy: base-uri ; -Content-Security-Policy: base-uri ; +Content-Security-Policy: base-uri 'none'; +Content-Security-Policy: base-uri ; ``` -### Sources +This directive may have either: + +- the single keyword value `'none'`, meaning that no base URI may be set using a `` element +- a list of _source expression_ values, meaning that a `` element may set a base URI if it matches any of the given source expressions. + +The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: -This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including ``, ``, `'self'`, and `'none'`. +- `` +- `` +- the keyword value `'self'`. ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.md b/files/en-us/web/http/headers/content-security-policy/child-src/index.md index cf3aa4c68c2b5ac..564e58cc5b88b34 100644 --- a/files/en-us/web/http/headers/content-security-policy/child-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/child-src/index.md 
@@ -35,18 +35,17 @@ network errors by the user agent. ## Syntax -One or more sources can be allowed for the `child-src` policy: - ```http -Content-Security-Policy: child-src ; -Content-Security-Policy: child-src ; +Content-Security-Policy: child-src 'none'; +Content-Security-Policy: child-src ; ``` -### Sources +This directive may have either: -`` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). +- the single keyword value `'none'`, meaning that no resources of this type may be loaded +- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions. -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). +The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md index 490b20280ed6620..1c72861b810ffcd 100644 --- a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md @@ -54,8 +54,6 @@ Content-Security-Policy: connect-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases 
diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md index 05bdb34629ac257..9c1b8f365d1a048 100644 --- a/files/en-us/web/http/headers/content-security-policy/default-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/default-src/index.md @@ -52,8 +52,6 @@ Content-Security-Policy: default-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### No inheritance with default-src diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.md b/files/en-us/web/http/headers/content-security-policy/font-src/index.md index 003da75983b93db..489272cfdfaa0e7 100644 --- a/files/en-us/web/http/headers/content-security-policy/font-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/font-src/index.md @@ -44,8 +44,6 @@ Content-Security-Policy: font-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md index 569c38ff3660174..bc5819b8b6eca82 100644 --- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md 
+++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md @@ -42,8 +42,6 @@ Content-Security-Policy: form-action ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Meta tag configuration diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md index b7ee20794ec3dec..473687aea2d31c1 100644 --- a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md @@ -49,8 +49,6 @@ Content-Security-Policy: frame-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.md b/files/en-us/web/http/headers/content-security-policy/img-src/index.md index 7865c59b4bbc7f2..3f085361f573899 100644 --- a/files/en-us/web/http/headers/content-security-policy/img-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/img-src/index.md 
@@ -42,8 +42,6 @@ Content-Security-Policy: img-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md index 8c7d36511cb53dd..04baae34c6d18b8 100644 --- a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md @@ -45,8 +45,6 @@ Content-Security-Policy: manifest-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.md b/files/en-us/web/http/headers/content-security-policy/media-src/index.md index 77a8a810482766e..73a9750efb5c104 100644 --- a/files/en-us/web/http/headers/content-security-policy/media-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/media-src/index.md 
@@ -44,8 +44,6 @@ Content-Security-Policy: media-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.md b/files/en-us/web/http/headers/content-security-policy/object-src/index.md index 7cbec9a06abc998..c4f3dae6c5eec3f 100644 --- a/files/en-us/web/http/headers/content-security-policy/object-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/object-src/index.md @@ -51,8 +51,6 @@ Content-Security-Policy: object-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md index 5c1021c1fb40fe9..f03ec1ca3dc6b07 100644 --- a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md 
@@ -47,8 +47,6 @@ Content-Security-Policy: prefetch-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Example ### Prefetch resources do not match header diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md index 5483e0867beafd7..d241ea62c199b22 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md @@ -53,8 +53,6 @@ Content-Security-Policy: script-src-attr ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation case diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md index f36573ebb0f7467..97c6e8b9963b6ed 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md 
@@ -53,8 +53,6 @@ Content-Security-Policy: script-src-elem ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation case diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.md b/files/en-us/web/http/headers/content-security-policy/script-src/index.md index 6ab5dd782daa439..7674c6df9b723e6 100644 --- a/files/en-us/web/http/headers/content-security-policy/script-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/script-src/index.md @@ -42,8 +42,6 @@ Content-Security-Policy: script-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Allowlisting resources from trusted domains diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md index 8debb1d4dfe551f..ee99555a7141a53 100644 --- a/files/en-us/web/http/headers/content-security-policy/sources/index.md +++ b/files/en-us/web/http/headers/content-security-policy/sources/index.md 
@@ -7,8 +7,13 @@ spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list {{HTTPSidebar}} -HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) header directives that specify a `` from which resources may be loaded can use any one of the values listed below. -Relevant directives include the {{Glossary("fetch directive", "fetch directives")}}, along with others [listed below](#relevant_directives). +HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. + +As well as fetch directives, some other CSP directives may take as a value a space-separated list of source expressions, each of which may be a subset of the values listed below, namely: one of ``, ``, or the keyword `'self'`. These other directives are: + +- {{CSP("base-uri")}} +- {{CSP("form-action")}} +- {{CSP("frame-ancestors")}} ## Sources 
@@ -64,12 +69,9 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" - `'unsafe-inline'` - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required. -- `'none'` - - : Refers to the empty set; that is, no URLs match. - The single quotes are required. - `'nonce-'` - - : An allowlist for specific inline scripts using a cryptographic nonce (number used once). + - : An allowlist for specific scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. @@ -96,37 +98,3 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" ## Specifications {{Specifications}} - -## Relevant directives - -Directives for which the above sources apply include: - -- {{Glossary("fetch directive", "Fetch directives")}}: - - - {{CSP("default-src")}} - - {{CSP("child-src")}} - - {{CSP("connect-src")}} - - {{CSP("font-src")}} - - {{CSP("frame-src")}} - - {{CSP("img-src")}} - - {{CSP("manifest-src")}} - - {{CSP("media-src")}} - - {{CSP("object-src")}} - - {{CSP("prefetch-src")}} - - {{CSP("script-src")}} - - {{CSP("script-src-elem")}} - - {{CSP("script-src-attr")}} - - {{CSP("style-src")}} - - {{CSP("style-src-elem")}} - - {{CSP("style-src-attr")}} - - {{CSP("worker-src")}} - -- {{Glossary("Document directive", "Document directives")}}: - - - {{CSP("base-uri")}} - - {{CSP("sandbox")}} - -- {{Glossary("Navigation directive", "Navigation directives")}}: - - - {{CSP("form-action")}} - - {{CSP("frame-ancestors")}} 
diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md index cbccae9bafb8c7a..685829ddfbe8468 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md @@ -54,8 +54,6 @@ Content-Security-Policy: style-src-attr ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md index 44e0e8302556f72..0e7fcd0db94f2fe 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md +++ b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md @@ -53,8 +53,6 @@ Content-Security-Policy: style-src-elem ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/style-src/index.md b/files/en-us/web/http/headers/content-security-policy/style-src/index.md index 7a8ce96758f07ad..7f0773313be6d4f 100644 --- a/files/en-us/web/http/headers/content-security-policy/style-src/index.md 
+++ b/files/en-us/web/http/headers/content-security-policy/style-src/index.md @@ -42,8 +42,6 @@ Content-Security-Policy: style-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases diff --git a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md index c17e54c02775704..5ea3572df1b98ae 100644 --- a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md +++ b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md @@ -50,8 +50,6 @@ Content-Security-Policy: worker-src ; `` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources). -Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). - ## Examples ### Violation cases
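Review bot: In the base-uri hunk, "only the following subset of those values apply to `base-uri`" should read "applies" (the subject is "subset"), and the bullets are punctuated inconsistently: the two `'none'` / source-expression items end without punctuation while "the keyword value `'self'`." ends with a period. Suggest ending every item the same way, matching the "This directive may have either:" list just above it.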
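Review bot: In the child-src hunk, "no resources of this type may be loaded" is vague for a reader who jumps straight to the Syntax section; consider naming the governed resources in the `'none'` bullet rather than saying "this type". The same bullet-punctuation inconsistency as in base-uri applies here (first item unpunctuated, second ends with a period).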
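Review bot: The connect-src hunk, and the identical hunks for default-src, font-src, form-action, frame-src, img-src, manifest-src, media-src, object-src, prefetch-src, script-src-attr, script-src-elem, script-src, style-src-attr, style-src-elem, style-src and worker-src, only delete the "Note that this same set of values can be used in all fetch directives…" sentence and keep the old single-form syntax with "`` can be any one of the values listed in [CSP Source Values](…#sources)", whereas base-uri and child-src get the new "either `'none'` or a list of source expressions" structure. Within one patch titled "Correct headers syntax descriptions" that leaves the directive pages in two different styles; either apply the child-src restructuring to the remaining pages here, or say in the PR description that they are deliberately left for a follow-up.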
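Review bot: In the first sources/index.md hunk, "a space-separated list of source expressions, each of which may be a subset of the values listed below" is imprecise: a single source expression is one value, not a subset. Suggest "each of which must be one of a subset of the values listed below, namely …". Separately, the new list of other directives (base-uri, form-action, frame-ancestors) drops `sandbox`, which the removed "Relevant directives" section listed under Document directives; that is correct, since sandbox takes sandbox flags rather than a source list, but it is worth a sentence in the PR description so the omission is not read as accidental.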
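Review bot: The second sources/index.md hunk removes `'none'` from the source-value list, but every fetch-directive page this patch leaves with "`` can be any one of the values listed in [CSP Source Values](…#sources)" now has no documentation for `'none'` at all, since those pages were not given the separate `'none'` syntax line that base-uri and child-src received. Either keep `'none'` in the list (with a note that it must appear alone) or finish restructuring the other pages in this patch. On the `'nonce-'` change, "specific scripts" is an improvement over "specific inline scripts" since a nonce also applies to external script elements, but the entry still reads as script-only while the same values are used by the style directives; consider "specific scripts or styles".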
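Review bot: The third sources/index.md hunk deletes the "Relevant directives" section and with it the `#relevant_directives` fragment. This patch removes the links to that fragment from the directive pages it touches, but before merging, grep the repository for `#relevant_directives` (the top-level Content-Security-Policy page and the fetch/document/navigation directive glossary entries are likely candidates) so no dangling fragment links remain.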