<!DOCTYPE html>
<html>
<head>
<title>Content Security Policy 1.1</title>
<meta http-equiv='Content-Type' content='text/html;charset=utf-8'/>
<meta http-equiv='Content-Security-Policy' content="default-src 'none'; script-src 'self'; style-src 'self' https://www.w3.org; img-src https://www.w3.org http://www.w3.org; connect-src 'self'"/>
<!--
=== NOTA BENE ===
For the three scripts below, if your spec resides on dev.w3 you can check them
out in the same tree and use relative links so that they'll work offline.
-->
<script src='js/respec.js' class='remove'></script>
<!--
Configure respec information via 'respect-config.js' (moved out of line
in order to set a reasonable example by defining a policy for this
document. :)
-->
<script src='respec-config.js' class='remove'></script>
</head>
<body>
<section id="abstract">
<p>This document defines a policy language used to declare a set of
content restrictions for a web resource, and a mechanism for
transmitting the policy from a server to a client where the policy is
enforced.</p>
</section>
<section id="sotd">
<p><strong>Changes to this document may be tracked at
<a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong></p>
<p>This document describes an evolution of the Content-Security-Policy 1.0
specification. Version 1.1 is backwards compatible with 1.0 and adds
support for a number of new directives that web sites can use to ease
deployment of Content-Security-Policy and to improve security.</p>
<p>In addition to the documents in the W3C Web Application Security
working group, the work on this document is also informed by the work of
the <a href="http://tools.ietf.org/wg/websec/">IETF websec working
group</a>, particularly that working group's requirements document:
<a href="http://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a>.</p>
<p>A portion of the <code>frame-ancestors</code> directive was originally
developed as <code>X-Frame-Options</code>. [[!RFC7034]]</p>
</section>
<section class="informative">
<h2>Introduction</h2>
<p>This document defines Content Security Policy, a mechanism web
applications can use to mitigate a broad class of content injection
vulnerabilities, such as cross-site scripting (XSS). Content Security
Policy is a declarative policy that lets the authors (or server
administrators) of a web application inform the client about the sources
from which the application expects to load resources.</p>
<p>To mitigate XSS attacks, for example, a web application can declare
that it only expects to load script from specific, trusted sources. This
declaration allows the client to detect and block malicious scripts
injected into the application by an attacker.</p>
<p>Content Security Policy (CSP) is not intended as a first line of
defense against content injection vulnerabilities. Instead, CSP is best
used as defense-in-depth, to reduce the harm caused by content injection
attacks. As a first line of defense against content injection, server
operators should validate their input and encode their output.</p>
<p>There is often a non-trivial amount of work required to apply CSP to
an existing web application. To reap the greatest benefit, authors will
need to move all inline script and style out-of-line, for example into
external scripts, because the user agent cannot determine whether an
inline script was injected by an attacker.</p>
<p>To take advantage of CSP, a web application opts into using CSP by
supplying a <code>Content-Security-Policy</code> HTTP header. Such
policies apply to the current resource representation only. To supply a
policy for an entire site, the server needs to supply a policy with each
resource representation.</p>
</section>
<section id="conformance">
<p>Requirements phrased in the imperative as part of algorithms (such as
"strip any leading space characters" or "return false and abort these
steps") are to be interpreted with the meaning of the key word ("MUST",
"SHOULD", "MAY", etc) used in introducing the algorithm.</p>
<p>A <dfn>conformant user agent</dfn> MUST implement all the
requirements listed in this specification that are applicable to
user-agents.
<p>A <dfn>conformant server</dfn> MUST implement all the requirements
listed in this specification that are applicable to servers.</p>
<section>
<h3>Key Concepts and Terminology</h3>
<p>This section defines several terms used throughout the document.</p>
<p>The term <dfn>security policy</dfn>, or simply <dfn>policy</dfn>, for
the purposes of this specification refers to either:</p>
<ol>
<li>a set of security preferences for restrictions within which the
content can operate, or</li>
<li>a fragment of text that codifies these preferences.</li>
</ol>
<p>The security policies defined by this document are applied by a
user agent on a <em>per-resource representation basis</em>.
Specifically, when a user agent receives a policy along with the
representation of a given resource, that policy applies to <em>that
resource representation only</em>. This document often refers to
that resource representation as the <dfn>protected resource</dfn>.
<p>A server transmits its security policy for a particular protected
resource as a collection of <dfn>directives</dfn>, such as
<code>default-src 'self'</code>, each of which declares a specific set
of restrictions for that resource as instantiated by the user agent.
More details are provided in the <a href="#directives">directives</a>
section.</p>
<p>A directive consists of a <dfn>directive name</dfn>, which
indicates the privileges controlled by the directive, and a
<dfn>directive value</dfn>, which specifies the restrictions the
policy imposes on those privileges.</p>
<p>The term <dfn id="origin">origin</dfn> is defined in the Origin specification. [[!RFC6454]]</p>
<p>The term <dfn>globally unique identifier</dfn> is defined in section 4 of the Origin specification. Note that URLs that do not use hierarchical elements as naming authorities have origins which are globally unique identifiers. [[!RFC6454]]</p>
<p>The term <dfn>URI</dfn> is defined in the URI specification. [[!URI]]</p>
<p>The term <dfn>resource representation</dfn> is defined in the HTTP 1.1 specification. [[!HTTP11]]</p>
<p>The term <dfn>JSON object</dfn> is defined in the JSON specification. [[!RFC4627]]</p>
<p>The <code><script></code>, <code><object></code>, <code><embed></code>,
<code><img></code>, <code><video></code>, <code><audio></code>,
<code><source></code>, <code><track></code>,
<code><link></code>, <code><applet></code>, <code><frame></code>
and <code><iframe></code> elements are defined in the HTML5 specification. [[!HTML5]]</p>
<p>The terms <a href="http://www.w3.org/TR/html5/browsers.html#auxiliary-browsing-context"><dfn>auxiliary browsing context</dfn></a>,
<a href="http://www.w3.org/TR/html5/browsers.html#opener-browsing-context"><dfn>opener browsing context</dfn></a>,
and <a href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context"><dfn>nested browsing context</dfn></a>
are defined in the HTML5 specification. [[!HTML5]]</p>
<p>A <a href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a> is defined
in the HTML5 specification. [[!HTML5]]</p>
<p>The <code>@font-face</code> Cascading Style Sheets (CSS) rule is defined in the
CSS Fonts Module Level 3 specification. [[!CSS3FONT]]</p>
<p>The <code>XMLHttpRequest</code> object is defined in the <code>XMLHttpRequest</code>
specification. [[!XMLHTTPREQUEST]]</p>
<p>The <code>WebSocket</code> object is defined in the <code>WebSocket</code>
specification. [[!WEBSOCKETS]]</p>
<p>The <code>EventSource</code> object is defined in the <code>EventSource</code>
specification. [[!EVENTSOURCE]]</p>
<p>The Augmented Backus-Naur Form (ABNF) notation used in this
document is specified in RFC 5234. [[!ABNF]]</p>
<p>This document also uses the ABNF extension "#rule" as defined in HTTP 1.1. [[!HTTP11]]</p>
<p>The following core rules are included by reference, as defined in
[<em><a href="http://tools.ietf.org/html/rfc5234#appendix-B.1">ABNF Appendix B.1</a></em>]:
<code>ALPHA</code> (letters), <code>DIGIT</code> (decimal
0-9), <code>WSP</code> (white space) and <code>VCHAR</code> (printing
characters).</p>
</section>
</section>
<section>
<h2>Framework</h2>
<p>This section defines the general framework for content security
policies, including the delivery mechanisms and general syntax for
policies. The next section contains the details of the specific
directives introduced in this specification.</p>
<section>
<h3>Policy Delivery</h3>
<p>The server delivers the policy to the user agent via an HTTP
response header.</p>
<section>
<h4><code>Content-Security-Policy</code> Header Field</h4>
<p>The <code>Content-Security-Policy</code> header field is the
preferred mechanism for delivering a policy.</p>
<pre>
"Content-Security-Policy:" 1#policy
</pre>
<p>A server MAY send more than one HTTP header field named
<code>Content-Security-Policy</code> with a given resource
representation.</p>
<p>A server MAY send different <code>Content-Security-Policy</code>
header field values with different representations of the same
resource or with different resources.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy</code> header field, the user agent
MUST <a href="#enforce">enforce</a> each of the policies contained
in each such header field.</p>
</section>
<section>
<h4><code>Content-Security-Policy-Report-Only</code> Header Field</h4>
<p>The <code>Content-Security-Policy-Report-Only</code> header field
lets servers experiment with policies by monitoring (rather than
enforcing) a policy.</p>
<pre>
"Content-Security-Policy-Report-Only:" 1#policy
</pre>
<p>For example, a server operators might wish to develop their
security policy iteratively. The operators can deploy a report-only
policy based on their best estimate of how their site behaves. If
their site violates this policy, instead of breaking the site, the
user agent will
<a href="#dfn-send-violation-reports">send violation reports</a> to
a URI specified in the policy. Once a site has confidence that the
policy is appropriate, they start enforcing the policy using the
<code>Content-Security-Policy</code> header field.</p>
<p>A server MAY send more than one HTTP header field named
<code>Content-Security-Policy-Report-Only</code> with a given
resource representation.</p>
<p>A server MAY send different
<code>Content-Security-Policy-Report-Only</code> header field values
with different representations of the same resource or with different
resources.</p>
<p>Upon receiving an HTTP response containing at least one
<code>Content-Security-Policy-Report-Only</code> header field, the
user agent MUST <a href="#monitor">monitor</a> each of the policies
contained in each such header field.</p>
</section>
<section>
<h4>HTML <code>meta</code> Element</h4>
<p>The server MAY supply a policy in an HTML <code>meta</code>
element with an <code>http-equiv</code> attribute that is a case
insensitive match for either <code>Content-Security-Policy</code>.</p>
<p>Add the following entry to the <a
href="http://www.w3.org/TR/html5/document-metadata.html#pragma-directives">pragma
directives</a> for the <code>meta</code> element:</p>
<dl>
<dt>Content security policy (<code>http-equiv="content-security-policy"</code>)</dt>
<dd>
<ol>
<li>If the user agent is already enforcing a policy for the
document, abort these steps.</li>
<li>If the Document's <code>head</code> element is not an
ancestor of the <code>meta</code> element, abort these
steps.</li>
<li>If the <code>meta</code> element lacks a
<code>content</code> attribute, abort these steps.</li>
<li>Let <var>policy</var> be the value of the
<code>content</code> attribute of the <code>meta</code>
element.</li>
<li>Let <var>directive-set</var> be the result of
<a href="#parse-a-policy">parsing <var>policy</var></a>.</li>
<li>Remove all occurances of <code>report-uri</code> and
<code>sandbox</code> directives from <var>directive-set</var>.</li>
<li>Enforce each of the directives in <var>directive-set</var>,
as <a href="#sec-directives">defined for each directive type</a>.</li>
</ol>
</dd>
</dl>
<p>As a consequence of these requirements, a policy supplied in an
HTTP header field takes precedence over policies supplied in
<code>meta</code> elements. Similarly, the above requirements entail
that the first <code>meta</code> element containing a policy takes
precedence over policies supplied in subsequent <code>meta</code>
elements. Authors SHOULD place the <code>meta</code> element as
early in the document as possible to reduce the risk of content
injection before a protective policy can be read and enforced.</p>
<p>Note that the <code>Content-Security-Policy-Report-Only</code>
header is <em>not</em> supported inside a <code>meta</code>
element.</p>
</section>
<section class="informative">
<h4>Enforcing multiple policies.</h4>
<p>The above sections note that when multiple policies are present,
each must be enforced or reported, according to its type. An example
will help clarify how that ought to work in practice. The behavior of
an <code>XMLHttpRequest</code> might seem unclear given a site
that, for whatever reason, delivered the following HTTP headers:</p>
<pre>
Content-Security-Policy: default-src 'self' http://example.com http://example.net;
connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
script-src http://example.com/
</pre>
<p>Is a connection to <code>example.com</code> allowed or not? The
short answer is that the connection is not allowed. Enforcing both
policies means that a potential connection would have to pass through
both unscathed. Even though the second policy would allow this
connection, the first policy contains <code>connect-src 'none'</code>,
so its enforcement blocks the connection. The impact is that adding
additional policies to the list of policies to enforce can only
further restrict the capabilities of the protected resource.</p>
<p>To demonstrate that further, consider a script tag on this page.
The first policy would lock scripts down to <code>'self'</code>,
<code>http://example.com</code> and <code>http://example.net</code>
via the <code>default-src</code> directive. The second, however, would
only allow script from <code>http://example.com/</code>. Script will
only load if it meets both policy's criteria: in this case, the only
origin that can match is <code>http://example.com</code>, as both
policies allow it.</p>
</section>
</section>
<section>
<h3>Syntax and Algorithms</h3>
<section>
<h4>Policies</h4>
<p>A CSP <dfn>policy</dfn> consists of a U+003B SEMICOLON
(<code>;</code>) delimited list of directives:</p>
<pre>
policy = [ directive *( ";" [ directive ] ) ]
</pre>
<p>Each <dfn>directive</dfn> consists of a <var>directive-name</var>
and (optionally) a <var>directive-value</var>:</p>
<pre>
directive = *WSP [ directive-name [ WSP directive-value ] ]
directive-name = 1*( ALPHA / DIGIT / "-" )
directive-value = *( WSP / <VCHAR except ";" and ","> )
</pre>
<section>
<h5>Parsing</h5>
<p>To <dfn id="parse-a-policy">parse a policy</dfn>
<var>policy</var>, the user agent MUST use an algorithm equivalent to
the following:</p>
<ol>
<li>Let the <var>set of directives</var> be the empty set.</li>
<li>For each non-empty token returned by <a
href="http://www.w3.org/TR/html5/infrastructure.html#strictly-split-a-string">strictly
splitting</a> the string <var>policy</var> on the character U+003B
SEMICOLON (<code>;</code>):
<ol>
<li><a href="http://www.w3.org/TR/html5/infrastructure.html#skip-whitespace">Skip whitespace</a>.</li>
<li><a href="http://www.w3.org/TR/html5/infrastructure.html#collect-a-sequence-of-characters">Collect
a sequence of characters</a> that are not
<a href="http://www.w3.org/TR/html5/infrastructure.html#space-character">space characters</a>. The
collected characters are the <var>directive name</var>.</li>
<li>If there are characters remaining in <var>token</var>,
skip ahead exactly one character (which must be a <a
href="http://www.w3.org/TR/html5/infrastructure.html#space-character">space
character</a>).</li>
<li>The remaining characters in <var>token</var> (if any) are
the <var>directive value</var>.</li>
<li>If the <var>set of directives</var> already contains a
directive whose name is a case insensitive match for
<var>directive name</var>, ignore this instance of the directive
and continue to the next token.</li>
<li>Add a <var>directive</var> to the <var>set of
directives</var> with name <var>directive name</var> and value
<var>directive value</var>.</li>
</ol>
</li>
<li>Return the <var>set of directives</var>.
</ol>
</section>
</section>
<section>
<h4>Source List</h4>
<p>Many CSP directives use a value consisting of a <dfn>source
list</dfn>.</p>
<p>Each <dfn>source expression</dfn> in the source list represents a
location from which content of the specified type can be retrieved.
For example, the source expression <code>'self'</code> represents
the set of URIs which are in the same <a href="#origin">origin</a> as the protected
resource and the source expression <code>'unsafe-inline'</code>
represents content supplied inline in the resource itself.</p>
<pre>
source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
/ *WSP "'none'" *WSP
source-expression = scheme-source / host-source / keyword-source / nonce-source / hash-source
scheme-source = scheme ":"
host-source = [ scheme "://" ] host [ port ] [ path ]
keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
base64-value = 1*( ALPHA / DIGIT / "+" / "/" )*2( "=" )
nonce-value = base64-value
hash-value = base64-value
nonce-source = "'nonce-" nonce-value "'"
hash-algo = "sha256" / "sha384" / "sha512"
hash-source = "'" hash-algo "-" base64-value "'"
scheme = <scheme production from <a href="http://tools.ietf.org/html/rfc3986#section-3.1">RFC 3986, section 3.1</a>>
host = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
host-char = ALPHA / DIGIT / "-"
path = <path production from <a href="http://tools.ietf.org/html/rfc3986#section-3.3">RFC 3986, section 3.3</a>>
port = ":" ( 1*DIGIT / "*" )
</pre>
<p>If the policy contains a <code>nonce-source</code> expression, the
server MUST generate a fresh value for the <code>nonce-value</code>
directive at random and independently each time it transmits a policy.
This requirement ensures that the <code>nonce-value</code> is difficult
for an attacker to predict.</p>
<section>
<h5>Parsing</h5>
<p>To <dfn id="parse-a-source-list">parse a source list</dfn>
<var>source list</var>, the user agent MUST use an algorithm
equivalent to the following:</p>
<ol>
<li>If <var>source list</var> (with <a href="http://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">leading
and trailing whitespace stripped</a>) is a case insensitive match
for the string <code>'none'</code> (including the quotation
marks), return the empty set.</li>
<li>Let the <var>set of source expressions</var> be the empty set.</li>
<li>For each token returned by <a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">splitting
<var>source list</var> on spaces</a>, if the token matches the
grammar for <code>source-expression</code>, add the token to the
<var>set of source expressions</var>.</li>
<li>Return the <var>set of source expressions</var>.</li>
</ol>
<p>Note that characters like U+003B SEMICOLON (<code>;</code>) and
U+002C COMMA (<code>,</code>) cannot appear in source expressions
directly: if you'd like to include these characters in a source
expression, they must be <a href="http://tools.ietf.org/html/rfc3986#section-2.1">percent encoded</a>
as <code>%3B</code> and <code>%2C</code> respectively.</p>
</section>
<section>
<h5>Matching</h5>
<p>To check whether a URI <dfn
id="matches-a-source-expression">matches a source expression</dfn>,
the user agent MUST use an algorithm equivalent to the
following:</p>
<ol>
<li>Normalize the URI according to <a href="http://tools.ietf.org/html/rfc3986#section-6">RFC 3986, section 6</a>.</li>
<li>If the source expression a consists of a single U+002A ASTERISK character
(<code>*</code>), then return <em>does match</em>.</li>
<li>If the source expression matches the grammar for
<code>scheme-source</code>:
<ol>
<li>If the URI's scheme is a case-insensitive match for the
source expression's <code>scheme</code>, return <em>does
match</em>.</li>
<li>Otherwise, return <em>does not match</em>.</li>
</ol>
</li>
<li>If the source expression matches the grammar for
<code>host-source</code>:
<ol>
<li>If the URI does not contain a host, then return <em>does
not match</em>.</li>
<li>Let <var>uri-scheme</var>, <var>uri-host</var>, and
<var>uri-port</var> be the scheme, host, and port of the URI,
respectively. If the URI does not have a port, then let
<var>uri-port</var> be the default port for
<var>uri-scheme</var>. Let <var>uri-path</var> be
the path of the URI after
<a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
percent-encoded characters</a>. If the URI does not have a
path, then let <var>uri-path</var> be the U+002F SOLIDUS
character (<code>/</code>).</li>
<li>If the source expression has a <code>scheme</code> that is
not a case insensitive match for <var>uri-scheme</var>, then
return <em>does not match</em>.</li>
<li>If the source expression does <strong>not</strong> have a
scheme, return <em>does not match</em> if
<ol>
<li>the scheme of the protected resource's URI is a case
insensitive match for <code>HTTP</code>, and
<var>uri-scheme</var> is <strong>not</strong> a case
insensitive match for either <code>HTTP</code> or
<code>HTTPS</code></li>
<li>the scheme of the protected resource's URI is
<strong>not</strong> a case insensitive match for
<code>HTTP</code>, and <var>uri-scheme</var> is
<strong>not</strong> a case insensitive match
for the scheme of the protected resource's URI.</li>
</ol>
</li>
<li>If the first character of the source expression's
<code>host</code> is an U+002A ASTERISK character
(<code>*</code>) and the remaining characters, including the
leading U+002E FULL STOP character (<code>.</code>), are not a
case insensitive match for the rightmost characters of
<var>uri-host</var>, then return <em>does not match</em>.</li>
<li>If the first character of the source expression's
<code>host</code> is <em>not</em> an U+002A ASTERISK
character (<code>*</code>) and <var>uri-host</var> is not a
case insensitive match for the source expression's
<code>host</code>, then return <em>does not match</em>.</li>
<li>If the source expression does <strong>not</strong> contain
a <code>port</code> and <var>uri-port</var> is not the default
port for <var>uri-scheme</var>, then return <em>does not
match</em>.</li>
<li>If the source expression does contain a <code>port</code>,
then return <em>does not match</em> if
<ol>
<li><code>port</code> does <strong>not</strong> contain
an U+002A ASTERISK character (<code>*</code>), and</li>
<li><code>port</code> does <strong>not</strong>
represent the same number as <var>uri-port</var>.</li>
</ol>
</li>
<li>If the source expression contains a non-empty
<code>path</code>, then:
<ol>
<li>Let <var>decoded-path</var> be the result of
<a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
<code>path</code>'s percent-encoded characters</a>.</li>
<li>If the final character of <var>decoded-path</var> is
the U+002F SOLIDUS character (<code>/</code>), and
<var>decoded-path</var> is not a prefix of
<var>uri-path</var>, then return <em>does not
match</em>.</li>
<li>If the final character of <var>decoded-path</var> is
not the the U+002F SOLIDUS character (<code>/</code>),
and <var>decoded-path</var> is not an exact match for
<var>uri-path</var> then return <em>does not
match</em>.</li>
</ol>
</li>
<li>Otherwise, return <em>does match</em>.</li>
</ol>
</li>
<li>If the source expression is a case insensitive
match for <code>'self'</code> (including the quotation marks),
then:
<ol>
<li>Return <em>does match</em> if the URI has the same scheme,
host, and port as the protected resource's URI (using the
default port for the appropriate scheme if either or both URIs
are missing ports).</li>
</ol>
</li>
<li>Otherwise, return <em>does not match</em>.</li>
</ol>
<p>A URI <dfn id="matches-a-source-list">matches a source
list</dfn>, if, and only if, the URI <a
href="#matches-a-source-expression">matches at least one source
expression</a> in the set of source expressions obtained by <a
href="#parse-a-source-list">parsing the source list</a>. Notice that
no URIs match an empty set of source expressions, such as the set
obtained by parsing the source list <code>'none'</code>.</p>
<section class="informative">
<h6>Path Matching</h6>
<p>The rules for matching source expressions that contain paths
are simpler than they look: paths that end with the '/' character
match all files in a directory and its subdirectories. Paths that
do not end with the '/' character match only one specific file. A
few examples should make this clear:</p>
<ol>
<li>The source expression <code>example.com</code> has no path,
and therefore matches any file served from that host.</li>
<li>The source expression <code>example.com/scripts/</code>
matches any file in the <code>scripts</code> directory of
<code>example.com</code>, and any of its subdirectories. For
example, both <code>https://example.com/scripts/file.js</code>
and <code>https://example.com/scripts/js/file.js</code> would
match.</li>
<li>The source expression
<code>example.com/scripts/file.js</code> matches only the file
named <code>file.js</code> in the <code>scripts</code> directory
of <code>example.com</code>.</li>
<li>Likewise, the source expression <code>example.com/js</code>
matches only the file named <code>js</code>. In particular, note
that it would not match files inside a directory named
<code>js</code>. Files like <code>example.com/js/file.js</code>
would be matched only if the source expression ended with a
trailing "/", as in <code>example.com/js/</code>.</li>
</ol>
<p>Note that query strings have no impact on matching: the source
expression <code>example.com/file?key=value</code> matches all of
<code>https://example.com/file</code>,
<code>https://example.com/file?key=value</code>,
<code>https://example.com/file?key=notvalue</code>, and
<code>https://example.com/file?notkey=notvalue</code>.</p>
</section>
</section>
<section>
<h5>Valid Nonces</h5>
<p>An element has <dfn>a valid nonce</dfn> for a set of source expressions
if the value of the <code>nonce</code> attribute of the element after <a
href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripping
leading and trailing whitespace</a> is a case-sensitive match for the
<code>nonce-value</code> component of at least one <code>nonce-source</code>
expression in the set of source expressions.</p>
</section>
<section>
<h5>Valid Hashes</h5>
<p>An <dfn>element's contents</dfn> are
<a href="http://www.w3.org/TR/html5/scripting-1.html#the-script-block's-source">the script block's source</a>
for <code>script</code> elements, or the value of the element's
<a href="http://dom.spec.whatwg.org/#dom-node-textcontent"><code>textContent</code></a>
IDL attribute for non-<code>script</code> elements such as
<code>style</code>.</p>
<p>The <dfn><code>algorithm</code> digest of an element's contents</dfn> is the
result of applying <code>algorithm</code> to the
<a href="#dfn-elements-contents">element's contents</a>.
<p>To determine whether <var>element</var> has <dfn>a valid hash</dfn> for a set of
source expressions, execute the following steps:</p>
<ol>
<li>Let <var>hashes</var> be a list of all <code>hash-source</code>
expressions in the set of source expressions.</li>
<li>For each <var>hash</var> in <var>hashes</var>:
<ol>
<li>Let <var>algorithm</var> be:
<ul>
<li>SHA-256 if the <code>hash-algo</code> component of <var>hash</var> is a case-insensitive match for the string "sha256"</li>
<li>SHA-384 if the <code>hash-algo</code> component of <var>hash</var> is a case-insensitive match for the string "sha384"</li>
<li>SHA-512 if the <code>hash-algo</code> component of <var>hash</var> is a case-insensitive match for the string "sha512"</li>
</ul>
(SHA-256, SHA-384, and SHA-512 are the digest algorithms
<a href="http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf">defined by the NIST</a>)
</li>
<li>Let <var>expected</var> be the <code>hash-value</code> component of <var>hash</var>.</li>
<li>Let <var>actual</var> be the <a href="http://tools.ietf.org/html/rfc4648#section-4">base64 encoding</a>
of the binary <a href="#dfn-digest-of-an-elements-contents"><var>algorithm</var> digest of <var>element</var>'s
contents</a>.</li>
<li>If <var>actual</var> is a case-sensitive match for
<var>expected</var>, return true and abort these steps.</li>
</ol>
</li>
<li>Return false.</li>
</ol>
<p>Note that if an element has an invalid hash, it would be helpful
if the user agent reported the failure to the author by adding
a warning message containing the <var>actual</var> hash value.</p>
</section>
<section>
<h4>Media Type List</h4>
<p>The experimental
<a href="#plugin-types"><code>plugin-types</code></a>
directive uses a value consisting of a <dfn>media type list</dfn>.</p>
<p>Each <dfn>media type</dfn> in the media type list represents a
specific type of resource that can be retrieved and used to
instantiate a <a href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
in the protected resource.</p>
<pre>
media-type-list = media-type *( 1*WSP media-type )
media-type = <type from RFC 2045> "/" <subtype from RFC 2045>
</pre>
<section>
<h5>Parsing</h5>
<p>To <dfn id="parse-a-media-type-list">parse a media type
list</dfn> <var>media type list</var>, the user agent MUST use an
algorithm equivalent to the following:</p>
<ol>
<li>Let the <var>set of media types</var> be the empty set.</li>
<li>For each token returned by <a href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">splitting
<var>media type list</var> on spaces</a>, if the token matches the
grammar for <code>media-type</code>, add the token to the
<var>set of media types</var>. Otherwise ignore the token.</li>
<li>Return the <var>set of media types</var>.</li>
</ol>
</section>
<section>
<h5>Matching</h5>
<p>A media type <dfn>matches a media type list</dfn> if, and only
if, the media type is a case-insensitive match for at least one
token in the set of media types obtained by <a href="#parse-a-media-type-list">parsing
the media type list</a>.
</section>
</section>
<section>
<h4>Reporting</h4>
<p>To <dfn>strip <code>uri</code> for reporting</dfn>, the user agent
MUST use an algorithm equivalent to the following:</p>
<ol>
<li>If the origin of <var>uri</var> is a <a href="#dfn-globally-unique-identifier">globally unique identifier</a>
(for example, <var>uri</var> has a scheme of <code>data</code>, <code>blob</code>, or <code>file</code>), then
abort these steps, and return the ASCII serialization of <var>uri</var>'s scheme.</li>
<li>If the origin of <var>uri</var> is not the same as the origin
of the protected resource, then abort these steps, and return the
ASCII serialization of <var>uri</var>'s origin.</li>
<li>Return <var>uri</var>, with any <a href="http://www.w3.org/TR/html5/infrastructure.html#url-fragment"><fragment></a>
component removed.</li>
</ol>
<p>To <dfn>generate a violation report object</dfn>, the user agent
MUST use an algorithm equivalent to the following:</p>
<ol>
<li>Prepare a JSON object <var>violation</var> with the
following keys and values:
<dl>
<dt id="violation-report-blocked-uri">blocked-uri</dt>
<dd>The URI of the resource that was prevented from loading,
<a href="#dfn-strip-uri-for-reporting">stripped for reporting</a>,
or the empty string if the resource has no URI (inline script and
inline style, for example).</dd>
<dt id="violation-report-document-uri">document-uri</dt>
<dd>The <a href="http://www.w3.org/TR/html5/dom.html#the-document%27s-address">address</a>
of the protected resource, <a href="#dfn-strip-uri-for-reporting">stripped for reporting</a>.</dd>
<dt id="violation-report-effective-directive">effective-directive</dt>
<dd>The name of the policy directive that was violated. This will
contain the directive whose enforcement triggered the violation,
even if that directive does not explicitly appear in the policy,
but is implicitly activated via the <code>default-src</code>
directive.</dd>
<dt id="violation-report-original-policy">original-policy</dt>
<dd>The original policy, as received by the user agent.</dd>
<dt id="violation-report-referrer">referrer</dt>
<dd>The <a href="http://www.w3.org/TR/html5/dom.html#dom-document-referrer">referrer</a>
attribute of the protected resource, or the empty string if the
protected resource has no referrer.</dd>
<dt id="violation-report-status-code">status-code</dt>
<dd>The <code>status-code</code> of the HTTP response that
contained the protected resource, if the protected resource was
obtained over HTTP. Otherwise, the number 0.</dd>
<dt id="violation-report-violated-directive">violated-directive</dt>
<dd>The policy directive that was violated, as it appears in the
policy. This will contain the <code>default-src</code> directive
in the case of violations caused by falling back to the
<a href="#dfn-default-sources">default sources</a> when enforcing
a directive.</dd>
</dl>
</li>
<li>If a specific line or a specific file can be identified as the
cause of the violation (for example, script execution that violates
the <code>script-src</code> directive), the user agent MAY add the
following keys and values to <var>violation</var>:
<dl>
<dt id="violation-report-source-file">source-file</dt>
<dd>The URI of the resource where the violation occurred,
<a href="#dfn-strip-uri-for-reporting">stripped for reporting</a>.</dd>
<dt id="violation-report-line-number">line-number</dt>
<dd>The line number in <code>source-file</code> on which
the violation occurred.</dd>
<dt id="violation-report-column-number">column-number</dt>
<dd>The column number in <code>source-file</code> on which
the violation occurred.</dd>
</dl>
</li>
<li>Return <var>violation</var>.</li>
</ol>
<p>To <dfn>send violation reports</dfn>, the user agent MUST use an
algorithm equivalent to the following:</p>
<ol>
<li>Prepare a JSON object <var>report object</var> with a single
key, <code>csp-report</code>, whose value is the result of
<a href="#dfn-generate-a-violation-report-object">generating a violation report object</a>.</li>
<li>Let <var>report body</var> be the JSON stringification of
<var>report object</var>.</li>
<li>For each <var>report URI</var> in the <a href="#dfn-set-of-report-uris">set of report URIs</a>:
<ol>
<li>If the user agent has already sent a violation report for
the protected resource to <var>report URI</var>, and that report
contained an entity body that exactly matches
<var>report body</var>, the user agent MAY abort these
steps and continue to the next <var>report URI</var>.</li>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a>
to <a href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetch</a>
<var>report URI</var> from the origin of the protected resource,
with the synchronous flag <em>not</em> set, using HTTP method
<code>POST</code>, with a <code>Content-Type</code> header field
of <code>application/csp-report</code>, and an entity body
consisting of <var>report body</var>. If the origin of
<var>report URI</var> is not the same as the origin of the protected
resource, the block cookies flag MUST also be set. The
user agent MUST NOT follow redirects when fetching this
resource. (Note: The user agent ignores the fetched resource.)
The <a href="http://www.w3.org/TR/html5/webappapis.html#task-source">task source</a>
for this <a href="http://www.w3.org/TR/html5/webappapis.html#concept-task">task</a>
is the <dfn>Content Security Policy task source</dfn>.</li>
</ol>
</li>
</ol>
<p>To <dfn>report a violation</dfn>, the user agent MUST:</p>
<ol>
<li><a href="#dfn-fire-a-violation-event">Fire a violation event</a> at
the protected resource's <a href="http://www.w3.org/TR/html5/dom.html#document"><code>Document</code></a>, and</li>
<li>If the <a href="#dfn-set-of-report-uris">set of report URIs</a>
is non-empty, <a href="#dfn-send-violation-reports">send violation reports</a>
to each.</li>
</ol>
</section>
</section>
<section>
<h3>Processing Model</h3>
<p>To <dfn id="enforce">enforce</dfn> a policy, the user agent MUST
<a href="#parse-a-policy">parse the policy</a> and enforce each of
the directives contained in the policy, where the specific
requirements for enforcing each directive are defined separately for
each directive (See <a href="#sec-directives">Directives</a>,
below).</p>
<p>Generally speaking, enforcing a directive prevents the protected
resource from performing certain actions, such as loading scripts from
URIs other than those indicated in a source list. These restrictions
make it more difficult for an attacker to abuse an injection
vulnerability in the resource because the attacker will be unable to
usurp the resource's privileges that have been restricted in this
way.</p>
<p>Enforcing a policy SHOULD NOT interfere with the operation of
user-supplied scripts such as third-party user-agent add-ons and
JavaScript bookmarklets.</p>
<p>To <dfn id="monitor">monitor</dfn> a policy, the user agent MUST
<a href="#parse-a-policy">parse the policy</a> and monitor each of
the directives contained in the policy.</p>
<p>Monitoring a directive does not prevent the protected resource from
undertaking any actions. Instead, any actions that would have been
prevented by the directives are instead reported to the developer of
the web application. Monitoring a policy is useful for testing
whether enforcing the policy will cause the web application to
malfunction.</p>
<p>A server MAY cause user agents to monitor one policy while enforcing
another policy by returning both <code>Content-Security-Policy</code>
and <code>Content-Security-Policy-Report-Only</code> header fields.
For example, if a server operator is using one policy but wishes to
experiment with a stricter policy, the server operator can monitor
the stricter policy while enforcing the original policy. Once the
server operator is satisfied that the stricter policy does not break
the web application, the server operator can start enforcing the
stricter policy.</p>
<p>If the user agent monitors or enforces a policy that does not
contain any directives, the user agent SHOULD report a warning message
in the developer console.</p>
<p>If the user agent monitors or enforces a policy that contains
an unrecognized directive, the user agent SHOULD report a warning
message in the developer console indicating the name of the
unrecognized directive.</p>
<p>Whenever a user agent <a
href="http://www.w3.org/TR/workers/#run-a-worker">runs a worker</a>:
[[!WEBWORKERS]]</p>
<ul>
<li>If the worker's script's origin is a <a href="#dfn-globally-unique-identifier">globally unique identifier</a>
(for example, the worker's script's URL has a scheme of
<code>data</code>, <code>blob</code>, or <code>file</code>), then:
<ul>
<li>If the user agent is enforcing a CSP policy for the <var>owner
document</var>, the user agent MUST enforce the CSP policy for the
worker.</li>
<li>If the user agent is monitoring a CSP policy for the <var>owner
document</var>, the user agent MUST monitor the CSP policy for the
worker.</li>
</ul></li>
<li>Otherwise:
<ul>
<li>If the worker's script is delivered with a <code>Content-Security-Policy</code>
HTTP header containing the value <var>policy</var>, the user agent MUST
<a href="#enforce">enforce <var>policy</var></a> for the
worker.</li>
<li>If the worker's script is delivered with a <code>Content-Security-Policy-Report-Only</code>
HTTP header containing the value <var>policy</var>, the user agent MUST
<a href="#monitor">monitor <var>policy</var></a> for the
worker.</li>
</ul></li>
</ul>
<p>Whenever a user agent creates a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#an-iframe-srcdoc-document">an
<code>iframe</code> <code>srcdoc</code> document</a> in a browsing
context nested in the protected resource, if the user agent is
enforcing any CSP policies for the protected resource, the user agent
MUST <a href="#enforce">enforce</a> those CSP policies on the
<code>iframe</code> <code>srcdoc</code> document as well.</p>
<p>Whenever a user agent creates a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#an-iframe-srcdoc-document">an
<code>iframe</code> <code>srcdoc</code> document</a> in a browsing
context nested in the protected resource, if the user agent is
monitoring any CSP policies for the protected resource, the user agent
MUST <a href="#monitor">monitor</a> those CSP policies on the
<code>iframe</code> <code>srcdoc</code> document as well.</p>
</section>
<section>
<h3>Script Interfaces</h3>
<section>
<h4><code>SecurityPolicyViolationEvent</code> Events</h4>
<dl title="[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] interface SecurityPolicyViolationEvent : Event" class="idl">
<dt>readonly attribute DOMString documentURI</dt>
<dd>Refer to the <a href="#violation-report-document-uri"><code>document-uri</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString referrer</dt>
<dd>Refer to the <a href="#violation-report-referrer"><code>referrer</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString blockedURI</dt>
<dd>Refer to the <a href="#violation-report-blocked-uri"><code>blocked-uri</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString violatedDirective</dt>
<dd>Refer to the <a href="#violation-report-violated-directive"><code>violated-directive</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString effectiveDirective</dt>
<dd>Refer to the <a href="#violation-report-effective-directive"><code>effective-directive</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString originalPolicy</dt>
<dd>Refer to the <a href="#violation-report-original-policy"><code>original-policy</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute DOMString sourceFile</dt>
<dd>Refer to the <a href="#violation-report-source-file"><code>source-file</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute long lineNumber</dt>
<dd>Refer to the <a href="#violation-report-line-number"><code>line-number</code></a> property of violation reports for a description of this property.</dd>
<dt>readonly attribute long columnNumber</dt>
<dd>Refer to the <a href="#violation-report-column-number"><code>column-number</code></a> property of violation reports for a description of this property.</dd>
</dl>
<dl title="dictionary SecurityPolicyViolationEventInit : EventInit" class="idl">
<dt>DOMString documentURI</dt>
<dd>Refer to the <a href="#violation-report-document-uri"><code>document-uri</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString referrer</dt>
<dd>Refer to the <a href="#violation-report-referrer"><code>referrer</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString blockedURI</dt>
<dd>Refer to the <a href="#violation-report-blocked-uri"><code>blocked-uri</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString violatedDirective</dt>
<dd>Refer to the <a href="#violation-report-violated-directive"><code>violated-directive</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString effectiveDirective</dt>
<dd>Refer to the <a href="#violation-report-effective-directive"><code>effective-directive</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString originalPolicy</dt>
<dd>Refer to the <a href="#violation-report-original-policy"><code>original-policy</code></a> property of violation reports for a description of this property.</dd>
<dt>DOMString sourceFile</dt>
<dd>Refer to the <a href="#violation-report-source-file"><code>source-file</code></a> property of violation reports for a description of this property.</dd>
<dt>long lineNumber</dt>
<dd>Refer to the <a href="#violation-report-line-number"><code>line-number</code></a> property of violation reports for a description of this property.</dd>
<dt>long columnNumber</dt>
<dd>Refer to the <a href="#violation-report-column-number"><code>line-number</code></a> property of violation reports for a description of this property.</dd>
</dl>
<section>
<h5>Firing events using the <code>SecurityPolicyViolationEvent</code> interface</h5>
<p>To <dfn>fire a violation event</dfn>, the user agent MUST use an algorithm equivalent to
the following:</p>
<ol>
<li>Let <var>report object</var> be the result of
<a href="#dfn-generate-a-violation-report-object">generating a violation report object</a>.</li>
<li><a href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a>
to <a href="http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html#concept-event-fire">fire an event</a>
named <code>securitypolicyviolation</code> using the <code>SecurityPolicyViolationEvent</code> interface
with the following initializations:
<ul>
<li><code>blockedURI</code> MUST be initialized to the value of <var>report object</var>'s <code>blocked-uri</code> key.</li>
<li><code>documentURI</code> MUST be initialized to the value of <var>report object</var>'s <code>document-uri</code> key.</li>
<li><code>effectiveDirective</code> MUST be initialized to the value of <var>report object</var>'s <code>effective-directive</code> key.</li>
<li><code>originalPolicy</code> MUST be initialized to the value of <var>report object</var>'s <code>original-policy</code> key.</li>
<li><code>referrer</code> MUST be initialized to the value of <var>report object</var>'s <code>referrer</code> key.</li>
<li><code>violatedDirective</code> MUST be initialized to the value of <var>report object</var>'s <code>violated-directive</code> key.</li>
<li><code>sourceFile</code> MUST be initialized to the value of <var>report object</var>'s <code>source-file</code> key.</li>
<li><code>lineNumber</code> MUST be initialized to the value of <var>report object</var>'s <code>line-number</code> key.</li>
<li><code>columnNumber</code> MUST be initialized to the value of <var>report object</var>'s <code>column-number</code> key.</li>
</ul>
</li>
</ol>
<p>The <a href="http://www.w3.org/TR/html5/webappapis.html#task-source">task source</a>
for this <a href="http://www.w3.org/TR/html5/webappapis.html#concept-task">task</a>
is the <dfn>Content Security Policy task source</dfn>.</p>
</section>
</section>
</section>
<section>
<h2 id="sec-directives">Directives</h2>
<p>This section describes the content security policy directives
introduced in this specification. Note that directive names are
case insensitive.</p>
<p>In order to protect against Cross-Site Scripting (XSS), web
application authors SHOULD include
<ul>
<li>both the <code>script-src</code> and <code>object-src</code>
directives, or</li>
<li>include a <code>default-src</code> directive, which covers both
scripts and plugins.</li>
</ul>
<p>In either case, authors SHOULD NOT include either
<code>'unsafe-inline'</code> or <code>data:</code> as valid sources in
their policies. Both enable XSS attacks by allowing code to be included
directly in the document itself; they are best avoided completely.</p>
<section>
<h4><code>base-uri</code></h4>
<p>The <code>base-uri</code> directive restricts the URIs that can be
used to specify a <a href="http://www.w3.org/TR/html5/infrastructure.html#document-base-url">document's base URL</a>.
The syntax for the name and value of the directive are described by
the following ABNF grammar:</p>
<pre>
directive-name = "base-uri"
directive-value = source-list
</pre>
<p>The term <dfn>allowed base URIs</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>base-uri</code>
directive's value as a source list</a>.</p>
<p>Step 4 of the algorithm defined in HTML5 to obtain a
<em>document's base URL</em> MUST be changed to:</p>
<ol start="4">
<li>If the previous step was not successful, or the result of the
previous step does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-base-uris">allowed base URIs</a>, then
the <a href="http://www.w3.org/TR/html5/infrastructure.html#document-base-url">document base URL</a>
is <var>fallback base URL</var>. Otherwise, it is the result of the
previous step.</li>
</ol>
</section>
<section>
<h4><code>child-src</code></h4>
<p>The <code>child-src</code> governs the creation of
<a href="#dfn-nested-browsing-context">nested</a>
and <a href="#dfn-auxiliary-browsing-context">auxiliary browsing contexts</a>,
as well as Worker execution contexts. The syntax for the name and
value of the directive are described by the following ABNF
grammar:</p>
<pre>
directive-name = "child-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed child sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>child-src</code>
directive's value as a source list</a> if a <code>child-src</code>
directive is explicitly specified, and otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<section>
<h5>Nested Browsing Contexts</h5>
<p>To enforce the <code>child-src</code> directive the user agent MUST
enforce the following directives:</p>
<ul>
<li><a href="#frame-src"><code>frame-src</code></a></li>
</ul>
</section>
<section>
<h5>Auxiliary Browsing Contexts</h5>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URL (including when following redirects) in the course of one of the
following activities, if the URL does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-popup-sources">allowed popup sources</a>, the
user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting data for display in an <a href="#dfn-auxiliary-browsing-context">auxiliary browsing context</a>
whose <a href="#dfn-opener-browsing-context">opener browsing context</a>
is the protected resource (for example, a popup window created by a
call to <code>window.open</code>).</li>
<li><a href="http://www.w3.org/TR/html5/browsers.html#navigate">Navigating</a>
such an <a href="#dfn-auxiliary-browsing-context">auxiliary browsing context</a>.</li>
</ul>
</section>
<section>
<h5>Workers</h5>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URL (including when following redirects) while processing the <code>Worker</code>
or <code>SharedWorker</code> constructors [[!WEBWORKERS]], the user
agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>
if the URI does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-worker-sources">allowed worker sources</a>.</p>
</section>
</section>
<section>
<h4><code>connect-src</code></h4>
<p>The <code>connect-src</code> directive restricts which URIs the
protected resource can load using script interfaces. The syntax for
the name and value of the directive are described by the following ABNF
grammar:</p>
<pre>
directive-name = "connect-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed connection targets</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>connect-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>connect-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the
<a href="#dfn-allowed-connection-targets">allowed connection targets</a>,
the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Processing the <a
href="http://www.w3.org/TR/XMLHttpRequest/#the-send()-method"><code>send()</code>
method</a> of an <code>XMLHttpRequest</code> object.</li>
<li>Processing the <a
href="http://dev.w3.org/html5/websockets/#websocket"><code>WebSocket</code>
constructor</a>.</li>
<li>Processing the <a
href="http://dev.w3.org/html5/eventsource/#eventsource"><code>EventSource</code>
constructor</a>.</li>
</ul>
<section class="informative">
<h5>Usage</h5>
<p>JavaScript offers a few mechanisms that directly connect to an
external server to send or receive information.
<code>EventSource</code> maintains an open HTTP connection to a server
in order to receive push notifications, <code>WebSockets</code>
open a bidirectional communication channel between your browser and a
server, and <code>XMLHttpRequest</code> makes arbitrary HTTP requests
on your behalf. These are powerful APIs that enable useful
functionality, but also provide tempting avenues for data
exfiltration.
<p>The <code>connect-src</code> directive allows you to ensure that
these sorts of connections are only opened to origins you trust.
Sending a policy that defines a list of source expressions for this
directive is straightforward. For example, to limit connections to
only <code>example.com</code>, send the following header:</p>
<pre>Content-Security-Policy: connect-src example.com</pre>
<p>All of the following will fail with the preceeding directive in
place:</p>
<ul>
<li><code>new WebSocket("wss://evil.com/");</code></li>
<li><code>(new XMLHttpRequest()).open("GET", "https://evil.com/", true);</code></li>
<li><code>new EventSource("https://evil.com");</code></li>
</ul>
</section>
</section>
<section>
<h3><code>default-src</code></h3>
<p>The <code>default-src</code> directive sets a default source list
for a number of directives. The syntax for the name and value of the
directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "default-src"
directive-value = source-list
</pre>
<p>Let the <dfn>default sources</dfn> be the result of <a
href="#parse-a-source-list">parsing the <code>default-src</code>
directive's value as a source list</a> if a <code>default-src</code>
directive is explicitly specified, and otherwise the U+002A ASTERISK
character (*).</p>
<p>To enforce the <code>default-src</code> directive, the user agent
MUST enforce the following directives:</p>
<ul>
<li><a href="#child-src"><code>child-src</code></a></li>
<li><a href="#connect-src"><code>connect-src</code></a></li>
<li><a href="#font-src"><code>font-src</code></a></li>
<li><a href="#img-src"><code>img-src</code></a></li>
<li><a href="#media-src"><code>media-src</code></a></li>
<li><a href="#object-src"><code>object-src</code></a></li>
<li><a href="#script-src"><code>script-src</code></a></li>
<li><a href="#style-src"><code>style-src</code></a></li>
</ul>
<p>If not specified explicitly in the policy, the directives listed
above will use the <a href="#dfn-default-sources">default sources</a>.</p>
<section class="informative">
<h4>Usage</h4>
<p><code>default-src</code>, as the name implies, serves as a default
source list which the other source list-style directives will use as
a fallback if they're not otherwise explicitly set. That is, consider
the following policy declaration:</p>
<pre>Content-Security-Policy: default-src 'self'</pre>
<p>Under this policy, fonts, frames, images, media, objects, scripts,
and styles will all only load from the same origin as the protected
resource, and connections will only be made to the same origin. Adding
a more specific declaration to the policy would completely override
the default source list for that resource type.</p>
<pre>Content-Security-Policy: default-src 'self'; script-src example.com</pre>
<p>Under this new policy, fonts, frames, and etc. continue to be load
from the same origin, but scripts will <em>only</em> load from
<code>example.com</code>. There's no inheritance; the
<code>script-src</code> directive sets the allowed sources of script,
and the default list is not used for that resource type.</p>
<p>Given this behavior, one good way of building a policy for a site
would be to begin with a <code>default-src</code> of
<code>'none'</code>, and to build up a policy from there that contains
only those resource types which are actually in use for the page you'd
like to protect. If you don't use webfonts, for instance, there's no
reason to specify a source list for <code>font-src</code>; specifying
only those resource types a page uses ensures that the possible attack
surface for that page remains as small as possible.</p>
</section>
</section>
<section>
<h4><code>font-src</code></h4>
<p>The <code>font-src</code> directive restricts from where the
protected resource can load fonts. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "font-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed font sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>font-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>font-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a href="#dfn-allowed-font-sources">allowed font
sources</a>, the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting data for display in a font, such as when processing
the <code>@font-face</code> Cascading Style Sheets (CSS) rule.</li>
</ul>
</section>
<section>
<h4><code>form-action</code></h4>
<p>The <code>form-action</code> restricts which URIs can be used as the
action of HTML <code>form</code> elements. The syntax for the name and
value of the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "form-action"
directive-value = source-list
</pre>
<p>The term <dfn>allowed form actions</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>form-action</code>
directive's value as a source list</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a href="#dfn-allowed-form-actions">allowed form
actions</a>, the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Processing an HTML <code>form</code> element.
</ul>
<p>Note that <code>form-action</code> does not fall back to the default
source list when the directive is not defined. That is, a policy that
defines <code>default-src 'none'</code> but not
<code>form-action</code> will still allow form submissions to any
target.</p>
</section>
<section>
<h4><code>frame-ancestors</code></h4>
<p>The <code>frame-ancestors</code> directive indicates whether the user agent
should allow embedding the resource using a <code>frame</code>, <code>iframe</code>,
<code>object</code>, <code>embed</code> or <code>applet</code> tag, or equivalent
functionality in non-HTML resources. Resources can use this directive to avoid
many UI Redressing [[UIREDRESS]] attacks by avoiding being embedded into potentially
hostile contexts. </p>
<p>The syntax for the name and value of the directive are described by the
following ABNF grammar:</p>
<pre>
directive-name = "frame-ancestors"
directive-value = source-list
</pre>
<p>The term <dfn>allowed frame ancestors</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>frame-ancestors</code>
directive's value as a source list</a>. Note that this directive is not
influenced by the <a href="#dfn-default-sourcs">default sources</a>. If
a <code>frame-ancestors</code> directive is not explicitly included in
the policy, the <a href="#dfn-allowed-frame-ancestors">allowed frame
ancestors</a> is "<code>*</code>".</p>
<p>To enforce the <code>frame-ancestors</code> directive, whenever the
user agent would load the protected resource into a
<a href="#dfn-nested-browsing-context">nested browsing context</a>, the
user agent MUST perform the following steps:</p>
<ol>
<li>Let <var>nestedContext</var> be the nested browsing context into
which the protected resource is being loaded.</li>
<li>Let <var>ancestorList</var> be the list of all
<a href="http://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor browsing contexts</a>
of <var>nestedContext</var>.</li>
<li>For each <var>ancestorContext</var> in <var>ancestorList</var>:
<ol>
<li>Let <var>document</var> be <var>ancestorContext</var>'s
<a href="http://www.w3.org/TR/html5/browsers.html#active-document">active document</a>.</li>
<li>If <var>document</var>'s URL does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-frame-ancestors">allowed frame ancestors</a>,
the user agent MUST:
<ol>
<li>Abort loading the protected resource.</li>
<li>Act as if it received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.2.1">HTTP 200 response</a>.</li>
<li><a href="http://www.whatwg.org/specs/web-apps/current-work/#parse-a-sandboxing-directive">Parse the sandboxing directive</a>
using the empty string as the <em>input</em> and the newly
created document's <a href="http://www.whatwg.org/specs/web-apps/current-work/#forced-sandboxing-flag-set">forced sandboxing flag set</a>
as the <em>output</em>.</li>
</ol>
</li>
</ol>
</li>
</ol>
<p>Steps 2.2 and 2.3 ensure that the blocked frame appears to be a
normal cross-origin document's load. If these steps are ignored,
leakage of a document's policy state is possible. The user agent MAY
implement these steps by instead redirecting the user to friendly
error page in a unique origin which provides the option of opening
the blocked page in a new top-level browsing context.</p>
<p>Note that the <code>frame-ancestors</code> directive will be ignored when
<a href="#monitor">monitoring</a> a policy, and when a contained in a
policy defined via a <a href="#html-meta-element"><code>meta</code>
element</a>.</p>
<p>Note that this directive is similar to the non-standard
<code>X-Frame-Options</code> header that several user agents
have implemented. The <code>'none'</code> source expression
is roughly equivilant to that header's <code>DENY</code>,
<code>'self'</code> to <code>SAMEORIGIN</code>, and so on.
The major difference is that many user agents implement
<code>SAMEORIGIN</code> such that it only matches against
the top-level document's location. This directive checks
each ancestor. If any ancestor doesn't match, the load
is cancelled.</p>
<p>When generating a violation report for a <code>frame-ancestors</code> violation,
the user agent MUST NOT include the value of the embedding ancestor as a
<code>blocked-uri</code> value unless it is same-origin with the protected resource,
as disclosing the value of cross-origin ancestors is a violation of the Same-Origin Policy.
</p>
<section id="multiple-host-source-values" class="informative">
<h5>Multiple Host Source Values</h5>
<p>Multiple source-list espressions are allowed in a single policy (in contrast
to <code>X-Frame-Options</code>, which allows only one) to enable
scenarios involving embedded application compoments that are multiple levels
below the top-level browsing context.</p>
<p>Many common scenarios for permissioned embedding (e.g. embeddable payment,
sharing or social apps) involve potentially many hundreds or thousands of
valid <code>source-list</code> expressions, but it is strongly recommended against
accomodating such scenarios with a static <code>frame-ancestors</code> directive
listing mulitple values. In such cases it is beneficial to generate this value
dynamically, based on an HTTP Referer header or an explicitly passed-in value,
to allow only the source(s) necessary for each given embedding of the resource.</p>
<p>Consider a service providing a payments application at
<code>https://payments/makeEmbedded</code>. The service allows this resource
to be embedded by both merchant Alice and merchant Bob, who compete with each
other. Sending:</p>
<pre>
Content-Security-Policy: frame-options https://alice https://bob
</pre>
<p>would allow Bob to re-frame Alice's resource and create fradulent clicks,
perhaps discrediting Alice with her customers or the payments service. If the
payments service used additional information (e.g. as part of a URL like
<code>https://payments/makeEmbedded?merchant=alice</code>) to send
individually-tailored headers listing only the source-list expressions
needed by each merchant, this attack would be eliminated.</p>
</section>
</section>
<section>
<h4><code>frame-src</code></h4>
<p>The <code>frame-src</code> directive is <em>deprecated</em>.
Authors who wish to govern nested browsing contexts SHOULD use the
<code>child-src</code> directive instead.</p>
<p>The <code>frame-src</code> directive restricts from where the
protected resource can embed frames. The syntax for the name
and value of the directive are described by the following ABNF
grammar:</p>
<pre>
directive-name = "frame-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed frame sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>frame-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>frame-src</code>, or otherwise to the list of
<a href="#dfn-allowed-child-sources">allowed child sources</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-frame-sources">allowed frame sources</a>, the
user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting data for display in a <a href="#dfn-nested-browsing-context">nested browsing context</a> in the
protected resource created by an <code>iframe</code> or
a <code>frame</code> element.</li>
<li><a href="http://www.w3.org/TR/html5/browsers.html#navigate">Navigating</a>
such a <a href="#dfn-nested-browsing-context">nested browsing context</a>.</li>
</ul>
</section>
<section>
<h4><code>img-src</code></h4>
<p>The <code>img-src</code> directive restricts from where the
protected resource can load images. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "img-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed image sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>img-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>img-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a href="#dfn-allowed-image-sources">allowed image
sources</a>, the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting data for an image, such as when processing the
<code>src</code> or <code>srcset</code> attributes of an <code>img</code> element,
the <code>src</code> attribute of an <code>input</code> element with a type of <code>image</code>,
the <code>poster</code> attribute of a <code>video</code> element,
the <code>url()</code>, <code>image()</code> or <code>image-set()</code> values on any
Cascading Style Sheets (CSS)
property that is capable of loading an image [<em><a
href="http://www.w3.org/TR/css3-images/">CSS3-Images</a></em>], or
the <code>href</code> attribute of a <code>link</code> element with
an image-related <code>rel</code> attribute, such as
<code>icon</code>.</li>
</ul>
</section>
<section>
<h4><code>media-src</code></h4>
<p>The <code>media-src</code> directive restricts from where the
protected resource can load video, audio, and associated text tracks.
The syntax for the name and value of the directive are described by the
following ABNF grammar:</p>
<pre>
directive-name = "media-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed media sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>media-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>media-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a href="#dfn-allowed-media-sources">allowed media
sources</a>, the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>:</p>
<ul>
<li>Requesting data for a video or audio clip, such as when
processing the <code>src</code> attribute of a <code>video</code>,
<code>audio</code>, <code>source</code>, or <code>track</code>
elements.</li>
</ul>
</section>
<section>
<h3><code>object-src</code></h3>
<p>The <code>object-src</code> directive restricts from where the
protected resource can load plugins. The syntax for the name and value
of the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "object-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed object sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>object-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>object-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a href="#matches-a-source-list">match</a>
the <a href="#dfn-allowed-object-sources">allowed object sources</a>,
the user agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting data for a plugin, such as when processing the
<code>data</code> attribute of an <code>object</code> element, the
<code>src</code> attribute of an <code>embed</code> elements, or the
<code>code</code> or <code>archive</code> attributes of an
<code>applet</code> element.</li>
<li>Requesting data for display in a
<a href="#dfn-nested-browsing-contexts">nested browsing context</a>
in the protected resource created by an <code>object</code> or an
<code>embed</code> element.</li>
<li>Navigating such a <a href="#dfn-nested-browsing-contexts">nested browsing context</a>.</li>
</ul>
<p>It is not required that the consumer of the element's data be a
plugin in order for the <code>object-src</code> directive to be
enforced. Data for any <code>object</code>, <code>embed</code>,
or <code>applet</code> element MUST match the <a
href="#dfn-allowed-object-sources">allowed object sources</a> in order
to be fetched. This is true even when the
element data is semantically equivalent to content which would otherwise
be restricted by one of the other <a href="#directives">directives</a>,
such as an <code>object</code> element with a <code>text/html</code>
MIME type.</p>
<p>Whenever the user agent would load a plugin without an associated
URI (e.g., because the <code>object</code> element lacked a
<code>data</code> attribute), if the protected resource's URI does not
<a href="#matches-a-source-list">match</a> the
<a href="#dfn-allowed-object-sources">allowed object sources</a>, the
user agent MUST NOT load the plugin.</p>
</section>
<section>
<h4><code>plugin-types</code></h4>
<p>The <code>plugin-types</code> restricts the set of plugins that can
be invoked by the protected resource by limiting the types of resources
that can be embedded. The syntax for the name and value of the
directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "plugin-types"
directive-value = media-type-list
</pre>
<p>The term <dfn>allowed plugin media types</dfn> refers to the result of
<a href="#parse-a-media-type-list">parsing the <code>plugin-types</code>
directive's value as a media type list</a></p>
<p>Whenever the user agent would instantiate a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#plugin">plugin</a>
to handle <var>resource</var> while enforcing the
<code>plugin-types</code> directive, the user agent MUST instead act as
though the plugin reported an error <em>and</em>
<a href="#dfn-report-a-violation">report a violation</a> if any of
the following conditions hold:</p>
<ul>
<li>The plugin is embedded into the protected resource via an
<code>object</code> or <code>embed</code> element that does not
explicitly declare a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#mime-type">MIME type</a>
with a <code>type</code> attribute.</li>
<li><var>resource</var>'s media type does not <a
href="#dfn-matches-a-media-type-list">match</a> the list of <a
href="#dfn-allowed-plugin-media-types">allowed plugin media
types</a>.</li>
<li>The plugin is embedded into the protected resource via an
<code>object</code> or <code>embed</code> element, and the media
type declared in the element's <code>type</code> attribute is not
a case-insensitive match for the <var>resource</var>'s media
type.</li>
<li>The plugin is embedded into the protected resource via an
<code>applet</code> element, and <var>resource</var>'s media type
is not a case-insensitive match for
<code>application/x-java-applet</code>.</li>
</ul>
<p>Note that in any of these cases, acting as though the plugin reported an error
will cause the user agent to display the <a
href="http://www.whatwg.org/specs/web-apps/current-work/#fallback-content">fallback
content</a>.</p>
<p>Whenever the user agent creates a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#plugin-document">plugin
document</a> in a browsing context nested in the protected resource,
if the user agent is enforcing any <code>plugin-types</code>
directives for the protected resource, the user agent MUST <a
href="#enforce">enforce</a> those <code>plugin-types</code>
directives on the plugin document as well.</p>
<p>Whenever the user agent creates a <a
href="http://www.whatwg.org/specs/web-apps/current-work/#plugin-document">plugin
document</a> in a browsing context nested in the protected resource,
if the user agent is monitoring any <code>plugin-types</code>
directives for the protected resource, the user agent MUST <a
href="#monitor">monitor</a> those <code>plugin-types</code>
directives on the plugin document as well.</p>
<section class="informative">
<h5>Usage</h5>
<p>The <code>plugin-types</code> directive whitelists a certain set
of MIME types that can be embedded in a protected resource. For
example, a site might want to ensure that PDF content loads, but that
no other plugins can be instantiated. The following directive would
satisfy that requirement:</p>
<pre>Content-Security-Policy: plugin-types application/pdf;</pre>
<p>Resources embedded via an <code>embed</code> or <code>object</code>
element delivered with an <code>application/pdf</code> content type
would be rendered in the appropriate plugin; resources delivered with
some other content type would be blocked. Multiple types can be
specified, in any order. If the site decided to additionally allow
Flash at some point in the future, it could do so with the following
directive:</p>
<pre>Content-Security-Policy: plugin-types application/pdf application/x-shockwave-flash;</pre>
<p>Note that wildcards are not accepted in the
<code>plugin-types</code> directive. Only the resource types
explicitly listed in the directive will be allowed.</p>
</section>
<section class="informative">
<h5>Predeclaration of expected media types</h5>
<p>Enforcing the <code>plugin-types</code> directive requires that
<code>object</code> and <code>embed</code> elements declare the
expected media type of the resource they include via the
<code>type</code> attribute. If an author expects to load a PDF, she
could specify this as follows:</p>
<pre><object data="<var>resource</var>" type="application/pdf"></object></pre>
<p>If <var>resource</var> isn't actually a PDF file, it won't
load. This prevents certain types of attacks that rely on serving
content that unexpectedly invokes a plugin other than that which the
author intended.</p>
<p>Note that <var>resource</var> will not load in this scenario even
if its media type is otherwise whitelisted: resources will only load
when their media type is whitelisted <em>and</em> matches the
declared type in their containing element.</p>
</section>
</section>
<section>
<h4><code>referrer</code></h4>
<p>The <code>referrer</code> directive specifies a referrer policy
that the user agent applies when determining what refererrer
information should be included with requests made, and
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/browsers.html#browsing-context">browsing contexts</a>
created from the context of the protected resource. The syntax for
the name and value of the directive are described by the following
ABNF grammar:</p>
<pre>
directive-name = "referrer"
directive-value = "never" / "default" / "origin" / "always"
</pre>
<p>Note that the directive name does not share the HTTP header's
misspelling.</p>
<p>The term <dfn>referrer policy</dfn> refers to the value of the
<code>referrer</code> directive, or to the empty string if no
<code>referrer</code> directive is present in the protected
resource's policy.</p>
<p>Replace step 7 of the
<a href="http://fetch.spec.whatwg.org/#determine-referrer">"Determine referrer" algorithm defined in Fetch</a>
with the following:</p>
<ol start="7">
<li>If <var>referrer</var> is null, or if the
<a href="#dfn-referrer-policy">referrer policy</a> is
<code>never</code>, return null.</li>
<li>If the <a href="#dfn-referrer-policy">referrer policy</a> is
<code>origin</code>, return the ASCII serialization of
<var>referrer</var>.</li>
<li>If the <a href="#dfn-referrer-policy">referrer policy</a> is
<code>always</code>, return <var>referrer</var>. Note that
this might cause HTTPS referrer information to be sent over the
network as part of unencrypted HTTP requests.</li>
<li>Return null if the scheme component of <var>referrer</var>
represents a protocol that uses transport-layer security and
the scheme component of the resource being fetched does not.</li>
<li>Return <var>referrer</var>.</li>
</ol>
<p>Note: This specification should not be interpreted as limiting
user agents' ability to apply other restrictions to limit referrer
leakage.</p>
<section>
<h5>Processing multiple referrer policies</h5>
<p>If a referrer policy is specified in multiple places (e.g. both a
<a href="http://wiki.whatwg.org/wiki/Meta_referrer"><code>meta</code> element</a>
and a <code>referrer</code> directive), resolve the conflict as
follows:</p>
<ol>
<li>If any referrer policy is <code>never</code>, the protected
resource's <a href="#dfn-referrer-policy">referrer policy</a> is
<code>never</code>.</li>
<li>Otherwise, if any referrer policy is <code>origin</code>, the
protected resource's <a href="#dfn-referrer-policy">referrer policy</a>
is <code>origin</code>.</li>
<li>Otherwise, if any referrer policy is <code>default</code>, the
protected resource's <a href="#dfn-referrer-policy">referrer policy</a>
is <code>default</code>.</li>
<li>Otherwise, if any referrer policy is <code>always</code>, the
protected resource's <a href="#dfn-referrer-policy">referrer policy</a>
is <code>always</code>.</li>
<li>Otherwise, the protected resource's <a href="#dfn-referrer-policy">referrer policy</a>
is <code>default</code>.</li>
</section>
<section class="informative">
<h5>Usage</h5>
<p>A protected resource can prevent referrer leakage by specifying
<code>never</code> as the value of its policy's <code>referrer</code>
directive:</p>
<pre>
Content-Security-Policy: referrer never;
</pre>
<p>This will cause all requests made from the protected resource's
context to have an empty <code>Referer</code> [sic] header.</p>
</section>
</section>
<section>
<h4><code>reflected-xss</code></h4>
<p>The <code>reflected-xss</code> directive instructs a user agent
to active or disactivate any heuristics used to filter or block
reflected cross-site scripting attacks. The syntax for the name and
value of the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "reflected-xss"
directive-value = "allow" / "block" / "filter"
</pre>
<p>A user agent with support for XSS protection MUST enforce this
directive as follows:</p>
<ul>
<li>If the value of the directive is <code>allow</code>, the user
agent MUST disable its active protections against reflected cross-site
scripting attacks for the protected resource.</li>
<li>If the value of the directive is <code>filter</code>, the user
agent MUST enable its active protections against reflected cross-site
scripting attacks for the protected resource. This might result in
filtering script that is believed to be reflected being filtered or
selectively blocking script execution.</li>
<li>If the value of the directive is <code>block</code>, the user
agent MUST stop rendering the protected resource upon detection of
reflected script, and instead act as though it received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP
400 response</a> for the protected resource itself.</li>
</ul>
<p>If the user agent's active protections against reflected cross-site
scripting attacks detect or prevent script execution, the user agent
MUST <a href="#dfn-report-a-violation">report a violation</a>.</p>
<section class="informative">
<h5>Relationship to <code>X-XSS-Protection</code></h5>
<p>This directive is meant to subsume the functionality provided by
the propriatary <code>X-XSS-Protection</code> HTTP header which is
supported by a number of user agents. Roughly speaking:</p>
<ul>
<li><code>reflected-xss allow</code> is equivalent to
<code>X-XSS-Protection: 0</code></li>
<li><code>reflected-xss filter</code> is equivalent to
<code>X-XSS-Protection: 1</code></li>
<li><code>reflected-xss block</code> is equivalent to
<code>X-XSS-Protection: 1; mode=block</code></li>
</ul>
</section>
</section>
<section>
<h4><code>report-uri</code></h4>
<p>The <code>report-uri</code> directive specifies a URI to which the
user agent sends reports about policy violation. The syntax for the
name and value of the directive are described by the following ABNF
grammar:</p>
<pre>
directive-name = "report-uri"
directive-value = uri-reference *( 1*WSP uri-reference )
uri-reference = <URI-reference from RFC 3986>
</pre>
<p>The <dfn>set of report URIs</dfn> is the value of the
<code>report-uri</code> directive, each resolved relative to the
protected resource's URI.</p>
<p>The process of sending violation reports to the URIs specified in
this directive's value is defined in this document's
<a href="#reporting">Reporting section</a>.</p>
<p>Note that the <code>report-uri</code> directive will be ignored if
contained within a <a href="#html-meta-element"><code>meta</code> element</a>.</p>
</section>
<section>
<h4><code>sandbox</code></h4>
<p>The <code>sandbox</code> directive specifies an HTML sandbox policy
that the user agent applies to the protected resource. The syntax for
the name and value of the directive are described by the following
ABNF grammar:</p>
<pre>
directive-name = "sandbox"
directive-value = token *( 1*WSP token )
token = <token from RFC 2616>
</pre>
<p>When enforcing the <code>sandbox</code> directive, the user agent
MUST <a href="http://www.whatwg.org/specs/web-apps/current-work/#parse-a-sandboxing-directive">parse
the sandboxing directive</a> using the <code>directive-value</code>
as the <em>input</em> and protected resource's
<a href="http://www.whatwg.org/specs/web-apps/current-work/#forced-sandboxing-flag-set">forced sandboxing flag set</a>
as the output. [[!HTML5]]</p>
<p>Note that the <code>sandbox</code> directive will be ignored when
<a href="#monitor">monitoring</a> a policy, and when a contained in a
policy defined via a <a href="#html-meta-element"><code>meta</code>
element</a>.</p>
<section class="informative">
<h5>Usage</h5>
<p>HTML5 defines a
<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox"><code>sandbox</code> attribute</a>
for <code>iframe</code> elements, intended to allow web authors to
reduce the risk of including potentially untrusted content by imposing
restrictions on that content's abilities. When the attribute is set,
the content is forced into a unique origin, prevented from submitting
forms, running script, creating or navigating other browsing contexts,
and prevented from running plugins. These restrictions can be loosened
by setting certain flags as the attribute's value.</p>
<p>The <code>sandbox</code> directive allows any resource, framed or
not, to ask for the same sorts of restrictions to be applied to
itself.</p>
<p>For example, a message board or email system might provide
downloads of arbitrary attachments provided by other users. Attacks
that rely on tricking a client into rendering one of these attachments
could be mitigated by requesting that resources only be rendered in a
very restrictive sandbox. Sending the <code>sandbox</code> directive
with an empty value establishes such an environment:</p>
<pre>Content-Security-Policy: sandbox</pre>
<p>More trusted resources might be allowed to run in an environment
with fewer restrictions by adding <code>allow-*</code> flags to the
directive's value. For example, you can allow a page that you trust
to run script, while ensuring that it isn't treated as same-origin
with the rest of your site. This can be accomplished by sending the
<code>sandbox</code> directive with the <code>allow-scripts</code>
flag:</p>
<pre>Content-Security-Policy: sandbox allow-scripts</pre>
<p>The set of flags available to the CSP directive should match those
available to the <code>iframe</code> attribute. Currently, those
include:</p>
<ul>
<li><code>allow-forms</code></li>
<li><code>allow-pointer-lock</code></li>
<li><code>allow-popups</code></li>
<li><code>allow-same-origin</code></li>
<li><code>allow-scripts</code>, and</li>
<li><code>allow-top-navigation</code></li>
</ul>
<p>Note as well that, like the rest of Content Security Policy, the
<code>sandbox</code> directive is meant as a defense-in-depth. Web
authors would be well-served to use it <em>in addition to</em>
standard sniffing-mitigation and privilege-reduction techniques.</p>
</section>
</section>
<section>
<h3><code>script-src</code></h3>
<p>The <code>script-src</code> directive restricts which scripts the
protected resource can execute. The directive also controls other
resources, such as XSLT style sheets [[!XSLT]], which can cause the
user agent to execute script. The syntax for the name and value of
the directive are described by the following ABNF grammar:</p>
<pre>
directive-name = "script-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed script sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>script-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>script-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>If <code>'unsafe-inline'</code> is <strong>not</strong> in the
list of <a href="#dfn-allowed-script-sources">allowed script sources</a>,
or if at least one <code>nonce-source</code> or <code>hash-source</code>
is present in the list of <a href="#dfn-allowed-script-sources">allowed script sources</a>:</p>
<ul>
<li>Whenever the user agent would execute an inline script from a
<code>script</code> element that lacks
<a href="#dfn-a-valid-nonce">a valid nonce</a> <em>and</em> lacks
<a href="#dfn-a-valid-hash">a valid hash</a> for the
<a href="#dfn-allowed-script-sources">allowed script sources</a>,
instead the user agent MUST NOT execute script, <em>and</em> MUST
<a href="#dfn-report-a-violation">report a violation</a>.</li>
<li>Whenever the user agent would execute an inline script from an
inline event handler, instead the user agent MUST NOT execute script,
<em>and</em> MUST <a href="#dfn-report-a-violation">report a
violation</a>.</li>
<li>Whenever the user agent would execute script contained in a
<code>javascript</code> URI, instead the user agent MUST NOT execute
the script, <em>and</em> MUST <a href="#dfn-report-a-violation">report a violation</a>.
(The user agent SHOULD ignore this step when processing script
contained in "bookmarklets").</li>
</ul>
<p>If <code>'unsafe-eval'</code> is <strong>not</strong> in
<a href="#dfn-allowed-script-sources">allowed script sources</a>:</p>
<ul>
<li>Instead of evaluating their arguments, both operator
<code>eval</code> and function <code>eval</code> [[!ECMA-262]]
MUST throw a <code>SecurityError</code> exception. [[!DOM4]]</li>
<li>When called as a constructor, the function <code>Function</code> [[!ECMA-262]]
MUST throw a <code>SecurityError</code> exception. [[!DOM4]]</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the
<a href="http://www.w3.org/TR/html5/webappapis.html#dom-windowtimers-settimeout"><code>setTimeout</code></a>
function MUST return zero without creating a timer.</li>
<li>When called with a first argument that is non-callable (e.g.,
not a function), the
<a href="http://www.w3.org/TR/html5/webappapis.html#dom-windowtimers-setinterval"><code>setInterval</code></a>
function MUST return zero without creating a timer.</li>
</ul>
<p>The term <dfn>callable</dfn> refers to an object whose interface
has one or more <dfn>callers</dfn> as defined in the <a
href="http://www.w3.org/TR/2010/WD-WebIDL-20101021/#idl-callers">Web
IDL</a> specification [[!WEBIDL]].</p>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a
href="#dfn-allowed-script-sources">allowed script sources</a>, the user
agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting a script while processing the <code>src</code> attribute
of a <code>script</code> element that lacks
<a href="#dfn-a-valid-nonce">a valid nonce</a> for the
<a href="#dfn-allowed-script-sources">allowed script sources</a>.</li>
<li>Requesting a script while processing the
<code>Worker</code> or <code>SharedWorker</code> constructors. [[!WEBWORKERS]]</li>
<li>Requesting a script while invoking the <code>importScripts</code>
method on a WorkerGlobalScope object. [[!WEBWORKERS]]</li>
<li>Requesting an HTML component, such as
when processing the <code>href</code> attribute of a <code>link</code>
element with a <code>rel</code> attribute containing the token
<code>import</code>. [[!IMPORTS]]</li>
<li>Requesting an Extensible Stylesheet Language Transformations
(XSLT) [[!XSLT]], such as when processing the
<code><?xml-stylesheet?></code> processing directive in an XML
document [[!XML11]], the <code>href</code> attributes on
<code><xsl:include></code> element, or the <code>href</code>
attributes on <code><xsl:import></code> element.</li>
</ul>
<section class="informative">
<h5>Nonce usage for <code>script</code> elements</h5>
<p>The <code>script-src</code> directive lets developers specify exactly
which script elements on a page were intentionally included
for execution. Ideally, developers would avoid inline script entirely
and whitelist scripts by URL. However, in some cases, removing inline
scripts can be difficult or impossible. For those cases, developers can
whitelist scripts using a randomly generated nonce.</p>
<p>Usage is straightforward. For <em>each</em> request, the server
generates a unique value at random, and includes it in the
<code>Content-Security-Policy</code> header:</p>
<pre>
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-<em>$RANDOM</em>'
</pre>
<p>This same value is then applied as a <code>nonce</code> attribute
to each <code>script</code> element that ought to be executed. For example,
if the server generated the random value <code>Nc3n83cnSAd3wc3Sasdfn939hc3</code>,
the server would send the following policy:</p>
<pre>
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
</pre>
<p>Script elements can then execute either because their <code>src</code>
URLs are whitelisted or because they have an appropriate nonce:</p>
<pre>
<script>
alert("Blocked because the policy doesn't have 'unsafe-inline'.")
</script>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
alert("Still blocked because nonce is wrong.")
</script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
</script>
<script src="https://example.com/allowed-because-of-src.js"></script>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"
src="https://elsewhere.com/blocked-because-nonce-is-wrong.js"></script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"
src="https://elsewhere.com/allowed-because-nonce-is-valid.js"></script>
</pre>
<p>Note that the nonce's value is <em>not</em> a hash or signature
that verifies the contents of the script resources. It's quite simply
a random string that informs the user agent which scripts were
intentionally included in the page.</p>
<p>Script elements with the proper nonce execute, regardless of
whether they're inline or external. Script elements without the
proper nonce don't execute unless their URLs are whitelisted.
Even if an attacker is able to inject markup into the protected
resource, the attack will be blocked by the attacker's inability
to guess the random value.</p>
</section>
<section class="informative">
<h5>Hash usage for <code>script</code> elements</h5>
<p>The <code>script-src</code> directive lets developers whitelist a
particular inline script by specifying its hash as an allowed source
of script.</p>
<p>Usage is straightforward. The server computes the hash of a
particular script block's contents, and includes the base64 encoding
of that value in the <code>Content-Security-Policy</code> header:</p>
<pre>
Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'sha256-<var>base64 encoded hash</var>'
</pre>
<p>Each inline script block's contents are hashed, and compared against
the whitelisted value. If there's a match, the script is executed. For
example, the SHA-256 digest of <code>alert('Hello, world.');</code> is
<code>YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=</code>.
If the server sent the following header:</p>
<pre>
Content-Security-Policy: script-src 'sha256-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='
</pre>
<p>Then the following script tag would result in script execution:</p>
<pre>
<script>alert('Hello, world.');</script>
</pre>
<p>Note that whitespace is significant. The following scripts blocks would
not hash to the same value, and would therefore <em>not</em> execute:</p>
<pre>
<script> alert('Hello, world.');</script>
<script>alert('Hello, world.'); </script>
<script> alert('Hello, world.'); </script>
<script>
alert('Hello, world.');
</script>
</pre>
<p>Note also that the hash applies <em>only</em> to inline script. An externalized
script containing the value <code>alert('Hello, world.');</code> would <em>not</em>
execute if its origin was not whitelisted as a valid source of script.</p>
</section>
</section>
<section>
<h4><code>style-src</code></h4>
<p>The <code>style-src</code> directive restricts which styles the
user applies to the protected resource. The syntax for the name and
value of the directive are described by the following ABNF
grammar:</p>
<pre>
directive-name = "style-src"
directive-value = source-list
</pre>
<p>The term <dfn>allowed style sources</dfn> refers to the result of
<a href="#parse-a-source-list">parsing the <code>style-src</code>
directive's value as a source list</a> if the policy contains an
explicit <code>style-src</code>, or otherwise to the
<a href="#dfn-default-sources">default sources</a>.</p>
<p>If <code>'unsafe-inline'</code> is <strong>not</strong> in the
list of <a href="#dfn-allowed-style-sources">allowed style sources</a>,
or if at least one <code>nonce-source</code> or <code>hash-source</code>
is present in the list of <a href="#dfn-allowed-style-sources">allowed style sources</a>:</p>
<ul>
<li>Whenever the user agent would apply style from a
<code>style</code> element that lacks
<a href="#dfn-a-valid-nonce">a valid nonce</a> <em>and</em> lacks
<a href="#dfn-a-valid-hash">a valid hash</a> for the
<a href="#dfn-allowed-script-sources">allowed style sources</a>,
instead the user agent <code>MUST</code> ignore the style,
<em>and</em> MUST <a href="#dfn-report-a-violation">report a
violation</a>.</li>
<li>Whenever the user agent would apply style from a
<code>style</code> attribute, instead the user agent
<code>MUST</code> ignore the style,
<em>and</em> MUST <a href="#dfn-report-a-violation">report a
violation</a>.</li>
</ul>
<p>Note: These restrictions on inline do not prevent the user agent
from applying style from an external stylesheet (e.g., found via
<code><link rel="stylesheet"></code>).</p>
<p>If <code>'unsafe-eval'</code> is <strong>not</strong> in
<a href="#dfn-allowed-style-sources">allowed style sources</a>, then:</p>
<ul>
<li>Whenever the user agent would invoke the Cascading Style Sheets
Object Model algorithms
<a href="http://dev.w3.org/csswg/cssom/#insert-a-css-rule"><code>insert a CSS rule</code></a>,
<a href="http://dev.w3.org/csswg/cssom/#parse-a-css-rule"><code>parse a CSS rule</code></a>,
or <a href="http://dev.w3.org/csswg/cssom/#parse-a-css-declaration-block"><code>parse a CSS declaration block</code></a>,
instead the user agent MUST throw a <code>SecurityError</code>
exception <em>and</em> terminate the algorithm. This would include,
for example, all invocations of CSSOM's various <code>cssText</code>
setters and <code>insertRule</code> methods. [[!CSSOM]] [[!DOM4]]</li>
</ul>
<p>Whenever the user agent <a
href="http://www.w3.org/TR/html5/infrastructure.html#fetching-resources">fetches</a>
a URI (including when following redirects) in the course of one of the
following activities, if the URI does not <a
href="#matches-a-source-list">match</a> the <a
href="#dfn-allowed-style-sources">allowed style sources</a>, the user
agent MUST act as if it had received an empty
<a href="https://tools.ietf.org/html/rfc2616#section-10.4.1">HTTP 400 response</a>
<em>and</em> <a href="#dfn-report-a-violation">report a violation</a>:</p>
<ul>
<li>Requesting external style sheets, such as when processing the
<code>href</code> attribute of a <code>link</code> element with a
<code>rel</code> attribute containing the token
<code>stylesheet</code> or when processing the <code>@import</code>
directive in a stylesheet.</li>
</ul>
<p>Note: The <code>style-src</code> directive does not restrict the
use of XSLT. XSLT is restricted by the <code>script-src</code>
directive because the security consequences of including an untrusted
XSLT stylesheet are similar to those incurred by including an
untrusted script.</p>
<section class="informative">
<h5>Nonce usage for <code>style</code> elements</h5>
<p>See the <a href="#nonce-usage-for-script-elements"><code>script-src</code>
nonce usage information</a> for detail; the application of nonces
to <code>style</code> elements is similar enough to avoid
repetition here.</p>
</section>
<section class="informative">
<h5>Hash usage for <code>style</code> elements</h5>
<p>See the <a href="#hash-usage-for-script-elements"><code>script-src</code>
hash usage information</a> for detail; the application of hashes
to <code>style</code> elements is similar enough to avoid
repetition here.</p>
</section>
</section>
</section>
<section>
<h2>Examples</h2>
<section class="informative">
<h3>Sample Policy Definitions</h3>
<p>This section provides some sample use cases and accompanying security policies.</p>
<p><strong>Example 1:</strong> A server wishes to load resources only
form its own origin:</p>
<pre>Content-Security-Policy: default-src 'self'</pre>
<p><strong>Example 2:</strong> An auction site wishes to load images
from any URI, plugin content from a list of trusted media providers
(including a content distribution network), and scripts only from a
server under its control hosting sanitized ECMAScript:</p>
<pre>Content-Security-Policy: default-src 'self'; img-src *;
object-src media1.example.com media2.example.com *.cdn.example.com;
script-src trustedscripts.example.com</pre>
<p><strong>Example 3:</strong> Online banking site wishes to ensure that all of the content
in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content
requests:</p>
<pre>Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval'</pre>
<p>This policy allows inline content (such as inline <code>script</code> elements), use of
<code>eval</code>, and loading resources over <code>https</code>. Note: This policy does
not provide any protection from cross-site scripting vulnerabilities.</p>
<p><strong>Example 4:</strong> A website that relies on inline
<code>script</code> elements wishes to ensure that script is only
executed from its own origin, and those elements it intentionally
inserted inline:</p>
<pre>Content-Security-Policy: script-src 'self' 'nonce-<em>$RANDOM</em>';</pre>
<p>The inline <code>script</code> elements would then only execute if
they contained a matching <code>nonce</code> attribute:</p>
<pre><script nonce="<em>$RANDOM</em>">...</script></pre>
</section>
<section class="informative">
<h3>Sample Violation Report</h3>
<p>This section contains an example violation report the user agent
might sent to a server when the protected resource violations a sample
policy.</p>
<p>In the following example, the user agent rendered a representation
of the resource <code>http://example.org/page.html</code> with the
following policy:</p>
<pre>default-src 'self'; report-uri http://example.org/csp-report.cgi</pre>
<p>The protected resource loaded an image from
<code>http://evil.example.com/image.png</code>, violating the
policy.</p>
<pre>{
"csp-report": {
"document-uri": "http://example.org/page.html",
"referrer": "http://evil.example.com/haxor.html",
"blocked-uri": "http://evil.example.com/image.png",
"violated-directive": "default-src 'self'",
"effective-directive": "img-src",
"original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
}
}</pre>
</section>
</section>
<section>
<h2>Security Considerations</h2>
<section>
<h3>Cascading Style Sheet (CSS) Parsing</h3>
<p>The <code>style-src</code> directive restricts the locations from
which the protected resource can load styles. However, if the user agent uses a
lax CSS parsing algorithm, an attacker might be able to trick the user
agent into accepting malicious "style sheets" hosted by an otherwise
trustworthy origin.</p>
<p>These attacks are similar to the <a
href="http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">CSS
cross-origin data leakage</a> attack described by Chris Evans in 2009.
User agents SHOULD defend against both attacks using the same
mechanism: stricter CSS parsing rules for style sheets with improper
MIME types.</p>
</section>
<section>
<h3>Violation Reports</h3>
<p>The violation reporting mechanism in this document has been
designed to mitigate the risk that a malicious web site could use
violation reports to probe the behavior of other servers. For example,
consider a malicious web site that white lists <code>https://example.com</code>
as a source of images. If the malicious site attempts to load
<code>https://example.com/login</code> as an image, and the
<code>example.com</code> server redirects to an identity provider (e.g.,
<code>idenityprovider.example.net</code>), CSP will block the request.
If violation reports contained the full blocked URI, the violation
report might contain sensitive information contained in the redirected URI,
such as session identifiers or purported identities. For this reason, the
user agent includes only the origin of the blocked URI.</p>
</section>
</section>
<section>
<h2>Implementation Considerations</h2>
<p>The <code>Content-Security-Policy</code> header is an end-to-end
header. It is processed and enforced at the client and, therefore,
SHOULD NOT be modified or removed by proxies or other intermediaries not
in the same administrative domain as the resource.</p>
<p>The originating administrative domain for a resource might wish to
apply a <code>Content-Security-Policy</code> header outside of the
immediate context of an application. For example, a large organization
might have many resources and applications managed by different
individuals or teams but all subject to a uniform organizational
standard. In such situations, a <code>Content-Security-Policy</code>
header might be added or combined with an existing one at a network-edge
security gateway device or web application firewall. To enforce multiple
policies, the administrator SHOULD combine the policy into a single header.
An administrator might wish to use different combination algorithms
depending on his or her intended semantics.</p>
<p>One sensible policy combination algorithm is to start by allowing a
default set of sources and then letting individual upstream resource
owners expand the set of allowed sources by including additional origins.
In this approach, the resultant policy is the union of all allowed
origins in the input policies.</p>
<p>Another sensible policy combination algorithm is to intersect the
given policies. This approach enforces that content comes from a certain
whitelist of origins, for example, preventing developers from including
third-party scripts or content in violation of organizational standards
and practices. In this approach, the combination algorithm forms the
combined policy by removing disallowed hosts from the policies supplied
by upstream resource owners.</p>
<p>Interactions between the <code>default-src</code> and other directives
SHOULD be given special consideration when combining policies. If none
of the policies contains a <code>default-src</code> directive, adding new
src directives results in a more restrictive policy. However, if one or
more of the input policies contain a <code>default-src</code> directive,
adding new src directives might result in a less restrictive policy, for
example, if the more specific directive contains a more permissive set of
allowed origins.</p>
<p>Using a more restrictive policy than the input policy authored by the
resource owner might prevent the resource from rendering or operating as
intended.</p>
<p>Note also that migration to <code>HTTPS</code> from <code>HTTP</code>
may require updates to the policy in order to keep things running as
before. Source expressions like <code>http://example.com</code> do
<em>not</em> match <code>HTTPS</code> resources. For example,
administrators SHOULD carefully examine existing policies before rolling
out <a href="http://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security</a>
headers for an application.</p>
</section>
<section>
<h2>IANA Considerations</h2>
<p>The permanent message header field registry (see [<a
href="http://tools.ietf.org/html/rfc3864">RFC3864</a>]) should be updated
with the following registrations:</p>
<section>
<h2>Content-Security-Policy</h2>
<p>Header field name: Content-Security-Policy</p>
<p>Applicable protocol: http</p>
<p>Status: standard</p>
<p>Author/Change controller: W3C</p>
<p>Specification document: this specification (See <a
href="#content-security-policy-header-field"><code>Content-Security-Policy</code>
Header Field</a>)</p>
</section>
<section>
<h2>Content-Security-Policy-Report-Only</h2>
<p>Header field name: Content-Security-Policy-Report-Only</p>
<p>Applicable protocol: http</p>
<p>Status: standard</p>
<p>Author/Change controller: W3C</p>
<p>Specification document: this specification (See <a
href="#content-security-policy-report-only-header-field"><code>Content-Security-Policy-Report-Only</code>
Header Field</a>)</p>
</section>
</section>
</body>
</html>