-
Notifications
You must be signed in to change notification settings - Fork 22.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Correct CSP source values #35947
base: main
Are you sure you want to change the base?
Correct CSP source values #35947
Conversation
4fa3e40
to
a8257da
Compare
This directive may have either: | ||
|
||
- the single keyword value `'none'`, meaning that no base URI may be set using a `<base>` element | ||
- a list of _source expression_ values, meaning that a `<base>` element may set a base URI if it matches any of the given source expressions. | ||
|
||
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: | ||
|
||
This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`. | ||
- `<host-source>` | ||
- `<scheme-source>` | ||
- the keyword value `'self'`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is nothing wrong with this, except it feels like a non-standard presentation form.
This can be done in the standard way with sources as shown below. I would prefer that, but obviously up for discussion.
### Sources
- `'none'`
- : A single keyword value, meaning that no base URI may be set using a `<base>` element
- `<source-expression-list>`
- : A list of _source expression_ values, meaning that a `<base>` element may set a base URI if it matches any of the given source expressions.
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).
However, only the following subset of those values apply to (make sense for) `base-uri`:
- `<host-source>`
- `<scheme-source>`
- the keyword value `'self'`.
Either way we should say that the list is space separated?
This applies to the rest too. I won't modify or suggest again - just scan for consistency.
This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`. | ||
- `<host-source>` | ||
- `<scheme-source>` | ||
- the keyword value `'self'`. | ||
|
||
## Examples |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be great to have one example showing multiple sources, and using the HEADER format - i.e. we show meta format here and some config stuff for apache and nginx, but in all the other cases the HTTP header is shown.
|
||
Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). | ||
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it a syntax, but it might be better to refer to it as permitted or allowed values? Further, down to here we haven't mentioned URL or keyword - just "sources". Does that seem reasonable? At this point I'm already wondering what this list might look like. At least if we mention URL it is a little less abstract.
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). | |
The allowed URL patterns and keyword values for each source expression are given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). |
If not here, it would be good to say this right up in the introduction - .e.g
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
child-src
directive defines the valid URL pattern and keyword sources for ...
@@ -7,8 +7,13 @@ spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list | |||
|
|||
{{HTTPSidebar}} | |||
|
|||
HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) header directives that specify a `<source>` from which resources may be loaded can use any one of the values listed below. | |||
Relevant directives include the {{Glossary("fetch directive", "fetch directives")}}, along with others [listed below](#relevant_directives). | |||
HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we still mention none
? It's not a source, but it is important and relevant.
If so, maybe this way [placeholder only]
HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. | |
HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_ or `none` (indicating that Xxxxx). Each source expression can be any of the values listed below. |
Otherwise a note at the end of the intro "Not strictly a source, but the value none
..."
Yes/agree to everything you said in the introduction - I wandered the same path through the spec you must have and agree. Not sure about the pattern you adopted though. I would have preferred the more familiar DL list approach (comment above). |
This PR fixes a few errors in the documentation of CSP directive syntax.
sandbox
directive uses the source expression syntax, but I don't think it does: I think this directive just uses keyword values.base-uri
,form-action
, andframe-ancestors
directives use the source expression syntax, which is half true: they can use a subset of it'none'
is one of the source expression values, which implies that you can combine'none'
and other source expression values, but you can't: if you have'none'
, it stands alone: https://w3c.github.io/webappsec-csp/#grammardef-serialized-source-list.The page for
frame-ancestors
does not point to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources, instead redefining the values. I have left this as it is for now, because the definition for this directive does use a different type (https://w3c.github.io/webappsec-csp/#directive-frame-ancestors) although it seems to be functionally identical. I think we should update this to point to the "sources" page, but before doing that I want to check there isn't some subtle reason why the syntax is redefined for this directive.The changes are quite repetitive for the directives pages: I changed/corrected the syntax and removed the
### Sources
heading, as it seemed easier to talk about'none'
without it.In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources I removed the list of fetch directives, since we already have that in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives, so that's just 2 places we have to maintain it.