Correct CSP source values #35947
Correct CSP source values #35947
Conversation
github-actions
bot
added
Content:HTTP
hamishwillee
force-pushed
the
correct-csp-source-values
branch
from
4fa3e40
to
a8257da
Compare
| This directive may have either: | ||
|
|
||
| - the single keyword value `'none'`, meaning that no base URI may be set using a `<base>` element | ||
| - a list of _source expression_ values, meaning that a `<base>` element may set a base URI if it matches any of the given source expressions. | ||
|
|
||
| The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: | ||
|
|
||
| This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`. | ||
| - `<host-source>` | ||
| - `<scheme-source>` | ||
| - the keyword value `'self'`. |
There was a problem hiding this comment.
There is nothing wrong with this, except it feels like a non-standard presentation form.
This can be done in the standard way with sources as shown below. I would prefer that, but obviously up for discussion.
### Sources
- `'none'`
- : A single keyword value, meaning that no base URI may be set using a `<base>` element
- `<source-expression-list>`
- : A list of _source expression_ values, meaning that a `<base>` element may set a base URI if it matches any of the given source expressions.
The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).
However, only the following subset of those values apply to (make sense for) `base-uri`:
- `<host-source>`
- `<scheme-source>`
- the keyword value `'self'`.Either way we should say that the list is space separated?
This applies to the rest too. I won't modify or suggest again - just scan for consistency.
| This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`. | ||
| - `<host-source>` | ||
| - `<scheme-source>` | ||
| - the keyword value `'self'`. | ||
|
|
||
| ## Examples |
There was a problem hiding this comment.
It would be great to have one example showing multiple sources, and using the HEADER format - i.e. we show meta format here and some config stuff for apache and nginx, but in all the other cases the HTTP header is shown.
|
|
||
| Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)). | ||
| The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). |
There was a problem hiding this comment.
Is it a syntax, but it might be better to refer to it as permitted or allowed values? Further, down to here we haven't mentioned URL or keyword - just "sources". Does that seem reasonable? At this point I'm already wondering what this list might look like. At least if we mention URL it is a little less abstract.
| The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). | |
| The allowed URL patterns and keyword values for each source expression are given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). |
If not here, it would be good to say this right up in the introduction - .e.g
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
child-srcdirective defines the valid URL pattern and keyword sources for ...
| @@ -7,8 +7,13 @@ spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list | |||
|
|
|||
| {{HTTPSidebar}} | |||
|
|
|||
| HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) header directives that specify a `<source>` from which resources may be loaded can use any one of the values listed below. | |||
| Relevant directives include the {{Glossary("fetch directive", "fetch directives")}}, along with others [listed below](#relevant_directives). | |||
| HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. | |||
There was a problem hiding this comment.
Shouldn't we still mention none? It's not a source, but it is important and relevant.
If so, maybe this way [placeholder only]
| HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. | |
| HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_ or `none` (indicating that Xxxxx). Each source expression can be any of the values listed below. |
Otherwise a note at the end of the intro "Not strictly a source, but the value none ..."
|
Yes/agree to everything you said in the introduction - I wandered the same path through the spec you must have and agree. Not sure about the pattern you adopted though. I would have preferred the more familiar DL list approach (comment above). |
This PR fixes a few errors in the documentation of CSP directive syntax.
sandboxdirective uses the source expression syntax, but I don't think it does: I think this directive just uses keyword values.base-uri,form-action, andframe-ancestorsdirectives use the source expression syntax, which is half true: they can use a subset of it'none'is one of the source expression values, which implies that you can combine'none'and other source expression values, but you can't: if you have'none', it stands alone: https://w3c.github.io/webappsec-csp/#grammardef-serialized-source-list.The page for
frame-ancestorsdoes not point to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources, instead redefining the values. I have left this as it is for now, because the definition for this directive does use a different type (https://w3c.github.io/webappsec-csp/#directive-frame-ancestors) although it seems to be functionally identical. I think we should update this to point to the "sources" page, but before doing that I want to check there isn't some subtle reason why the syntax is redefined for this directive.The changes are quite repetitive for the directives pages: I changed/corrected the syntax and removed the
### Sourcesheading, as it seemed easier to talk about'none'without it.In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources I removed the list of fetch directives, since we already have that in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives, so that's just 2 places we have to maintain it.