From d5132f2fd3c4b285affccc515550d91ec618a3ea Mon Sep 17 00:00:00 2001 From: wbamberg Date: Thu, 14 Nov 2024 16:20:59 -0800 Subject: [PATCH] Delete old source values doc; update links --- files/en-us/_redirects.txt | 1 + .../content_security_policy/index.md | 2 +- .../content-security-policy/base-uri/index.md | 10 +- .../form-action/index.md | 10 +- .../content-security-policy/sources/index.md | 102 ------------------ 5 files changed, 10 insertions(+), 115 deletions(-) delete mode 100644 files/en-us/web/http/headers/content-security-policy/sources/index.md diff --git a/files/en-us/_redirects.txt b/files/en-us/_redirects.txt index 4ab8f8dafd91059..6545169f40fff51 100644 --- a/files/en-us/_redirects.txt +++ b/files/en-us/_redirects.txt @@ -12297,6 +12297,7 @@ /en-US/docs/Web/HTTP/Gecko_user_agent_string_reference /en-US/docs/Web/HTTP/Headers/User-Agent/Firefox /en-US/docs/Web/HTTP/HTTP_response_codes /en-US/docs/Web/HTTP/Status /en-US/docs/Web/HTTP/Headers/Cache-Disposition /en-US/docs/Web/HTTP/Headers/Content-Disposition +/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources /en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to /en-US/docs/Web/HTTP/Headers/Content-Security-Policy /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer /en-US/docs/Web/HTTP/Headers/Referrer-Policy /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for /en-US/docs/Web/HTTP/Headers/Content-Security-Policy diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md index ea17687c2c766f3..50be70f84a1fce1 100644 --- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/content_security_policy/index.md @@ -65,7 +65,7 @@ In Manifest V2, a source for a script directive is considered secure if it meets - Remote sources must not use wildcards for any domains in the [public suffix list](https://publicsuffix.org/list/) (so `*.co.uk` and `*.blogspot.com` are not allowed, although `*.foo.blogspot.com` is permitted). - All sources must specify a host. - The only permitted schemes for sources are `blob:`, `filesystem:`, `moz-extension:`, `https:`, and `wss:`. -- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`. +- The only permitted [keywords](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax) are: `'none'`, `'self'`, `'unsafe-eval'`, and `'wasm-unsafe-eval'`. ## object-src directive diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md index 4ed60863edfd126..cc1f0010ad57906 100644 --- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md +++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md @@ -39,13 +39,11 @@ This directive may have one of the following values: - : No base URI may be set using a `` element. The single quotes are mandatory. - `` - - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions. + - : A space-separated list of _source expression_ values. A `` element may set a base URI if its value matches any of the given source expressions. For this directive, the following source expression values are applicable: - Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`: - - - `` - - `` - - the keyword value `'self'`. + - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#host-source) + - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source) + - [`'self'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#self) ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md index 053c4024e0398ef..31e4f7f8fa4481b 100644 --- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md +++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md @@ -42,13 +42,11 @@ This directive may have one of the following values: - : No form submissions may be made. The single quotes are mandatory. - `` - - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions. + - : A space-separated list of _source expression_ values. Form submissions may be made to URLs that match any of the given source expressions. For this directive, the following source expression values are applicable: - Source expressions are specified as keyword values or URL patterns: the syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `form-action`: - - - `` - - `` - - the keyword value `'self'`. + - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#host-source) + - [``](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#scheme-source) + - [`'self'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#self) ## Examples diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md deleted file mode 100644 index 718568028210b53..000000000000000 --- a/files/en-us/web/http/headers/content-security-policy/sources/index.md +++ /dev/null @@ -1,102 +0,0 @@ ---- -title: CSP source values -slug: Web/HTTP/Headers/Content-Security-Policy/Sources -page-type: http-csp-directive -spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list ---- - -{{HTTPSidebar}} - -HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below. - -As well as fetch directives, some other CSP directives may take as a value a space-separated list of source expressions, each of which may be a subset of the values listed below, namely: one of ``, ``, or the keyword `'self'`. These other directives are: - -- {{CSP("base-uri")}} -- {{CSP("form-action")}} -- {{CSP("frame-ancestors")}} - -Directives that accept a list of source expressions may instead be given the single value `'none'`, indicating that no resources of the given type may be loaded (or, in the case of non-fetch directives, that the associated feature is not allowed). - -## Sources - -- `` - - - : Internet host by name or IP address. The [URL scheme](/en-US/docs/Learn/Common_questions/Web_mechanics/What_is_a_URL), port number, and path are optional. - Wildcards (`'*'`) can be used for subdomains, host address, and port number, indicating that all legal values of each are valid. - When matching schemes, secure upgrades are allowed (e.g. specifying `http://example.com` will match `https://example.com`). - Examples: - - - `http://*.example.com`: Matches all attempts to load from any subdomain of example.com. Also matches `https` resources. - - `mail.example.com:443`: Matches all attempts to load from port 443 on mail.example.com. - - `https://store.example.com`: Matches all attempts to access store.example.com using `https:`. - - `*.example.com`: Matches all attempts to load from any subdomain of example.com. - - `https://*.example.com:12/path/to/file.js`: Matches all attempts to load from any subdomain of example.com using `https:` on port 12, and only if the path is `/path/to/file.js`. - - `ws://example.com`: Matches all attempts to load from example.com using `ws:`. Also matches `wss` resources. - - `https://example.com/subdirectory`: Matches all attempts to load the exact path `https://example.com/subdirectory`. - - `https://example.com/subdirectory/`: Matches all attempts to load files under `subdirectory` directory. For example, `https://example.com/subdirectory/path/to/file.js`. It does not match `https://example.com/path/to/file.js`. - - For more details about how path matching is done refer the [parts matching algorithms](https://w3c.github.io/webappsec-csp/#match-schemes) in the specification. - -- `` - - - : A scheme such as `http:` or `https:`. - The colon is required. - Unlike other values below, single quotes shouldn't be used. - You can also specify data schemes (not recommended). - - - `data:` Allows [`data:` URLs](/en-US/docs/Web/URI/Schemes/data) to be used as a content source. - _This is insecure; an attacker can also inject arbitrary `data:` URLs. Use this sparingly and definitely not for scripts._ - - `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Capture_and_Streams_API) to be used as a content source. - - `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source. - - `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source. - - > [!NOTE] - > If a scheme source is missing, the document origin's scheme is used. - > Secure upgrades are allowed, so if the document is loaded using `https:`, then `example.com` will match `https://example.com` but not `http://example.com`. - > For more information, see [CSP Level 3](https://www.w3.org/TR/CSP3/#match-url-to-source-list). - -- `'self'` - - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. - You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. - Sites needing to allow these content types can specify them using the Data attribute. -- `'unsafe-eval'` - - : Allows the use of `eval()` and other unsafe methods for creating code from strings. - You must include the single quotes. -- `'wasm-unsafe-eval'` - - : Allows the loading and execution of WebAssembly modules without the need to also allow unsafe JavaScript execution via `'unsafe-eval'`. - The single quotes are required. -- `'unsafe-hashes'` - - : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). - If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), this is a safer method than using the `unsafe-inline` expression. -- `'unsafe-inline'` - - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), inline event handlers, and inline {{HTMLElement("style")}} elements. - The single quotes are required. -- `'nonce-'` - - - : An allowlist for specific scripts using a cryptographic nonce (number used once). - The server must generate a unique nonce value each time it transmits a policy. - It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. - See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. - Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support. - - > [!NOTE] - > The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source). - -- `'-'` - - : A sha256, sha384 or sha512 hash of scripts or styles. - This value consists of the algorithm used to create the hash followed by a hyphen and the base64-encoded hash of the script or style. - When generating the hash, exclude \