Update CSP source expression reference #36792
@@ -146,11 +150,10 @@ Reporting directives control the destination URL for CSP violation reports in `C | |||
### Other directives | |||
|
|||
- {{CSP("require-trusted-types-for")}} {{experimental_inline}} | |||
- : Enforces [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) at the DOM XSS injection sinks. | |||
- : Enforces [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) at the DOM XSS injection sinks. |
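Review bot: the replacement line drops the only link to the normative Trusted Types spec (https://w3c.github.io/trusted-types/dist/spec/) in favour of the MDN API page; that is fine for a reference entry provided /en-US/docs/Web/API/Trusted_Types_API itself links on to the spec, otherwise readers lose the authoritative definition of what "DOM XSS injection sinks" covers. Worth a quick check that the destination page exists under that exact path before merge, since a dead internal link here is harder to notice than a dead external one.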
FYI updated links here to MDN docs.
See [Nonces](/en-US/docs/Web/HTTP/CSP#nonces) in the CSP guide for more usage information. | ||
> [!NOTE] Nonce source expressions are only applicable to {{htmlelement("script")}} and {{htmlelement("style")}} elements. |
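Review bot: the `[!NOTE]` marker needs its own line inside the blockquote (`> [!NOTE]` followed by `> Nonce source expressions are only applicable to ...`) for the GFM alert to render; if the single line shown here is only the diff view wrapping, disregard. The restriction itself is correct and worth keeping prominent: a nonce only matches `<script>` and `<style>` elements, so a `'nonce-...'` value placed in a directive that governs other fetches (images, connections, frames) grants nothing, which is a common misconfiguration.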
Should we forward link to strict dynamic?
I would say that's really getting out of "reference" and into "usage".
A few minor questions/suggestions. Approving so you can merge if you want to ignore those.
I was going to note the fact that you lose a bit of context when you go from a particular directive to find out what the directive is - i.e. you're in a different part of the sidebar, but it's easy enough to go back, and after you've read this a couple of times you'll appreciate that the directive docs are succinct because you'll know what the listed source expressions there mean.
We could consider listing the directives to which each source applies in the corresponding source expression.
Anyway, I like it a lot. Way better than before. A good compromise.
OK I think I addressed all these except one which I argued with. If you are still happy we can merge this!
Very happy. Another clear improvement. Cheers
This PR implements the proposal in https://github.com/orgs/mdn/discussions/756.
It adds a section to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy that documents all the source expression values, and links to the relevant bits of this section from the fetch directive pages.
For the new section (https://pr36792.content.dev.mdn.mozit.cloud/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax) I wasn't sure how to order values. I don't think alphabetical is a good idea.
Commits:
`default-src`, `script-src*`, and `style-src*`
`fenced-frame-src`. I haven't changed what it actually says although I don't really understand it. But I can't find any docs for this directive and it isn't in the CSP spec, so I'm not really able to sort it out.
`'self'` to note insecure upgrade behavior, part of the fix for CSP: Document http->https, and wss being allowed in `'self'` #36168.
Fixes #36168.