
Re: CSP syntax ABNF

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 01 Mar 2011 15:54:01 -0800
Message-ID: <4D6D8719.6050504@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

On 03/01/2011 03:06 PM, gaz Heyes wrote:
> On 1 March 2011 22:52, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
>     3. added the SecurityViolation DOM event
> What info is in here? :) does it apply x-domain?

The same info that is in the violation report (see below).  I made
SecurityViolation use the CustomEvent interface [1] which is nice
because it takes a generic DOMObject to describe "details".  The JSON
object that we were already building for the report body seems to work
in both cases.

As far as the cross-domain piece, I have to think: no, only the document
that has the CSP declared would receive the event, though perhaps I'm
missing something.


3.7 Violation Report Syntax

This section defines the structure of the violation report sent by a
user-agent when a protected resource's security policy is violated.

A user-agent must send a violation report in the following two cases:

1. Whenever ANY policy violation occurs, a user-agent must dispatch a
SecurityViolation event which does not bubble and is not cancelable at
the Document object of the protected resource.

2. Whenever a policy violation occurs and the server's policy contains a
report-uri, a user-agent must send a violation report to all valid
report URIs declared in the policy via an HTTP POST request bearing the
Content-Type application/json.

The SecurityViolation DOM event and the violation report sent by a
user-agent convey the same information regarding the policy violation
and are intended to be utilized by the server for monitoring and logging.

The SecurityViolation event uses the CustomEvent interface defined in
the DOM Level 3 Events specification. [DOM-LEVEL-3-EVENTS].

The report structure defined below is a JSON object used for both the
detail argument to the SecurityViolation event constructor and the
request body of the violation report.

The SecurityViolation event detail and the report body sent by the
user-agent must be comprised of a JSON object having the following

* request: HTTP request line of the protected resource whose policy was
violated including method, URI and HTTP version
* request-headers: HTTP request headers sent with the request for the
protected resource whose policy was violated
* blocked-uri: URI of the resource that was prevented from loading due
to the policy violation
* violated-directive: The policy directive that was violated
* original-policy: The original policy as received by the user-agent.

If the policy was received via more than one Content Security Policy
response header, this field must contain a comma separated list of
original policies.

In the case where a protected resource is not rendered because its
frame-ancestors directive is violated, user-agents must not send
blocked-uri in the report as it is assumed to have the same value as
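The report object and event described in section 3.7 above, as an added example that is not code from the draft, from the thread, or from Mozilla's implementation. It builds the JSON object with the five fields listed (joining multiple policies with commas, omitting blocked-uri for a frame-ancestors violation), dispatches it as a non-bubbling, non-cancelable SecurityViolation CustomEvent at a stand-in for the protected resource's Document, and shows the validation a report-uri endpoint should apply before logging a body that any client could have posted. Representing request-headers as a name/value object, and the CustomEvent shim for older Node versions, are assumptions not stated in the draft.

```javascript
// Added example (not from the CSP draft or the thread): section 3.7 report
// object, SecurityViolation CustomEvent, and a defensive report-uri parser.
// Assumptions: request-headers is a name/value object; the CustomEvent shim
// below is only for Node versions without a global CustomEvent.

// Node >= 19 ships CustomEvent globally; older Node gets this minimal shim.
const CustomEventImpl = globalThis.CustomEvent ?? class CustomEvent extends Event {
  constructor(type, init = {}) {
    super(type, init);
    this.detail = init.detail === undefined ? null : init.detail;
  }
};

// Build the report object for one violation. `policies` holds every
// Content-Security-Policy header value received; more than one is joined
// into a comma-separated list for original-policy, as the draft requires.
function buildViolationReport({ requestLine, requestHeaders, blockedUri, violatedDirective, policies }) {
  const report = {
    'request': requestLine,
    'request-headers': requestHeaders,
    'violated-directive': violatedDirective,
    'original-policy': policies.join(', '),
  };
  // For a frame-ancestors violation the protected resource itself is what was
  // blocked, so the draft says blocked-uri is omitted rather than repeated.
  if (!violatedDirective.startsWith('frame-ancestors')) {
    report['blocked-uri'] = blockedUri;
  }
  return report;
}

// Dispatch SecurityViolation at `target` (stand-in for the protected
// resource's Document): does not bubble, is not cancelable, and carries the
// report as CustomEvent.detail. Returns the event for inspection.
function dispatchSecurityViolation(target, report) {
  const ev = new CustomEventImpl('SecurityViolation', {
    bubbles: false,
    cancelable: false,
    detail: report,
  });
  target.dispatchEvent(ev);
  return ev;
}

// Body of the HTTP POST to each report-uri (Content-Type: application/json).
function reportBody(report) {
  return JSON.stringify(report);
}

// Server side: the POST body comes from an arbitrary client, so check its
// size and shape before logging it. Returns the report object, or null if it
// is not a well-formed section 3.7 report.
function parseViolationReport(body, maxBytes = 64 * 1024) {
  if (typeof body !== 'string' || body.length > maxBytes) return null;
  let obj;
  try {
    obj = JSON.parse(body);
  } catch {
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  for (const key of ['request', 'violated-directive', 'original-policy']) {
    if (typeof obj[key] !== 'string' || obj[key].length === 0) return null;
  }
  const hdrs = obj['request-headers'];
  if (hdrs === null || typeof hdrs !== 'object' || Array.isArray(hdrs)) return null;
  const isFrameAncestors = obj['violated-directive'].startsWith('frame-ancestors');
  // blocked-uri is required unless the violated directive is frame-ancestors.
  if (!isFrameAncestors && typeof obj['blocked-uri'] !== 'string') return null;
  if ('blocked-uri' in obj && typeof obj['blocked-uri'] !== 'string') return null;
  return obj;
}

// Demo with constructed values: a listener the page could use for logging.
const demoDoc = new EventTarget();
demoDoc.addEventListener('SecurityViolation', (e) => {
  console.log('violation:', e.detail['violated-directive'], e.detail['blocked-uri']);
});
const demoReport = buildViolationReport({
  requestLine: 'GET /account HTTP/1.1',
  requestHeaders: { Host: 'app.example', 'User-Agent': 'ExampleBrowser/1.0' },
  blockedUri: 'http://cdn.example/widget.js',
  violatedDirective: "script-src 'self'",
  policies: ["default-src 'self'", 'img-src *'],
});
dispatchSecurityViolation(demoDoc, demoReport);
console.log(parseViolationReport(reportBody(demoReport)) !== null ? 'report ok' : 'report rejected');
```

The parser deliberately accepts only the fields the draft names and rejects arrays, non-string directives and oversized bodies; a report endpoint is a public POST target, so anything it writes to logs should be treated as attacker-controllable text rather than trusted telemetry.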
Received on Tuesday, 1 March 2011 23:53:44 UTC
