- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sat, 29 Jan 2011 19:14:40 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 1/29/11 1:11 AM, gaz Heyes wrote:
> header("X-Content-Security-Policy: allow 'self'; img-src
> www.gmodules.com; script-src *.businessinfo.co.uk;");
>
> In particular the semicolon, it seems to indicate next statement

Yes, it's just a divider. Order of "directives" (semicolon-delimited
chunks) is unimportant.

> yet how are they related to the "allow" statement.

Think of "allow" as "default-src": it provides the value for any missing
directive. Your policy has an explicit img-src and script-src so those are
what will be used for those types (and you did not specify 'self' for those
so you won't be able to load scripts from your own site). Any other type of
content (stylesheets, plugins, etc.) will be limited to 'self'.

> quoted string is confusing why do we need it for allow when we
> have protocols?

You don't need to use 'self', you can use unquoted mydomain.tld instead;
it's just a shortcut. It's quoted to distinguish it from an actual machine
called self, in the unlikely case there is one. We toyed with other ways to
distinguish keywords from host names, like $self, but single quotes is what
we settled on.

There's also 'none' if you wish to not have any of a particular type
loaded, e.g. "object-src 'none'"

> c) Having one
> big long line of command is definitely going to introduce errors

If you've got a long/complex policy then an external policyURI is probably
the way to go. If you can get away with the same policy for your entire
site then caching will mitigate the latency issues after the first page is
loaded.

-Dan Veditz
Received on Sunday, 30 January 2011 03:15:51 UTC
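The directive semantics Dan describes (semicolon-delimited directives in any order, "allow" filling in for any directive that is not given explicitly, quoted 'self' and 'none' as keywords, unquoted tokens as host patterns) can be made concrete with a small evaluator. The following is an added example written for this page, not Mozilla's parser or anything from the thread; it assumes a constructed own-site origin of https://www.example.com, matches 'self' on scheme plus host:port only, and treats a content type that has neither an explicit directive nor an "allow" fallback as unrestricted (that last rule is an assumption of this model, not something the message states). It runs the policy from the quoted header and shows that scripts from the page's own site are blocked while stylesheets fall back to 'self'.

```python
"""Simplified model of the 2011-era X-Content-Security-Policy directive
semantics discussed in the message above.  Educational example, not
Mozilla's implementation.
"""
from urllib.parse import urlsplit

# Policy from gaz Heyes' header, exactly as quoted in the thread.
POLICY = "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;"

# Constructed own-site origin for the 'self' check (assumption, not from the page).
PAGE_ORIGIN = "https://www.example.com"


def parse_policy(header: str) -> dict:
    """Split a policy header into {directive: [source tokens]}.

    ';' is only a divider, so empty chunks (e.g. from a trailing ';') are
    skipped and the order of directives carries no meaning.
    """
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        # Directive names, host names and keywords are case-insensitive.
        policy[parts[0].lower()] = [tok.lower() for tok in parts[1:]]
    return policy


def effective_sources(policy: dict, directive: str):
    """An explicit directive wins; otherwise "allow" acts as default-src.

    Returns None when neither is present; this model then treats the type as
    unrestricted (assumption of the model).
    """
    if directive in policy:
        return policy[directive]
    return policy.get("allow")


def host_matches(pattern: str, host: str) -> bool:
    """Match an unquoted host token; a leading '*.' matches any subdomain
    but not the bare domain itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def is_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """Decide whether loading resource_url as the given content type is
    permitted by the policy for a page at page_origin."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # model assumption: no directive and no allow => unrestricted
    if sources == ["'none'"]:
        return False
    res, page = urlsplit(resource_url), urlsplit(page_origin)
    for src in sources:
        if src == "'self'":
            # 'self' is a keyword, not a host named "self": same scheme and host:port.
            if (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif host_matches(src, res.hostname or ""):
            return True
    return False


def evaluate_thread_policy() -> dict:
    """Run the quoted policy against a few representative loads."""
    p = parse_policy(POLICY)
    return {
        "img from www.gmodules.com": is_allowed(p, "img-src", "https://www.gmodules.com/g.png", PAGE_ORIGIN),
        "img from own site": is_allowed(p, "img-src", "https://www.example.com/g.png", PAGE_ORIGIN),
        "script from own site": is_allowed(p, "script-src", "https://www.example.com/a.js", PAGE_ORIGIN),
        "script from cdn.businessinfo.co.uk": is_allowed(p, "script-src", "https://cdn.businessinfo.co.uk/a.js", PAGE_ORIGIN),
        "stylesheet from own site": is_allowed(p, "style-src", "https://www.example.com/s.css", PAGE_ORIGIN),
        "stylesheet from cdn.businessinfo.co.uk": is_allowed(p, "style-src", "https://cdn.businessinfo.co.uk/s.css", PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for load, ok in evaluate_thread_policy().items():
        print(f"{'allow' if ok else 'BLOCK'}  {load}")
    none_policy = parse_policy("allow 'self'; object-src 'none'")
    print("plugin from own site with object-src 'none':",
          is_allowed(none_policy, "object-src", "https://www.example.com/p.swf", PAGE_ORIGIN))
```

Running it prints a BLOCK for the own-site script (the omission Dan points out: script-src lists only *.businessinfo.co.uk, so 'self' from "allow" no longer applies to scripts), an allow for the own-site stylesheet (no style-src, so "allow 'self'" is used), and False for the object-src 'none' case.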