Remove macro and cross link
hamishwillee committed Jan 31, 2022
1 parent 7f8ee32 commit 10140e2
Showing 20 changed files with 106 additions and 240 deletions.
Expand Up @@ -32,18 +32,18 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest

## Syntax

One or more*sources* can be allowed for the base-uri policy:
One or more *sources* can be allowed for the base-uri policy:

```
```http
Content-Security-Policy: base-uri <source>;
Content-Security-Policy: base-uri <source> <source>;
```

### Sources

While this directive uses the same arguments as other CSP directives, some of them don’t make sense for \`\<base>\`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`
This directive uses most of the same source values for arguments as other CSP directives: [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
Note however that some of the values don't make sense for `base-uri`, such as the keywords `'unsafe-inline'` and `'strict-dynamic'`.

## Examples

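Review bot: the replacement wording on the Sources line, "uses most of the same source values for arguments as other CSP directives", reads awkwardly and differs from the "`<source>` can be any one of the values listed in ..." sentence this commit puts on every other directive page; suggest "This directive accepts most of the same source values as other CSP directives: [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources)." so the pages stay parallel. The follow-up sentence that `'unsafe-inline'` and `'strict-dynamic'` make no sense for `base-uri` is worth keeping, since it is the one directive-specific caveat the old inline text carried.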
Expand Up @@ -43,24 +43,26 @@ network errors by the user agent.

## Syntax

One or more sources can be allowed for the child-src policy:
One or more sources can be allowed for the `child-src` policy:

```
```http
Content-Security-Policy: child-src <source>;
Content-Security-Policy: child-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: child-src https://example.com/
```

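Review bot: the two links added on the Sources lines depend on the `#sources` and `#relevant_directives` fragment ids existing on the CSP Source Values page; the `{{page(...)}}` macro being removed pulled the section content in by heading name, so the text could not drift, whereas a wrong fragment id will now render silently as a link to the top of the target page. Suggest checking both anchors against that page's headings before merging, since the same two links are pasted into every file in this commit.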
Expand Up @@ -52,22 +52,24 @@ loaded using script interfaces. The APIs that are restricted are:

One or more sources can be allowed for the connect-src policy:

```
```http
Content-Security-Policy: connect-src <source>;
Content-Security-Policy: connect-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: connect-src https://example.com/
```

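Review bot: the syntax sentence in this hunk, "One or more sources can be allowed for the connect-src policy:", leaves `connect-src` unformatted while this same commit wraps `child-src` and `object-src` in backticks on their equivalent lines; suggest "for the `connect-src` policy" for consistency.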
Expand Up @@ -58,49 +58,9 @@ Content-Security-Policy: default-src <source> <source>;

### Sources

\<source> can be one of the following:
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

- `<host-source>`

- : Internet hosts by name or IP address, as well as an optional [URL scheme](/en-US/docs/Learn/Common_questions/What_is_a_URL) and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `'*'`), and you may use a wildcard (again, `'*'`) as the port number, indicating that all legal ports are valid for the source.
Examples:

- `http://*.example.com`: Matches all attempts to load from any subdomain of example.com using the `http:` URL scheme.
- `mail.example.com:443`: Matches all attempts to access port 443 on mail.example.com.
- `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
- `*.example.com`: Matches all attempts to load from any subdomain of example.com using the current protocol.

- `<scheme-source>`

- : A scheme such as `http:` or `https:`. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).

- `data:` Allows [`data:` URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) to be used as a content source. _This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts._
- `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Streams_API) to be used as a content source.
- `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
- `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.

- `'self'`
- : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. Sites needing to allow these content types can specify them using the Data attribute.
- `'unsafe-eval'`
- : Allows the use of `eval()` and similar methods for creating code from strings. You must include the single quotes.
- `'unsafe-hashes'`
- : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or `javascript:` URLs, this is a safer method than using the `unsafe-inline` expression.
- `'unsafe-inline'`
- : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, `javascript:` URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required.
- `'none'`
- : Refers to the empty set; that is, no URLs match. The single quotes are required.
- `'nonce-<base64-value>'`

- : An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.

> **Note:** The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).
- `'<hash-algorithm>-<base64-value>'`
- : A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the \<script> or \<style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. In CSP 2.0, this is applied only to inline scripts. CSP 3.0 allows it in the case of `script-src` for external scripts.
- `'strict-dynamic'`
- : The `strict-dynamic` source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as `'self'` or `'unsafe-inline'` are ignored. See [script-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic) for an example.
- `'report-sample'`
- : Requires a sample of the violating code to be included in the violation report.
Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

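Review bot: this hunk deletes the only inline copy of several security caveats, not just a macro: the warning that `data:` is insecure because an attacker can inject arbitrary `data:` URIs and it should not be used for scripts, the requirement that nonces be unguessable and generated fresh for every policy transmitted, the note that nonces apply only to nonceable elements, and the reminder that hash values are sensitive to capitalization and whitespace. Please confirm the CSP Source Values page being linked carries each of these before merging; `default-src` is the fallback for the fetch directives and the page readers most often land on, so losing those caveats here would matter more than on the other pages in this commit.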
Expand Up @@ -42,22 +42,24 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.

One or more sources can be allowed for the `font-src` policy:

```
```http
Content-Security-Policy: font-src <source>;
Content-Security-Policy: font-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: font-src https://example.com/
```

Expand Up @@ -39,14 +39,16 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form-action`** direc

One or more sources can be set for the `form-action` policy:

```
```http
Content-Security-Policy: form-action <source>;
Content-Security-Policy: form-action <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

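Review bot: the added note on the last changed line, "this same set of values can be used in all fetch directives (and a number of other directives)", is copied from the fetch-directive pages, but `form-action` is a navigation directive rather than a fetch directive, so on this page the sentence reads as if it were about a different category and only covers `form-action` through the parenthetical. Suggest wording it from this directive's perspective, e.g. "`form-action` accepts the same set of values as the fetch directives; see [relevant directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)." The same applies to the `navigate-to` hunk later in this commit.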
Expand Up @@ -45,22 +45,24 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and

One or more sources can be allowed for the `frame-src` policy:

```
```http
Content-Security-Policy: frame-src <source>;
Content-Security-Policy: frame-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: frame-src https://example.com/
```

Expand Up @@ -15,9 +15,7 @@ browser-compat: http.headers.csp.Content-Security-Policy.img-src
---
{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}}
**`img-src`** directive specifies valid sources of images and
favicons.
The HTTP {{HTTPHeader("Content-Security-Policy")}} **`img-src`** directive specifies valid sources of images and favicons.

<table class="properties">
<tbody>
Expand All @@ -43,22 +41,24 @@ favicons.

One or more sources can be allowed for the `img-src` policy:

```
```http
Content-Security-Policy: img-src <source>;
Content-Security-Policy: img-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: img-src https://example.com/
```

Expand Up @@ -44,22 +44,24 @@ to the resource.

One or more sources can be allowed for the `manifest-src` policy:

```
```http
Content-Security-Policy: manifest-src <source>;
Content-Security-Policy: manifest-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: manifest-src https://example.com/
```

Expand Up @@ -43,22 +43,24 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.

One or more sources can be allowed for the `media-src` policy:

```
```http
Content-Security-Policy: media-src <source>;
Content-Security-Policy: media-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: media-src https://example.com/
```

Expand Up @@ -46,14 +46,16 @@ on what this document is allowed to navigate to.

One or more sources can be set for the `navigate-to` policy:

```
```http
Content-Security-Policy: navigate-to <source>;
Content-Security-Policy: navigate-to <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

Expand Up @@ -51,24 +51,26 @@ To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, an

## Syntax

One or more sources can be allowed for the object-src policy:
One or more sources can be allowed for the `object-src` policy:

```
```http
Content-Security-Policy: object-src <source>;
Content-Security-Policy: object-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/connect-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Examples

### Violation cases

Given this CSP header:

```
```http
Content-Security-Policy: object-src https://example.com/
```

Expand Up @@ -40,22 +40,24 @@ be prefetched or prerendered.

One or more sources can be allowed for the `prefetch-src` policy:

```
```http
Content-Security-Policy: prefetch-src <source>;
Content-Security-Policy: prefetch-src <source> <source>;
```

### Sources

{{page("Web/HTTP/Headers/Content-Security-Policy/default-src", "Sources")}}
`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).

Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).

## Example

### Prefetch resources do not match header

Given a page with the following Content Security Policy:

```
```http
Content-Security-Policy: prefetch-src https://example.com/
```

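Review bot: the context line "## Example" in this hunk is singular while every other directive page touched by this commit uses "## Examples"; since the hunk already edits the surrounding lines, suggest renaming the heading here so the pages stay parallel.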