From 2ffe344dd8372010ccec828794072ee4ba06decd Mon Sep 17 00:00:00 2001
From: wiese
Date: Wed, 10 Mar 2021 18:21:51 +0100
Subject: [PATCH] csp: script-src: examples: avoid id collision

Avoids an id/anchor collision between Example's and Sources's strict-dynamic sections. This document embeds the Sources section from `Web/HTTP/Headers/Content-Security-Policy/default-src` which already sets a `strict-dynamic` id, and both end up in the resulting page[1]. Consequently, the `strict-dynamic` anchor in this document here - the second one in the DOM - was not linkable as desired.

This change is a bit desperate as it is only a manual solution for the one problem I spotted. A systemic solution would be preferred. I can envision e.g. consistently tagging the sources - so all of them become linkable - and doing so with a "sources" prefix to limit the likelihood of collisions but that would break existing links/bookmarks. I assume this is not the first time a problem like this popped up in a large project like this and maybe someone has a go-to solution which can be applied as a follow-up.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
---
 .../http/headers/content-security-policy/script-src/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.html b/files/en-us/web/http/headers/content-security-policy/script-src/index.html
index f3d699051a36cfa..fc6cc81e209d9a6 100644
--- a/files/en-us/web/http/headers/content-security-policy/script-src/index.html
+++ b/files/en-us/web/http/headers/content-security-policy/script-src/index.html
@@ -118,7 +118,7 @@

Unsafe eval expressions

  • {{domxref("window.execScript")}} {{non-standard_inline}} (IE < 11 only)
  • -

    strict-dynamic

    +

    strict-dynamic

    The 'strict-dynamic' source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as 'self' or 'unsafe-inline' will be ignored. For example, a policy such as script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/ would allow loading of a root script with <script nonce="R4nd0m" src="https://example.com/loader.js"> and propagate that trust to any script loaded by loader.js, but disallow loading scripts from https://whitelisted.com/ unless accompanied by a nonce or loaded from a trusted script.
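Review bot: the new anchor value is not visible in this hunk, since the removed and added heading lines both render as "strict-dynamic" and the change is attribute-only; state the new id explicitly in the commit message (for example "rename the example heading id from `strict-dynamic` to <new id>") so that reviewers and anyone maintaining links can see what the example section is now addressable as. Please also check that any in-page link to the example section points at the new id rather than at `#strict-dynamic`, which, as the message notes, keeps resolving to the first, embedded Sources heading in the DOM.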