Update CSP source expression reference#36792
Conversation
| - {{CSP("require-trusted-types-for")}} {{experimental_inline}} | ||
| - : Enforces [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) at the DOM XSS injection sinks. | ||
| - : Enforces [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) at the DOM XSS injection sinks. |
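Review bot: Swapping the w3c.github.io spec URL for the MDN Trusted_Types_API page removes the only direct link to the Trusted Types spec from this entry; if the page's Specifications table does not already point at it, consider keeping the spec link next to the MDN one rather than replacing it. The `{{experimental_inline}}` badge and the "DOM XSS injection sinks" wording are unchanged, which is fine.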
FYI updated links here to MDN docs.
| See [Nonces](/en-US/docs/Web/HTTP/CSP#nonces) in the CSP guide for more usage information. | ||
| > [!NOTE] Nonce source expressions are only applicable to {{htmlelement("script")}} and {{htmlelement("style")}} elements. |
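Review bot: The `[!NOTE]` marker and the note text sit on the same `>` line; the GFM alert syntax used on MDN expects `> [!NOTE]` alone on the first line with the body on the following `>` line(s), so unless this is only how the diff is rendered here the callout may not render as a note. Since the sentence scopes nonces to `{{htmlelement("script")}}` and `{{htmlelement("style")}}` elements, it would also help a reader arriving from a directive page to say which directives accept them (the script-src and style-src families, and default-src as their fallback).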
Should we forward link to strict dynamic?
I would say that's really getting out of "reference" and into "usage".
hamishwillee left a comment:
A few minor questions/suggestions. Approving so you can merge if you want to ignore those.
I was going to note the fact that you lose a bit of context when you go from a particular directive to find out what the directive is, i.e., you're in a different part of the sidebar, but it's easy enough to go back, and after you've read this a couple of times you'll appreciate that the directive docs are succinct because you'll know what the listed source expressions there mean.
We could consider listing the directives to which each source applies in the corresponding source expression.
Anyway, I like it a lot. Way better than before. A good compromise.
OK I think I addressed all these except one which I argued with. If you are still happy we can merge this!

Very happy. Another clear improvement. Cheers
* origin/xss-guide: (284 commits)
  Add information on default entryPoint property values (mdn#36633)
  Bump husky from 9.1.6 to 9.1.7 (mdn#36863)
  fix(performance): Typo '50ms seconds' (mdn#36861)
  Add spec_url & add note for bcd for `<frequency>` and `<frequency-percentage>` (mdn#36848)
  addresses 36583: summary icon styles (mdn#36691)
  Remove "simple" part 3: change to "basic" (mdn#36762)
  the default option of a select (mdn#36658)
  docs(css): Add support for `<string>` in `syntax` descriptor of @Property at-rule (mdn#36655)
  Fix parameter syntax for `Navigation.updateCurrentEntry()` (mdn#36852)
  Update CSP source expression reference (mdn#36792)
  chore(http): Refresh headers docs (d-k) (mdn#36075)
  chore(http): Refresh headers r-s (mdn#36590)
  Updated index.md (mdn#36845)
  fix : wrong method name (mdn#36843)
  Remove all redirects to other locales (mdn#36811)
  fix typos (mdn#36837)
  docs: update Accept-Charset status (mdn#36822)
  updateSelection: make more intuitive (mdn#36834)
  updateText: Remove false information (mdn#36832)
  DOMRect instance properties (mdn#36704)
  ...
This PR implements the proposal in https://github.com/orgs/mdn/discussions/756.
It adds a section to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy that documents all the source expression values, and links to the relevant bits of this section from the fetch directive pages.
For the new section (https://pr36792.content.dev.mdn.mozit.cloud/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#source_expression_syntax) I wasn't sure how to order values. I don't think alphabetical is a good idea.
Commits:
- `default-src`, `script-src*`, and `style-src*`
- `fenced-frame-src`. I haven't changed what it actually says although I don't really understand it. But I can't find any docs for this directive and it isn't in the CSP spec, so I'm not really able to sort it out.
- `'self'` to note insecure upgrade behavior, part of the fix for CSP: Document http->https, and wss being allowed in `'self'` #36168.
- Fixes #36168.
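The source expressions this PR documents (scheme sources, host sources with wildcards, ports and paths, `'self'` with the http->https and wss upgrade behaviour from the `'self'` commit, `'none'`, nonce sources, and `'strict-dynamic'` overriding URL-based sources), plus the `default-src` fallback for fetch directives, as an added JavaScript example. This is example code written for this edit, not code from the PR, from MDN, or from any browser. It assumes Node.js 18+ for the global WHATWG `URL` class; the helper names (`parsePolicy`, `urlAllowed`, `nonceAllowed`, and the rest) are mine, the policy strings and URLs are constructed test data, and two details are my reading of CSP3 rather than something the page states: that `'self'` on an http: origin also admits ws:, and the `'self'` port rule (same port, or both sides on their scheme's default port). The `-elem`/`-attr` fallback chains, redirect handling, and percent-decoded path-segment comparison are left out.

```javascript
// Added example for this edit; not code from the PR, MDN, or a browser.
// A minimal CSP3-style source-expression matcher. Assumes Node.js 18+ for the
// global WHATWG URL class. Helper names (parsePolicy, urlAllowed, ...) are mine.

const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Fetch directives that fall back to default-src when absent. The -elem/-attr
// chains (script-src-elem -> script-src -> default-src) are left out for brevity.
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
  "object-src", "child-src", "frame-src", "worker-src", "manifest-src",
]);

// host-source grammar: [scheme://]host[:port][/path]; host may be "*" or "*.suffix"
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^\s;,]*)?$/i;

// URL.port is "" when the port is the scheme default; normalise to a number.
function portOf(u) {
  return u.port === "" ? DEFAULT_PORTS[u.protocol] ?? null : Number(u.port);
}

// "default-src 'self'; script-src 'nonce-x' https://cdn.example.com" ->
// Map { "default-src" => ["'self'"], "script-src" => [...] }.
// A repeated directive is ignored (first occurrence wins), as in CSP.
function parsePolicy(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !policy.has(tokens[0].toLowerCase())) {
      policy.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return policy;
}

// Source list governing a directive, honouring default-src fallback.
// null means the policy places no restriction on that directive.
function effectiveSourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return policy.get("default-src");
  }
  return null;
}

// scheme-source semantics: http: also admits https:, ws: also admits wss:.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);     // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length; // not the bare apex
  }
  return pattern === host;
}

// 'self': same origin, or the same host reached over a secure upgrade of the
// origin's scheme (the http -> https and wss behaviour the PR documents).
// ASSUMPTIONS (my reading of CSP3): ws: is admitted from an http: origin, and
// ports must be equal or both sides must be on their scheme's default port.
function selfMatches(origin, url) {
  if (origin.origin === url.origin) return true;
  if (origin.hostname !== url.hostname) return false;
  const upgrades = { "http:": ["http:", "https:", "ws:", "wss:"], "https:": ["https:", "wss:"] };
  if (!(upgrades[origin.protocol] ?? []).includes(url.protocol)) return false;
  const up = portOf(url), op = portOf(origin);
  return up === op || (up === DEFAULT_PORTS[url.protocol] && op === DEFAULT_PORTS[origin.protocol]);
}

// Does one source expression admit this URL? Keyword, nonce and hash sources
// never match by URL; among the quoted expressions only 'self' is URL-relevant.
function matchesExpression(expr, url, origin) {
  if (expr.startsWith("'")) return expr === "'self'" && selfMatches(origin, url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const exprScheme = scheme ? scheme.toLowerCase() + ":" : origin.protocol; // no scheme: the origin's
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  if (!hostMatches(host.toLowerCase(), url.hostname)) return false;
  if (port === undefined ? portOf(url) !== DEFAULT_PORTS[url.protocol]
                         : port !== "*" && Number(port) !== portOf(url)) return false;
  // path-part: a trailing "/" is a prefix match, anything else an exact match (simplified)
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// May a document at originStr fetch urlStr under this directive?
function urlAllowed(policy, directive, urlStr, originStr) {
  const list = effectiveSourceList(policy, directive);
  if (list === null) return true;
  if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return false;
  // 'strict-dynamic' (script-src) makes host, scheme and 'self' sources ignored:
  // trust then comes only from nonces/hashes (see nonceAllowed) and propagates.
  if (directive.startsWith("script-src") && list.includes("'strict-dynamic'")) return false;
  const url = new URL(urlStr), origin = new URL(originStr);
  return list.some((e) => matchesExpression(e, url, origin));
}

// Nonce sources match a script/style element's nonce attribute, not a URL.
// The comparison is exact and case-sensitive, as in the browser.
function nonceAllowed(policy, directive, elementNonce) {
  const list = effectiveSourceList(policy, directive) ?? [];
  return list.some((e) => e.startsWith("'nonce-") && e.endsWith("'") && e.slice(7, -1) === elementNonce);
}

// Constructed sample policy and origin (not from any real site).
const POLICY = parsePolicy(
  "default-src 'self'; script-src 'nonce-r4nd0m' https://cdn.example.com/libs/; " +
  "img-src *.example.com; connect-src 'self' wss://chat.example.com:8443; object-src 'none'"
);
console.log(urlAllowed(POLICY, "font-src", "https://shop.example/f.woff", "http://shop.example")); // 'self' upgrade
console.log(urlAllowed(POLICY, "img-src", "https://example.com/logo.png", "https://shop.example"));  // apex not covered
```

`urlAllowed` answers the question a directive page leaves implicit (which URLs a given list admits for a given origin), while `nonceAllowed` is deliberately separate: a nonce is checked against the element, never against the fetched URL, which is why the `'strict-dynamic'` branch in `urlAllowed` simply refuses URL-based matching and leaves the decision to the nonce path.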