Clarify that path restrictions are not enforced in 1.0
author Adam Barth <w3c@adambarth.com>
Wed, 12 Sep 2012 23:32:41 -0700
changeset 158753fefedaf45
parent 157 d6c66fbd6917
child 159 3231a9c53e4f
Clarify that path restrictions are not enforced in 1.0
csp-1.0-specification.html
     1.1 --- a/csp-1.0-specification.html	Wed Sep 12 23:17:00 2012 -0700
     1.2 +++ b/csp-1.0-specification.html	Wed Sep 12 23:32:41 2012 -0700
     1.3 @@ -1136,6 +1136,16 @@
     1.4          <p>This policy allows inline content (such as inline <code>script</code> elements), use of
     1.5          <code>eval</code>, and loading resources over <code>https</code>.  Note: This policy does
     1.6          not provide any protection from cross-site scripting vulnerabilities.
     1.7 +
     1.8 +        <p><strong>Example 4:</strong> A social network wishes to ensure that all scripts are loaded
     1.9 +        from a specific path to prevent user-generated content from being interpreted as script:</p>
    1.10 +
    1.11 +        <pre>Content-Security-Policy: default-src 'self'; script-src https://example.com/js/</pre>
    1.12 +
    1.13 +        <p>Unfortunately, this use case is not supported in CSP 1.0. The user agent will ignore
    1.14 +        the path and act as if the policy contained a <code>script-src</code> directive with value
    1.15 +        <code>https://example.com</code>. A future version of CSP might begin enforcing these path
    1.16 +        restrictions, however.</p>
    1.17        </section>
    1.18  
    1.19        <section class="informative">
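Review bot: The new paragraph at 1.13-1.16 states the consequence ("will ignore the path") without saying which part of the spec causes it; since this is an example, consider pointing readers to the source-expression grammar or the source matching rules that define host sources without a path component, so the behaviour is traceable rather than asserted in the example text. It would also help the reader the example is aimed at (a site trying to keep user-generated content from running as script) to spell out the practical consequence: because the policy is treated as `script-src https://example.com`, any user-uploaded content served from any path on that origin remains eligible as a script source, so the mitigation in 1.0 is to serve such content from a separate origin rather than a separate path. Minor style point: the new paragraphs close their `<p>` elements explicitly, while the surrounding paragraph at 1.4-1.6 does not; pick one convention for the section.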