Edits addressing ISSUE-16
author Adam Barth <w3c@adambarth.com>
Wed, 12 Sep 2012 23:17:00 -0700
changeset 157 d6c66fbd6917
parent 156 91aebebbb3da
child 158 753fefedaf45
csp-1.0-specification.html
     1.1 --- a/csp-1.0-specification.html	Tue Sep 04 15:04:35 2012 +0200
     1.2 +++ b/csp-1.0-specification.html	Wed Sep 12 23:17:00 2012 -0700
     1.3 @@ -111,13 +111,12 @@
     1.4        applications can use to mitigate a broad class of content injection
     1.5        vulnerabilities, such as cross-site scripting (XSS). Content Security
     1.6        Policy is a declarative policy that lets the authors (or server
     1.7 -      administrators) of a web application restrict from where the application
     1.8 -      can load resources.</p>
     1.9 +      administrators) of a web application inform the client from where the
    1.10 +      application expects to load resources.</p>
    1.11  
    1.12 -      <p>To mitigate XSS, for example, a web application can restrict itself
    1.13 -      to loading scripts only from known, trusted URIs, making it difficult
    1.14 -      for an attacker who can inject content into the web application to
    1.15 -      inject malicious script.</p>
    1.16 +      <p>To mitigate XSS, for example, a web application can declare from where
    1.17 +      it expects to load scripts, allowing the client to detect and block
    1.18 +      malicious scripts injected into the application by an attacker.</p>
    1.19  
    1.20        <p>Content Security Policy (CSP) is not intended as a first line of
    1.21        defense against content injection vulnerabilities. Instead, CSP is best
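Review bot: the new sentence at +1.16 to +1.18 overstates what the mechanism does. "allowing the client to detect and block malicious scripts" reads as if the user agent identifies malicious script, whereas a declared script source only lets it block whatever does not match that declaration, malicious or not, and it blocks a benign script from an undeclared source just the same. Suggest: "allowing the user agent to block scripts loaded from sources the application did not declare, including scripts injected by an attacker". The same hunk introduces "client" at +1.9 and +1.17 while the unchanged text elsewhere in this patch says "user agent" (see the third hunk); pick one term for the enforcing party.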
    1.22 @@ -159,8 +158,8 @@
    1.23          simply <dfn>policy</dfn>, for the purposes of this
    1.24          specification refers to either:
    1.25            <ol>
    1.26 -            <li>a set of security preferences for restricting the behavior of
    1.27 -            content within a given resource, or</li>
    1.28 +            <li>a set of security preferences for restrictions within which the
    1.29 +            content can operate, or</li>
    1.30              <li>a fragment of text that codifies these preferences.</li>
    1.31            </ol>
    1.32          </p>
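Review bot: the replacement list item at +1.28 to +1.29 reads awkwardly ("preferences for restrictions within which the content can operate") and drops the scoping the removed lines had ("within a given resource"), so it no longer says whose content is being restricted. Suggest: "a set of restrictions within which the content of a given resource is permitted to operate, or".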
    1.33 @@ -174,9 +173,9 @@
    1.34  
    1.35          <p>A server transmits its security policy for a particular protected
    1.36          resource as a collection of <dfn>directives</dfn>, such as
    1.37 -        <code>default-src 'self'</code>, each of which controls a specific set
    1.38 -        of privileges for that protected resource as instantiated by the user
    1.39 -        agent. More details are provided in the <a href="#directives">directives</a>
    1.40 +        <code>default-src 'self'</code>, each of which declares a specific set
    1.41 +        of restrictions for that resource as instantiated by the user agent.
    1.42 +        More details are provided in the <a href="#directives">directives</a>
    1.43          section.</p>
    1.44  
    1.45          <p>A directive consists of a <dfn>directive name</dfn>, which
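Review bot: "that resource" at +1.41 drops the qualifier from the defined term "protected resource" used two lines earlier in the same sentence; keep the term consistent. With "controls ... privileges" replaced by "declares ... restrictions", the trailing "as instantiated by the user agent" now attaches ambiguously to "restrictions" rather than to the resource. Since the first hunk makes the user agent the party that enforces the declaration, the clearer wording is "each of which declares a specific set of restrictions that the user agent enforces on that protected resource".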