While reading through https://wiki.mozilla.org/Security/CSP/Spec , I noticed
some ambiguities for handling "allow 'none'".

*1) Is "allow" optional or required?*

The allow specification (https://wiki.mozilla.org/Security/CSP/Spec#allow)
indicates that "allow" is an optional field.  Quoting that section:

If the allow directive is not explicitly specified, no content from any
source will be loaded. This is equivalent to the policy "allow 'none'".


However, earlier on that page (
https://wiki.mozilla.org/Security/CSP/Spec#Policy_Language_and_Syntax)
there's the following:

A policy is composed of directives with their corresponding values. Any
number of directives can be defined, but the *allow directive must always be
present*.


In addition, the formal policy syntax seems to require an allow field.

<policy>            ::= <allow-directive>";"<directive-list>

<allow-directive>   ::= allow <source-list>

<source-list>       ::= <source>
                      | <source-list>" "<source>

<source>            ::= "'self'"
                      | <scheme><host><port>

Suggestion: The documentation should be updated to indicate that "allow" is
a required field.

*2) Is "allow 'none'" allowed?*

Throughout the CSP documentation, there are references to allow 'none', for
example:

A policy is composed of directives, such as "allow none". Each directive is
composed ...


or

... raise a CSP console error and enforce the most restrictive ("allow
none") policy.


or

If the allow directive is not explicitly specified, no content from any
source will be loaded. This is equivalent to the policy "allow 'none'".


etc...

However, the formal policy syntax does not seem to allow "allow 'none'".

<policy>            ::= <allow-directive>";"<directive-list>

<allow-directive>   ::= allow <source-list>

<source-list>       ::= <source>
                      | <source-list>" "<source>

<source>            ::= "'self'"
                      | <scheme><host><port>

Suggestion: The formal policy syntax should be updated to indicate that allow
'none' is allowed.
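As an added illustration of the two points above (this parser is not part of the message or of the Mozilla spec): it implements the quoted grammar literally, so "allow" must be the first directive and 'none' is rejected as a <source>, and an `allow_none` switch shows the effect of the suggested grammar change. The regex standing in for <scheme><host><port>, the sample "img-src" directive and the treatment of <directive-list> as zero or more "name source-list" entries are assumptions, since the page does not define them.

```python
import re

# Stand-in for <scheme><host><port>, which the quoted grammar leaves undefined
# (assumption: e.g. https://example.com:443).
SCHEME_HOST_PORT = re.compile(r"^[a-z][a-z0-9+.-]*://[^\s:/]+:\d+$")


class CSPSyntaxError(ValueError):
    """Raised when a policy does not match the formal syntax."""


def parse_source(token, allow_none=False):
    # <source> ::= "'self'" | <scheme><host><port>
    # The quoted grammar has no 'none' alternative; allow_none adds it,
    # which is the change the message suggests.
    if token == "'self'":
        return token
    if allow_none and token == "'none'":
        return token
    if SCHEME_HOST_PORT.match(token):
        return token
    raise CSPSyntaxError(f"invalid <source>: {token!r}")


def parse_source_list(text, allow_none=False):
    # <source-list> ::= <source> | <source-list>" "<source>
    tokens = text.split(" ")
    if any(t == "" for t in tokens):
        raise CSPSyntaxError(f"empty <source-list> entry in {text!r}")
    return [parse_source(t, allow_none) for t in tokens]


def parse_policy(policy, allow_none=False):
    # <policy> ::= <allow-directive>";"<directive-list>
    # The allow directive is required and must come first; the remaining
    # directives are assumed to be "name source-list" entries.
    directives = [d.strip() for d in policy.split(";") if d.strip()]
    if not directives or not directives[0].startswith("allow "):
        raise CSPSyntaxError("policy must begin with an allow directive")
    parsed = {}
    for directive in directives:
        name, _, value = directive.partition(" ")
        parsed[name] = parse_source_list(value, allow_none)
    return parsed


def accepts(policy, allow_none=False):
    """True if the policy is valid under the (optionally extended) grammar."""
    try:
        parse_policy(policy, allow_none)
        return True
    except CSPSyntaxError:
        return False
```

With the grammar as written, `accepts("allow 'none'")` is False even though the prose treats that policy as the default, which is exactly the inconsistency described above.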

Thanks,
-- Nick
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security