While reading through https://wiki.mozilla.org/Security/CSP/Spec , I noticed some ambiguities for handling "allow 'none'".
*1) Is "allow" optional or required?*

The allow specification (https://wiki.mozilla.org/Security/CSP/Spec#allow) indicates that "allow" is an optional field. Quoting that section:

    If the allow directive is not explicitly specified, no content from any source will be loaded. This is equivalent to the policy "allow 'none'".

However, earlier on that page (https://wiki.mozilla.org/Security/CSP/Spec#Policy_Language_and_Syntax) there's the following:

    A policy is composed of directives with their corresponding values. Any number of directives can be defined, but the *allow directive must always be present*.

In addition, the formal policy syntax seems to require an allow field.

    <policy> ::= <allow-directive>";"<directive-list>
    <allow-directive> ::= allow <source-list>
    <source-list> ::= <source> | <source-list>" "<source>
    <source> ::= "'self'" | <scheme><host><port>

Suggestion: The documentation should be updated to indicate that "allow" is a required field.

*2) Is "allow 'none'" allowed?*

Throughout the CSP documentation, there are references to allow 'none', for example:

    A policy is composed of directives, such as "allow none". Each directive is composed ...

or

    ... raise a CSP console error and enforce the most restrictive ("allow none") policy.

or

    If the allow directive is not explicitly specified, no content from any source will be loaded. This is equivalent to the policy "allow 'none'".

etc...

However, the formal policy syntax does not seem to allow allow 'none'.

    <policy> ::= <allow-directive>";"<directive-list>
    <allow-directive> ::= allow <source-list>
    <source-list> ::= <source> | <source-list>" "<source>
    <source> ::= "'self'" | <scheme><host><port>

Suggestion: The formal policy syntax should be updated to indicate that allow 'none' is allowed.

Thanks,
-- Nick

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
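To make the two readings concrete, the following checker (added here; it is not code from the post or from the Mozilla CSP spec) applies the quoted <allow-directive> grammar literally, with a flag for the suggested 'none' fix, and separately applies the prose rule that a missing allow directive means allow 'none'. The regex standing in for <scheme><host><port> is an assumption, since the post does not reproduce those productions.

```python
import re

# Assumed approximation of <source> ::= "'self'" | <scheme><host><port>.
# The post does not define <scheme>, <host> or <port>, so this accepts
# scheme://host with an optional numeric port, e.g. https://example.com:443.
_HOST_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*://[a-z0-9.-]+(:\d+)?$", re.I)


def is_source(token: str, allow_none: bool) -> bool:
    """One <source> token. 'none' is accepted only under the suggested fix."""
    if token == "'self'":
        return True
    if allow_none and token == "'none'":
        return True
    return bool(_HOST_SOURCE.match(token))


def check_allow_directive(policy: str, allow_none: bool = False) -> bool:
    """True if the policy's first directive satisfies
    <allow-directive> ::= allow <source-list> as the grammar is quoted
    (allow_none=False) or with 'none' added as a <source> (allow_none=True)."""
    first, _, _rest = policy.partition(";")
    tokens = first.strip().split()
    if not tokens or tokens[0] != "allow":
        return False  # <policy> starts with <allow-directive>, so allow is required
    sources = tokens[1:]
    if not sources:
        return False  # <source-list> needs at least one <source>
    return all(is_source(t, allow_none) for t in sources)


def effective_allow_sources(policy: str) -> list[str]:
    """Sources granted under the prose reading of the spec: an absent allow
    directive is equivalent to the policy allow 'none'."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0] == "allow":
            return tokens[1:]
    return ["'none'"]


if __name__ == "__main__":
    # Constructed sample policies illustrating the ambiguity in the post.
    for p in ("allow 'self' https://example.com:443; img-src https://example.com",
              "allow 'none'", "img-src 'self'"):
        print(repr(p), "grammar:", check_allow_directive(p),
              "with 'none':", check_allow_directive(p, allow_none=True),
              "prose:", effective_allow_sources(p))
```

The literal grammar rejects allow 'none' and any policy without a leading allow directive, while the prose treats a missing allow directive as allow 'none'; the two disagree exactly where the post says they do.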