While support for "standard" Content Security Policy is not really consistent among browsers, elements of CSP 1.1 are starting to appear in the wild. I've just realized there are at least three versions of CSP coexisting on the Internet at this moment:
- old CSP, the old, deprecated Mozilla specification. You can recognize it by the use of `allow` instead of `default-src`.
- CSP 1.0, the current official W3C standard. But wait, it's not a standard but merely a "candidate recommendation", dated November 2012.
- CSP 1.1, the new work-in-progress spec, with a number of interesting additions. I haven't really looked at the policy syntax, but the reports it sends contain the `script-sample` keyword, for example.

The last one I've just seen in the following CSP report sent to my server from my Chrome 25:

```
Content Security Policy violation: {'violated-directive': 'inline script base restriction', 'referrer': 'http://webcookies.info/', 'script-sample': '\n window.fbAsyncInit = function() {\n ...', 'source-file': 'http://webcookies.info/scan/2918', 'blocked-uri': 'self', 'line-number': 85, 'document-uri': 'http://webcookies.info/scan/2918'}, reporting IP 78.8.119.139, user agent Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
```
The `script-sample` block is from the new CSP 1.1 spec. The rest looks like standard CSP 1.0. Note that the reporting IP and user agent are not part of the CSP report — they were added by my application using the django-security middleware, which recently got brand new CSP support.

Note that if you want to actually use CSP on your website, it can be tricky with all these versions. The first question would be — which version of the syntax to send? The safe bet would be CSP 1.0, as it seems to be the most promising. But then you need to decide which header you want to use to publish your policy, as there are now three of them. Here I would also stick to the CSP 1.0 header, `Content-Security-Policy`.
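To show how a report-uri endpoint can cope with the coexisting versions described above, here is an added example (not code from this post or from django-security): it classifies a policy string as old Mozilla syntax or CSP 1.0 by the `allow`/`default-src` distinction, and parses a POSTed violation report, flagging the CSP 1.1 `script-sample` field and capping it before logging since it echoes page content. The sample report and the `example.invalid` URLs are constructed for the example.

```python
import json

# Constructed sample report (not the one quoted above), using the same field
# set: CSP 1.0 report fields plus the CSP 1.1 'script-sample'. Browsers POST
# it to the report-uri wrapped in a "csp-report" object.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://example.invalid/scan/1",
    "referrer": "http://example.invalid/",
    "violated-directive": "inline script base restriction",
    "blocked-uri": "self",
    "source-file": "http://example.invalid/scan/1",
    "line-number": 85,
    "script-sample": "\n window.fbAsyncInit = function() {\n ...",
}})

MAX_SAMPLE = 40  # cap on the logged script-sample; it echoes page content


def policy_version(policy):
    """Classify a policy header value by its syntax: the old Mozilla spec
    uses 'allow', CSP 1.0 uses 'default-src'.
    Returns 'old-mozilla', 'csp-1.0' or 'unknown'."""
    names = {d.strip().split()[0].lower()
             for d in policy.split(";") if d.strip()}
    if "allow" in names:
        return "old-mozilla"
    if "default-src" in names:
        return "csp-1.0"
    return "unknown"


def parse_report(raw):
    """Parse a POSTed violation report and note which spec it resembles.
    A report carrying 'script-sample' shows CSP 1.1 behaviour; the other
    fields are plain CSP 1.0. Tolerates a missing "csp-report" wrapper."""
    body = json.loads(raw)
    report = body.get("csp-report", body)
    sample = report.get("script-sample")
    return {
        "spec": "csp-1.1" if sample is not None else "csp-1.0",
        "directive": report.get("violated-directive", ""),
        "document": report.get("document-uri", ""),
        "blocked": report.get("blocked-uri", ""),
        # CSP 1.0 reports an inline-script violation with blocked-uri 'self'
        "inline": report.get("blocked-uri") == "self",
        "line": report.get("line-number"),
        "sample": sample[:MAX_SAMPLE] if sample else "",
    }
```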