Commit
* First commit of new CSP guide
* Add example
* Added clickjacking and upgrade-insecure-requests
* Further clarifications on upgrade-insecure
* Add sections on testing
* Add See also
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Talk more about XSS
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Warningify unsafe-inline
* Boldify make unguessable nonces
* Explain what directives in the first example are doing
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Give example use case for hostname policy
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Add CSP header name, use http styling
* Use scripts instead of images
* Talk about when meta tag CSP delivery is a good option
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* Update files/en-us/web/http/csp/index.md
  Co-authored-by: Hamish Willee <[email protected]>
* More review comments
* Reorder fetch source expression types
* Clarify that one nonce value is set on all style/script tags
* Clarify 'intend to include'
* Review comment
* Add javascript: URLs
* Elaborate a little on using hashes for static pages
* Add linebreak
* Correct heading level
* Acknowledge that removing eval() can be hard: Link to trusted types
* Note that report-only policy can't be delivered in a meta element

---------

Co-authored-by: Hamish Willee <[email protected]>