diff --git a/features/draft/spec/csp3.yml b/features/csp.yml
similarity index 76%
rename from features/draft/spec/csp3.yml
rename to features/csp.yml
index d090f95d0e2..004ee3551a1 100644
--- a/features/draft/spec/csp3.yml
+++ b/features/csp.yml
@@ -1,8 +1,16 @@
-draft_date: 2024-10-21
-name: Content Security Policy Level 3
-description: TODO
+name: Content Security Policy (CSP)
+description: Content Security Policy (CSP) helps to mitigate certain security threats, including cross-site scripting (XSS) and clickjacking attacks. It consists of a set of directives from a website to a browser, which instruct the browser to restrict the things that the site is allowed to do.
 spec: https://w3c.github.io/webappsec-csp/
+caniuse:
+  - contentsecuritypolicy
+  - contentsecuritypolicy2
+group: security
+status:
+  compute_from: http.headers.Content-Security-Policy
 compat_features:
+  # - http.headers.Content-Security-Policy.block-all-mixed-content (deprecated in BCD)
+  # - http.headers.Content-Security-Policy.prefetch-src (deprecated in BCD)
+  # - http.headers.Content-Security-Policy.report-uri (deprecated in BCD)
   - api.CSPViolationReportBody
   - api.CSPViolationReportBody.blockedURL
   - api.CSPViolationReportBody.columnNumber
@@ -16,7 +24,9 @@ compat_features:
   - api.CSPViolationReportBody.sourceFile
   - api.CSPViolationReportBody.statusCode
   - api.CSPViolationReportBody.toJSON
+  - api.Document.securitypolicyviolation_event
   - api.Element.securitypolicyviolation_event
+  - api.HTMLIFrameElement.csp
   - api.SecurityPolicyViolationEvent
   - api.SecurityPolicyViolationEvent.SecurityPolicyViolationEvent
   - api.SecurityPolicyViolationEvent.blockedURI
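Review bot: The `spec:` key still points only at the CSP3 draft, yet this feature now also carries the Embedded Enforcement entries (`api.HTMLIFrameElement.csp`, `html.elements.iframe.csp`, added in the later hunks), which the deleted csp-embedded-enforcement.yml attributed to https://w3c.github.io/webappsec-cspee/ and whose generated .dist status is `baseline: false` with Chromium-only support (chrome 61, edge 79). If the schema allows a list here, `spec:` should cover both URLs; otherwise a comment beside those two entries, such as `# Embedded Enforcement (webappsec-cspee); Chromium-only, not part of the computed status`, would keep the feature honest for readers deciding whether to rely on `<iframe csp>`. Since `status.compute_from` ties the baseline to the bare `Content-Security-Policy` header, a reader could otherwise read "Baseline high" as covering every directive listed. The three `# - ... (deprecated in BCD)` lines are a useful record, but `report-uri` is still the reporting mechanism many deployed policies ship alongside `report-to`, so a short note on why it is excluded from tracking rather than listed would help.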
@@ -33,6 +43,8 @@ compat_features:
   - api.SecurityPolicyViolationEvent.violatedDirective
   - api.SecurityPolicyViolationEvent.worker_support
   - api.WorkerGlobalScope.securitypolicyviolation_event
+  - html.elements.iframe.csp
+  - html.elements.meta.http-equiv.content-security-policy
   - http.headers.Content-Security-Policy
   - http.headers.Content-Security-Policy-Report-Only
   - http.headers.Content-Security-Policy.base-uri
@@ -61,5 +73,6 @@ compat_features:
   - http.headers.Content-Security-Policy.style-src-attr
   - http.headers.Content-Security-Policy.style-src-elem
   - http.headers.Content-Security-Policy.unsafe-hashes
+  - http.headers.Content-Security-Policy.upgrade-insecure-requests
   - http.headers.Content-Security-Policy.worker-src
   - http.headers.Content-Security-Policy.worker_support
diff --git a/features/draft/spec/csp3.yml.dist b/features/csp.yml.dist
similarity index 85%
rename from features/draft/spec/csp3.yml.dist
rename to features/csp.yml.dist
index 134645efa5e..f52ec3db00b 100644
--- a/features/draft/spec/csp3.yml.dist
+++ b/features/csp.yml.dist
@@ -1,13 +1,20 @@
-# Generated from: csp3.yml
+# Generated from: csp.yml
 # Do not edit this file by hand. Edit the source file instead!
 
 status:
-  baseline: false
+  baseline: high
+  baseline_low_date: 2016-08-02
+  baseline_high_date: 2019-02-02
   support:
-    chrome: "97"
-    chrome_android: "97"
-    edge: "97"
+    chrome: "25"
+    chrome_android: "25"
+    edge: "14"
+    firefox: "23"
+    firefox_android: "23"
+    safari: "7"
+    safari_ios: "7"
 compat_features:
+  # ⬇️ Same status as overall feature ⬇️
   # baseline: high
   # baseline_low_date: 2016-08-02
   # baseline_high_date: 2019-02-02
@@ -82,6 +89,19 @@ compat_features:
   #     safari_ios: "9.3"
   - http.headers.Content-Security-Policy.child-src
 
+  # baseline: high
+  # baseline_low_date: 2017-06-06
+  # baseline_high_date: 2019-12-06
+  # support:
+  #   chrome: ≤59
+  #   chrome_android: "59"
+  #   edge: "12"
+  #   firefox: "1"
+  #   firefox_android: "4"
+  #   safari: ≤10.1
+  #   safari_ios: ≤10.3
+  - html.elements.meta.http-equiv.content-security-policy
+
   # baseline: high
   # baseline_low_date: 2018-01-23
   # baseline_high_date: 2020-07-23
@@ -95,6 +115,19 @@ compat_features:
   #     safari_ios: "9.3"
   - http.headers.Content-Security-Policy.frame-ancestors
 
+  # baseline: high
+  # baseline_low_date: 2018-04-30
+  # baseline_high_date: 2020-10-30
+  # support:
+  #   chrome: "43"
+  #   chrome_android: "43"
+  #   edge: "17"
+  #   firefox: "42"
+  #   firefox_android: "42"
+  #   safari: "10.1"
+  #   safari_ios: "10.3"
+  - http.headers.Content-Security-Policy.upgrade-insecure-requests
+
   # baseline: high
   # baseline_low_date: ≤2018-10-02
   # baseline_high_date: ≤2021-04-02
@@ -212,6 +245,19 @@ compat_features:
   #     safari_ios: "15.4"
   - http.headers.Content-Security-Policy.report-sample
 
+  # baseline: high
+  # baseline_low_date: 2022-03-14
+  # baseline_high_date: 2024-09-14
+  # support:
+  #   chrome: "76"
+  #   chrome_android: "76"
+  #   edge: "79"
+  #   firefox: "93"
+  #   firefox_android: "93"
+  #   safari: "15.4"
+  #   safari_ios: "15.4"
+  - api.Document.securitypolicyviolation_event
+
   # baseline: low
   # baseline_low_date: 2022-05-16
   # support:
@@ -303,6 +349,14 @@ compat_features:
   #     safari_ios: "16.4"
   - http.headers.Content-Security-Policy.report-to
 
+  # baseline: false
+  # support:
+  #   chrome: "61"
+  #   chrome_android: "61"
+  #   edge: "79"
+  - api.HTMLIFrameElement.csp
+  - html.elements.iframe.csp
+
   # baseline: false
   # support:
   #   chrome: "74"
diff --git a/features/draft/spec/csp-embedded-enforcement.yml b/features/draft/spec/csp-embedded-enforcement.yml
deleted file mode 100644
index 1d131cd574e..00000000000
--- a/features/draft/spec/csp-embedded-enforcement.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-draft_date: 2024-09-09
-name: "Content Security Policy: Embedded Enforcement"
-description: TODO
-spec: https://w3c.github.io/webappsec-cspee/
-compat_features:
-  - api.HTMLIFrameElement.csp
-  - html.elements.iframe.csp
diff --git a/features/draft/spec/csp-embedded-enforcement.yml.dist b/features/draft/spec/csp-embedded-enforcement.yml.dist
deleted file mode 100644
index e871842b3aa..00000000000
--- a/features/draft/spec/csp-embedded-enforcement.yml.dist
+++ /dev/null
@@ -1,12 +0,0 @@
-# Generated from: csp-embedded-enforcement.yml
-# Do not edit this file by hand. Edit the source file instead!
-
-status:
-  baseline: false
-  support:
-    chrome: "61"
-    chrome_android: "61"
-    edge: "79"
-compat_features:
-  - api.HTMLIFrameElement.csp
-  - html.elements.iframe.csp
diff --git a/groups/security.yml b/groups/security.yml
new file mode 100644
index 00000000000..46190ae8ac2
--- /dev/null
+++ b/groups/security.yml
@@ -0,0 +1,3 @@
+# Features related to web application security
+# See also SWAG CG https://github.com/w3c-cg/swag/issues/2
+name: Security