From 0646f0a423e68ac926604c88218e0e270010488b Mon Sep 17 00:00:00 2001
From: Florian Scholz
Date: Mon, 14 Oct 2024 14:22:53 +0200
Subject: [PATCH 1/3] Add CSP
---
features/{draft/spec/csp3.yml => csp.yml} | 38 ++++-
.../spec/csp3.yml.dist => csp.yml.dist} | 161 +++++++++++++++++-
.../draft/spec/csp-embedded-enforcement.yml | 7 -
.../spec/csp-embedded-enforcement.yml.dist | 12 --
groups/security.yml | 1 +
5 files changed, 187 insertions(+), 32 deletions(-)
rename features/{draft/spec/csp3.yml => csp.yml} (61%)
rename features/{draft/spec/csp3.yml.dist => csp.yml.dist} (64%)
delete mode 100644 features/draft/spec/csp-embedded-enforcement.yml
delete mode 100644 features/draft/spec/csp-embedded-enforcement.yml.dist
create mode 100644 groups/security.yml
diff --git a/features/draft/spec/csp3.yml b/features/csp.yml
similarity index 61%
rename from features/draft/spec/csp3.yml
rename to features/csp.yml
index 497915e3ecb..26762bfd5ce 100644
--- a/features/draft/spec/csp3.yml
+++ b/features/csp.yml
@@ -1,8 +1,17 @@
-draft_date: 2024-10-10
-name: Content Security Policy Level 3
-description: TODO
+name: Content Security Policy (CSP)
+description: Content-Security-Policy (CSP) controls the resources which a particular page can fetch or execute, as well as a number of security-relevant policy decisions. This helps guard against cross-site scripting attacks (XSS).
spec: https://w3c.github.io/webappsec-csp/
+caniuse:
+ - contentsecuritypolicy
+ - contentsecuritypolicy2
+group: security
+status:
+ compute_from: http.headers.Content-Security-Policy
compat_features:
+ - api.Document.securitypolicyviolation_event
+ - api.Element.securitypolicyviolation_event
+ - api.WorkerGlobalScope.securitypolicyviolation_event
+ - api.HTMLIFrameElement.csp
- api.CSPViolationReportBody
- api.CSPViolationReportBody.blockedURL
- api.CSPViolationReportBody.columnNumber
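Review bot: The `spec:` line keeps only https://w3c.github.io/webappsec-csp/, yet this hunk adds `api.HTMLIFrameElement.csp` to compat_features (and a later hunk adds `html.elements.iframe.csp`), the two keys that the deleted draft csp-embedded-enforcement.yml attributed to https://w3c.github.io/webappsec-cspee/. After the merge a reader of csp.yml has no way to see where the iframe `csp` attribute is specified, and the generated csp.yml.dist lists those keys with `baseline: false` and only Chromium-based support, so their status also diverges from the overall status computed via `compute_from: http.headers.Content-Security-Policy`. If the schema accepts a list for `spec:`, consider `spec:` followed by `  - https://w3c.github.io/webappsec-csp/` and `  - https://w3c.github.io/webappsec-cspee/`; if it does not, a trailing comment such as `- api.HTMLIFrameElement.csp # Embedded Enforcement, https://w3c.github.io/webappsec-cspee/` would preserve the link.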
@@ -16,9 +25,9 @@ compat_features:
- api.CSPViolationReportBody.sourceFile
- api.CSPViolationReportBody.statusCode
- api.CSPViolationReportBody.toJSON
- - api.Element.securitypolicyviolation_event
- api.SecurityPolicyViolationEvent
- api.SecurityPolicyViolationEvent.SecurityPolicyViolationEvent
+ - api.SecurityPolicyViolationEvent.worker_support
- api.SecurityPolicyViolationEvent.blockedURI
- api.SecurityPolicyViolationEvent.columnNumber
- api.SecurityPolicyViolationEvent.disposition
@@ -31,13 +40,17 @@ compat_features:
- api.SecurityPolicyViolationEvent.sourceFile
- api.SecurityPolicyViolationEvent.statusCode
- api.SecurityPolicyViolationEvent.violatedDirective
- - api.WorkerGlobalScope.securitypolicyviolation_event
- - http.headers.Content-Security-Policy
+ - html.elements.iframe.csp
+ - html.elements.meta.http-equiv.content-security-policy
- http.headers.Content-Security-Policy-Report-Only
+ - http.headers.Content-Security-Policy
+ - http.headers.Content-Security-Policy.worker_support
- http.headers.Content-Security-Policy.base-uri
+ # - http.headers.Content-Security-Policy.block-all-mixed-content (deprecated in BCD)
- http.headers.Content-Security-Policy.child-src
- http.headers.Content-Security-Policy.connect-src
- http.headers.Content-Security-Policy.default-src
+ - http.headers.Content-Security-Policy.fenced-frame-src # Should be moved to fenced-frame?
- http.headers.Content-Security-Policy.font-src
- http.headers.Content-Security-Policy.form-action
- http.headers.Content-Security-Policy.frame-ancestors
@@ -45,14 +58,25 @@ compat_features:
- http.headers.Content-Security-Policy.img-src
- http.headers.Content-Security-Policy.manifest-src
- http.headers.Content-Security-Policy.media-src
+ - http.headers.Content-Security-Policy.meta-element-support
- http.headers.Content-Security-Policy.object-src
+ # - http.headers.Content-Security-Policy.prefetch-src (deprecated in BCD)
+ - http.headers.Content-Security-Policy.report-sample
- http.headers.Content-Security-Policy.report-to
+ # - http.headers.Content-Security-Policy.report-uri (deprecated in BCD)
+ # - http.headers.Content-Security-Policy.require-trusted-types-for (already in trusted-types)
- http.headers.Content-Security-Policy.sandbox
- http.headers.Content-Security-Policy.script-src
+ - http.headers.Content-Security-Policy.script-src.external_scripts
+ - http.headers.Content-Security-Policy.script-src.inline-speculation-rules # Should be moved to speculation-rules?
+ - http.headers.Content-Security-Policy.script-src.wasm-unsafe-eval
- http.headers.Content-Security-Policy.script-src-attr
- http.headers.Content-Security-Policy.script-src-elem
- - http.headers.Content-Security-Policy.script-src.external_scripts
+ - http.headers.Content-Security-Policy.strict-dynamic
- http.headers.Content-Security-Policy.style-src
- http.headers.Content-Security-Policy.style-src-attr
- http.headers.Content-Security-Policy.style-src-elem
+ # - http.headers.Content-Security-Policy.trusted-types (already in trusted-types)
+ - http.headers.Content-Security-Policy.unsafe-hashes
+ - http.headers.Content-Security-Policy.upgrade-insecure-requests
- http.headers.Content-Security-Policy.worker-src
diff --git a/features/draft/spec/csp3.yml.dist b/features/csp.yml.dist
similarity index 64%
rename from features/draft/spec/csp3.yml.dist
rename to features/csp.yml.dist
index 94c383b28d8..0790ea89142 100644
--- a/features/draft/spec/csp3.yml.dist
+++ b/features/csp.yml.dist
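Review bot: The commented-out `# - http.headers.Content-Security-Policy.report-uri (deprecated in BCD)` leaves violation reporting represented only by `report-to` and `report-sample`, and the generated csp.yml.dist in this series marks `report-to` as `baseline: false`, so the feature's reporting story now rests on a directive that is not yet baseline. Deprecation in BCD does not by itself mean the directive is gone from deployed policies, and a reader of the file may take the omission for a missed key rather than a decision; a short rationale in the comment would settle that, e.g. `# - http.headers.Content-Security-Policy.report-uri (deprecated in BCD; intentionally not tracked here)`. The same applies to the `block-all-mixed-content` comment in the previous hunk and the `prefetch-src` comment in this one.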
@@ -1,13 +1,20 @@
-# Generated from: csp3.yml
+# Generated from: csp.yml
# Do not edit this file by hand. Edit the source file instead!
status:
- baseline: false
+ baseline: high
+ baseline_low_date: 2016-08-02
+ baseline_high_date: 2019-02-02
support:
- chrome: "80"
- chrome_android: "80"
- edge: "80"
+ chrome: "25"
+ chrome_android: "25"
+ edge: "14"
+ firefox: "23"
+ firefox_android: "23"
+ safari: "7"
+ safari_ios: "7"
compat_features:
+ # ⬇️ Same status as overall feature ⬇️
# baseline: high
# baseline_low_date: 2016-08-02
# baseline_high_date: 2019-02-02
@@ -82,6 +89,19 @@ compat_features:
# safari_ios: "9.3"
- http.headers.Content-Security-Policy.child-src
+ # baseline: high
+ # baseline_low_date: 2017-06-06
+ # baseline_high_date: 2019-12-06
+ # support:
+ # chrome: ≤59
+ # chrome_android: "59"
+ # edge: "12"
+ # firefox: "1"
+ # firefox_android: "4"
+ # safari: ≤10.1
+ # safari_ios: ≤10.3
+ - html.elements.meta.http-equiv.content-security-policy
+
# baseline: high
# baseline_low_date: 2018-01-23
# baseline_high_date: 2020-07-23
@@ -95,6 +115,32 @@ compat_features:
# safari_ios: "9.3"
- http.headers.Content-Security-Policy.frame-ancestors
+ # baseline: high
+ # baseline_low_date: 2018-04-30
+ # baseline_high_date: 2020-10-30
+ # support:
+ # chrome: "43"
+ # chrome_android: "43"
+ # edge: "17"
+ # firefox: "42"
+ # firefox_android: "42"
+ # safari: "10.1"
+ # safari_ios: "10.3"
+ - http.headers.Content-Security-Policy.upgrade-insecure-requests
+
+ # baseline: high
+ # baseline_low_date: ≤2018-10-02
+ # baseline_high_date: ≤2021-04-02
+ # support:
+ # chrome: "25"
+ # chrome_android: "25"
+ # edge: ≤18
+ # firefox: "45"
+ # firefox_android: "45"
+ # safari: "7"
+ # safari_ios: "7"
+ - http.headers.Content-Security-Policy.meta-element-support
+
# baseline: high
# baseline_low_date: 2018-10-23
# baseline_high_date: 2021-04-23
@@ -147,6 +193,19 @@ compat_features:
# safari_ios: "11"
- http.headers.Content-Security-Policy.manifest-src
+ # baseline: high
+ # baseline_low_date: ≤2020-01-15
+ # baseline_high_date: ≤2022-07-15
+ # support:
+ # chrome: "56"
+ # chrome_android: "56"
+ # edge: ≤79
+ # firefox: "50"
+ # firefox_android: "50"
+ # safari: "10"
+ # safari_ios: "10"
+ - http.headers.Content-Security-Policy.worker_support
+
# baseline: high
# baseline_low_date: 2021-09-20
# baseline_high_date: 2024-03-20
@@ -173,6 +232,32 @@ compat_features:
# safari_ios: "15"
- api.SecurityPolicyViolationEvent.sample
+ # baseline: high
+ # baseline_low_date: 2022-03-14
+ # baseline_high_date: 2024-09-14
+ # support:
+ # chrome: "59"
+ # chrome_android: "59"
+ # edge: ≤79
+ # firefox: "63"
+ # firefox_android: "63"
+ # safari: "15.4"
+ # safari_ios: "15.4"
+ - http.headers.Content-Security-Policy.report-sample
+
+ # baseline: high
+ # baseline_low_date: 2022-03-14
+ # baseline_high_date: 2024-09-14
+ # support:
+ # chrome: "76"
+ # chrome_android: "76"
+ # edge: "79"
+ # firefox: "93"
+ # firefox_android: "93"
+ # safari: "15.4"
+ # safari_ios: "15.4"
+ - api.Document.securitypolicyviolation_event
+
# baseline: low
# baseline_low_date: 2022-05-16
# support:
@@ -185,6 +270,18 @@ compat_features:
# safari_ios: "15.5"
- http.headers.Content-Security-Policy.worker-src
+ # baseline: low
+ # baseline_low_date: 2022-09-12
+ # support:
+ # chrome: "97"
+ # chrome_android: "97"
+ # edge: "97"
+ # firefox: "102"
+ # firefox_android: "102"
+ # safari: "16"
+ # safari_ios: "16"
+ - http.headers.Content-Security-Policy.script-src.wasm-unsafe-eval
+
# baseline: low
# baseline_low_date: 2022-12-13
# support:
@@ -200,6 +297,18 @@ compat_features:
- http.headers.Content-Security-Policy.style-src-attr
- http.headers.Content-Security-Policy.style-src-elem
+ # baseline: low
+ # baseline_low_date: 2023-01-17
+ # support:
+ # chrome: "69"
+ # chrome_android: "69"
+ # edge: "79"
+ # firefox: "109"
+ # firefox_android: "109"
+ # safari: "15.4"
+ # safari_ios: "15.4"
+ - http.headers.Content-Security-Policy.unsafe-hashes
+
# baseline: low
# baseline_low_date: 2023-08-01
# support:
@@ -212,6 +321,25 @@ compat_features:
# safari_ios: "15.6"
- http.headers.Content-Security-Policy.script-src.external_scripts
+ # baseline: false
+ # support:
+ # chrome: "52"
+ # chrome_android: "52"
+ # edge: "79"
+ # firefox: "52"
+ # safari: "15.4"
+ # safari_ios: "15.4"
+ - http.headers.Content-Security-Policy.strict-dynamic
+
+ # baseline: false
+ # support:
+ # chrome: "56"
+ # chrome_android: "56"
+ # edge: "15"
+ # firefox: "63"
+ # firefox_android: "63"
+ - api.SecurityPolicyViolationEvent.worker_support
+
# baseline: false
# support:
# chrome: "70"
@@ -221,6 +349,14 @@ compat_features:
# safari_ios: "16.4"
- http.headers.Content-Security-Policy.report-to
+ # baseline: false
+ # support:
+ # chrome: "61"
+ # chrome_android: "61"
+ # edge: "79"
+ - api.HTMLIFrameElement.csp
+ - html.elements.iframe.csp
+
# baseline: false
# support:
# chrome: "74"
@@ -239,10 +375,23 @@ compat_features:
- api.CSPViolationReportBody.sourceFile
- api.CSPViolationReportBody.statusCode
- # ⬇️ Same status as overall feature ⬇️
# baseline: false
# support:
# chrome: "80"
# chrome_android: "80"
# edge: "80"
- api.CSPViolationReportBody.toJSON
+
+ # baseline: false
+ # support:
+ # chrome: "110"
+ # chrome_android: "110"
+ # edge: "110"
+ - http.headers.Content-Security-Policy.script-src.inline-speculation-rules
+
+ # baseline: false
+ # support:
+ # chrome: "117"
+ # chrome_android: "117"
+ # edge: "117"
+ - http.headers.Content-Security-Policy.fenced-frame-src
diff --git a/features/draft/spec/csp-embedded-enforcement.yml b/features/draft/spec/csp-embedded-enforcement.yml
deleted file mode 100644
index 1d131cd574e..00000000000
--- a/features/draft/spec/csp-embedded-enforcement.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-draft_date: 2024-09-09
-name: "Content Security Policy: Embedded Enforcement"
-description: TODO
-spec: https://w3c.github.io/webappsec-cspee/
-compat_features:
- - api.HTMLIFrameElement.csp
- - html.elements.iframe.csp
diff --git a/features/draft/spec/csp-embedded-enforcement.yml.dist b/features/draft/spec/csp-embedded-enforcement.yml.dist
deleted file mode 100644
index e871842b3aa..00000000000
--- a/features/draft/spec/csp-embedded-enforcement.yml.dist
+++ /dev/null
@@ -1,12 +0,0 @@
-# Generated from: csp-embedded-enforcement.yml
-# Do not edit this file by hand. Edit the source file instead!
-
-status:
- baseline: false
- support:
- chrome: "61"
- chrome_android: "61"
- edge: "79"
-compat_features:
- - api.HTMLIFrameElement.csp
- - html.elements.iframe.csp
diff --git a/groups/security.yml b/groups/security.yml
new file mode 100644
index 00000000000..2b7f2047755
--- /dev/null
+++ b/groups/security.yml
@@ -0,0 +1 @@
+name: Security
From f0531d24f35d31e6bb981a87e03f7968c1993e1c Mon Sep 17 00:00:00 2001
From: Florian Scholz
Date: Thu, 17 Oct 2024 13:11:41 +0200
Subject: [PATCH 2/3] Add group desc; update feature desc; remove keys belonging elsewhere
---
features/csp.yml | 6 +-----
groups/security.yml | 2 ++
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/features/csp.yml b/features/csp.yml
index 26762bfd5ce..e6f564a3378 100644
--- a/features/csp.yml
+++ b/features/csp.yml
@@ -1,5 +1,5 @@
name: Content Security Policy (CSP)
-description: Content-Security-Policy (CSP) controls the resources which a particular page can fetch or execute, as well as a number of security-relevant policy decisions. This helps guard against cross-site scripting attacks (XSS).
+description: Content Security Policy (CSP) helps to mitigate certain security threats, including cross-site scripting (XSS) and clickjacking attacks. It consists of a set of directives from a website to a browser, which instruct the browser to restrict the things that the site is allowed to do.
spec: https://w3c.github.io/webappsec-csp/
caniuse:
- contentsecuritypolicy
@@ -50,7 +50,6 @@ compat_features:
- http.headers.Content-Security-Policy.child-src
- http.headers.Content-Security-Policy.connect-src
- http.headers.Content-Security-Policy.default-src
- - http.headers.Content-Security-Policy.fenced-frame-src # Should be moved to fenced-frame?
- http.headers.Content-Security-Policy.font-src
- http.headers.Content-Security-Policy.form-action
- http.headers.Content-Security-Policy.frame-ancestors
@@ -64,11 +63,9 @@ compat_features:
- http.headers.Content-Security-Policy.report-sample
- http.headers.Content-Security-Policy.report-to
# - http.headers.Content-Security-Policy.report-uri (deprecated in BCD)
- # - http.headers.Content-Security-Policy.require-trusted-types-for (already in trusted-types)
- http.headers.Content-Security-Policy.sandbox
- http.headers.Content-Security-Policy.script-src
- http.headers.Content-Security-Policy.script-src.external_scripts
- - http.headers.Content-Security-Policy.script-src.inline-speculation-rules # Should be moved to speculation-rules?
- http.headers.Content-Security-Policy.script-src.wasm-unsafe-eval
- http.headers.Content-Security-Policy.script-src-attr
- http.headers.Content-Security-Policy.script-src-elem
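Review bot: The new `description:` closes with "restrict the things that the site is allowed to do", which is vaguer than the rest of the sentence and does not say what the directives listed below actually govern. A wording that names the mechanism would serve readers better, e.g. `...which instruct the browser to restrict which resources the page may load and which scripts it may run.` The threats named in the first sentence (XSS and clickjacking) are consistent with the directives in the file, `script-src` and `frame-ancestors` in particular, so that part is fine as written.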
@@ -76,7 +73,6 @@ compat_features:
- http.headers.Content-Security-Policy.style-src
- http.headers.Content-Security-Policy.style-src-attr
- http.headers.Content-Security-Policy.style-src-elem
- # - http.headers.Content-Security-Policy.trusted-types (already in trusted-types)
- http.headers.Content-Security-Policy.unsafe-hashes
- http.headers.Content-Security-Policy.upgrade-insecure-requests
- http.headers.Content-Security-Policy.worker-src
diff --git a/groups/security.yml b/groups/security.yml
index 2b7f2047755..46190ae8ac2 100644
--- a/groups/security.yml
+++ b/groups/security.yml
@@ -1 +1,3 @@
+# Features related to web application security
+# See also SWAG CG https://github.com/w3c-cg/swag/issues/2
name: Security
From d5bdc9dd54f162fa3895fff6dca5d79a361022d7 Mon Sep 17 00:00:00 2001
From: Florian Scholz
Date: Thu, 17 Oct 2024 13:14:08 +0200
Subject: [PATCH 3/3] npm run dist
---
features/csp.yml.dist | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/features/csp.yml.dist b/features/csp.yml.dist
index 0790ea89142..f52ec3db00b 100644
--- a/features/csp.yml.dist
+++ b/features/csp.yml.dist
@@ -381,17 +381,3 @@ compat_features:
# chrome_android: "80"
# edge: "80"
- api.CSPViolationReportBody.toJSON
-
- # baseline: false
- # support:
- # chrome: "110"
- # chrome_android: "110"
- # edge: "110"
- - http.headers.Content-Security-Policy.script-src.inline-speculation-rules
-
- # baseline: false
- # support:
- # chrome: "117"
- # chrome_android: "117"
- # edge: "117"
- - http.headers.Content-Security-Policy.fenced-frame-src