path: root/dom/security/fuzztest/csp_fuzzer.dict
# Fuzzer dictionary for the Content-Security-Policy (CSP) parser fuzz target.
# Format (AFL/libFuzzer dictionary syntax): one double-quoted token per line;
# lines starting with '#' are comments. Keep comments on their own lines at
# column 0 -- do not append a comment after a quoted entry.
# The entries are hints the fuzzer's mutators can splice into inputs so that
# policy strings reach deeper parser states than random bytes would.

### dom/security/nsCSPParser.cpp
# tokens
# Single-character delimiters and punctuation, listed under the parser source
# named above. Presumably these mirror the characters that parser tests for
# -- confirm against nsCSPParser.cpp when updating.
":"
";"
"/"
"+"
"-"
"."
"_"
"~"
"*"
"'"
"#"
"?"
"%"
"!"
"$"
"&"
"("
")"
"="
"@"

### https://www.w3.org/TR/{CSP,CSP2,CSP3}/
# directive names
# Drawn from several revisions of the CSP specification (see URL above), so
# the list mixes current directives with names from older drafts.
# NOTE(review): whether the parser still recognises every name here is not
# visible from this file; unrecognised names still exercise the
# unknown-directive handling.
"default-src"
"script-src"
"object-src"
"style-src"
"img-src"
"media-src"
"frame-src"
"font-src"
"connect-src"
"report-uri"
"frame-ancestors"
"reflected-xss"
"base-uri"
"form-action"
"manifest-src"
"upgrade-insecure-requests"
"child-src"
"block-all-mixed-content"
"sandbox"
"worker-src"
"plugin-types"
"disown-opener"
"report-to"

# directive values
# Keyword sources keep their single quotes because the quotes are part of the
# token as written in a policy.
# The nonce-/sha* entries carry short, syntactically valid base64 payloads
# (one or two encoded bytes, with and without '/' and '=' padding). They are
# placeholders that reach the nonce/hash-source parsing paths, not digests of
# any real content.
# NOTE(review): later CSP3 drafts spell 'unsafe-hashed-attributes' as
# 'unsafe-hashes'; consider adding that spelling if the parser accepts it.
"'self'"
"'unsafe-inline'"
"'unsafe-eval'"
"'none'"
"'strict-dynamic'"
"'unsafe-hashed-attributes'"
"'nonce-AA=='"
"'sha256-fw=='"
"'sha384-/w=='"
"'sha512-//8='"

# subresources
# HTML element names. How the fuzz target consumes these is not visible from
# this file -- TODO confirm they are still needed.
"a"
"audio"
"embed"
"iframe"
"img"
"link"
"object"
"script"
"source"
"style"
"track"
"video"

# sandboxing flags
# Values for the "sandbox" directive listed above.
# NOTE(review): this is a subset of the flags defined for iframe sandboxing
# (e.g. allow-modals and allow-popups-to-escape-sandbox are absent); confirm
# against the flags the sandbox parser accepts.
"allow-forms"
"allow-pointer-lock"
"allow-popups"
"allow-same-origin"
"allow-scripts"
"allow-top-navigation"
"allow-top-navigation-by-user-activation"

# URI components
# Scheme sources, a scheme-plus-authority prefix, a hostname, and IPv4/IPv6
# loopback literals, so host-source parsing sees schemes, dotted names and
# colon-separated addresses.
# "selfuri.com" presumably matches the self URI the fuzz target configures --
# verify against the target's source.
"https:"
"ws:"
"blob:"
"data:"
"filesystem:"
"javascript:"
"http://"
"selfuri.com"
"127.0.0.1"
"::1"