Skip to main content

Initial Assignment for the Content Security Policy Directives Registry
draft-west-webappsec-csp-reg-04

The information below is for an old version of the document that is already published as an RFC.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7762.
Author Mike West
Last updated 2016-01-28 (Latest revision 2015-11-20)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Informational
Formats
Reviews
Stream WG state (None)
Document shepherd Mark Nottingham
Shepherd write-up Show Last changed 2015-10-11
IESG IESG state Became RFC 7762 (Informational)
Action Holders
(None)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Barry Leiba
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
draft-west-webappsec-csp-reg-04
Network Working Group                                            M. West
Internet-Draft                                               Google, Inc
Intended status: Informational                         November 20, 2015
Expires: May 23, 2016

  Initial Assignment for a Content Security Policy Directive Registry
                    draft-west-webappsec-csp-reg-04

Abstract

   This document establishes an Internet Assigned Number Authority
   (IANA) registry for Content Security Policy directives, and populates
   that registry with the directives defined in the Content Security
   Policy Level 2 specification.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 23, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

West                      Expires May 23, 2016                  [Page 1]
Internet-Draft              webappsec-csp-reg              November 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Use of the Registry . . . . . . . . . . . . . . . . . . . . .   2
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   2
     3.1.  Content Security Policy directives Registry . . . . . . .   3
     3.2.  Registration Policy for Content Security Policy
           directives  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   5
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   The Content Security Policy specification [CSP] defines a mechanism
   by which web developers can control the resources which a particular
   page can fetch or execute, as well as a number of security-relevant
   policy decisions.

   The policy language specified in that document consists of an
   extensible set of "directives", each of which controls a specific
   resource type or policy decision.  This specification establishes a
   registry to ensure that extensions to CSP are listed and
   standardized.

2.  Use of the Registry

   Content Security Policy directives must be documented in a readily
   available public specification in order to be registered by IANA.
   This documentation must fully explain the syntax, intended usage, and
   semantics of the directive.  The intent of this requirement is to
   assure interoperable independent implementations, and to prevent
   accidental namespace collisions between implementations of dissimilar
   features.

   Documents defining new Content Security Policy directives must
   register them with IANA, as described in Section 3.  The IANA
   registration policy for such parameters is "Specification Required"
   [RFC5226], and is further discussed in Section 3.2.

3.  IANA Considerations

   This specification creates a new top-level IANA registry named
   "Content Security Policy directives".

West                      Expires May 23, 2016                  [Page 2]
Internet-Draft              webappsec-csp-reg              November 2015

3.1.  Content Security Policy directives Registry

   New Content Security Policy directives, and updates to existing
   directives, must be registered with IANA.

   When registering a new Content Security Policy directive, the
   following information must be provided:

   o  The directive's name, an ASCII string conforming to the
      "directive-name" rule specified in Section 4.1 of [CSP].  The ABNF
      [RFC5234] is as follows:

   directive-name  = 1*( ALPHA / DIGIT / "-" )

   o  A reference to the readily available public specification defining
      the new directive's syntax, usage, and semantics.

   The following table contains the initial values for this registry:

                      +-----------------+-----------+
                      | Directive Name  | Reference |
                      +-----------------+-----------+
                      | base-uri        | [CSP]     |
                      | child-src       | [CSP]     |
                      | connect-src     | [CSP]     |
                      | default-src     | [CSP]     |
                      | font-src        | [CSP]     |
                      | form-action     | [CSP]     |
                      | frame-ancestors | [CSP]     |
                      | frame-src       | [CSP]     |
                      | img-src         | [CSP]     |
                      | media-src       | [CSP]     |
                      | object-src      | [CSP]     |
                      | plugin-types    | [CSP]     |
                      | report-uri      | [CSP]     |
                      | sandbox         | [CSP]     |
                      | script-src      | [CSP]     |
                      | style-src       | [CSP]     |
                      +-----------------+-----------+

3.2.  Registration Policy for Content Security Policy directives

   The registration policy for Content Security Policy directives is
   "Specification Required" [RFC5226], which uses a designated expert to
   review the specification.

West                      Expires May 23, 2016                  [Page 3]
Internet-Draft              webappsec-csp-reg              November 2015

   When appointing an Expert (or Experts), the IESG SHOULD draw from the
   W3C's security community, coordinating through the liaison.

   The designated expert, when deliberating on whether to include a new
   directive in the registry, should consider the following criteria.
   This is not an exhaustive list, but representative of the issues to
   consider when rendering a decision:

   o  Content Security Policy is a restrictive feature, which allows web
      developers to deny themselves access to resources and APIs which
      would otherwise be available.  Deploying Content Security Policy
      is, therefore, a strict reduction in risk.  The expert should
      carefully consider whether proposed directives would violate this
      property.

   o  Granular directives are valuable, but the expert should strive to
      strike a reasonable balance between providing developers with all
      the knobs and switches possible, and providing only those with
      known security implications.

4.  Security Considerations

   The registry in this document does not in itself have security
   implications.  The directives specified, however, certainly do.  The
   documents referenced when registering new directives must contain
   detailed security and privacy considerations sections, and should
   contain usage information which informs web developers as to the
   directive's expected implementation.

5.  References

5.1.  Normative References

   [CSP]      West, M., Barth, A., and D. Veditz, "Content Security
              Policy Level 2", n.d., <https://www.w3.org/TR/CSP2>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/
              RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

West                      Expires May 23, 2016                  [Page 4]
Internet-Draft              webappsec-csp-reg              November 2015

5.2.  Informative References

   [RFC5341]  Jennings, C. and V. Gurbani, "The Internet Assigned Number
              Authority (IANA) tel Uniform Resource Identifier (URI)
              Parameter Registry", RFC 5341, DOI 10.17487/RFC5341,
              September 2008, <http://www.rfc-editor.org/info/rfc5341>.

Appendix A.  Acknowledgements

   Much of this document's structure comes from [RFC5341].  Thank you to
   Cullen Jennings and Vijay K.  Gurbani for giving me a reasonable
   template to work within, and to Barry Leiba for his helpful
   commentary and suggestions.

Author's Address

   Mike West
   Google, Inc

   Email: mkwst@google.com
   URI:   https://mikewest.org/

West                      Expires May 23, 2016                  [Page 5]