Cross-Origin Resource Policy (CORP) - HTTP
cross-origin resource policy is a policy set by the cross-origin-resource-policy http header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like spectre, as well as cross-site script inclusion attacks.
... corp is an additional layer of protection beyond the default same-origin policy.
... cross-origin resource policy complements cross-origin read blocking (corb), which is a mechanism to prevent some cross-origin reads by default.
...And 6 more matches

HTMLIFrameElement.referrerPolicy - Web APIs
the htmliframeelement.referrerpolicy property reflects the html referrerpolicy attribute of the <iframe> element defining which referrer is sent when fetching the resource.
... syntax refstr = iframeelt.referrerpolicy; iframeelt.referrerpolicy = refstr; values no-referrer the referer header will be omitted entirely.
... no-referrer-when-downgrade (default) this is the user agent's default behavior if no policy is specified.
...And 5 more matches

Feature-Policy: fullscreen - HTTP
the http feature-policy header fullscreen directive controls whether the current document is allowed to use element.requestfullscreen().
... when this policy is enabled, the returned promise rejects with a typeerror.
... syntax feature-policy: fullscreen <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 5 more matches

FeaturePolicy - Web APIs
the featurepolicy interface of the feature policy api represents the set of policies applied to the current execution context.
... featurepolicy methods featurepolicy.allowsfeature returns a boolean that indicates whether or not a particular feature is enabled in the specified context.
... featurepolicy.features returns a list of names of all features supported by the user agent.
...And 4 more matches

HTMLAnchorElement.referrerPolicy - Web APIs
the htmlanchorelement.referrerpolicy property reflect the html referrerpolicy attribute of the <a> element defining which referrer is sent when fetching the resource.
... syntax refstr = anchorelt.referrerpolicy; anchorelt.referrerpolicy = refstr; values "no-referrer" meaning that the referer: http header will not be sent.
... examples var elt = document.createelement("a"); var linktext = document.createtextnode("my link"); elt.appendchild(linktext); elt.href = "https://developer.mozilla.org/"; elt.referrerpolicy = "no-referrer"; var div = document.getelementbyid("divaround"); div.appendchild(elt); // when clicked, the link will not send a referrer header.
...And 3 more matches

HTMLAreaElement.referrerPolicy - Web APIs
the htmlareaelement.referrerpolicy property reflect the html referrerpolicy attribute of the <area> element defining which referrer is sent when fetching the resource.
... syntax refstr = areaelt.referrerpolicy; areaelt.referrerpolicy = refstr; values "no-referrer" meaning that the referer: http header will not be sent.
... examples <img usemap="#maparound" width="100" height="100" src="/img/logo@2x.png" /> <map id="mymap" name="maparound" />> var elt = document.createelement("area"); elt.href = "/img2.png"; elt.shape = "rect"; elt.referrerpolicy = "no-referrer"; elt.coords = "0,0,100,100"; var map = document.getelementbyid("mymap"); map.appendchild(elt); // when clicked, the area's link will not send a referrer header.
...And 3 more matches

Cross-Origin-Embedder-Policy - HTTP
the http cross-origin-embedder-policy (coep) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using corp or cors).
... header type response header forbidden header name no syntax cross-origin-embedder-policy: unsafe-none | require-corp directives unsafe-none this is the default value.
... allows the document to fetch cross-origin resources without giving explicit permission through the cors protocol or the cross-origin-resource-policy header.
...And 3 more matches

Feature-Policy: encrypted-media - HTTP
the http feature-policy header encrypted-media directive controls whether the current document is allowed to use the encrypted media extensions api (eme).
... when this policy is enabled, the promise returned by navigator.requestmediakeysystemaccess() will reject with a domexception.
... syntax feature-policy: encrypted-media <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 3 more matches

Feature-Policy: geolocation - HTTP
the http feature-policy header geolocation directive controls whether the current document is allowed to use the geolocation interface.
... when this policy is enabled, calls to getcurrentposition() and watchposition() will cause those functions' callbacks to be invoked with a positionerror code of permission_denied.
... syntax feature-policy: geolocation <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 3 more matches

Feature-Policy: payment - HTTP
the http feature-policy header field's payment directive controls whether the current document is allowed to use the payment request api.
... when this policy is disabled, the paymentrequest() constructor will throw a syntaxerror.
... syntax feature-policy: payment <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 3 more matches

FeaturePolicy.features() - Web APIs
the features() method of the featurepolicy interface returns a list of names of all features supported by the user agent.
... feature whose name appears on the list might not be allowed by the feature policy of the current execution context and/or might not be accessible because of user's permissions.
... syntax const supportedfeatures = featurepolicy.features() parameters none.
...And 2 more matches

FeaturePolicy.getAllowlistForFeature() - Web APIs
the getallowlistforfeature() method of the featurepolicy allows query of the allow list for a specific feature for the current feature policy.
... syntax const allowlist = featurepolicy.getallowlistforfeature(<feature>) parameter feature name a specific feature name must be specified.
... errors the function will raise a warning if the specified feature policy directive name is not known.
...And 2 more matches

HTMLImageElement.referrerPolicy - Web APIs
the htmlimageelement.referrerpolicy property reflects the html referrerpolicy attribute of the <img> element defining which referrer is sent when fetching the resource.
... syntax refstr = imgelt.referrerpolicy; imgelt.referrerpolicy = refstr; values a domstring representing the referrer policy.
... examples var img = new image(); img.src = 'img/logo.png'; img.referrerpolicy = 'origin'; var div = document.getelementbyid('divaround'); div.appendchild(img); // fetch the image using the origin as the referrer specifications specification status comment referrer policythe definition of 'referrerpolicy attribute' in that specification.
...And 2 more matches

Feature-Policy: autoplay - HTTP
the http feature-policy header autoplay directive controls whether the current document is allowed to autoplay media requested through the htmlmediaelement interface.
... when this policy is enabled and there were no user gestures, the promise returned by htmlmediaelement.play() will reject with a domexception.
... syntax feature-policy: autoplay <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 2 more matches

Feature-Policy: battery - HTTP
the http feature-policy header battery directive controls whether the current document is allowed to gather information about the acceleration of the device through the batterymanager interface obtained via navigator.getbattery().
... syntax feature-policy: battery <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is 'self'.
...And 2 more matches

Feature-Policy: camera - HTTP
the http feature-policy header camera directive controls whether the current document is allowed to use video input devices.
... when this policy is enabled, the promise returned by mediadevices.getusermedia() will reject with a notallowederror.
... syntax feature-policy: camera <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 2 more matches

Feature-Policy: display-capture - HTTP
the http feature-policy header display-capture directive controls whether or not the document is permitted to use screen capture api, i.e.,getdisplaymedia() to capture the screen's contents.
... syntax feature-policy: display-capture <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default alowlist is 'self'.
...And 2 more matches

Feature-Policy: midi - HTTP
the http feature-policy header midi directive controls whether the current document is allowed to use the web midi api.
... when this policy is enabled, the promise returned by navigator.requestmidiaccess() will reject with a domexception.
... syntax feature-policy: midi <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 2 more matches

Feature-Policy: publickey-credentials-get - HTTP
the http feature-policy header publickey-credentials-get directive controls whether the current document is allowed to access web authentcation api to create new public-key credentials, i.e, via navigator.credentials.get({publickey: ..., ...}).
... when this policy is enabled, any attempt to query public key credentials will result in an error.
... syntax feature-policy: publickey-credentials-get <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 2 more matches

Feature-Policy: sync-xhr - HTTP
the http feature-policy header sync-xhr directive controls whether the current document is allowed to make synchronous xmlhttprequest requests.
... syntax feature-policy: sync-xhr <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy by default the policy is set to *, which means synchronous requests are allowed in all frames.
...And 2 more matches

Feature-Policy: usb - HTTP
the http feature-policy header usb directive controls whether the current document is allowed to use the webusb api.
... syntax feature-policy: usb <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is 'self'.
...And 2 more matches

Feature-Policy: xr-spatial-tracking - HTTP
the http feature-policy header xr-spatial-tracking directive controls whether the current document is allowed to use the webxr device api.
... this policy controls whether navigator.xr.requestsession() can return xrsession that requires spatial tracking and whether user agent can indicate support for sessions supporting spatial tracking via navigator.xr.issessionsupported() and devicechange event on navigator.xr object.
... syntax feature-policy: xr-spatial-tracking <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
...And 2 more matches

nsIChannelPolicy
netwerk/base/public/nsichannelpolicy.idlscriptable a container for policy information to be used during channel creation.
... 1.0 66 introduced gecko 2.0 inherits from: nsisupports last changed in gecko 2.0 (firefox 4 / thunderbird 3.3 / seamonkey 2.1) this interface exists to allow the content policy mechanism to function properly during channel redirects.
...attributes attribute type description contentsecuritypolicy nsisupports a nsicontentsecuritypolicy object to determine if the load should be allowed.
... loadtype unsigned long indicates what type of content is being loaded, for example nsicontentpolicy::type_image.

FeaturePolicy.allowedFeatures() - Web APIs
the allowedfeatures() method of the featurepolicy interface returns a list of directive names of all features allowed by the feature policy.enables introspection of individual directives of the feature policy it is run on.
... syntax const allowed = featurepolicy.allowedfeatures() parameters none.
... return value an array of strings representing the feature policy directive names that are allowed by the feature policy this method is called on.
... // first, get the feature policy object const featurepolicy = document.featurepolicy // then query feature for specific const allowed = featurepolicy.allowedfeatures() for (const directive of allowed){ console.log(directive) } specifications specification status comment feature policythe definition of 'allowsfeature' in that specification.

FeaturePolicy.allowsFeature() - Web APIs
the allowsfeature() method of the featurepolicy interface enables introspection of individual directives of the feature policy it is run on.
... syntax const allowed = featurepolicy.allowsfeature(<feature>) or const allowed = featurepolicy.allowsfeature(<feature>, <origin>) parameters feature name a specific feature name must be specified.
... example the following example queries whether or not the document is allowed to use camera api by the feature policy.
... // first, get the feature policy object const featurepolicy = document.featurepolicy // then query feature for specific const allowed = featurepolicy.allowsfeature("camera") if (allowed){ console.log("fp allows camera.") } else { console.log("fp does not allows camera.") } specifications specification status comment feature policythe definition of 'allowsfeature' in that specification.

RTCConfiguration.iceTransportPolicy - Web APIs
the webrtc device api dictionary rtcconfiguration's icetransportpolicy property is a string indicating the transport selection policy the ice agent should use during negotiation of connections.
... its value must come from the rtcicetransportpolicy enumerated type.
... syntax let rtcconfiguration = { icetransportpolicy: policy }; rtcconfiguration.icetransportpolicy = policy; let policy = rtcconfiguration.icetransportpolicy; value a domstring which indicates what ice candidate policy the ice agent should use during the negotiation process, per the jsep standard.
... let config = { iceservers: [ { urls: [ "stun:stun.example.com" ] }, ], icetransportpolicy: "relay" }; let pc = new rtcpeerconnection(config); specifications specification status comment webrtc 1.0: real-time communication between browsersthe definition of 'rtccandidate.icetransportpolicy' in that specification.

Request.referrerPolicy - Web APIs
the referrerpolicy read-only property of the request interface returns the referrer policy, which governs what referrer information, sent in the referer header, should be included with the request.
... syntax var myreferrerpolicy = request.referrerpolicy; value a domstring representing the request's referrerpolicy.
... for more information and possible values, see the referrer-policy http header page.
... example in the following snippet, we create a new request using the request.request() constructor (for an image file in the same directory as the script), then save the request referrer policy in a variable: var myrequest = new request('flowers.jpg'); var myreferrer = myrequest.referrerpolicy; // returns "" by default specifications specification status comment fetchthe definition of 'referrerpolicy' in that specification.

Cross-Origin-Opener-Policy - HTTP
the http cross-origin-opener-policy (coop) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
... header type response header forbidden header name no syntax cross-origin-opener-policy: unsafe-none | same-origin-allow-popups | same-origin directives unsafe-none this is the default value.
... cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp see also the cross-origin-embedder-policy header which you'll need to set as well.
... to check if cross-origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if (crossoriginisolated) { // post sharedarraybuffer } else { // do something else } specifications specification html living standardthe definition of 'cross-origin-opener-policy header' in that specification.

Cross-Origin-Resource-Policy - HTTP
note: due to a bug in chrome, setting cross-origin-resource-policy can break pdf rendering, preventing visitors from being able to read past the first page of some pdfs.
... due to a bug in firefox, setting cross-origin-resource-policy can prevent some resources (such as pdfs) from being downloaded in some circumstances.
... the http cross-origin-resource-policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.
... header type response header forbidden header name no syntax cross-origin-resource-policy: same-site | same-origin | cross-origin examples the response header below will cause compatible user agents to disallow cross-origin no-cors requests: cross-origin-resource-policy: same-origin for more examples, see https://resourcepolicy.fyi/.

Feature-Policy: accelerometer - HTTP
the http feature-policy header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the accelerometer interface.
... syntax feature-policy: accelerometer <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is 'self'.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: ambient-light-sensor - HTTP
the http feature-policy header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the ambientlightsensor interface.
... syntax feature-policy: ambient-light-sensor <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is 'self'.
... specification specification status comment feature policy editor's draft initial definition.

Feature-Policy: document-domain - HTTP
the http feature-policy header document-domain directive controls whether the current document is allowed to set document.domain.
... when this policy is enabled, attempting to set document.domain will fail and cause a securityerror domexception to be be thrown.
... syntax feature-policy: document-domain <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is *.

Feature-Policy: microphone - HTTP
the http feature-policy header microphone directive controls whether the current document is allowed to use audio input devices.
... when this policy is enabled, the promise returned by mediadevices.getusermedia() will reject with a notallowederror.
... syntax feature-policy: microphone <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: picture-in-picture - HTTP
the http feature-policy header picture-in-picture directive controls whether the current document is allowed to play a video in a picture-in-picture mode via the corresponding api.
... syntax feature-policy: picture-in-picture <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy as of june 2019, the spec draft and google chrome set default allow list to *.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: screen-wake-lock - HTTP
the http feature-policy header screen-wake-lock directive controls whether the current document is allowed to use screen wake lock api to indicate that device should not dim or turn off the screen.
... syntax feature-policy: screen-wake-lock <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy default allow list for screen-wake-lock is 'self'.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: wake-lock - HTTP
the http feature-policy header wake-lock directive controls whether the current document is allowed to use wake lock api to indicate that device should not enter power-saving mode.
... syntax feature-policy: wake-lock <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy default allow list for wake-lock is 'self'.
... specifications specification status comment feature policy editor's draft initial definition.

Same-origin policy for file: URIs - Archive of obsolete content
this policy affects anything that does same-origin checks, including xmlhttprequest, xslt, and xbl.
... for cross-window dom access, each file is treated as a separate origin, with one exception: if a file is loaded from another file that would otherwise be able to load it following this same-origin policy, they are considered to have the same origin.
...the new security.fileuri.strict_origin_policy preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same origin policy on file: uris.

Same origin policy for XBL - Archive of obsolete content
the same origin policy used for xbl documents is different from the policy used for other content.
... this article provides a description of how the same origin policy for xbl works.
...a content policy check is performed.

Document.featurePolicy - Web APIs
the featurepolicy read-only property of the document interface returns the featurepolicy interface which provides a simple api for inspecting the feature policies applied to a specific document.
... syntax var policy = iframeelement.featurepolicy value a featurepolicy object that can be used to inspect the feature policy settings applied to the document.
... specification specification status comment feature policy editor's draft initial definition.

HTMLIFrameElement.featurePolicy - Web APIs
the featurepolicy read-only property of the htmliframeelement interface returns the featurepolicy interface which provides a simple api for introspecting the feature policies applied to a specific frame.
... syntax var policy = htmliframeelement.featurepolicy value a featurepolicy object that can be used to inspect the feature policy settings applied to the frame.
... specification specification status comment feature policy editor's draft initial definition.

HTMLLinkElement.referrerPolicy - Web APIs
the htmllinkelement.referrerpolicy property reflect the html referrerpolicy attribute of the <link> element defining which referrer is sent when fetching the resource.
... see the http referrer-policy header for details.
... syntax domstring htmllinkelement.referrerpolicy example var links = document.getelementsbytagname("link"); links[0].referrerpolicy; // "no-referrer" specifications specification status comment referrer policythe definition of 'referrerpolicy attribute' in that specification.

SecurityPolicyViolationEvent.disposition - Web APIs
the disposition read-only property of the securitypolicyviolationevent interface indicates how the violated policy is configured to be treated by the user agent.
... syntax let disposition = violationeventinstance.disposition; value a value defined in the securitypolicyviolationeventdisposition enum representing the uri of the blocked resource.
... possible values are "enforce" or "report" example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.disposition); }); specifications specification status comment content security policy level 3the definition of 'disposition' in that specification.

Feature-Policy: gyroscope - HTTP
the http feature-policy header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the gyroscope interface.
... syntax feature-policy: gyroscope <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: layout-animations - HTTP
the http feature-policy header layout-animations directive controls whether the current document is allowed to show layout animations.
... syntax feature-policy: layout-animations <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: legacy-image-formats - HTTP
the http feature-policy header legacy-image-formats directive controls whether the current document is allowed to display images in legacy formats.
... syntax feature-policy: legacy-image-formats <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: magnetometer - HTTP
the http feature-policy header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the magnetometer interface.
... syntax feature-policy: magnetometer <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: oversized-images - HTTP
the http feature-policy header oversized-images directive controls whether the current document is allowed to download and display large images.
... syntax feature-policy: oversized-images <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specification specification status comment feature policy editor's draft initial definition.

Feature-Policy: unoptimized-images - HTTP
the http feature-policy header unoptimized-images directive controls whether the current document is allowed to download and display unoptimized images.
... syntax feature-policy: unoptimized-images <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: unsized-media - HTTP
the http feature-policy header unsized-media directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete.
... syntax feature-policy: unsized-media <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Feature-Policy: vibrate - HTTP
the http feature-policy header vibrate directive controls whether the current document is allowed to trigger device vibrations via navigator.vibrate() method of vibration api.
... syntax feature-policy: vibrate <allowlist>; <vibrate> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.

Same-origin policy - Web security
the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
... exceptions in internet explorer internet explorer has two major exceptions to the same-origin policy: trust zones if both domains are in the highly trusted zone (e.g.
... cross-origin network access the same-origin policy controls interactions between two different origins, such as when you use xmlhttprequest or an <img> element.

JSSecurityCallbacks.contentSecurityPolicyAllows
the jssecuritycallbacks.contentsecuritypolicyallows callback is called when a script attempts to access an object property.
...jssecuritycallbacks.contentsecuritypolicyallows is invoked once per global object upon the first attempt to evaluate js code from a string (either through eval or the function constructor).

SecurityPolicyViolationEvent.blockedURI - Web APIs
the blockeduri read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the resource that was blocked because it violates a policy.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.blockeduri); }); specifications specification status comment content security policy level 3the definition of 'blockeduri' in that specification.

SecurityPolicyViolationEvent.columnNumber - Web APIs
the columnnumber read-only property of the securitypolicyviolationevent interface is the column number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.columnnumber); }); specifications specification status comment content security policy level 3the definition of 'columnnumber' in that specification.

SecurityPolicyViolationEvent.documentURI - Web APIs
the documenturi read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.documenturi); }); specifications specification status comment content security policy level 3the definition of 'documenturi' in that specification.

SecurityPolicyViolationEvent.effectiveDirective - Web APIs
the effectivedirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.effectivedirective); }); specifications specification status comment content security policy level 3the definition of 'effectivedirective' in that specification.

SecurityPolicyViolationEvent.lineNumber - Web APIs
the linenumber read-only property of the securitypolicyviolationevent interface is the line number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.linenumber); }); specifications specification status comment content security policy level 3the definition of 'linenumber' in that specification.

SecurityPolicyViolationEvent.referrer - Web APIs
the referrer read-only property of the securitypolicyviolationevent interface is a usvstring representing the referrer of the resources whose policy was violated.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.referrer); }); specifications specification status comment content security policy level 3the definition of 'referrer' in that specification.

SecurityPolicyViolationEvent.sample - Web APIs
the sample read-only property of the securitypolicyviolationevent interface is a domstring representing a sample of the resource that caused the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sample); }); specifications specification status comment content security policy level 3the definition of 'sample' in that specification.

SecurityPolicyViolationEvent.sourceFile - Web APIs
the sourcefile read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sourcefile); }); specifications specification status comment content security policy level 3the definition of 'sourcefile' in that specification.

SecurityPolicyViolationEvent.statusCode - Web APIs
the statuscode read-only property of the securitypolicyviolationevent interface is a number representing the http status code of the document or worker in which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.statuscode); }); specifications specification status comment content security policy level 3the definition of 'statuscode' in that specification.

SecurityPolicyViolationEvent.violatedDirective - Web APIs
the violateddirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.violateddirective); }); specifications specification status comment content security policy level 3the definition of 'violateddirective' in that specification.

Same-origin policy - MDN Web Docs Glossary: Definitions of Web-related terms
the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.

Feature-Policy: xr - HTTP
this feature policy directive was at one point defined as xr (but implemented in chrome as vr), use xr-spatial-tracking instead.

HTTP Index - HTTP
16 content security policy (csp) csp, content security policy, reference, security content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... 19 cross-origin resource policy (corp) http, reference, security cross-origin resource policy is an opt-in mechanism that allows web applications to protect against certain cross-origin requests, such as those issued by the browser when resources are embedded using elements such as <script> and <img>.
... this serves as an additional layer of protection above and beyond the same-origin policy which can mitigate speculative side channel attacks as well as cross-site script inclusion attacks.
...And 84 more matches

sslfnc.html
ssl initialization functions ssl export policy functions ssl configuration functions ssl communication functions ssl functions used by callbacks ssl handshake functions nss shutdown function deprecated functions ssl initialization functions this section describes the initialization functions that are specific to ssl.
... note that at least one of the functions listed in ssl export policy functions must also be called during nss initialization.
... the policy flags for all cipher suites are turned off by default, disallowing all cipher suites.
...And 81 more matches

Index - HTTP
28 content-security-policy csp, http, reference, security, header the http content-security-policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
... 29 csp: base-uri csp, directive, document directive, http, security the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
... 30 csp: block-all-mixed-content csp, directive, http, mixed content, reference, security the http content-security-policy (csp) block-all-mixed-content directive prevents loading any assets using http when the page is loaded using https.
...And 43 more matches

Index - Web APIs
904 document.domain api, document, html dom, property, reference the domain property of the document interface gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
... 911 document.featurepolicy api, document, feature policy, feature-policy, reference the featurepolicy read-only property of the document interface returns the featurepolicy interface which provides a simple api for inspecting the feature policies applied to a specific document.
... 1289 featurepolicy feature policy, feature-policy, reference no summary!
...And 35 more matches

Finishing the Component
the interface that we need for this project is something called nsicontentpolicy.
...(for weblock, all you need are the headers for nsicontentpolicy and the nsicontentpolicy.idl.) then, using the same steps you used to create the weblock.h, create a header from this idl file using the xpidl compiler.
... once you have these interface and header files, you can modify the weblock class to implement the nsicontentpolicy interface.
...And 15 more matches

HTTP headers - HTTP
referrer-policy governs which referrer information sent in the referer header should be included with requests made.
... security cross-origin-embedder-policy (coep) allows a server to declare an embedder policy for a given document.
... cross-origin-opener-policy (coop) prevents other domains from opening/controlling a window.
...And 10 more matches

nsIIOService
andler(in string ascheme); nsichannel newchannel(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); obsolete since gecko 48 nsichannel newchannel2(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsichannel newchannelfromuri(in nsiuri auri); obsolete since gecko 48 nsichannel newchannelfromuri2(in nsiuri auri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in unsigned long asecurityflags, in unsigned long acontentpolicytype); nsichannel newchannelfromuriwithloadinfo(in nsiuri auri, in nsiloadinfo aload...
...info); nsichannel newchannelfromuriwithproxyflags2(in nsiuri auri, in nsiuri aproxyuri, in uint32_t aproxyflags,in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsiuri newfileuri(in nsifile afile); nsiuri newuri(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); attributes attribute type description offline boolean returns true if networking is in "offline" mode.
...this gives the protocol handler ultimate control over its own security policy while ensuring reasonable, default protection.
...And 9 more matches

CSP: script-src - HTTP
the http content-security-policy (csp) script-src directive specifies valid sources for javascript.
... syntax one or more sources can be allowed for the script-src policy: content-security-policy: script-src <source>; content-security-policy: script-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 8 more matches

Autoplay guide for media and Web Audio APIs - Web media technologies
that means that both of the following are considered autoplay behavior, and are therefore subject to the browser's autoplay blocking policy: <audio src="/music.mp4" autoplay> and audioelement.play(); the following web features and apis may be affected by autoplay blocking: the html <audio> and <video> elements the web audio api from the user's perspective, a web page or app that spontaneously starts making noise without warning can be jarring, inconvenient, or off-putting.
...least one of the following is true: the audio is muted or its volume is set to 0 the user has interacted with the site (by clicking, tapping, pressing keys, etc.) if the site has been whitelisted; this may happen either automatically if the browser determines that the user engages with media frequently, or manually through preferences or other user interface features if the autoplay feature policy is used to grant autoplay support to an <iframe> and its document.
... the autoplay feature policy in addition to the browser-side management and control over autoplay functionality described above, a web server can also express its willingness to allow autoplay to function.
...And 8 more matches

Index
on an organizational level the contents of the set are managed according to the mozilla ca policy.
...for example: certificates were valid at the time the signature was made, name in certificates matches the expected signer (check subject name, common name, email, based on application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and based on environment/application policy it might be required to perform a revocation check (ocsp or crl), that asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert).
...in order to distinguish an ev certificate, cas will embed a policy oid in the certificate, and the browser is expected to verify that a trust chain permits the end entity (ee) certificate to make use of the policy.
...And 7 more matches

NSS_3.12_release_notes.html
3.12 3 new shared library are shipped with nss 3.12: nssutil sqlite nssdbm 1 new include file is shipped with nss3.12: utilrename.h new functions in the nss shared library: cert_checknamespace (see cert.h) cert_encodecertpoliciesextension (see cert.h) cert_encodeinfoaccessextension (see cert.h) cert_encodeinhibitanyextension (see cert.h) cert_encodenoticereference (see cert.h) cert_encodepolicyconstraintsextension (see cert.h) cert_encodepolicymappingextension (see cert.h) cert_encodesubjectkeyid (see certdb/cert.h) cert_encodeusernotice (see cert.h) cert_findcrlentryreasonexten (see cert.h) cert_findcrlnumberexten (see cert.h) cert_findnameconstraintsexten (see cert.h) cert_getclassicocspdisabledpolicy (see cert.h) cert_getclassicocspenabledhardfailurepolicy (see cert.h) cert_getclassi...
...cocspenabledsoftfailurepolicy (see cert.h) cert_getpkixverifynistrevocationpolicy (see cert.h) cert_getusepkixforvalidation (see cert.h) cert_getvaliddnspatternsfromcert (see cert.h) cert_newtempcertificate (see cert.h) cert_setocsptimeout (see certhigh/ocsp.h) cert_setusepkixforvalidation (see cert.h) cert_pkixverifycert (see cert.h) hash_gettype (see sechash.h) nss_initwithmerge (see nss.h) pk11_createmergelog (see pk11pub.h) pk11_creategenericobject (see pk11pub.h) pk11_createpbev2algorithmid (see pk11pub.h) pk11_destroymergelog (see pk11pub.h) pk11_generatekeypairwithopflags (see pk11pub.h) pk11_getpbecryptomechanism (see pk11pub.h) pk11_isremovable (see pk11pub.h) pk11_mergetokens (see pk11pub.h) pk11_writerawattribute (see pk11pub.h) seckey_ecparamstobasepointorderlen (see keyhi.h) seckey_...
...kip_test_on_missing_source cert_rev_m_require_info_on_missing_source cert_rev_m_ignore_missing_fresh_info cert_rev_m_fail_on_missing_fresh_info cert_rev_m_stop_testing_on_fresh_info cert_rev_m_continue_testing_on_fresh_info cert_rev_mi_test_each_method_separately cert_rev_mi_test_all_local_information_first cert_rev_mi_no_overall_info_requirement cert_rev_mi_require_some_fresh_info_available cert_policy_flag_no_mapping cert_policy_flag_explicit cert_policy_flag_no_any cert_enable_ldap_fetch cert_enable_http_fetch new macro in utilrename.h: smime_aes_cbc_128 the nssckbi pkcs #11 module's version changed to 1.70.
...And 7 more matches

RTCConfiguration - Web APIs
properties bundlepolicy optional specifies how to handle negotiation of candidates when the remote peer is not compatible with the sdp bundle standard.
... this must be one of the values from the enum rtcbundlepolicy.
... icetransportpolicy optional the current ice transport policy; this must be one of the values from the rtcicetransportpolicy enumeration.
...And 7 more matches

nsICacheService
method overview nsicachesession createsession(in string clientid, in nscachestoragepolicy storagepolicy, in boolean streambased); acstring createtemporaryclientid(in nscachestoragepolicy storagepolicy); obsolete since gecko 1.9.2 void evictentries(in nscachestoragepolicy storagepolicy); void init(); obsolete since gecko 1.8 void shutdown(); obsolete since gecko 1.8 void visitentries(in nsicachevisitor visitor); attributes ...
... nsicachesession createsession( in string clientid, in nscachestoragepolicy storagepolicy, in boolean streambased ); parameters clientid specifies the name of the client using the cache.
... storagepolicy limits the storage policy for all entries accessed via the returned session.
...And 6 more matches

<iframe>: The Inline Frame element - HTML: Hypertext Markup Language
allow specifies a feature policy for the <iframe>.
... see the article privacy, permissions, and information security for details on security issues and how <iframe> works with feature policy to keep systems safe.
... csp a content security policy enforced for the embedded resource.
...And 6 more matches

CSP: report-uri - HTTP
the deprecated http content-security-policy (csp) report-uri directive instructs the user agent to report attempts to violate the content security policy.
...so for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to: content-security-policy: ...; report-uri https://endpoint.com; report-to groupname in browsers that support report-to, the report-uri directive will be ignored.
... syntax content-security-policy: report-uri <uri>; content-security-policy: report-uri <uri> <uri>; <uri> a uri where to post the report to.
...And 6 more matches

CSP: style-src - HTTP
the http content-security-policy (csp) style-src directive specifies valid sources for stylesheets.
... syntax one or more sources can be allowed for the style-src policy: content-security-policy: style-src <source>; content-security-policy: style-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 6 more matches

MediaDevices.getUserMedia() - Web APIs
on browsers that support managing media permissions with feature policy, this error is returned if feature policy is not configured to allow access to the input source(s).
...only a window's top-level document context for a valid origin can even request permission to use getusermedia(), unless the top-level context expressly grants permission for a given <iframe> to do so using feature policy.
...the originally-designed security mechanism is in the process of being replaced with feature policy, so various browsers have different levels of security support, using different mechanisms.
...And 5 more matches

CSP: form-action - HTTP
the http content-security-policy (csp) form-action directive restricts the urls which can be used as the target of a form submissions from a given context.
... syntax one or more sources can be set for the form-action policy: content-security-policy: form-action <source>; content-security-policy: form-action <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 5 more matches

Planned changes to shared memory - JavaScript
for top-level documents, two headers will need to be set: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) with these two headers set, postmessage() will no longer throw for sharedarraybuffer objects and shared memory across threads is therefore available.
... nested documents and dedicated workers will need to set the cross-origin-embedder-policy header as well with the same value.
...same-site (but cross-origin) nested documents and subresources will need to set the cross-origin-resource-policy header with same-site as value.
...And 5 more matches

nsICookie
policy nscookiepolicy holds the sites compact policy value.
... policy_unknown 0 the cookie collected in a previous session, and its information no longer available.
... policy_none 1 the site did not send a compact policy along with the cookie.
...And 4 more matches

nsIHttpChannel
inalresponseheader(in acstring aheader, in nsihttpheadervisitor avisitor); acstring getrequestheader(in acstring aheader); acstring getresponseheader(in acstring header); boolean isnocacheresponse(); boolean isnostoreresponse(); void redirectto(in nsiuri anewuri); void setemptyrequestheader(in acstring aheader); void setreferrerwithpolicy(in nsiuri referrer, in unsigned long referrerpolicy); void setrequestheader(in acstring aheader, in acstring avalue, in boolean amerge); void setresponseheader(in acstring header, in acstring value, in boolean merge); void visitoriginalresponseheaders(in nsihttpheadervisitor avisitor); void visitrequestheaders(in nsihttpheadervisitor avisitor); void ...
...visitresponseheaders(in nsihttpheadervisitor avisitor); constants constant description referrer_policy_no_referrer_when_downgrade default; indicates not to pass on the referrer when downgrading from https to http referrer_policy_no_referrer indicates no referrer will be sent referrer_policy_origin only send the origin of the referring uri referrer_policy_origin_when_xorigin same as the default; only send the origin of the referring uri for cross-origin requests referrer_policy_unsafe_url always send the referrer, even when downgrading from https to http attributes attribute type description allowpipelining boolean this attribute is a hint to the channel to indicate whether o...
... referrerpolicy read only unsigned long the referrer policy in use for this channel, indicated by one of the constants listed above methods getoriginalresponseheader() get the value of a particular original response header, that is, in the same form as it came from the network.
...And 4 more matches

<script>: The Script element - HTML: Hypertext Markup Language
nonce a cryptographic nonce (number used once) to whitelist scripts in a script-src content-security-policy.
... the server must generate a unique nonce value each time it transmits a policy.
... it is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
...And 4 more matches

CSP: base-uri - HTTP
the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
... syntax one or more sources can be allowed for the base-uri policy: content-security-policy: base-uri <source>; content-security-policy: base-uri <source> <source>; sources while this directive uses the same arguments as other csp directives, some of them don’t make sense for `<base>`, such as the keywords 'unsafe-inline' and 'strict-dynamic' <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches

CSP: connect-src - HTTP
the http content-security-policy (csp) connect-src directive restricts the urls which can be loaded using script interfaces.
... syntax one or more sources can be allowed for the connect-src policy: content-security-policy: connect-src <source>; content-security-policy: connect-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches

CSP: default-src - HTTP
the http content-security-policy (csp) default-src directive serves as a fallback for the other csp fetch directives.
... default-src directive and uses this value for it: child-src connect-src font-src frame-src img-src manifest-src media-src object-src prefetch-src script-src script-src-elem script-src-attr style-src style-src-elem style-src-attr worker-src csp version 1 directive type fetch directive syntax one or more sources can be allowed for the default-src policy: content-security-policy: default-src <source>; content-security-policy: default-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches

Intercepting Page Loads - Archive of obsolete content
content policy finally, there is the option of implementing nsicontentpolicy.
... you can create an xpcom component that extends nsicontentpolicy and register it to the "content-policy" category using the nsicategorymanager.
... the nsicontentpolicy.shouldload() method is the only one in this interface that is really useful.
...And 3 more matches

Index - MDN Web Docs Glossary: Definitions of Web-related terms
53 csp glossary, http, infrastructure a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
... 117 document directive csp, directive, document, glossary, http, security csp document directives are used in a content-security-policy header and govern the properties of a document or worker environment to which a policy applies.
... 143 fetch directive csp, http, security csp fetch directives are used in a content-security-policy header and control locations from which certain resource types may be loaded.
...And 3 more matches

Script security
the security model for web content is based on the same-origin policy, in which code gets full access to objects from its origin but highly restricted access to objects from a different origin.
... security policy gecko implements the following security policy: objects that are same-origin are able to access each other freely.
... objects that are cross-origin get highly restricted access to each other, according to the same-origin policy.
...And 3 more matches

An overview of NSS Internals
on an organizational level the contents of the set are managed according to the mozilla ca policy.
...for example: certificates were valid at the time the signature was made, name in certificates matches the expected signer (check subject name, common name, email, based on application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and based on environment/application policy it might be required to perform a revocation check (ocsp or crl), that asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert).
...in order to distinguish an ev certificate, cas will embed a policy oid in the certificate, and the browser is expected to verify that a trust chain permits the end entity (ee) certificate to make use of the policy.
...And 3 more matches

NSS Tools sslstrength
synopsis 1) sslstrength ciphers 2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic] description the first form simple lists out the possible ciphers.
... restricting ciphers by default, sslstrength assumes that all the preferences are on, so it will use any preferences in your policy.
...firstly, you can set policy to be either domestic or export.
...And 3 more matches

NSS functions
function name/documentation source code nss versions nss_getclientauthdata mxr 3.2 and later nss_setdomesticpolicy mxr 3.2 and later nss_setexportpolicy mxr 3.2 and later nss_setfrancepolicy mxr 3.2 and later nssssl_versioncheck mxr 3.2.1 and later ssl_authcertificate mxr 3.2 and later ssl_authcertificatehook mxr 3.2 and later ssl_badcerthook mxr 3.2 and later ssl_certdbhandleset mxr 3.2 and later ...
... ssl_canbypass mxr 3.11.7 and later ssl_cipherpolicyget mxr 3.2 and later ssl_cipherpolicyset mxr 3.2 and later ssl_cipherprefget mxr 3.2 and later ssl_cipherprefgetdefault mxr 3.2 and later ssl_cipherprefset mxr 3.2 and later ssl_cipherprefsetdefault mxr 3.2 and later ssl_clearsessioncache mxr 3.2 and later ssl_configmpserversidcache mxr 3.2 and later ssl_configsecureserver mxr 3.2 and later ssl_configserversessionidcache mxr 3.2 and later ssl_datapending mxr 3.2 and later ssl_forcehandshake mxr 3.2 and later ssl_forcehandshakewithtimeout mxr 3.11.4 and later ssl_getchannelinfo m...
... function name/documentation source code replacement in nss 3.2 ssl_enable mxr ssl_optionset ssl_enablecipher mxr ssl_cipherprefsetdefault ssl_enabledefault mxr ssl_optionsetdefault ssl_redohandshake mxr ssl_rehandshake ssl_setpolicy mxr ssl_cipherpolicyset certificate functions the public functions listed here are used to interact with certificate databases.
...And 3 more matches

NSS Tools sslstrength
synopsis 1) sslstrength ciphers 2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic] description the first form simple lists out the possible ciphers.
...restricting ciphers by default, sslstrength assumes that all the preferences are on, so it will use any preferences in your policy.
...firstly, you can set policy to be either domestic or export.
...And 3 more matches

Console messages - Firefox Developer Tools
this site specified both an x-content-security-policy/report-only header and a content-security-policy/report-only header.
... the x-content-security-policy/report-only header(s) will be ignored.
... see content security policy for more details.
...And 3 more matches

Sensor APIs - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
... if (error.name === 'securityerror') { // see the note above about feature policy.
...And 3 more matches

CSP: child-src - HTTP
the http content-security-policy (csp) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
... syntax one or more sources can be allowed for the child-src policy: content-security-policy: child-src <source>; content-security-policy: child-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: font-src - HTTP
the http content-security-policy (csp) font-src directive specifies valid sources for fonts loaded using @font-face.
... syntax one or more sources can be allowed for the font-src policy: content-security-policy: font-src <source>; content-security-policy: font-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: frame-src - HTTP
the http content-security-policy (csp) frame-src directive specifies valid sources for nested browsing contexts loading using elements such as <frame> and <iframe>.
... syntax one or more sources can be allowed for the frame-src policy: content-security-policy: frame-src <source>; content-security-policy: frame-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: img-src - HTTP
the http content-security-policy img-src directive specifies valid sources of images and favicons.
... syntax one or more sources can be allowed for the img-src policy: content-security-policy: img-src <source>; content-security-policy: img-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: media-src - HTTP
the http content-security-policy (csp) media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
... syntax one or more sources can be allowed for the media-src policy: content-security-policy: media-src <source>; content-security-policy: media-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: navigate-to - HTTP
the http content-security-policy (csp) navigate-to directive restricts the urls to which a document can initiate navigations by any means including <form> (if form-action is not specified), <a>, window.location, window.open, etc.
... syntax one or more sources can be set for the navigate-to policy: content-security-policy: navigate-to <source>; content-security-policy: navigate-to <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: object-src - HTTP
the http content-security-policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
... syntax one or more sources can be allowed for the object-src policy: content-security-policy: object-src <source>; content-security-policy: object-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

CSP: referrer - HTTP
the http content-security-policy (csp) referrer directive used to specify information in the referer header (with a single r as this was a typo in the original spec) for links away from a page.
... use the referrer-policy header instead.
... syntax content-security-policy: referrer <referrer-policy>; where <referrer-policy> can be one of the following values: "no-referrer" the referer header will be omitted entirely.
...And 3 more matches

CSP: sandbox - HTTP
the http content-security-policy (csp) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
... it applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
... csp version 1.1 / 2 directive type document directive this directive is not supported in the <meta> element or by the content-security-policy-report-only header field.
...And 3 more matches

CSP: worker-src - HTTP
the http content-security-policy (csp) worker-src directive specifies valid sources for worker, sharedworker, or serviceworker scripts.
... syntax one or more sources can be allowed for the worker-src policy: content-security-policy: worker-src <source>; content-security-policy: worker-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches

Index - Archive of obsolete content
634 same origin policy for xbl same-origin policy, security, xbl the same origin policy used for xbl documents is different from the policy used for other content.
... this article provides a description of how the same origin policy for xbl works.
... 1997 mozilla.dev.platform faq faq for questions asked on mozilla.dev.platform 1998 nsicontentpolicy interfaces, interfaces:scriptable, needsmarkupwork, reference, xpcom, xpcom interface reference you can observe content that is being loaded into your browser by implementing nsicontentpolicy.
...And 2 more matches

Limitations of chrome scripts
nsicontentpolicy without the shim in multiprocess firefox, if you register the nsicontentpolicy in the chrome process then it will never see any attempts to load web content, because they happen in the content process.
...it transparently registers an nsicontentpolicy in the content process, whose shouldload just forwards to the chrome process.
...the chrome process then checks the content against the policy supplied by the add-on, and forwards the response back to the child to be enforced.
...And 2 more matches

OS.File for the main thread
winshare (ignored under non-windows platforms) if specified, a sharing policy, as per windows function createfile.
... if unspecified, files are opened with a default sharing policy (file is not protected against being read/written/removed by another process or another use in the same process).
... you can build this policy from constants os.constants.win.file_share_*.
...And 2 more matches

NSS Config Options
nss config options format the specified ciphers will be allowed by policy, but an application may allow more by policy explicitly: config="allow=curve1:curve2:hash1:hash2:rsa-1024..." only the specified hashes and curves will be allowed: config="disallow=all allow=sha1:sha256:secp256r1:secp384r1" only the specified hashes and curves will be allowed, and rsa keys of 2048 or more will be accepted, and dh key exchange with 1024-bit primes or more: config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-dh=1024" a policy that enables the aes ciphersuites and the secp256/384 curves: config="allow=aes128-cbc:aes128-gcm::hmac-sha1:sha1:sha256:sha384:rsa:ecdhe-rsa:secp256r1:secp384r1" turn off md5 config="disallow=md5" turn off md5 and sha1 only for ssl config...
...disable: turn off ciphersuites by default without disallowing them by policy.
... flags: turn on the following flags: ssl-lock: turn off the ability for applications to change policy with the ssl_setcipherpolicy (or ssl_setpolicy).
...And 2 more matches

nsICache
store_anywhere 0 the storage policy of a cache entry determines the device(s) to which it belongs.
...the cache service decides which cache device to use based on "some resource management calculation." store_in_memory 1 the storage policy of a cache entry determines the device(s) to which it belongs.
... store_on_disk 2 the storage policy of a cache entry determines the device(s) to which it belongs.
...And 2 more matches

nsIWebBrowserPersist
void cancelsave(); void savechannel(in nsichannel achannel, in nsisupports afile); void savedocument(in nsidomdocument adocument, in nsisupports afile, in nsisupports adatapath, in string aoutputcontenttype, in unsigned long aencodingflags, in unsigned long awrapcolumn); void saveuri(in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in nsiloadcontext aprivacycontext); void saveprivacyawareuri(in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in boolean aisprivate); attributes attribute type description ...
... as of firefox 36, a new parameter areferrerpolicy was added as the fourth argument, changing the number of parameters from 7 to 8 and shifting the order of the parameters in a backwards incompatible way.
... void saveuri( in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in nsiloadcontext aprivacycontext ); parameters auri uri to save to file.
...And 2 more matches

RTCDtlsTransport - Web APIs
to be able to negotiate with such endpoints (or to exclude them entirely), the rtcconfiguration property bundlepolicy may be provided when creating the connection.
... the bundlepolicy lets you control how to negotiate with these legacy endpoints.
... the default policy is "balanced", which provides a balance between performance and compatibility.
...And 2 more matches

RTCPeerConnection() - Web APIs
rtcconfiguration dictionary bundlepolicy optional specifies how to handle negotiation of candidates when the remote peer is not compatible with the sdp bundle standard.
... this must be one of the values from the enum rtcbundlepolicy.
... icetransportpolicy optional the current ice transport policy; this must be one of the values from the rtcicetransportpolicy enum.
...And 2 more matches

<img>: The Image Embed element - HTML: Hypertext Markup Language
there are many other attributes to achieve various purposes: referrer/cors control for security and privacy: see crossorigin and referrerpolicy.
... referrerpolicy a string indicating which referrer to use when fetching the resource: no-referrer: the referer header will not be sent.
...this is the default if no policy is otherwise specified.
...And 2 more matches

<link>: The External Resource Link element - HTML: Hypertext Markup Language
when using <link> to establish a favicon for a site, and your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.
...it specifies the type of content being loaded by the <link>, which is necessary for request matching, application of correct content security policy, and setting of correct accept request header.
...And 2 more matches

CSP: manifest-src - HTTP
the http content-security-policy: manifest-src directive specifies which manifest can be applied to the resource.
... syntax one or more sources can be allowed for the manifest-src policy: content-security-policy: manifest-src <source>; content-security-policy: manifest-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

CSP: prefetch-src - HTTP
the http content-security-policy (csp) prefetch-src directive specifies valid resources that may be prefetched or prerendered.
... syntax one or more sources can be allowed for the prefetch-src policy: content-security-policy: prefetch-src <source>; content-security-policy: prefetch-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

CSP: script-src-attr - HTTP
the http content-security-policy (csp) script-src-attr directive specifies valid sources for javascript inline event handlers.
... syntax one or more sources can be allowed for the script-src-attr policy: content-security-policy: script-src-attr <source>; content-security-policy: script-src-attr <source> <source>; script-src-attr can be used in conjunction with script-src: content-security-policy: script-src <source>; content-security-policy: script-src-attr <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an option...
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

CSP: script-src-elem - HTTP
the http content-security-policy (csp) script-src-elem directive specifies valid sources for javascript <script> elements, but not inline script event handlers like onclick.
... syntax one or more sources can be allowed for the script-src-elem policy: content-security-policy: script-src-elem <source>; content-security-policy: script-src-elem <source> <source>; script-src-elem can be used in conjunction with script-src: content-security-policy: script-src <source>; content-security-policy: script-src-elem <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

CSP: style-src-attr - HTTP
the http content-security-policy (csp) style-src-attr directive specifies valid sources for inline styles applied to individual dom elements.
... syntax one or more sources can be allowed for the style-src-attr policy: content-security-policy: style-src-attr <source>; content-security-policy: style-src-attr <source> <source>; style-src-attr can be used in conjunction with style-src: content-security-policy: style-src <source>; content-security-policy: style-src-attr <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

CSP: style-src-elem - HTTP
the http content-security-policy (csp) style-src-elem directive specifies valid sources for stylesheets <style> elements and <link> elements with rel="stylesheet".
... syntax one or more sources can be allowed for the style-src-elem policy: content-security-policy: style-src-elem <source>; content-security-policy: style-src-elem <source> <source>; style-src-elem can be used in conjunction with style-src: content-security-policy: style-src <source>; content-security-policy: style-src-elem <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches

Expect-CT - HTTP
when present with the enforce directive, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the certificate transparency policy should be enforced and that violations should be reported.
... enforce optional signals to the user agent that compliance with the certificate transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its certificate transparency policy.
... when both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the certificate transparency policy should be enforced and that violations should be reported.
...And 2 more matches

Privacy, permissions, and information security
web technologies and features used to enforce security and privacy technology or feature description certificate transparency an open standard for monitoring and auditing certificates, creating a database of public logs that can be used to help identify incorrect or malicious certificates content security policy provides the ability to define the extent to which a document's content can be accessed by other devices over the web; used in particular to prevent or mitigate attacks on the server feature policy lets web developers selectively enable, disable, and modify the behavior of certain features and apis both for a document and for subdocuments loaded in <iframe>s <iframe>'s al...
...low attribute technically part of feature policy, the allow attribute on an <iframe> specifies which web features the document in the frame should be allowed to access http public key pinning (hpkp) hpkp is used by servers to instruct a client to associate a specific public key with the server going forward in order to decrease the likelihood of man-in-the-middle attacks http strict transport security (hsts) hsts is used by servers to let them protect themselves from protocol downgrade and cookie hijack attacks by letting sites tell clients that they can only use https to communicate with the server http/2 while http/2 technically does not have to use encryption, most browser developers are only supporting it when used with https, so it can be thought of in...
...this is the technology behind the https (hypertext transport protocol secured) protocol not all of these are generally directly used within code; notably, the permissions api, feature policy, and the allow attribute on <iframe> elements are primary tools directly used by code to help secure a site and its content.
...And 2 more matches

Referer header: privacy and security concerns - Web security
you can also mitigate such risks using: the referrer-policy header on your server to control what information is sent through the referer header.
... the referrerpolicy attribute on html elements that are in danger of leaking such information (such as <img> and <a>).
... helmetjs referrer-policy — middleware for setting referrer-policy in node.js/express apps (see also helmetjs for more security provisions).
...And 2 more matches

Web security
content security content security policy (csp) content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (xss) and data injection attacks.
... information leakage referer header policy: privacy and security concerns there are privacy and security risks associated with the referer http header.
... robots.txt to be written site maps to be written integrity same-origin policy the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
...And 2 more matches

Mozilla Crypto FAQ - Archive of obsolete content
the cryptography policy page maintained by the electronic privacy information center (epic).
...encryption policy and related topics.
... building in big brother: the cryptographic policy debate, by lance hoffman (ed.).
... cryptography & liberty 2000: an international survey of encryption policy, by the electronic privacy information center.

Index
170 storage access policy: block cookies from trackers privacy, storage access policy, tracking protection firefox includes a new storage access policy that blocks cookies and other site data from third-party tracking resources.
... this new policy is designed as an alternative to the current policies, which have been available in firefox for many years.
... the new policy protects against cross-site tracking while minimizing the site breakage associated with traditional cookie blocking.
... this article explains how the new policy works and how you can test it.

JSS FAQ
if i don't call setcipherpolicy, is the domestic policy used by default?
... org/mozilla/jss/pkix/crmf/certreqmsg.java org/mozilla/jss/pkix/crmf/certtemplate.java org/mozilla/jss/pkix/primitive/name.java org/mozilla/jss/provider/javax/crypto/jsssecretkeyfactoryspi.java org/mozilla/jss/util/utf8converter.java org/mozilla/jss/util/base64inputstream.java jss/samples/pqggen.java jss/samples/pkcs12.java if i don't call setcipherpolicy, is the domestic policy used by default?
... yes, domestic is the default because we call nss_setdomesticpolicy() during cryptomanager.initialize().
... setcipherpolicy does not need to be called by a jss app unless that app wants to limit itself to export-allowed cipher suites.

NSS 3.22 release notes
enforce an external policy on nss from a config file (bug 1009429) you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which will force nss to restrict the application to certain cryptographic algorithms and protocols.
..._rsa sec_oid_tls_dh_dss sec_oid_tls_dh_anon sec_oid_tls_ecdhe_ecdsa sec_oid_tls_ecdhe_rsa sec_oid_tls_ecdh_ecdsa sec_oid_tls_ecdh_rsa sec_oid_tls_ecdh_anon sec_oid_tls_rsa_export sec_oid_tls_dhe_rsa_export sec_oid_tls_dhe_dss_export sec_oid_tls_dh_rsa_export sec_oid_tls_dh_dss_export sec_oid_tls_dh_anon_export sec_oid_apply_ssl_policy in sslt.h ssl_signed_cert_timestamp_xtn is added to sslextensiontype.
... new macros in nss.h nss_rsa_min_key_size nss_dh_min_key_size nss_dsa_min_key_size nss_tls_version_min_policy nss_tls_version_max_policy nss_dtls_version_min_policy nss_dtls_version_max_policy in pkcs11t.h ckp_pkcs5_pbkd2_hmac_gostr3411 - prf based on hmac with gostr3411 for pbkdf (not supported) ckp_pkcs5_pbkd2_hmac_sha224 - prf based on hmac with sha-224 for pbkdf ckp_pkcs5_pbkd2_hmac_sha256 - prf based on hmac with sha-256 for pbkdf ckp_pkcs5_pbkd2_hmac_sha384 - prf based on hmac with sha-256 for pbkdf ckp_pkcs5_pbkd2_hmac_sha512 - prf based on hmac with sha-256 for pbkdf ckp_pkcs5_pbkd2_hmac_sha512_224 - prf based on hmac with sha-512 truncated to 224 bits for pbkdf (not supported) ckp_pkcs5_pbkd2_hmac_sha512_256 - prf based on ...
...hmac with sha-512 truncated to 256 bits for pbkdf (not supported) in secoidt.h nss_use_alg_in_ssl nss_use_policy_in_ssl in ssl.h ssl_enable_signed_cert_timestamps in sslt.h ssl_max_extensions is updated to 13 notable changes in nss 3.22 nss c++ tests are built by default, requiring a c++11 compiler.

NSS 3.31 release notes
notable changes in nss 3.31 the apis that set a tls version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured.
... ssl_versionrangegetsupported can be used to query the overlap between the library's supported range of tls versions and the systemwide policy.
... previously, ssl_versionrangeset and ssl_versionrangesetdefault returned a failure if the requested version range wasn't fully allowed by the systemwide crypto policy.
... they have been changed to return success, if at least one tls version overlaps between the requested range and the systemwide policy.

Handling Mozilla Security Bugs
this list will act as a forum for discussing group policy and the addition of new members, as described below.
... changing this policy this policy is not set in stone.
... it is our hope that any disputes that arise over membership, disclosure, or any other issue addressed by this policy can be resolved by consensus among the mozilla security module owner, the module owner's peers, and other security bug group members through discussions on the private security bug group mailing list.
... as with other mozilla project issues, mozilla.org staff will have the final authority to make changes to this policy, and will do so only after consulting with the various parties involved and with the public mozilla community, in order to ensure that all views are taken into account.

nsICookieConsent
last changed in gecko 1.9 (firefox 3) inherits from: nsisupports method overview void getconsent(); methods getconsent() gives a decision on what should be done with a cookie, based on a site's p3p policy and the user's preferences.
... the policy for the given uri and channel is also returned.
... nscookiestatus getconsent( in nsiuri uri, in nsihttpchannel httpchannel, in boolean isforeign, out nscookiepolicy policy ); parameters uri the uri to find the policy for.
... policy the policy for the given uri, or nsicookie::policy_unknown if one cannot be found.

Network request details - Firefox Developer Tools
referrer policy: the value of the referrer-policy header.
... version: the http version used transferred: the amount of data transferred with the request the referrer policy, which governs which referrer information, sent in the referer header, should be included with requests.
... (see referrer-policy for a description of possible values) blocking: if the request is to a site that is associated with a known tracker, an icon and a message are shown; otherwise, this field is not shown.
...: "content-length", "value": "673" }, { "name": "content-type", "value": "text/javascript; charset=utf-8" }, { "name": "date", "value": "tue, 11 jun 2019 13:01:39 gmt" }, { "name": "mediawiki-login-suppressed", "value": "true" }, { "name": "p3p", "value": "cp=\"this is not a p3p policy!

RTCPeerConnection - Web APIs
constants rtcbundlepolicy enum the rtcbundlepolicy enum defines string constants which are used to request a specific policy for gathering ice candidates if the remote peer isn't "bundle-aware" (compatible with the sdp bundle standard for bundling multiple media streams on a single transport link).
... if the remote endpoint is bundle-aware, all media tracks and data channels are bundled onto a single transport at the completion of negotiation, regardless of policy used, and any superfluous transports that were created initially are closed at that point.
... rtcicetransportpolicy enum the rtcicetransportpolicy enum defines string constants which can be used to limit the transport policies of the ice candidates to be considered during the connection process.
... rtcrtcpmuxpolicy enum the rtcrtcpmuxpolicy enum defines string constants which specify what ice candidates are gathered to support non-multiplexed rtcp.

Using Web Workers - Web APIs
content security policy workers are considered to have their own execution context, distinct from the document that created them.
... for this reason they are, in general, not governed by the content security policy of the document (or parent worker) that created them.
... so for example, suppose a document is served with the following header: content-security-policy: script-src 'self' among other things, this will prevent any scripts it includes from using eval().
... to specify a content security policy for the worker, set a content-security-policy response header for the request which delivered the worker script itself.

<a>: The Anchor element - HTML: Hypertext Markup Language
referrerpolicy how much of the referrer to send when following the link.
... see referrer-policy for possible values and their effects.
... hand tremors and the giant-button-problem specifications specification status comment referrer policythe definition of 'referrer attribute' in that specification.
... candidate recommendation added the referrerpolicy attribute.

<area> - HTML: Hypertext Markup Language
referrerpolicy a string indicating which referrer to use when fetching the resource: "no-referrer" meaning that the referer: header will not be sent.
...this is a user agent’s default behavior, if no policy is otherwise specified.
...ples <map name="primary"> <area shape="circle" coords="75,75,75" href="left.html" alt="click to go left"> <area shape="circle" coords="275,75,75" href="right.html" alt="click to go right"> </map> <img usemap="#primary" src="https://udn.realityripple.com/samples/6a/7e559101b3.png" alt="350 x 150 pic"> result specifications specification status comment referrer policythe definition of 'referrerpolicy attribute' in that specification.
... candidate recommendation added the referrerpolicy attribute.

CSP: frame-ancestors - HTTP
the http content-security-policy (csp) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
... syntax one or more sources can be set for the frame-ancestors policy: content-security-policy: frame-ancestors <source>; content-security-policy: frame-ancestors <source> <source>; sources <source> can be one of the following: the frame-ancestors directive’s syntax is similar to a source list of other directives (e.g.
... examples content-security-policy: frame-ancestors 'none'; content-security-policy: frame-ancestors 'self' https://www.example.org; specifications specification status comment content security policy level 3the definition of 'frame-ancestors' in that specification.
... content security policy level 2the definition of 'frame-ancestors' in that specification.

CSP: plugin-types - HTTP
the http content-security-policy (csp) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
... syntax one or more mime types can be set for the plugin-types policy: content-security-policy: plugin-types <type>/<subtype>; content-security-policy: plugin-types <type>/<subtype> <type>/<subtype>; <type>/<subtype> a valid mime type.
... <meta http-equiv="content-security-policy" content="object-src 'none'"> allowing flash content the content security policy content-security-policy: plugin-types application/x-shockwave-flash will allow to load flash objects: <object data="https://example.com/flash" type="application/x-shockwave-flash"></object> allowing java applets to load an <applet> you must specify application/x-java-applet: content-security-policy: plugin-types application/x-java-applet specifications specification status comment content security policy level 3...
... content security policy level 2the definition of 'plugin-types' in that specification.

CSP: report-to - HTTP
the content-security-policy report-to http response header field instructs the user agent to store reporting endpoints for an origin.
... content-security-policy: ...; report-to groupname the directive has no effect in and of itself, but only gains meaning in combination with other directives.
... syntax content-security-policy: report-to <json-field-value>; examples see content-security-policy-report-only for more information and examples.
... report-to: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } content-security-policy: ...; report-to csp-endpoint report-to: { "group": "endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } content-security-policy: ...; report-to endpoint-1 ...

web-share - HTTP
the http feature-policy header web-share directive controls controls whether the current document is allowed to use the navigator.share() of web share api to share text, links, images, and other content to arbitrary destiations of user's choice.
... syntax feature-policy: web-share <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy the default value is 'self'.
... specifications specification status comment feature policy editor's draft initial definition.

Java in Firefox Extensions - Archive of obsolete content
ository/jav...xtensionutils/ ) build and add references leading to this jar and all other jars in your extension within an array of java.net.url's, pass to java.net.urlclassloader to get a class loader, and finally pass the classloader and array to a function which gives the necessary privileges: // this function will be called to give the necessary privileges to your jar files // however, the policy never comes into play, because // (1) adding permissions doesn't add to the policy itself, and // (2) addurl alone does not set the grant codebase function policyadd (loader, urls) { try { //if have trouble with the policy try changing it to //edu.mit.simile.javafirefoxextensionutils.urlsetpolicy var str = 'edu.mit.simile.javafirefoxextensionutils.urlsetpo...
...licy'; var policyclass = java.lang.class.forname( str, true, loader ); var policy = policyclass.newinstance(); policy.setouterpolicy(java.security.policy.getpolicy()); java.security.policy.setpolicy(policy); policy.addpermission(new java.security.allpermission()); for (var j=0; j < urls.length; j++) { policy.addurl(urls[j]); } }catch(e) { alert(e+'::'+e.linenumber); } } //get extension folder installation path...
...va/testjava.jar"; // seems you don't actually have to replace the backslashes as they work as well var urlarray = []; // build a regular javascript array (liveconnect will auto-convert to a java array) urlarray[0] = new java.net.url(myjarpath); urlarray[1] = new java.net.url(classloaderjarpath); var cl = java.net.urlclassloader.newinstance(urlarray); //set security policies using the above policyadd() function policyadd(cl, urlarray); now you can begin using liveconnect, including referencing the classes in your jars.

Safely loading URIs - Archive of obsolete content
changes in gecko 1.9 a key security change in gecko 1.9 is the addition of the new security.fileuri.strict_origin_policy preference.
... this boolean preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same origin policy on file: uris.
... see same-origin policy for file: uris for details.

Supporting private browsing mode - Archive of obsolete content
amo policy and private browsing in order to publicly list an add-on on addons.mozilla.org, the add-on must properly respect private browsing mode by not recording sensitive data while private browsing mode is active.
... this is a new policy that is just being implemented (as of february, 2010).
... note: during the transition period as this policy is put into effect, there is some leeway as well as a grace period.

The new nsString class implementation (1999) - Archive of obsolete content
the deficiencies of the current implementation are: class based -- making it unsuitable for cross-dll usage due to fragility little intrinsic i18n support few efficiencies, notably a lack of support for narrow (1-byte) character strings no support for external memory management policy lack of xpcom interface notable features of the new nsstrimpl implementation are: intrinsic support for 1 and 2 byte character widths provides automatic conversion between strings with different character sizes inviolate base structure eliminates class fragility problem; safe across dll boundaries offers c-style function api to manipulate nsstrimpl offers simple memory allocator api for s...
...pecialized memory policy shares binary format with bstring coming soon: a new xpcom (nsistring) interface non-templatized; this is a requirement for gecko very efficient buffer manipulation architecture the fundamental data type in the new architecture is struct nsstrimpl, given below: struct nsstrimpl { print32 mlength; void* mbuffer; print32 mcapacity; char mcharsize; char munused; // and now for the nsstrimpl api...
...our nsstrimpl uses an allocator pattern so that programmers can install their own policy, but this may also make allocation simpler in a multiprocess environment.

Security Controls - Archive of obsolete content
for example, a security policy is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls).
...an organization may have an acceptable use policy that specifies the conduct of users, including not visiting malicious websites.
... security controls to help thwart phishing, besides the management control of the acceptable use policy itself, include operational controls, such as training users not to fall for phishing scams, and technical controls that monitor emails and web site usage for signs of phishing activity.

Audio for Web games - Game development
autoplay browser autoplay policy now affects desktop and mobile browsers.
...you can find out more about best practises with the autoplay policy here.
...tton'); // load file loadfile(anchor.href).then((track) => { // set loading to false el.dataset.loading = 'false'; // hide loading text loadtext.style.display = 'none'; // show button playbutton.style.display = 'inline-block'; // allow play on click playbutton.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } playtrack(track); playbutton.dataset.playing = true; }) }) }) note: you can see this demo in action here and view the source code here.

CSP - MDN Web Docs Glossary: Definitions of Web-related terms
a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
... the implementation is based on an http header called content-security-policy.
... learn more general knowledge content security policy on wikipedia technical knowledge content security policy documentation on mdn ...

Introduction to web APIs - Learn web development
lume'); const audiosource = audioctx.createmediaelementsource(audioelement); next up we include a couple of event handlers that serve to toggle between play and pause when the button is pressed and reset the display back to the beginning when the song has finished playing: // play/pause audio playbtn.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } // if track is stopped, play it if (this.getattribute('class') === 'paused') { audioelement.play(); this.setattribute('class', 'playing'); this.textcontent = 'pause' // if track is playing, stop it } else if (this.getattribute('class') === 'playing') { audioelement.pause(); ...
... they have additional security mechanisms where appropriate webapi features are subject to the same security considerations as javascript and other web technologies (for example same-origin policy), but they sometimes have additional security mechanisms in place.
...as an example, the notifications api asks for permission using a pop-up dialogue box: the web audio and htmlmediaelement apis are subject to a security mechanism called autoplay policy — this basically means that you can't automatically play audio when a page loads — you've got to allow your users to initiate audio play through a control like a button.

Performance
beam down information in advance to avoid synchronous calls to the parent bad: // processscript.js function contentpolicy() { // ...
... } object.assign(contentypolicy.prototype, { classdescription: ..., classid: ..., contractid: ..., queryinterface: xpcomutils.generateqi([ci.nsicontentpolicy]), shouldload: function(type, location, origin, context) { let resultlist = services.cpmm.sendsyncmessage("my-addon:check-load", {destination: location, source: origin}) // <=== sync message!
... if(resultlist.every((r) => r == true)) return ci.nsicontentpolicy.accept; return ci.nsicontentpolicy.reject_request; } }); // more boilerplate code here this example is a (somewhat condensed) content policy which gets triggered for every network request in a child process to either allow or deny the request.

Midas editor module security preferences
add these lines to user.js: user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org"); user_pref("capability.policy.allowclipboard.clipboard.cutcopy", "allaccess"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); change the url https://www.mozilla.org to the site for which you want to enable this function.
...for example: user_pref("capability.policy.allowclipboard.sites", "http://www-archive.mozilla.org") is not the same as: user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org") this is because the first uses http while the second uses https.
...for example: user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org https://developer.mozilla.org") again, keep in mind the security risks involved here and be sure to remove permission to access the clipboard once you no longer need it enabled.

Certificate functions
and later cert_encodecrldistributionpoints mxr 3.5 and later cert_encodegeneralname mxr 3.4 and later cert_encodeinfoaccessextension mxr 3.12 and later cert_encodeinhibitanyextension mxr 3.12 and later cert_encodenoticereference mxr 3.12 and later cert_encodeocsprequest mxr 3.6 and later cert_encodepolicyconstraintsextension mxr 3.12 and later cert_encodepolicymappingextension mxr 3.12 and later cert_encodesubjectkeyid mxr 3.12 and later cert_encodeusernotice mxr 3.12 and later cert_extractpublickey mxr 3.2 and later cert_findcertbyname mxr 3.2 and later cert_findcrlentryreasonexten mxr 3.12 and later ...
... mxr 3.2 and later cert_getcertificatenames mxr 3.10 and later cert_getcertificaterequestextensions mxr 3.10 and later cert_getcertissuerandsn mxr 3.2 and later cert_getcertnicknames mxr 3.2 and later cert_getcerttrust mxr 3.2 and later cert_getcertuid mxr 3.2 and later cert_getclassicocspdisabledpolicy mxr 3.12 and later cert_getclassicocspenabledhardfailurepolicy mxr 3.12 and later cert_getclassicocspenabledsoftfailurepolicy mxr 3.12 and later cert_getcommonname mxr 3.2 and later cert_getcountryname mxr 3.2 and later cert_getdbcontentversion mxr 3.2 and later cert_getdefaultcertdb mxr 3.2 and later ...
...0 and later cert_getocspresponsestatus mxr 3.6 and later cert_getocspstatusforcertid mxr 3.6 and later cert_getoidstring mxr 3.9 and later cert_getorgname mxr 3.2 and later cert_getorgunitname mxr 3.2 and later cert_getocspauthorityinfoaccesslocation mxr 3.4 and later cert_getpkixverifynistrevocationpolicy mxr 3.12 and later cert_getprevgeneralname mxr 3.10 and later cert_getprevnameconstraint mxr 3.10 and later cert_getsloptime mxr 3.2 and later cert_getsslcacerts mxr 3.2 and later cert_getstatename mxr 3.2 and later cert_getusepkixforvalidation mxr 3.12 and later cert_getvaliddnspatternsfromce...

NSS tools : certutil
--extpm add the policy mappings extension to the certificate.
... --extpc add the policy constraints extension to the certificate.
... --extia add the inhibit any policy access extension to the certificate.

sslintro.html
nss_setdomesticpolicy, nss_setexportpolicy, nss_setfrancepolicy, or ssl_cipherpolicyset.
... these functions tell the library which cipher suites are permitted by policy (for example, to comply with export restrictions).
... cipher suites disabled by policy cannot be enabled by user preference.

certutil
--extpm add the policy mappings extension to the certificate.
... --extpc add the policy constraints extension to the certificate.
... --extia add the inhibit any policy access extension to the certificate.

JSAPI User Guide
the same origin policy governs a script's access to data and functions from other web pages.
... to use spidermonkey's fine-grained security features: decide what security policy you want to enforce.
...(some security checks are also built into the javascript engine; you must decide what security policy to enforce for each of these checks.) implement one or more jsprincipals objects in your application.

imgILoader
mage/loader;1"] .getservice(components.interfaces.imgiloader); method overview imgirequest loadimage(in nsiuri auri, in nsiuri ainitialdocumenturl, in nsiuri areferreruri, in nsiprincipal aloadingprincipal, in nsiloadgroup aloadgroup, in imgidecoderobserver aobserver, in nsisupports acx, in nsloadflags aloadflags, in nsisupports cachekey, in imgirequest arequest, in nsichannelpolicy channelpolicy); imgirequest loadimagewithchannel(in nsichannel achannel, in imgidecoderobserver aobserver, in nsisupports cx, out nsistreamlistener alistener); boolean supportimagewithmimetype(in string mimetype); constants constant value description load_cors_anonymous 1 << 16 load_cors_use_credentials 1 << 17 methods loadimage() start the load and decode of an image.
... imgirequest loadimage( in nsiuri auri, in nsiuri ainitialdocumenturl, in nsiuri areferreruri, in nsiprincipal aloadingprincipal, in nsiloadgroup aloadgroup, in imgidecoderobserver aobserver, in nsisupports acx, in nsloadflags aloadflags, in nsisupports cachekey, in imgirequest arequest, in nsichannelpolicy channelpolicy ); parameters auri the uri to load.
...channelpolicy return value loadimagewithchannel() start the load and decode of an image.

nsICacheSession
evictentries() this method evicts all entries for this session's clientid according to its storagepolicy.
...isstorageenabled() this method checks if the cache devices implied by the session storage policy are currently enabled for instantiation if they don't already exist.
...return value returns whether any of the cache devices implied by the session storage policy are currently enabled for instantiation or not, depending on their existence.

nsIPrincipal
obsolete since gecko 1.8 csp nsicontentsecuritypolicy a content security policy associated with this principal.
... securitypolicy voidptr the domain security policy of the principal.
...d 4 methods native code only!canenablecapability short canenablecapability( in string capability ); parameters capability missing description return value missing description exceptions thrown missing exception missing description checkmayload() checks whether this principal is allowed to load the network resource located at the given uri under the same-origin policy.

Using Fetch - Web APIs
the spec changed the default credentials policy to same-origin.
... fetch requests are controlled by the connect-src directive of content security policy rather than the directive of the resources it's retrieving.
... mode: 'cors', // no-cors, *cors, same-origin cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached credentials: 'same-origin', // include, *same-origin, omit headers: { 'content-type': 'application/json' // 'content-type': 'application/x-www-form-urlencoded', }, redirect: 'follow', // manual, *follow, error referrerpolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url body: json.stringify(data) // body data type must match "content-type" header }); return response.json(); // parses json response into native javascript objects } postdata('https://example.com/answer', { answer: 42 }) .th...

HTMLIFrameElement.csp - Web APIs
the csp property of the htmliframeelement interface specifies the content security policy that an embedded document must agree to enforce upon itself.
... syntax var csp = htmliframeelement.csp htmliframeelement.csp = csp value a content security policy.
... specifications specification status comment content security policy: embedded enforcementthe definition of 'csp' in that specification.

HTMLIFrameElement - Web APIs
htmliframeelement.csp specifies the content security policy that an embedded document must agree to enforce upon itself.
... htmliframeelement.featurepolicy read only returns the featurepolicy interface which provides a simple api for introspecting the feature policies applied to a specific document.
... htmliframeelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use when fetching the linked resource.

Reporting API - Web APIs
the reporting api provides a generic reporting mechanism for web applications to use to make reports available based on various platform features (for example content security policy, feature-policy, or feature deprecation reports) in a consistent manner.
...such information can include: content security policy violations.
... feature-policy violations.

Using the Screen Capture API - Web APIs
security in order to function when feature policy is enabled, you will need the display-capture permission.
... this can be done using the feature-policy http header or—if you're using the screen capture api in an <iframe>, the <iframe> element's allow attribute.
... for example, this line in the http headers will enable screen capture api for the document and any embedded <iframe> elements that are loaded from the same origin: feature-policy: display-capture 'self' if you're performing screen capture within an <iframe>, you can request permission just for that frame, which is clearly more secure than requesting a more general permission: <iframe src="https://mycode.example.net/etc" allow="display-capture"> </iframe> ...

SharedWorker() - Web APIs
this script must obey the same-origin policy.
...it must obey the same-origin policy.
... exceptions a securityerror is raised if the document is not allowed to start workers, for example if the url has an invalid syntax or if the same-origin policy is violated.

Storage Access API - Web APIs
in the case of breakage, site owners have often encouraged users to add their site as an exception or to disable the policy entirely.
... as a consequence, users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
... documentation for firefox's new storage access policy for blocking tracking cookies includes a detailed description of the scope of storage access grants.

Worker() - Web APIs
this script must obey the same-origin policy.
...it must obey the same-origin policy.
...if the url has an invalid syntax or if the same-origin policy is violated.

HTML attribute reference - HTML: Hypertext Markup Language
allow <iframe> specifies a feature-policy for the iframe.
... crossorigin <audio>, <img>, <link>, <script>, <video> how the element handles cross-origin requests csp <iframe> specifies the content security policy that an embedded document must agree to enforce upon itself.
... referrerpolicy <a>, <area>, <iframe>, <img>, <link>, <script> specifies which referrer is sent when fetching the resource.

<style>: The Style Information element - HTML: Hypertext Markup Language
nonce a cryptographic nonce (number used once) used to whitelist inline styles in a style-src content-security-policy.
... the server must generate a unique nonce value each time it transmits a policy.
... it is critical to provide a nonce that cannot be guessed as bypassing a resource’s policy is otherwise trivial.

Evolution of HTTP - HTTP
relaxing the security-model of the web http is independent of the security model of the web, the same-origin policy.
...over the years, it has proved useful to be able to be more lenient, by allowing under certain constraints to lift some of the restriction of this policy.
...these are defined in specifications like cross-origin resource sharing (cors) or the content security policy (csp).

CORS errors - HTTP
cross-origin resource sharing (cors) is a standard that allows a server to relax the same-origin policy.
... if the cors configuration isn't setup correctly, the browser console will present an error like "cross-origin request blocked: the same origin policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the cors security rules.
...it will probably look like this: the text of the error message will be something similar to the following: cross-origin request blocked: the same origin policy disallows reading the remote resource at https://some-url-here.

CSP: block-all-mixed-content - HTTP
the http content-security-policy (csp) block-all-mixed-content directive prevents loading any assets over http when the page uses https.
... syntax content-security-policy: block-all-mixed-content; examples content-security-policy: block-all-mixed-content; <meta http-equiv="content-security-policy" content="block-all-mixed-content"> to disallow http assets on a more granular level, you can also set individual directives to https:.
... for example, to disallow nonsecure http images: content-security-policy: img-src https: specifications specification status comment mixed contentthe definition of 'block-all-mixed-content' in that specification.

CSP: require-sri-for - HTTP
the http content-security-policy require-sri-for directive instructs the client to require the use of subresource integrity for scripts or styles on the page.
... syntax content-security-policy: require-sri-for script; content-security-policy: require-sri-for style; content-security-policy: require-sri-for script style; script requires sri for scripts.
... examples if you set your site to require sri for script and styles using this directive: content-security-policy: require-sri-for script style <script> elements like the following will be loaded as they use a valid integrity attribute.

CSP: trusted-types - HTTP
the http content-security-policy (csp) trusted-types directive instructs user agents to restrict usage of known dom xss sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings.
...this directive declares a white-list of trusted type policy names created with trustedtypes.createpolicy from trusted types api.
... syntax content-security-policy: trusted-types; content-security-policy: trusted-types <policyname>; content-security-policy: trusted-types <policyname> <policyname> 'allow-duplicates'; <domstring> any string can be a trusted type policy name.

CSP: upgrade-insecure-requests - HTTP
the http content-security-policy (csp) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure urls (those served over http) as though they have been replaced with secure urls (those served over https).
... syntax content-security-policy: upgrade-insecure-requests; examples // header content-security-policy: upgrade-insecure-requests; // meta tag <meta http-equiv="content-security-policy" content="upgrade-insecure-requests"> with the above header set on a domain example.com that wants to migrate from http to https, non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requ...
... <img src="https://example.com/image.png"> <img src="https://not-example.com/image.png"> navigational upgrades to third-party resources brings a significantly higher potential for breakage, these are not upgraded: <a href="https://example.com/">home</a> <a href="http://not-example.com/">home</a> finding insecure requests with the help of the content-security-policy-report-only header and the report-uri directive, you can set-up an enforced policy and a reported policy like this: content-security-policy: upgrade-insecure-requests; default-src https: content-security-policy-report-only: default-src https:; report-uri /endpoint that way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure r...

Network Error Logging - HTTP
max_age specifies the lifetime of the policy, in seconds (in a similar way to e.g.
...the referenced reporting group should have a lifetime at least as long as the nel policy.
... include_subdomains if true, the policy applies to all subdomains under the origin that the policy header is set.

XPCOM Objects - Archive of obsolete content
one common use for this service is registering a component as a content policy.
...nregisterself methods: registerself : function(acompmgr, alocation, aloaderstr, atype) { let categorymanager = cc[@mozilla.org/categorymanager;1].getservice(ci.nsicategorymanager); acompmgr.queryinterface(ci.nsicomponentregistrar); acompmgr.registerfactorylocation( class_id, class_name, contract_id, alocation, aloaderstr, atype); categorymanager.addcategoryentry( "content-policy", "xulschool hello world", contract_id, true, true); }, in this case the component would need to implement nsicontentpolicy.

Index of archived content - Archive of obsolete content
pydom rdf api rdf datasource how-to reading textual data remote xul remote debugging rsyncing the cvs repository running windows debug builds downloaded from tinderbox sxsw 2007 presentations safe browsing safe browsing: design documentation safely loading uris same origin policy for xbl space manager detailed design space manager high level design standalone xpcom standard makefile header static analysis for windows code under linux stress testing string quick reference string rosetta stone structure of an installable bundle supporting per-window private browsing ...
... cross-browser tooltips environment variables affecting crash reporting io guide images, tables, and mysterious gaps installing plugins to gecko embedding browsers on windows mcd, mission control desktop, aka autoconfig monitoring wifi access points no proxy for configuration notes on html reflow same-origin policy for file: uris source navigator source code directories overview using xml data islands in mozilla using content preferences visualizing an audio spectrum working with bfcache cert_override.txt mozilla release faq newsgroup summaries format mozilla.dev.a...

2006-10-20 - Archive of obsolete content
method shouldload in "content-policy" category problem ?
... a student learning xpcom is having issues with the method shouldload in the interface nslcontentpolicy.

Navigation directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp navigation directives are used in a content-security-policy header and govern to which location a user can navigate to or submit a form to, for example.
... learn more https://www.w3.org/tr/csp/#directives-navigation other kinds of directives: fetch directive document directive reporting directive block-all-mixed-content upgrade-insecure-requests require-sri-for trusted-types content-security-policy ...

What’s in the head? Metadata in HTML - Learn web development
note: if your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.

From object to iframe — other embedding technologies - Learn web development
one important note is that you should never add both allow-scripts and allow-same-origin to your sandbox attribute — in that case, the embedded content could bypass the same-origin policy that stops sites from executing scripts, and use javascript to turn off sandboxing altogether.
... configure csp directives csp stands for content security policy and provides a set of http headers (metadata sent along with your web pages when they are served from a web server) designed to improve the security of your html document.

Index
683 source code submission add-ons, extensions, review policy, distribution to complete the review process at addons.mozilla.org (amo), reviewers must be able to read the code in your extension.
... 688 third party library usage add-ons, extensions, review policy to complete the review process at addons.mozilla.org (amo), reviewers must be able to verify the code in your extension.

Cookies Preferences in Mozilla
network.cookie.cookiebehavior default value: 0 0 = accept all cookies by default 1 = only accept from the originating site (block third party cookies) 2 = block all cookies by default 3 = use p3p settings (note: this is only applicable to older mozilla suite and seamonkey versions.) 4 = storage access policy: block cookies from trackers network.cookie.lifetimepolicy default value: 0 0 = accept cookies normally 1 = prompt for each cookie (prompting was removed in firefox 44) 2 = accept for current session only 3 = accept for n days network.cookie.lifetime.days default value: 90 only used if network.cookie.lifetimepolicy is set to 3 sets the number of days that the lifetime of cookies should ...
... network.cookie.alwaysacceptsessioncookies default value: false only used if network.cookie.lifetimepolicy is set to 1 true = accepts session cookies without prompting false = prompts for session cookies network.cookie.thirdparty.sessiononly default value: false true = restrict third party cookies to the session only false = no restrictions on third party cookies network.cookie.maxnumber default value: 1000 configures the maximum amount of cookies to be stored valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 300 network.cookie.maxperhost default value: 50 configures the maximum amount of cookies to be stored per host valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 20 network.cookie.disablecookieformailnews defa...

Experimental features in Firefox
nightly 33 no developer edition 33 no beta 33 no release 33 no preference name media.track.enabled dom document property: autoplaypolicy the document property autoplaypolicy returns a string indicating how the browser handles requests to automatically play media (either using the autoplay property on a media element or by attempting to trigger playback from javascript code.
... nightly 66 no developer edition 66 no beta 66 no release 66 no preference name dom.media.autoplay.autoplay-policy-api geometryutils methods: convertpointfromnode(), convertrectfromnode(), and convertquadfromnode() the geometryutils methods convertpointfromnode(), convertrectfromnode(), and convertquadfromnode() map the given point, rectangle, or quadruple from the node on which they're called to another node.

Message manager overview
process scripts are most likely to be useful when an extension wants to run some code only once in the content process, to access some global service: for example, to register an observer or a content policy.
...this is the recommended way to load a script that executes just once per child process, which is something you might want to do if you are interacting with some global service (for example, adding listeners to observer notifications or registering a content policy).

Process scripts
for example, in multiprocess firefox, if you need to use nsicontentpolicy to register a content policy, you must do this in the content process.
... but if you register it in a frame script, and the frame script is loaded more than once, you'll register the content policy more than once, which probably isn't what you intend.

Creating localizable web applications
bad: <a href="http://www.mozilla.com/privacy-policy.html"><?= _('privacy policy'); ?></a> snippet 2.
... good: css: a[hreflang="en"]::after { content: " [en]" } html/php: <a href="http://www.mozilla.com/privacy-policy.html" hreflang="en"><?= _('privacy policy'); ?></a> don't mingle app logic and localizable content when using pure html if you decide not to use gettext on some pages (e.g.

NSS 3.15.2 release notes
bug 848384 - deprecate the ssl cipher policy code, as it's no longer relevant.
... it is no longer necessary to call nss_setdomesticpolicy because all cipher suites are now allowed by default.

NSS 3.30 release notes
nss 3.30 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_30_rtm/src/ new in nss 3.30 new functionality in the pkcs#11 root ca module (nssckbi), cas with positive trust are marked with a new boolean attribute, cka_nss_mozilla_ca_policy, set to true.
... new macros in ciferfam.h pkcs12_aes_cbc_128, pkcs12_aes_cbc_192, pkcs12_aes_cbc_256 - cipher family identifiers corresponding to the pkcs#5 v2.1 aes based encryption schemes used in the pkcs#12 support in nss in pkcs11n.h cka_nss_mozilla_ca_policy - identifier for a boolean pkcs#11 attribute, that should be set to true, if a ca is present because of it's acceptance according to the mozilla ca policy notable changes in nss 3.30 the tls server code has been enhanced to support session tickets when no rsa certificate (e.g.

OLD SSL Reference
etdefault ssl_cipherprefsetdefault ssl_cipherprefgetdefault ssl_clearsessioncache ssl_configserversessionidcache initializing multi-processing with a shared ssl server cache ssl_configmpserversidcache ssl_inheritmpserversidcache ssl export policy functions nss_setdomesticpolicy nss_setexportpolicy nss_setfrancepolicy ssl_cipherpolicyset ssl_cipherpolicyget ssl configuration functions ssl configuration ssl_importfd ssl_optionset ...
...ions ssl_forcehandshake ssl_rehandshake ssl_resethandshake nss shutdown function nss_shutdown deprecated functions ssl_enabledefault ssl_enable ssl_enablecipher ssl_setpolicy ssl_redohandshake chapter 5 certificate functions this chapter describes the functions and related types used to work with a certificate database such as the cert7.db database provided with communicator.

sslerr.html
ssl_error_no_ciphers_supported -12265 "no cipher suites are present and enabled in this program." possible causes: (a) all cipher suites have been configured to be disabled, (b) the only cipher suites that are configured to be enabled are those that are disallowed by cipher export policy, (c) the socket is configured to handshake as a server, but the certificate associated with that socket is inappropriate for the key exchange algorithm selected.
... failed because the pkcs#11 token is not logged in." sec_error_ocsp_responder_cert_invalid -8036 "the configured ocsp responder's certificate is invalid." sec_error_ocsp_bad_signature -8035 "ocsp response has an invalid signature." sec_error_out_of_search_limits -8034 "certification validation search is out of search limits." sec_error_invalid_policy_mapping -8033 "policy mapping contains any-policy." sec_error_policy_validation_failed -8032 "certificate chain fails policy validation." sec_error_unknown_aia_location_type -8031 "unknown location type in certificate aia extension." sec_error_bad_http_response -8030 "server returned a bad http response." sec_error_bad_ldap_response -...

SSL functions
function name/documentation source code nss versions nss_getclientauthdata mxr 3.2 and later nss_setdomesticpolicy mxr 3.2 and later nss_setexportpolicy mxr 3.2 and later nss_setfrancepolicy mxr 3.2 and later nssssl_versioncheck mxr 3.2.1 and later ssl_authcertificate mxr 3.2 and later ssl_authcertificatehook mxr 3.2 and later ssl_badcerthook mxr 3.2 and later ssl_certdbhandleset mxr 3.2 and later ...
... ssl_canbypass mxr 3.11.7 and later ssl_cipherpolicyget mxr 3.2 and later ssl_cipherpolicyset mxr 3.2 and later ssl_cipherprefget mxr 3.2 and later ssl_cipherprefgetdefault mxr 3.2 and later ssl_cipherprefset mxr 3.2 and later ssl_cipherprefsetdefault mxr 3.2 and later ssl_clearsessioncache mxr 3.2 and later ssl_configmpserversidcache mxr 3.2 and later ssl_configsecureserver mxr 3.2 and later ssl_configserversessionidcache mxr 3.2 and later ssl_datapending mxr 3.2 and later ssl_forcehandshake mxr 3.2 and later ssl_forcehandshakewithtimeout mxr 3.11.4 and later ssl_getchannelinfo m...

JSCheckAccessOp
jscheckaccessop implementations generally work by using jsdbgapi functions such as js_frameiterator and js_stackframeprincipals to obtain the principals of the code attempting the checked operation, then examining those principals and comparing them with the system's security policy.
... the nature of principals and the security policy are entirely up to the application.

JS_GetSecurityCallbacks
callback structure struct jssecuritycallbacks { jscspevalchecker contentsecuritypolicyallows; // added in spidermonkey 1.8.5 jssubsumesop subsumes; // added in spidermonkey 31 jscheckaccessop checkobjectaccess; // obsolete since jsapi 29 jsprincipalstranscoder principalstranscoder; // obsolete since jsapi 13 jsobjectprincipalsfinder findobjectprincipals; // obsolete since jsapi 13 }; name type description ...
... contentsecuritypolicyallows jscspevalchecker a pointer to the function which checks if a csp instance wants to disable eval() and friends.

Shell global objects
serialize(data, [transferables, [policy]]) serialize data using js_writestructuredclone.
...policy must be an object.

Setting up an update server
this can be done most reliably with an enterprise policy.
... the policy file location depends on the operating system you are using.

Gecko object attributes
other possible values are "polite", "assertive", and "rude", which is a suggestion for the policy when interrupting the user for changes to this region.
... container-live interruption policy.

Starting WebLock
void lock(); void unlock(); this interface does not enforce any policy with respect to how the user enables or disables this feature.
...there is no policy applied to what sites get added or removed to this list, or who can remove a site.

Index
388 nsichannelpolicy interfaces, interfaces:scriptable, xpcom, xpcom interface reference this interface exists to allow the content policy mechanism to function properly during channel redirects.
...(see nsicontentpref below.) 439 nsicontentsecuritypolicy interfaces, interfaces:scriptable, needscontent, xpcom, xpcom interface reference verifies ancestry as permitted by the policy.

nsICacheEntryDescriptor
this fails if the storage policy is not store_in_memory.
... storagepolicy nscachestoragepolicy get or set the storage policy of the cache entry.

XPCOM Interface Reference
inputstreamnsibinaryoutputstreamnsiblocklistpromptnsiblocklistservicensiboxobjectnsibrowserboxobjectnsibrowserhistorynsibrowsersearchservicensicrlinfonsicrlmanagernsicachensicachedeviceinfonsicacheentrydescriptornsicacheentryinfonsicachelistenernsicachemetadatavisitornsicacheservicensicachesessionnsicachevisitornsicachingchannelnsicancelablensicategorymanagernsichannelnsichanneleventsinknsichannelpolicynsicharsetresolvernsichromeframemessagemanagernsichromeregistrynsiclassinfonsiclipboardnsiclipboardcommandsnsiclipboarddragdrophooklistnsiclipboarddragdrophooksnsiclipboardhelpernsiclipboardownernsicollectionnsicommandcontrollernsicommandlinensicommandlinehandlernsicommandlinerunnernsicomponentmanagernsicomponentregistrarnsicompositionstringsynthesizernsiconsolelistenernsiconsolemessagensiconsoles...
...ervicensicontainerboxobjectnsicontentframemessagemanagernsicontentprefnsicontentprefcallback2nsicontentprefobservernsicontentprefservicensicontentprefservice2nsicontentsecuritypolicynsicontentsniffernsicontentviewnsicontentviewmanagernsicontentviewernsicontrollernsicontrollersnsiconverterinputstreamnsiconverteroutputstreamnsicookiensicookie2nsicookieacceptdialognsicookieconsentnsicookiemanagernsicookiemanager2nsicookiepermissionnsicookiepromptservicensicookieservicensicookiestoragensicrashreporternsicryptohmacnsicryptohashnsicurrentcharsetlistenernsicyclecollectorlistenernsidbchangelistenernsidbfolderinfonsidnslistenernsidnsrecordnsidnsrequestnsidnsservicensidomcanvasrenderingcontext2dnsidomchromewindownsidomclientrectnsidomdesktopnotificationnsidomdesktopnotificationcenternsidomelementnsidomeve...

Index
18 cookies in thunderbird cookies, guide, thunderbird in versions of thunderbird prior to 3 the cookie policy was very restrictive (to rss only).
... thunderbird 3 uses the gecko cookie policy with some changes.

AbsoluteOrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

AbsoluteOrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Accelerometer.Accelerometer() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Accelerometer.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Accelerometer.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Accelerometer.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Accelerometer - Web APIs
if a feature policy blocks the use of a feature, it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

AmbientLightSensor.AmbientLightSensor() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

AmbientLightSensor.illuminance - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation insfructions.

AmbientLightSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Document.domain - Web APIs
the domain property of the document interface gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
... exceptions securityerror an attempt has been made to set domain under one of the following conditions: the document is inside a sandboxed <iframe> the document has no browsing context the document's effective domain is null the given value is not equal to the document's effective domain (or it is not a registerable domain suffix of it) the document-domain feature-policy is enabled examples getting the domain for the uri http://developer.mozilla.org/docs/web, this example sets currentdomain to the string "developer.mozilla.org".

Element.requestFullscreen() - Web APIs
the element is not permitted to use the "fullscreen" feature, either because of feature policy configuration or other access control features.
... additionally, of course, the feature policy "fullscreen" permission must be granted.

Fullscreen API - Web APIs
controlling access the availability of full-screen mode can be controlled using feature policy.
... see using feature policy to learn more about using feature policy to control access to an api.

Gyroscope.Gyroscope() - Web APIs
if a feature policy blocks use of a feature, it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Gyroscope.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Gyroscope.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Gyroscope.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Gyroscope - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

HTMLLinkElement - Web APIs
htmllinkelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use.
... living standard adds the following properties: crossorigin, referrerpolicy, and as.

Basic concepts - Web APIs
like most web storage solutions, indexeddb follows a same-origin policy.
... indexeddb adheres to a same-origin policy.

Browser storage limits and eviction criteria - Web APIs
this will be evicted under a least recently used (lru policy) when storage limits are reached.
... lru policy when the available disk space is filled up, the quota manager will start clearing out data based on an lru policy — the least recently used origin will be deleted first, then the next one, until the browser is no longer over the limit.

LinearAccelerationSensor.LinearAccelerationSensor() - Web APIs
if a feature policy blocks use of a feature, it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

LinearAccelerationSensor.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

LinearAccelerationSensor.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

LinearAccelerationSensor.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

LinearAccelerationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Magnetometer.Magnetometer() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Magnetometer.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Magnetometer.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Magnetometer.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Magnetometer - Web APIs
if a feature policy blocks use of a feature, it's because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Navigator.getBattery() - Web APIs
note: in some browsers access to this feature is controlled by feature-policy directive battery.
...for example, it might not be explicitly allowed or restricted via feature-policy battery feature.

Navigator - Web APIs
navigator.securitypolicy returns an empty string.
... in netscape 4.7x, returns "us & ca domestic policy" or "export policy".

OrientationSensor.populateMatrix() - Web APIs
where: w = cos(θ/2) x = vx * sin(θ/2) y = vy * sin(θ/2) z = vz * sin(θ/2) if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

OrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

RelativeOrientationSensor.RelativeOrientationSensor() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

RelativeOrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Screen Capture API - Web APIs
feature policy validation user agents that support feature policy (either using http's feature-policy header or the <iframe> attribute allow) can specify a desire to use the screen capture api using the policy control directive display-capture: <iframe allow="display-capture" src="/some-other-document.html"> the default allow list is self, which lets the any content within the document use screen capture.
... see using feature policy for a more in-depth explanation of how feature policy is used.

Screen Wake Lock API - Web APIs
feature policy integration access to screen wake lock api is controlled by feature policy directive screen-wake-lock.
... refer to using feature policy for reference how to use it.

Sensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.

Using the Storage Access API - Web APIs
since embedded content won’t know which storage policy is in use by the user, it’s best to always check whether the embedded frame has storage access before attempting to read or write from storage.
... accessing a user's cookies in an embedded cross-origin iframe in this example we show how an embedded cross-origin <iframe> can access a user’s cookies under a storage access policy that blocks third-party cookies.

WebXR permissions and security - Web APIs
the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.
...this permission comes from the xr-spatial-tracking feature policy.

Starting up and shutting down a WebXR session - Web APIs
first among these is that use of immersive-vr mode—which entirely replaces the user's view of the world—requires that the xr-spatial-tracking feature policy be in place.
... if the session couldn't be created for some reason—such as feature policy disallowing its use or the user declining to grant permission to use the headset—the promise gets rejected.

Web Audio API best practices - Web APIs
autoplay policy browsers have started to implement an autoplay policy, which in general can be summed up as: "create or resume context from inside a user gesture".
... const audioctx = new audiocontext(); const button = document.queryselector('button'); button.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } }, false); you might instead be working with an offlineaudiocontext, in which case you can resume the suspended audio context with the startrendering() method.

Background audio processing using AudioWorklet - Web APIs
in general, the lifetime policy of any audio node is simple: if the node is still considered to be actively processing audio, it will continue to be used.
...in other words, true overrides the api's logic and gives you control over your processor's lifetime policy, keeping the processor's owning audioworkletnode running even when it would otherwise decide to shut down the node.

Window.open() - Web APIs
the returned reference can be used to access properties and methods of the new window as long as it complies with same-origin policy security requirements.
... it is because of the cross-domain script security restriction (also referred as the "same origin policy").

window.postMessage() - Web APIs
normally, scripts on different pages are allowed to access each other if and only if the pages they originate from share the same protocol, port number, and host (also known as the "same-origin policy").
...shared memory is gated behind two http headers: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if ...

WindowOrWorkerGlobalScope.fetch() - Web APIs
the fetch() method is controlled by the connect-src directive of content security policy rather than the directive of the resources it's retrieving.
... referrerpolicy specifies the referrer policy to use for the request.

Web APIs
imer_query ext_float_blend ext_frag_depth ext_srgb ext_shader_texture_lod ext_texture_compression_bptc ext_texture_compression_rgtc ext_texture_filter_anisotropic eckeygenparams eckeyimportparams ecdhkeyderiveparams ecdsaparams effecttiming element elementcssinlinestyle elementtraversal errorevent event eventlistener eventsource eventtarget extendableevent extendablemessageevent f featurepolicy federatedcredential fetchevent file fileentrysync fileerror fileexception filelist filereader filereadersync filerequest filesystem filesystemdirectoryentry filesystemdirectoryreader filesystementry filesystementrysync filesystemfileentry filesystemflags filesystemsync focusevent fontface fontfaceset fontfacesetloadevent formdata formdataentryvalue formdataevent full...
...e svgstyleelement svgswitchelement svgsymbolelement svgtrefelement svgtspanelement svgtests svgtextcontentelement svgtextelement svgtextpathelement svgtextpositioningelement svgtitleelement svgtransform svgtransformlist svgtransformable svgurireference svgunittypes svguseelement svgvkernelement svgviewelement svgzoomandpan screen screenorientation scriptprocessornode scrolltooptions securitypolicyviolationevent selection sensor sensorerrorevent serviceworker serviceworkercontainer serviceworkerglobalscope serviceworkermessageevent serviceworkerregistration serviceworkerstate shadowroot sharedworker sharedworkerglobalscope slottable sourcebuffer sourcebufferlist speechgrammar speechgrammarlist speechrecognition speechrecognitionalternative speechrecognitionerror speech...

Standard metadata names - HTML: Hypertext Markup Language
when several conflicting policies are defined, the no-referrer policy is applied.
... referrer policythe definition of 'the "referrer" metadata name' in that specification.

Cross-Origin Resource Sharing (CORS) - HTTP
for example, xmlhttprequest and the fetch api follow the same-origin policy.
...modern browsers handle the client side of cross-origin sharing, including headers and policy enforcement.

SameSite cookies - HTTP
cookie “mycookie” has “samesite” policy set to “lax” because it is missing a “samesite” attribute, and “samesite=lax” is the default value for this attribute.
... the warning appears because the samesite policy for a cookie has not specified explicitly: set-cookie: flavor=choco while you could rely on modern browsers to apply samesite=lax automatically, you should rather specify it explicitly to clearly communicate your intent which samesite policy applies to your cookie.

X-Frame-Options - HTTP
note: the content-security-policy http header has a frame-ancestors directive which obsoletes this header for supporting browsers.
...the content-security-policy http header has a frame-ancestors directive which you can use instead.

X-XSS-Protection - HTTP
although these protections are largely unnecessary in modern browsers when sites implement a strong content-security-policy that disables the use of inline javascript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support csp.
... chrome has removed their xss auditor firefox have not, and will not implement x-xss-protection edge have retired their xss filter this means that if you do not need to support legacy browsers, it is recommended that you use content-security-policy without allowing unsafe-inline scripts instead.

<use> - SVG: Scalable Vector Graphics
for security reasons, browsers may apply the same-origin policy on use elements and may refuse to load a cross-origin url in the href attribute.
... there is currently no defined way to set a cross-origin policy for use elements.

preferences/service - Archive of obsolete content
example: require("sdk/preferences/service").set("general.useragent.locale", "chrome://global/locale/intl.properties"); example: setting global preferences var { get, set } = require("sdk/preferences/service"); var { when: unload } = require("sdk/system/unload"); var oldvalue = get("browser.urlbar.autofill"); set("browser.urlbar.autofill", true); // by amo policy global preferences must be changed back to their original value unload(function() { set("browser.urlbar.autofill", oldvalue); }); ...

Miscellaneous - Archive of obsolete content
if you wish to block selected scripts based on their uri, implement nsicontentpolicy.

Getting the page URL in NPAPI plugin - Archive of obsolete content
or whenever you make network requests yourself, you almost always need to enforce same-origin policy.

Images, Tables, and Mysterious Gaps - Archive of obsolete content
should this property be adopted, then any browser supporting it could emulate traditional "shrinkwrap" behavior without risking other layout upset with the following rule: td {line-box-contain: font replaced;} /* proposed for css3 */ there are other possible fixes contained within the current css3 working drafts, such as line-height-policy.

Misc top level - Archive of obsolete content
back in the early days, this approach worked, because browsers would usually make a table cell exactly as wide and tall as an image it contained.no proxy for configurationthis document provides a comprehensive discussion of the manual proxy feature "no proxy for:", including configuration issues, testing and bugs.same-origin policy for file: urisin gecko 1.8 or earlier, any two file: uris are considered to be same-origin.

JavaScript Client API - Archive of obsolete content
further, you agree (a) to maintain and link to (including on websites from which your third party client may be downloaded) a separate, conspicuous, and reasonably detailed privacy policy detailing how data collected or transmitted by your third party client is managed and protected; (b) that your third party client will only store data in encrypted form on the firefox sync servers operated by mozilla; (c) that you and your third party client will use the firefox sync apis solely for their intended purpose; (d) that your third party client will not hide or mask its identity as it ...

New Security Model for Web Services - Archive of obsolete content
this policy has generally been successful in sandboxing javascript and java applets across the web.

Elements - Archive of obsolete content
note: the normal same-origin policy is used for web sites; they can only link to xbl files on the same domain, or within the chrome.

2006-11-10 - Archive of obsolete content
trunk / 1_8 for kurdish firefox the firefox translations of the kurdish are only in trunk translating the firefox privacy policy the final and approved en-us version of privacy policy is available here and ready for localization team to translate.

2006-12-01 - Archive of obsolete content
summary: mozilla.dev.l10n - december 1, 2006 announcements langpacks for sunbird nightly builds available for testing langpacks for sunbird nightly builds available for testing seamonkey 1.1 late string changes for mail content policy the fix to bug 360288 has landed.

2006-11-24 - Archive of obsolete content
te of bugs for the firefox 1.5.0.9/2.0.0.1 releases discussion non-ascii rendering performance boris zbarsky made some suggestions on how to improve international font rendering cvs commit access changes a large discussion went on about changes to policies surrounding cvs commit access project drivers and technical oversight mike connor suggested ways to better organize project management, policy making, and technical oversight.

2006-12-01 - Archive of obsolete content
also discussed is the the mozilla_1_8_branch's npotb (not part of the build) checkin policy.

2006-11-10 - Archive of obsolete content
this can be defined within the nsicontentpolicy.

2006-12-01 - Archive of obsolete content
discussions nsicontentpolicy and user interaction the proper way to get user confirmation before trying to load certain file types.

Introduction to Public-Key Cryptography - Archive of obsolete content
for example, the number of certificates required may be too large for a single ca to maintain; different organizational units may have different policy requirements; or it may be important for a ca to be physically located in the same geographic area as the people to whom it is issuing certificates.

Choosing Standards Compliance Over Proprietary Practices - Archive of obsolete content
shared resources when an organization instills a corporate-wide policy of shared standards, they can leverage engineering resources across multiple projects.

RDF in Mozilla FAQ - Archive of obsolete content
contributors examples section added 2002-07-02 by danbri thanks to myk melez for notes on remote xul / security policy author: chris waterson original document information author(s): chris waterson last updated date: december 22, 2004 copyright information: copyright (c) chris waterson ...

Archive of obsolete content
or whenever you make network requests yourself, you almost always need to enforce same-origin policy.

Implementing controls using the Gamepad API - Game development
next, we set up two event listeners to get the data: window.addeventlistener("gamepadconnected", gamepadapi.connect); window.addeventlistener("gamepaddisconnected", gamepadapi.disconnect); due to security policy, you have to interact with the controller first while the page is visible for the event to fire.

Gecko FAQ - Gecko Redirect 1
formally, a layout engine defines the placement policy for a document and places content on a page.

CORS - MDN Web Docs Glossary: Definitions of Web-related terms
the same-origin security policy forbids cross-origin access to resources.

Document directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp document directives are used in a content-security-policy header and govern the properties of a document or worker environment to which a policy applies.

Fetch directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp fetch directives are used in a content-security-policy header and control locations from which certain resource types may be loaded.

Forbidden header name - MDN Web Docs Glossary: Definitions of Web-related terms
forbidden header names start with proxy- or sec-, or are one of the following names: accept-charset accept-encoding access-control-request-headers access-control-request-method connection content-length cookie cookie2 date dnt expect feature-policy host keep-alive origin proxy- sec- referer te trailer transfer-encoding upgrade via note: the user-agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in firefox 43) — it can now be set in a fetch headers object, or via xhr setrequestheader().

Reporting directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp reporting directives are used in a content-security-policy header and control the reporting process of csp violations.

SRI - MDN Web Docs Glossary: Definitions of Web-related terms
learn more subresource integrity content-security-policy: require-sri-for ...

Site - MDN Web Docs Glossary: Definitions of Web-related terms
the concept of a site is used in samesite cookies, as well as a web application's cross-origin resource policy.

Origin - MDN Web Docs Glossary: Definitions of Web-related terms
living standard learn more see same-origin policy for more information.

MDN Web Docs Glossary: Definitions of Web-related terms
responsive web design rest rgb ril robots.txt round trip time (rtt) routers rss rtcp (rtp control protocol) rtf rtl (right to left) rtp (real-time transport protocol) and srtp (secure rtp) rtsp: real-time streaming protocol ruby s safe same-origin policy scm scope screen reader script-supporting element scroll container scrollport sctp sdp search engine second-level domain secure sockets layer (ssl) selector (css) self-executing anonymous function semantics seo serialization server serve...

What is accessibility? - Learn web development
to show that you care and have thought about accessibility, publish an accessibility statement on your site that details what your policy is toward accessibility, and what steps you have taken toward making the site accessible.

Sending forms through JavaScript - Learn web development
xhr.send( urlencodeddata ); } btn.addeventlistener( 'click', function() { senddata( {test:'ok'} ); } ) here's the live result: note: this use of xmlhttprequest is subject to the same-origin policy if you want to send data to a third party web site.

Handling common accessibility problems - Learn web development
include an accessibility policy/statement somewhere findable on your site to say what you did.

Client-side tooling overview - Learn web development
this part of the tooling should be specific to your own development environment, though it’s not uncommon for companies to have some kind of policy or pre-baked configuration available to install so that all their developers are all using the same processes.

Accessibility/LiveRegionDevGuide
the following are guidelines on how to implement each container-live this property determines the interruption policy or politeness level for the event and can have values of "off", "polite", "assertive" and "rude".

Embedding API for Accessibility
setboolpref("browser.accept.applets", acceptapplets); no scripts setboolpref("browser.accept.scripts", acceptscripts); no popup windows // turn window.open off for particular sites: user_pref("capability.policy.popupsites.sites", "http://www.annoyingsite1.com http://www.popupsite2.com"); user_pref("capability.policy.popupsites.windowinternal.open","noaccess"); // or turn it off everywhere: user_pref("capability.policy.default.windowinternal.open","noaccess"); // o...

Links and Resources
guidelines & standards information and resources on section 508 - legal policy for us government purchases requiring software accessibility.

Mozilla’s UAAG evaluation report
here are all the "hidden prefs" lines that can be added to the user's prefs.js file, for controlling popup behavior: turn window.open off for particular sites: user_pref("capability.policy.popupsites.sites", "http://www.annoyingsite1.com http://www.popupsite2.com"); user_pref("capability.policy.popupsites.windowinternal.open", "noaccess"); or turn it off everywhere: user_pref("capability.policy.default.windowinternal.open", "noaccess"); override popping up new windows on target=anything: user_pref("browser.target_new_blocked", true); override popup ...

Application cache implementation overview
then, nsicacheservice is asked to open nsicachesession with store_offline policy and the given client id.

Installing headers using EXPORTS
here is an example <tt>makefile.in</tt> which has both c++ and idl headers: module = content xpidl_module = content_base exports = \ nsicontent.h \ nsidocument.h \ nsistylesheet.h \ $(null) xpidlsrcs = \ nsicontentpolicy.idl \ nsiselectioncontroller.idl \ $(null) include $(topsrcdir)/config/rules.mk ...

Message manager overview
process scripts are most likely to be useful when chrome code wants to run some code only once in the content process, to access some global service: for example, to register an observer or a content policy.

Errors
this page lists the errors that can be raised due to firefox's anti-tracking functionality, governed by the storage access policy.

Privacy
storage access policy: block cookies from trackerstracking protection ...

Security best practices for Firefox front-end engineers
this policy includes all dom apis that take a string and parse it into a dom tree.

WebRequest.jsm
you can use this api to implement a content policy in an add-on (for example, an ad or script blocker), as you could using nsicontentpolicy.

Localizing extension metadata on addons.mozilla.org
the localizable data fields of an extension are: name homepage summary description eula privacy policy version notes developer comments when you submit a new extension to amo, the process is divided into several steps.

Midas
user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); see: more about security preferences note: the shortcut key will automatically trigger this command (typically accel-v) with or without the signed js or any code on the page to handle it.

PR_SetLibraryPath
this allows an environment to express policy decisions globally and lazily, rather than hardcoding and distributing the decisions throughout the code.

Deprecated SSL functions
function name/documentation source code replacement in nss 3.2 ssl_enable mxr ssl_optionset ssl_enablecipher mxr ssl_cipherprefsetdefault ssl_enabledefault mxr ssl_optionsetdefault ssl_redohandshake mxr ssl_rehandshake ssl_setpolicy mxr ssl_cipherpolicyset ...

JSS Provider Notes
this policy varies across pkcs #11 tokens.

Mozilla-JSS JCA Provider notes
this policy varies across pkcs #11 tokens.

NSS_3.12.1_release_notes.html
ader file bug 429716: debug builds of libpkix unconditionally dump socket traffic to stdout bug 430368: vfychain -t option is undocumented bug 430369: vfychain -o succeeds even if -pp is not specified bug 430399: vfychain -pp crashes bug 430405: error log is not produced by cert_pkixverifycert bug 430743: update ssltap to understand the tls session ticket extension bug 430859: pkix: policy mapping fails verification with error invalid arguments bug 430875: document the policy for the order of cipher suites in ssl_implementedciphers.

NSS 3.12.4 release notes
new functions in the nss shared library: pk11_isinternalkeyslot (see pk11pub.h) secmod_opennewslot (see pk11pub.h) new error codes (see secerr.h): sec_error_bad_info_access_method sec_error_crl_import_failed new oids (see secoidt.h) sec_oid_x509_any_policy the nssckbi pkcs #11 module's version changed to 1.75.

NSS 3.14 release notes
support for md5 may be manually enabled (but is discouraged) by setting the environment variable of "nss_hash_alg_support=+md5" or by using the nss_setalgorithmpolicy function.

NSS 3.15.5 release notes
notable changes in nss 3.15.5 bug 950129: improve the ocsp fetching policy when verifying ocsp responses bug 949060: validate the iov input argument (an array of priovec structures) of ssl_writev (called via pr_writev).

NSS 3.16.3 release notes
notable changes in nss 3.16.3 the following 1024-bit ca certificates were removed cn = entrust.net secure server certification authority sha1 fingerprint: 99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39 cn = gte cybertrust global root sha1 fingerprint: 97:81:79:50:d8:1c:96:70:cc:34:d8:09:cf:79:44:31:36:7e:f4:74 ou = valicert class 1 policy validation authority sha1 fingerprint: e5:df:74:3c:b6:01:c4:9b:98:43:dc:ab:8c:e8:6a:81:10:9f:e4:8e ou = valicert class 2 policy validation authority sha1 fingerprint: 31:7a:2a:d0:7f:2b:33:5e:f5:a1:c3:4e:4b:57:e8:b7:d8:f1:fc:a6 ou = valicert class 3 policy validation authority sha1 fingerprint: 69:bd:8c:f4:9c:d3:00:fb:59:2e:17:93:ca:55:6a:f3:ec...

NSS 3.16.4 release notes
it was removed in nss 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers.

NSS 3.18.1 release notes
ou = equifax secure certificate authority sha1 fingerprint: d2:32:09:ad:23:d3:14:23:21:74:e4:0d:7f:9d:62:13:97:86:63:3a the following ca certificate was removed after discussion about it in the mozilla.dev.security.policy forum.

NSS 3.21 release notes
ckm_tls_mac - computes tls finished mac in secoidt.h nss_use_alg_in_ssl_kx - policy flag indicating that keys are used in tls key exchange in sslerr.h ssl_error_rx_short_dtls_read - error code for failure to include a complete dtls record in a udp packet ssl_error_no_supported_signature_algorithm - error code for when no valid signature and hash algorithm is available ssl_error_unsupported_signature_algorithm - error code for when an unsupported signature and h...

NSS 3.26 release notes
nss 3.26 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_26_rtm/src/ new in nss 3.26 new functionality the selfserv test utility has been enhanced to support alpn (http/1.1) and 0-rtt added support for the system-wide crypto policy available on fedora linux, see http://fedoraproject.org/wiki/changes/cryptopolicy introduced build flag nss_disable_libpkix which allows compilation of nss without the libpkix library notable changes in nss 3.26 the following ca certificate was added cn = isrg root x1 sha-256 fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd...

NSS 3.39 release notes
added the nss-policy-check utility, which can be used to check an nss policy configuration for problems.

NSS 3.43 release notes
g 1529308 - improve gyp build system handling bug 1529950 and bug 1521174 - improve nss s/mime tests for thunderbird bug 1530134 - if docker isn't installed, try running a local clang-format as a fallback bug 1531267 - enable fips mode automatically if the system fips mode flag is set bug 1528262 - add a -j option to the strsclnt command to specify sigschemes bug 1513909 - add manual for nss-policy-check bug 1531074 - fix a deref after a null check in seckey_setpublicvalue bug 1517714 - properly handle esni with hrr bug 1529813 - expose hkdf-expand-label with mechanism bug 1535122 - align tls 1.3 hkdf trace levels bug 1530102 - use getentropy on compatible versions of freebsd.

NSS 3.45 release notes
note: in 3.45 the sslchannelinfo is left unmodified, while an upcoming change in 3.46 will set sslchannelinfo.authkeybits to that of the delegated credential for better policy enforcement.

NSS 3.47 release notes
bug 1542207 - limit policy check on signature algorithms to known algorithms bug 1560329 - drbg: add continuous self-test on entropy source bug 1579290 - asan builds should disable lsan while building bug 1385061 - build nspr tests with nss make; add gyp parameters to build/run nspr tests bug 1577359 - build atob and btoa for thunderbird bug 1579036 - confusing error when trying to export non-existent cert with pk12ut...

NSS 3.52 release notes
bug 1629661 - mpconfig calls in ssl initialize policy before nss is initialized.

PKCS11 FAQ
nss knows about all the mechanisms defined in pkcs #11 version 2.01, but will not perform those that aren't defined by nss's policy mechanism.

NSS tools : vfychain
options -a the following certfile is base64 encoded -b yymmddhhmmz validate date (default: now) -d directory database directory -f enable cert fetching from aia url -o oid set policy oid for cert validation(format oid.1.2.3) -p use pkix library to validate certificate by calling: * cert_verifycertificate if specified once, * cert_pkixverifycert if specified twice and more.

NSS_3.12.3_release_notes.html
.h) seedcontextstr seedcontext new functions in the nss shared library: cert_rfc1485_escapeandquote (see cert.h) cert_comparecerts (see cert.h) cert_registeralternateocspaiainfocallback (see ocsp.h) pk11_getsymkeyhandle (see pk11pqg.h) util_setforkstate (see secoid.h) nss_getalgorithmpolicy (see secoid.h) nss_setalgorithmpolicy (see secoid.h) for the 2 functions above see also (in secoidt.h): nss_use_alg_in_cert_signature nss_use_alg_in_cms_signature nss_use_alg_reserved support for the watcom c compiler is removed the file watcomfx.h is removed.

NSS tools : vfychain
options -a the following certfile is base64 encoded -b yymmddhhmmz validate date (default: now) -d directory database directory -f enable cert fetching from aia url -o oid set policy oid for cert validation(format oid.1.2.3) -p use pkix library to validate certificate by calling: * cert_verifycertificate if specified once, * cert_pkixverifycert if specified twice and more.

Network Security Services
pkcs #11 information documentation on pkcs #11 modules implementing pkcs #11 for nss the strings nss uses to load pkcs #11 modules pkcs #11 faq using the jar installation manager to install a pkcs #11 cryptographic module pkcs #11 conformance testing - archived version ca certificates pre-loaded into nss mozilla ca certificate policy list of pre-loaded ca certificates consumers of this list must consider the trust bit setting for each included root certificate.

Small Footprint
class generation library if you do not include optimizer or javaadapter, nor do you use policysecuritycontroller then you do not need rhino library for class file generation and you can remove all the classes from in org.mozilla.classfile package.

Rhino overview
these features allow for the implementation of a traditional url-based security policy for javascript as in netscape navigator.

Rhino shell
note if the shell is invoked with the system property rhino.use_java_policy_security set to true and with a security manager installed, the shell restricts scripts permissions based on their urls according to java policy settings.

Hacking Tips
the other being disable this check in "about:config", by temporarily switching "security.fileuri.strict_origin_policy" to false note 2: the files can be very big and take a long time to load in the browser.

Index
153 jssecuritycallbacks.contentsecuritypolicyallows the jssecuritycallbacks.contentsecuritypolicyallows callback is called when a script attempts to access an object property.

Security and the jar protocol
firefox 2.0.0.10 (and firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar: protocol was used to load data.

A Web PKI x509 certificate primer
cas apply to have their root certificates included by default in mozilla products by following the mozilla ca certificate policy and applying for inclusion as per ca:how_to_apply.

Preface
finish implementing the weblock component: nsicontentpolicy, file i/o, locking, etc.

Using XPCOM Components
managing cookies from javascript var cmgr = components.classes["@mozilla.org/cookiemanager;1"] .getservice(); cmgr = cmgr.queryinterface(components.interfaces.nsicookiemanager); function loadcookies() { // load cookies into a table var enumerator = cmgr.enumerator; var count = 0; var showpolicyfield = false; while (enumerator.hasmoreelements()) { var nextcookie = enumerator.getnext(); nextcookie = nextcookie.queryinterface(components.interfaces.nsicookie); /* ....

Creating XPCOM components
e modifying paths with nsifile manipulating files with nsifile using nsilocalfile for reading data processing the white list data iweblock method by method lock and unlock addsite removesite setsites getnext getsites hasmoreelements finishing the component using frozen interfaces copying interfaces into your build environment implementing the nsicontentpolicy interface receiving notifications implementing the nsicontentpolicy uniform resource locators checking the white list creating nsiuri objects building the weblock ui user interface package list client code overview xul the xul document the locking ui site adding ui weblock.xul overlaying new user interface into mozilla weblockoverlay.xul other res...

nsIAnnotationService
if they haven't visited a page in a couple of months, they probably aren't interested in many other annotations, the positions of things, or other stuff you create, so put that in the weeks policy.

nsIApplicationCache
clients can open a session with nsicacheservice.createsession() using this client id and a storage policy of store_offline to access this cache.

nsIDispatchSupport
see nsiactivexsecuritypolicy for list of flags.

nsIDownloadManager
download_blocked_policy 9 windows specific: request was blocked by zone policy settings.

nsIRequest
it is the responsibility of the request to implement this policy.

XPCOM Interface Reference by grouping
ocesscontentframemessagemanager nsiscriptableio nsixpcscriptable future nsixmlhttprequestupload obsolete nsixmlrpcclient nsixmlrpcfault security auth nsiauthmodule nsiauthprompt nsiauthpromptprovider nsiauthpromptwrapper nsiasyncverifyredirectcallback content nsicontentpolicy credentials nsilogininfo nsiloginmanager using nsiloginmanager nsiloginmanagerstorage nsiloginmetainfo history nsiglobalhistory nsiglobalhistory2 nsiglobalhistory3 ssl nsibadcertlistener2 system action nsicancelable ...

Xray vision
so when chrome code accesses content objects, it sees them with xray vision: // chrome code var transfer = gbrowser.contentwindow.confirm("transfer all my money?"); // calls the native implementation note that using window.confirm() would be a terrible way to implement a security policy, and is only shown here to illustrate how xray vision works.

Mailnews and Mail code review requirements
see the full super-review policy for more details.

Toolkit version format
see maintenance policy for special rules that mark version as "beta" in the amo queues.

Migrating from Firebug - Firefox Developer Tools
download firefox developer edition general activation firebug's activation is url based respecting the same origin policy.

AudioWorkletProcessor.process - Web APIs
the returned value lets your processor have influence over the lifetime policy of the audioworkletprocessor and the node that owns it.

CloseEvent - Web APIs
1008 policy violation the endpoint is terminating the connection because it received a message that violates its policy.

Document.cookie - Web APIs
the only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.

Document.open() - Web APIs
this is no longer the case.document non-spec'ed parameters to document.open gecko-specific notes starting with gecko 1.9, this method is subject to the same same-origin policy as other properties, and does not work if doing so would change the document's origin.

Document - Web APIs
document.featurepolicy read only returns the featurepolicy interface which provides a simple api for introspecting the feature policies applied to a specific document.

Fetch API - Web APIs
in august 2017, the spec changed the default credentials policy to 'same-origin'.

Introduction to the File and Directory Entries API - Web APIs
the file and directory entries api adheres to the same-origin policy the file and directory entries api does not let you create and rename executable files the file system is sandboxed you cannot run your app from file:// the file and directory entries api adheres to the same-origin policy an origin is the domain, application layer protocol, and port of a url of the document where the script is being executed.

HTMLAnchorElement - Web APIs
htmlanchorelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use.

HTMLAreaElement - Web APIs
htmlareaelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use when fetching the linked resource.

HTMLAudioElement - Web APIs
modern browser's default autoplay policy will block that from happening.

HTMLElement - Web APIs
htmlorforeignelement.nonce returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed.

HTMLIFrameElement.src - Web APIs
the htmliframeelement.src property reflects the html referrerpolicy attribute of the <iframe> element defining which referrer is sent when fetching the resource.

HTMLImageElement - Web APIs
htmlimageelement.referrerpolicy a domstring that reflects the referrerpolicy html attribute, which tells the user agent how to decide which referrer to use in order to fetch the image.

HTMLOrForeignElement.nonce - Web APIs
the nonce property of the htmlorforeignelement interface returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed.

HTMLOrForeignElement - Web APIs
propertiesdataset read only the dataset read-only property of the htmlorforeignelement interface provides read/write access to all the custom data attributes (data-*) set on the element.nonce the nonce property of the htmlorforeignelement interface returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed.tabindexthe tabindex property of the htmlorforeignelement interface represents the tab order of the current element.methodsblur()the htmlelement.blur() method removes keyboard focus from the current element.focus()the htmlelement.focus() method sets focus on the specified element, if it can be focused.

HTMLScriptElement - Web APIs
htmlscriptelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use when fetching the script, and fetches done by that script.

Using IndexedDB - Web APIs
the resource behind this url is subjected to the * "same origin policy", thus for this method to work, the url must come from * the same origin as the web site/app this code is deployed on.

IndexedDB API - Web APIs
note: like most web storage solutions, indexeddb follows a same-origin policy.

InterventionReportBody - Web APIs
so for example, a script was been stopped because it was significantly slowing down the browser, or the browser's autoplay policy blocked audio from playing without a user gesture to trigger it.

Location: reload() - Web APIs
see same-origin policy for more information.

MediaStreamConstraints.audio - Web APIs
examples for browsers with feature policy enabled, the samples below need the microphone feature enabled.

performance.now() - Web APIs
starting with firefox 79, high resolution timers can be used if you cross-origin isolate your document using the cross-origin-opener-policy and cross-origin-embedder-policy headers: cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp these headers ensure a top-level document does not share a browsing context group with cross-origin documents.

RTCDtlsTransport.state - Web APIs
let pc = new rtcpeerconnection({ bundlepolicy: "max-bundle" }); /* ...

RTCIceCandidate.address - Web APIs
to do this, configure the ice agent's ice transport policy using rtcconfiguration, like this: var rtcconfig = { iceservers: [ { urls: "turn:myturn.server.ip", username: "username", credential: "password" } ], icetransportpolicy: "relay" } by setting rtcconfiguration.icetransportpolicy to "relay", any host candidates (candidates where the ip address is the peer's own ip address) are left out of the pool of candidates, as...

RTCRtpReceiver.transport - Web APIs
note that when bundling is in effect—that is, when the rtcpeerconnection was created with an rtcconfiguration object whose bundlepolicy is max-compat or max-bundle—multiple receivers may be sharing the same transport; in this case, all of them are using the same connection to transmit and/or receive rtp and rtcp packets.

RTCRtpSender.transport - Web APIs
note that when bundling is in effect—that is, when the rtcpeerconnection was created with an rtcconfiguration object whose bundlepolicy is max-compat or max-bundle—multiple senders may be sharing the same transport; in this case, all of them are using the same connection to transmit and/or receive rtp and rtcp packets.

Report.body - Web APIs
depending on what type the report is, the object returned will actually be a deprecationreportbody, interventionreportbody, crashreportbody, or featurepolicyviolationreportbody.

Request - Web APIs
request.referrerpolicy read only contains the referrer policy of the request (e.g., no-referrer).

Using the Resource Timing API - Web APIs
tatic/img/opengraph-logo.png"; var image2 = new image(); image2.src = "http://mozorg.cdn.mozilla.net/media/img/firefox/firefox-256.e2c1fc556816.jpg" // set a callback if the resource buffer becomes filled performance.onresourcetimingbufferfull = buffer_full; } coping with cors when cors is in effect, many of the timing properties' values are returned as zero unless the server's access policy permits these values to be shared.

Resource Timing API - Web APIs
when cors is in effect, many of these values are returned as zero unless the server's access policy permits these values to be shared.

SVGAElement - Web APIs
svgaelement.referrerpolicy see htmlanchorelement.referrerpolicy.

Storage API - Web APIs
each site storage unit has exactly one box into which all of its data is placed, and has a box mode that describes the data retention policy for that box.

WakeLock.request() - Web APIs
exceptions notallowederror thrown when wake lock is not available, which can happen because: document is not allowed to use screen wake lock due to screen-wake-lock policy.

WebXR Device API - Web APIs
permissions and security for webxr the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.

Advanced techniques: Creating and sequencing audio - Web APIs
isplaying = false; setupsample() .then((sample) => { loadingel.style.display = 'none'; // remove loading screen dtmf = sample; // to be used in our playsample function playbutton.addeventlistener('click', function() { isplaying = !isplaying; if (isplaying) { // start playing // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } currentnote = 0; nextnotetime = audioctx.currenttime; scheduler(); // kick off scheduling requestanimationframe(draw); // start the drawing loop.

Using the Web Audio API - Web APIs
// select our play button const playbutton = document.queryselector('button'); playbutton.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audiocontext.state === 'suspended') { audiocontext.resume(); } // play or pause track depending on state if (this.dataset.playing === 'false') { audioelement.play(); this.dataset.playing = 'true'; } else if (this.dataset.playing === 'true') { audioelement.pause(); this.dataset.playing = 'false'; } }, false); we also need to ...

Window.localStorage - Web APIs
exceptions securityerror the request violates a policy decision, or the origin is not a valid scheme/host/port tuple (this can happen if the origin uses the file: or data: scheme, for example).

Window.resizeBy() - Web APIs
// create resizable window myexternalwindow = window.open("http://myurl.domain", "mywindowname", "resizable"); // resize window to 500x500 myexternalwindow.resizeto(500, 500); // make window relatively smaller to 400x400 myexternalwindow.resizeby(-100, -100); the window you create must respect the same origin policy.

Window.sessionStorage - Web APIs
exceptions securityerror the request violates a policy decision, or the origin is not a valid scheme/host/port tuple (this can happen if the origin uses the file: or data: scheme, for example).

WindowOrWorkerGlobalScope.crossOriginIsolated - Web APIs
this value is dependant on any cross-origin-opener-policy and cross-origin-embedder-policy headers present in the response.

Using XMLHttpRequest - Web APIs
"&" : "?") + (new date()).gettime()); oreq.send(null); security firefox 3 note versions of firefox prior to firefox 3 allowed you to set the preference capability.policy.<policyname>.xmlhttprequest.open</policyname> to allaccess to give specific sites cross-site access.

XMLHttpRequest.mozSystem - Web APIs
if true, the same origin policy is not enforced on the request.

XMLHttpRequest.withCredentials - Web APIs
the third-party cookies obtained by setting withcredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.

XMLHttpRequest - Web APIs
if true, the same origin policy will not be enforced on the request.

XRSessionInit - Web APIs
by session type, those are: reference space type user consent rquirement feature policy requirement bounded-floor always required xr-spatial-tracking local always required for inline sessions xr-spatial-tracking local-floor always required xr-spatial-tracking unbounded always required xr-spatial-tracking viewer always required — ...

XRSystem: devicechange event - Web APIs
bubbles no cancelable no interface event event handler xrsystem.ondevicechange usage notes devicechange events are not delivered if the document which owns the xrsystem object has been granted permission to do so through the xr-spatial-tracking feature policy.

XRSystem: isSessionSupported() - Web APIs
securityerror the document's origin does not have permission to use the xr-spatial-tracking feature policy.

ARIA Screen Reader Implementors Guide - Accessibility
alternatively, implementations may choose to have a policy of clearing more polite items, e.g.

Mozilla CSS extensions - CSS: Cascading Style Sheets
ccepted] -moz-animation-name [prefixed version still accepted] -moz-animation-play-state [prefixed version still accepted] -moz-animation-timing-function [prefixed version still accepted] -moz-appearance b -moz-backface-visibility [prefixed version still accepted] -moz-background-clipobsolete since gecko 2 -moz-background-originobsolete since gecko 2 -moz-background-inline-policyobsolete since gecko 32 [superseded by the standard version box-decoration-break] -moz-background-sizeobsolete since gecko 2 -moz-border-end [superseded by the standard version border-inline-end] -moz-border-end-color [superseded by the standard version border-inline-end-color] -moz-border-end-style [superseded by the standard version border-inline-end-style] -moz-border-end-width [su...

WAI ARIA Live Regions/API Support - Developer guides
cs from an event for any mutation event in a page, the author can get the following object attributes from the event object, if they are defined on some ancestor element (closest ancestor wins): object attribute name possible values default value if not specified meaning aria markup if required container-live "off" | "polite" | "assertive" "off" interruption policy aria-live on ancestor element container-relevant "[additions] [removals] [text]" | "all" "additions text" what types of mutations are possibly relevant?

Making content editable - Developer guides
you can enable them by setting the preferences shown below using about:config: user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.sites", "https://www.mozilla.org"); user_pref("capability.policy.allowclipboard.clipboard.cutcopy", "allaccess"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); example: a simple but complete rich text editor <!doctype html> <html> <head> <title>rich text editor</title> <script type="text/j...

<meta>: The Document-level Metadata element - HTML: Hypertext Markup Language
the attribute is named http-equiv(alent) because all the allowed values are names of particular http headers: content-security-policy allows page authors to define a content policy for the current page.

Preloading content with rel="preload" - HTML: Hypertext Markup Language
apply the correct content security policy to the resource.

Proxy Auto-Configuration (PAC) file - HTTP
in chrome (versions 52 to 73), you can disable this by setting pachttpsurlstrippingenabled to false in policy or by launching with the --unsafe-pac-url command-line flag (in chrome 74, only the flag works, and from 75 onward, there is no way to disable path-stripping; as of chrome 81, path-stripping does not apply to http urls, but there is interest in changing this behavior to match https); in firefox, the preference is network.proxy.autoconfig_url.include_path.

HTTP resources and specifications - HTTP
cross-origin resource sharing living standard rfc 7034 http header field x-frame-options informational rfc 6797 http strict transport security (hsts) proposed standard upgrade insecure requests upgrade insecure requests candidate recommendation content security policy 1.0 content security policy 1.0 csp 1.1 and csp 3.0 doesn't extend the http standard obsolete microsoft document specifying legacy document modes* defines x-ua-compatible note rfc 5689 http extensions for web distributed authoring and versioning (webdav) these extensions of the web, as well as carddav and caldav, are out-of-scope for http on the web.

HTTP
csp directives the content-security-policy response header fields allows web site administrators to control resources the user agent is allowed to load for a given page.

Error: Permission denied to access property "x" - JavaScript
this is likely an <iframe> element loaded from a different domain for which you violated the same-origin policy.

SharedArrayBuffer - JavaScript
for top-level documents, two headers will need to be set to cross-origin isolate your site: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if ...

SVG Attribute reference - SVG: Scalable Vector Graphics
ethod min mode n name numoctaves o offset opacity operator order orient orientation origin overflow overline-position overline-thickness p panose-1 paint-order path pathlength patterncontentunits patterntransform patternunits ping pointer-events points pointsatx pointsaty pointsatz preservealpha preserveaspectratio primitiveunits r r radius referrerpolicy refx refy rel rendering-intent repeatcount repeatdur requiredextensions requiredfeatures restart result rotate rx ry s scale seed shape-rendering slope spacing specularconstant specularexponent speed spreadmethod startoffset stddeviation stemh stemv stitchtiles stop-color stop-opacity strikethrough-position strikethrough-thickness string stroke stroke-dasharr...

<a> - SVG: Scalable Vector Graphics
value type: <list-of-urls> ; default value: none; animatable: no referrerpolicy which referrer to send when fetching the url.

Mixed content - Web security
as well as finding these warnings in the web console, you could use content security policy (csp) to report issues.

Securing your site - Web security
content security policy an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.

Types of attacks - Web security
exfiltration avenues can be limited by deploying a strict content-security-policy.