SecurityPolicyViolationEvent.SecurityPolicyViolationEvent() - Web APIs
The SecurityPolicyViolationEvent() constructor creates a new SecurityPolicyViolationEvent object instance.
... Syntax: let spvEvt = new SecurityPolicyViolationEvent(type, eventInitDict); Properties: type: A DOMString representing the type of security policy violation that occurred.
... eventInitDict (Optional): A dictionary object containing information about the properties of the SecurityPolicyViolationEvent to be constructed.
SecurityPolicyViolationEvent.originalPolicy - Web APIs
The originalPolicy read-only property of the SecurityPolicyViolationEvent interface is a DOMString containing the policy whose enforcement uncovered the violation.
... Syntax: let origPolicy = violationEventInstance.originalPolicy; Value: A DOMString representing the policy whose enforcement uncovered the violation.
... Example:
document.addEventListener("securitypolicyviolation", (e) => {
  console.log(e.originalPolicy);
});
Specifications: Content Security Policy Level 3 (the definition of 'originalPolicy' in that specification).
Content Security Policy (CSP) - HTTP
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
... Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content.
... If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.
Using Feature Policy - HTTP
Feature Policy allows you to control which origins can use which features, both in the top-level page and in embedded frames.
... Essentially, you write a policy, which is an allowed list of origins for each feature.
... For every feature controlled by Feature Policy, the feature is only enabled in the current document or frame if its origin matches the allowed list of origins.
Feature Policy - HTTP
Feature Policy allows web developers to selectively enable, disable, and modify the behavior of certain features and APIs in the browser.
... It is similar to Content Security Policy but controls features instead of security behavior.
... The Feature-Policy header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.
nsIContentPolicy - Archive of obsolete content
dom/base/nsIContentPolicy.idl (Scriptable). Interface used to implement a content policy mechanism.
... 63 Introduced: Gecko 1.0. Inherits from: nsIContentPolicyBase. Last changed in Gecko 42 (Firefox 42 / Thunderbird 42 / SeaMonkey 2.39). You can observe content that is being loaded into your browser by implementing nsIContentPolicy.
... Warning: Do not block the caller in your implementations of shouldLoad() or shouldProcess() (for example, by launching a dialog to prompt the user for something). Note: In reality, much of this interface is defined in the nsIContentPolicyBase interface, but for now is documented here until someone has time to split things up.
Content-Security-Policy - HTTP
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
... For more information, see the introductory article on Content Security Policy (CSP).
... Header type: Response header. Forbidden header name: no. Syntax:
Content-Security-Policy: <policy-directive>; <policy-directive>
where <policy-directive> consists of: <directive> <value> with no internal punctuation.
Storage access policy: Block cookies from trackers
Firefox includes a new storage access policy that blocks cookies and other site data from third-party tracking resources.
... This policy is designed as an alternative to the older cookie policies, which have been available in Firefox for many years.
... This policy protects against cross-site tracking while minimizing the site breakage associated with traditional cookie blocking.
Feature-Policy - HTTP
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.
... The header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.
... For more information, see the main Feature Policy article.
SecurityPolicyViolationEvent - Web APIs
The SecurityPolicyViolationEvent interface inherits from Event, and represents the event object of an event sent on a document or worker when its content security policy is violated.
... Constructor: SecurityPolicyViolationEvent() creates a new SecurityPolicyViolationEvent object instance.
... Properties: SecurityPolicyViolationEvent.blockedURI (Read only): A USVString representing the URI of the resource that was blocked because it violates a policy.
nsIContentSecurityPolicy
content/base/public/nsIContentSecurityPolicy.idl (Scriptable). Describes an XPCOM component used to model and enforce Content Security Policies.
... 1.0 66 Introduced: Gecko 2.0. Inherits from: nsISupports. Last changed in Gecko 2.0 (Firefox 4 / Thunderbird 3.3 / SeaMonkey 2.1). Method overview:
boolean permitsAncestry(in nsIDocShell docShell);
void refinePolicy(in AString policyString, in nsIURI selfURI);
void scanRequestData(in nsIHttpChannel aChannel);
void sendReports(in AString blockedURI, in AString violatedDirective);
short shouldLoad(in unsigned long aContentType, in nsIURI aContentLocation, in nsIURI aRequestOrigin, in nsISupports aContext, in ACString aMimeTypeGuess, in nsISupports aExtra);
short shouldProcess(in unsigned long aContentType, in nsIURI aContentLocation, in nsIURI aRequestOrigin, in nsISupports aContext, in ACString aMimeType, in nsISupports aExtra);
Attributes (attribute, type, description):
... allowsEval boolean: Whether this policy allows eval and eval-like functions such as setTimeout("code string", time).
Content-Security-Policy-Report-Only - HTTP
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects.
... For more information, see also this article on Content Security Policy (CSP).
... Syntax:
Content-Security-Policy-Report-Only: <policy-directive>; <policy-directive>
Directives: The directives of the Content-Security-Policy header can also be applied to Content-Security-Policy-Report-Only.
Referrer-Policy - HTTP
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.
... The Referrer-Policy header does not share this misspelling.
... Syntax:
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Directives: no-referrer: The Referer header will be omitted entirely.
HTMLScriptElement.referrerPolicy - Web APIs
The referrerPolicy property of the HTMLScriptElement interface reflects the HTML referrerpolicy of the <script> element and fetches made by that script, defining which referrer is sent when fetching the resource.
... Syntax: refStr = scriptElem.referrerPolicy; scriptElem.referrerPolicy = refStr; Value: A DOMString; one of the following: no-referrer: The Referer header will be omitted entirely.
... no-referrer-when-downgrade (default): This is the user agent's default behavior if no policy is specified.
RTCConfiguration.bundlePolicy - Web APIs
The RTCConfiguration dictionary's bundlePolicy property is a string value indicating which SDP bundling policy, if any, to use for the underlying RTP streams used by an RTCPeerConnection.
... Syntax: let rtcConfiguration = { bundlePolicy: policy }; rtcConfiguration.bundlePolicy = policy; Value: A DOMString identifying the SDP bundling policy to use for the RTP streams used by the RTCPeerConnection.
... This string, which must be a member of the RTCBundlePolicy enumeration, has the following possible values: balanced: The ICE agent begins by creating one RTCDtlsTransport to handle each type of content added: one for audio, one for video, and one for the RTC data channel, if applicable.
Cross-Origin Resource Policy (CORP) - HTTP
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.
... CORP is an additional layer of protection beyond the default same-origin policy.
... Cross-Origin Resource Policy complements Cross-Origin Read Blocking (CORB), which is a mechanism to prevent some cross-origin reads by default.
HTMLIFrameElement.referrerPolicy - Web APIs
The HTMLIFrameElement.referrerPolicy property reflects the HTML referrerpolicy attribute of the <iframe> element, defining which referrer is sent when fetching the resource.
... Syntax: refStr = iframeElt.referrerPolicy; iframeElt.referrerPolicy = refStr; Values: no-referrer: The Referer header will be omitted entirely.
... no-referrer-when-downgrade (default): This is the user agent's default behavior if no policy is specified.
Feature-Policy: fullscreen - HTTP
The HTTP Feature-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullscreen().
... When this policy is enabled, the returned Promise rejects with a TypeError.
... Syntax: Feature-Policy: fullscreen <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
FeaturePolicy - Web APIs
The FeaturePolicy interface of the Feature Policy API represents the set of policies applied to the current execution context.
... FeaturePolicy methods: FeaturePolicy.allowsFeature: Returns a Boolean that indicates whether or not a particular feature is enabled in the specified context.
... FeaturePolicy.features: Returns a list of names of all features supported by the user agent.
HTMLAnchorElement.referrerPolicy - Web APIs
The HTMLAnchorElement.referrerPolicy property reflects the HTML referrerpolicy attribute of the <a> element, defining which referrer is sent when fetching the resource.
... Syntax: refStr = anchorElt.referrerPolicy; anchorElt.referrerPolicy = refStr; Values: "no-referrer" meaning that the Referer: HTTP header will not be sent.
... Examples:
var elt = document.createElement("a");
var linkText = document.createTextNode("My link");
elt.appendChild(linkText);
elt.href = "https://developer.mozilla.org/";
elt.referrerPolicy = "no-referrer";
var div = document.getElementById("divAround");
div.appendChild(elt); // When clicked, the link will not send a referrer header.
HTMLAreaElement.referrerPolicy - Web APIs
The HTMLAreaElement.referrerPolicy property reflects the HTML referrerpolicy attribute of the <area> element, defining which referrer is sent when fetching the resource.
... Syntax: refStr = areaElt.referrerPolicy; areaElt.referrerPolicy = refStr; Values: "no-referrer" meaning that the Referer: HTTP header will not be sent.
... Examples:
<img usemap="#mapAround" width="100" height="100" src="/img/logo@2x.png" />
<map id="myMap" name="mapAround" />
var elt = document.createElement("area");
elt.href = "/img2.png";
elt.shape = "rect";
elt.referrerPolicy = "no-referrer";
elt.coords = "0,0,100,100";
var map = document.getElementById("myMap");
map.appendChild(elt); // When clicked, the area's link will not send a referrer header.
Cross-Origin-Embedder-Policy - HTTP
The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).
... Header type: Response header. Forbidden header name: no. Syntax: Cross-Origin-Embedder-Policy: unsafe-none | require-corp. Directives: unsafe-none: This is the default value.
... Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the Cross-Origin-Resource-Policy header.
Feature-Policy: encrypted-media - HTTP
The HTTP Feature-Policy header encrypted-media directive controls whether the current document is allowed to use the Encrypted Media Extensions API (EME).
... When this policy is enabled, the promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
... Syntax: Feature-Policy: encrypted-media <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: geolocation - HTTP
The HTTP Feature-Policy header geolocation directive controls whether the current document is allowed to use the Geolocation interface.
... When this policy is enabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
... Syntax: Feature-Policy: geolocation <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: payment - HTTP
The HTTP Feature-Policy header field's payment directive controls whether the current document is allowed to use the Payment Request API.
... When this policy is disabled, the PaymentRequest() constructor will throw a SyntaxError.
... Syntax: Feature-Policy: payment <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
FeaturePolicy.features() - Web APIs
The features() method of the FeaturePolicy interface returns a list of names of all features supported by the user agent.
... A feature whose name appears on the list might not be allowed by the Feature Policy of the current execution context and/or might not be accessible because of the user's permissions.
... Syntax: const supportedFeatures = FeaturePolicy.features() Parameters: None.
FeaturePolicy.getAllowlistForFeature() - Web APIs
The getAllowlistForFeature() method of the FeaturePolicy interface allows querying the allow list for a specific feature for the current Feature Policy.
... Syntax: const allowlist = FeaturePolicy.getAllowlistForFeature(<feature>) Parameter: feature name: A specific feature name must be specified.
... Errors: The function will raise a warning if the specified Feature Policy directive name is not known.
HTMLImageElement.referrerPolicy - Web APIs
The HTMLImageElement.referrerPolicy property reflects the HTML referrerpolicy attribute of the <img> element, defining which referrer is sent when fetching the resource.
... Syntax: refStr = imgElt.referrerPolicy; imgElt.referrerPolicy = refStr; Values: A DOMString representing the referrer policy.
... Examples:
var img = new Image();
img.src = 'img/logo.png';
img.referrerPolicy = 'origin';
var div = document.getElementById('divAround');
div.appendChild(img); // Fetch the image using the origin as the referrer
Specifications: Referrer Policy (the definition of 'referrerpolicy attribute' in that specification).
Feature-Policy: autoplay - HTTP
The HTTP Feature-Policy header autoplay directive controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface.
... When this policy is enabled and there were no user gestures, the promise returned by HTMLMediaElement.play() will reject with a DOMException.
... Syntax: Feature-Policy: autoplay <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: battery - HTTP
The HTTP Feature-Policy header battery directive controls whether the current document is allowed to gather information about the acceleration of the device through the BatteryManager interface obtained via Navigator.getBattery().
... Syntax: Feature-Policy: battery <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default value is 'self'.
Feature-Policy: camera - HTTP
The HTTP Feature-Policy header camera directive controls whether the current document is allowed to use video input devices.
... When this policy is enabled, the promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
... Syntax: Feature-Policy: camera <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: display-capture - HTTP
The HTTP Feature-Policy header display-capture directive controls whether or not the document is permitted to use the Screen Capture API, i.e., getDisplayMedia(), to capture the screen's contents.
... Syntax: Feature-Policy: display-capture <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default allowlist is 'self'.
Feature-Policy: midi - HTTP
The HTTP Feature-Policy header midi directive controls whether the current document is allowed to use the Web MIDI API.
... When this policy is enabled, the promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
... Syntax: Feature-Policy: midi <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: publickey-credentials-get - HTTP
The HTTP Feature-Policy header publickey-credentials-get directive controls whether the current document is allowed to access the Web Authentication API to create new public-key credentials, i.e., via navigator.credentials.get({publicKey: ..., ...}).
... When this policy is enabled, any attempt to query public key credentials will result in an error.
... Syntax: Feature-Policy: publickey-credentials-get <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
Feature-Policy: sync-xhr - HTTP
The HTTP Feature-Policy header sync-xhr directive controls whether the current document is allowed to make synchronous XMLHttpRequest requests.
... Syntax: Feature-Policy: sync-xhr <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: By default the policy is set to *, which means synchronous requests are allowed in all frames.
Feature-Policy: usb - HTTP
The HTTP Feature-Policy header usb directive controls whether the current document is allowed to use the WebUSB API.
... Syntax: Feature-Policy: usb <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default value is 'self'.
Feature-Policy: xr-spatial-tracking - HTTP
The HTTP Feature-Policy header xr-spatial-tracking directive controls whether the current document is allowed to use the WebXR Device API.
... This policy controls whether navigator.xr.requestSession() can return an XRSession that requires spatial tracking, and whether the user agent can indicate support for sessions supporting spatial tracking via navigator.xr.isSessionSupported() and the devicechange event on the navigator.xr object.
... Syntax: Feature-Policy: xr-spatial-tracking <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
nsIChannelPolicy
netwerk/base/public/nsIChannelPolicy.idl (Scriptable). A container for policy information to be used during channel creation.
... 1.0 66 Introduced: Gecko 2.0. Inherits from: nsISupports. Last changed in Gecko 2.0 (Firefox 4 / Thunderbird 3.3 / SeaMonkey 2.1). This interface exists to allow the content policy mechanism to function properly during channel redirects.
... Attributes (attribute, type, description): contentSecurityPolicy nsISupports: A nsIContentSecurityPolicy object to determine if the load should be allowed.
... loadType unsigned long: Indicates what type of content is being loaded, for example nsIContentPolicy::TYPE_IMAGE.
FeaturePolicy.allowedFeatures() - Web APIs
The allowedFeatures() method of the FeaturePolicy interface returns a list of directive names of all features allowed by the feature policy. It enables introspection of individual directives of the Feature Policy it is run on.
... Syntax: const allowed = FeaturePolicy.allowedFeatures() Parameters: None.
... Return value: An array of strings representing the Feature Policy directive names that are allowed by the Feature Policy this method is called on.
... Example:
// First, get the FeaturePolicy object
const featurePolicy = document.featurePolicy
// Then query feature for specific
const allowed = featurePolicy.allowedFeatures()
for (const directive of allowed){
  console.log(directive)
}
Specifications: Feature Policy (the definition of 'allowsFeature' in that specification).
FeaturePolicy.allowsFeature() - Web APIs
The allowsFeature() method of the FeaturePolicy interface enables introspection of individual directives of the Feature Policy it is run on.
... Syntax: const allowed = FeaturePolicy.allowsFeature(<feature>) or const allowed = FeaturePolicy.allowsFeature(<feature>, <origin>) Parameters: feature name: A specific feature name must be specified.
... Example: The following example queries whether or not the document is allowed to use the camera API by the Feature Policy.
// First, get the FeaturePolicy object
const featurePolicy = document.featurePolicy
// Then query feature for specific
const allowed = featurePolicy.allowsFeature("camera")
if (allowed){
  console.log("FP allows camera.")
} else {
  console.log("FP does not allow camera.")
}
Specifications: Feature Policy (the definition of 'allowsFeature' in that specification).
RTCConfiguration.iceTransportPolicy - Web APIs
The WebRTC Device API dictionary RTCConfiguration's iceTransportPolicy property is a string indicating the transport selection policy the ICE agent should use during negotiation of connections.
... Its value must come from the RTCIceTransportPolicy enumerated type.
... Syntax: let rtcConfiguration = { iceTransportPolicy: policy }; rtcConfiguration.iceTransportPolicy = policy; let policy = rtcConfiguration.iceTransportPolicy; Value: A DOMString which indicates what ICE candidate policy the ICE agent should use during the negotiation process, per the JSEP standard.
... Example:
let config = {
  iceServers: [
    { urls: [ "stun:stun.example.com" ] },
  ],
  iceTransportPolicy: "relay"
};
let pc = new RTCPeerConnection(config);
Specifications: WebRTC 1.0: Real-time Communication Between Browsers (the definition of 'RTCCandidate.iceTransportPolicy' in that specification).
Request.referrerPolicy - Web APIs
The referrerPolicy read-only property of the Request interface returns the referrer policy, which governs what referrer information, sent in the Referer header, should be included with the request.
... Syntax: var myReferrerPolicy = request.referrerPolicy; Value: A DOMString representing the request's referrer policy.
... For more information and possible values, see the Referrer-Policy HTTP header page.
... Example: In the following snippet, we create a new request using the Request.Request() constructor (for an image file in the same directory as the script), then save the request referrer policy in a variable:
var myRequest = new Request('flowers.jpg');
var myReferrer = myRequest.referrerPolicy; // returns "" by default
Specifications: Fetch (the definition of 'referrerPolicy' in that specification).
Cross-Origin-Opener-Policy - HTTP
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
... Header type: Response header. Forbidden header name: no. Syntax: Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin. Directives: unsafe-none: This is the default value.
... Example:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
See also the Cross-Origin-Embedder-Policy header, which you'll need to set as well.
... To check if cross-origin isolation has been successful, you can test against the crossOriginIsolated property available to window and worker contexts:
if (crossOriginIsolated) {
  // post SharedArrayBuffer
} else {
  // do something else
}
Specifications: HTML Living Standard (the definition of 'Cross-Origin-Opener-Policy header' in that specification).
Cross-Origin-Resource-Policy - HTTP
Note: Due to a bug in Chrome, setting Cross-Origin-Resource-Policy can break PDF rendering, preventing visitors from being able to read past the first page of some PDFs.
... Due to a bug in Firefox, setting Cross-Origin-Resource-Policy can prevent some resources (such as PDFs) from being downloaded in some circumstances.
... The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.
... Header type: Response header. Forbidden header name: no. Syntax: Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin. Examples: The response header below will cause compatible user agents to disallow cross-origin no-cors requests:
Cross-Origin-Resource-Policy: same-origin
For more examples, see https://resourcepolicy.fyi/.
Feature-Policy: accelerometer - HTTP
The HTTP Feature-Policy header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.
... Syntax: Feature-Policy: accelerometer <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default value is 'self'.
... Specifications: Feature Policy, Editor's Draft, Initial definition.
Feature-Policy: ambient-light-sensor - HTTP
The HTTP Feature-Policy header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.
... Syntax: Feature-Policy: ambient-light-sensor <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default value is 'self'.
... Specifications: Feature Policy, Editor's Draft, Initial definition.
Feature-Policy: document-domain - HTTP
The HTTP Feature-Policy header document-domain directive controls whether the current document is allowed to set document.domain.
... When this policy is enabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.
... Syntax: Feature-Policy: document-domain <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default value is *.
Feature-Policy: microphone - HTTP
The HTTP Feature-Policy header microphone directive controls whether the current document is allowed to use audio input devices.
... When this policy is enabled, the promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
... Syntax: Feature-Policy: microphone <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Specifications: Feature Policy, Editor's Draft, Initial definition.
Feature-Policy: picture-in-picture - HTTP
The HTTP Feature-Policy header picture-in-picture directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
... Syntax: Feature-Policy: picture-in-picture <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: As of June 2019, the spec draft and Google Chrome set the default allow list to *.
... Specifications: Feature Policy, Editor's Draft, Initial definition.
Feature-Policy: screen-wake-lock - HTTP
The HTTP Feature-Policy header screen-wake-lock directive controls whether the current document is allowed to use the Screen Wake Lock API to indicate that the device should not dim or turn off the screen.
... Syntax: Feature-Policy: screen-wake-lock <allowlist>; <allowlist>: An allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: The default allow list for screen-wake-lock is 'self'.
... Specifications: Feature Policy, Editor's Draft, Initial definition.
Feature-Policy: wake-lock - HTTP
the http feature-policy header wake-lock directive controls whether the current document is allowed to use wake lock api to indicate that device should not enter power-saving mode.
... syntax feature-policy: wake-lock <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... default policy default allow list for wake-lock is 'self'.
... specifications specification status comment feature policy editor's draft initial definition.
Same-origin policy for file: URIs - Archive of obsolete content
this policy affects anything that does same-origin checks, including xmlhttprequest, xslt, and xbl.
... for cross-window dom access, each file is treated as a separate origin, with one exception: if a file is loaded from another file that would otherwise be able to load it following this same-origin policy, they are considered to have the same origin.
...the new security.fileuri.strict_origin_policy preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same origin policy on file: uris.
Same origin policy for XBL - Archive of obsolete content
the same origin policy used for xbl documents is different from the policy used for other content.
... this article provides a description of how the same origin policy for xbl works.
...a content policy check is performed.
Document.featurePolicy - Web APIs
the featurepolicy read-only property of the document interface returns the featurepolicy interface which provides a simple api for inspecting the feature policies applied to a specific document.
... syntax var policy = iframeelement.featurepolicy value a featurepolicy object that can be used to inspect the feature policy settings applied to the document.
... specification specification status comment feature policy editor's draft initial definition.
HTMLIFrameElement.featurePolicy - Web APIs
the featurepolicy read-only property of the htmliframeelement interface returns the featurepolicy interface which provides a simple api for introspecting the feature policies applied to a specific frame.
... syntax var policy = htmliframeelement.featurepolicy value a featurepolicy object that can be used to inspect the feature policy settings applied to the frame.
... specification specification status comment feature policy editor's draft initial definition.
HTMLLinkElement.referrerPolicy - Web APIs
the htmllinkelement.referrerpolicy property reflects the html referrerpolicy attribute of the <link> element defining which referrer is sent when fetching the resource.
... see the http referrer-policy header for details.
... syntax domstring htmllinkelement.referrerpolicy example var links = document.getelementsbytagname("link"); links[0].referrerpolicy; // "no-referrer" specifications specification status comment referrer policy the definition of 'referrerpolicy attribute' in that specification.
SecurityPolicyViolationEvent.disposition - Web APIs
the disposition read-only property of the securitypolicyviolationevent interface indicates how the violated policy is configured to be treated by the user agent.
... syntax let disposition = violationeventinstance.disposition; value a value defined in the securitypolicyviolationeventdisposition enum representing the uri of the blocked resource.
... possible values are "enforce" or "report" example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.disposition); }); specifications specification status comment content security policy level 3 the definition of 'disposition' in that specification.
Feature-Policy: gyroscope - HTTP
the http feature-policy header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the gyroscope interface.
... syntax feature-policy: gyroscope <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: layout-animations - HTTP
the http feature-policy header layout-animations directive controls whether the current document is allowed to show layout animations.
... syntax feature-policy: layout-animations <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: legacy-image-formats - HTTP
the http feature-policy header legacy-image-formats directive controls whether the current document is allowed to display images in legacy formats.
... syntax feature-policy: legacy-image-formats <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: magnetometer - HTTP
the http feature-policy header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the magnetometer interface.
... syntax feature-policy: magnetometer <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: oversized-images - HTTP
the http feature-policy header oversized-images directive controls whether the current document is allowed to download and display large images.
... syntax feature-policy: oversized-images <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specification specification status comment feature policy editor's draft initial definition.
Feature-Policy: unoptimized-images - HTTP
the http feature-policy header unoptimized-images directive controls whether the current document is allowed to download and display unoptimized images.
... syntax feature-policy: unoptimized-images <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: unsized-media - HTTP
the http feature-policy header unsized-media directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete.
... syntax feature-policy: unsized-media <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Feature-Policy: vibrate - HTTP
the http feature-policy header vibrate directive controls whether the current document is allowed to trigger device vibrations via the navigator.vibrate() method of the vibration api.
... syntax feature-policy: vibrate <allowlist>; <allowlist> an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... specifications specification status comment feature policy editor's draft initial definition.
Same-origin policy - Web security
the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
... exceptions in internet explorer internet explorer has two major exceptions to the same-origin policy: trust zones if both domains are in the highly trusted zone (e.g.
... cross-origin network access the same-origin policy controls interactions between two different origins, such as when you use xmlhttprequest or an <img> element.
JSSecurityCallbacks.contentSecurityPolicyAllows
the jssecuritycallbacks.contentsecuritypolicyallows callback is called when a script attempts to access an object property.
...jssecuritycallbacks.contentsecuritypolicyallows is invoked once per global object upon the first attempt to evaluate js code from a string (either through eval or the function constructor).
SecurityPolicyViolationEvent.blockedURI - Web APIs
the blockeduri read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the resource that was blocked because it violates a policy.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.blockeduri); }); specifications specification status comment content security policy level 3 the definition of 'blockeduri' in that specification.
SecurityPolicyViolationEvent.columnNumber - Web APIs
the columnnumber read-only property of the securitypolicyviolationevent interface is the column number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.columnnumber); }); specifications specification status comment content security policy level 3 the definition of 'columnnumber' in that specification.
SecurityPolicyViolationEvent.documentURI - Web APIs
the documenturi read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.documenturi); }); specifications specification status comment content security policy level 3 the definition of 'documenturi' in that specification.
SecurityPolicyViolationEvent.effectiveDirective - Web APIs
the effectivedirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.effectivedirective); }); specifications specification status comment content security policy level 3 the definition of 'effectivedirective' in that specification.
SecurityPolicyViolationEvent.lineNumber - Web APIs
the linenumber read-only property of the securitypolicyviolationevent interface is the line number in the document or worker at which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.linenumber); }); specifications specification status comment content security policy level 3 the definition of 'linenumber' in that specification.
SecurityPolicyViolationEvent.referrer - Web APIs
the referrer read-only property of the securitypolicyviolationevent interface is a usvstring representing the referrer of the resources whose policy was violated.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.referrer); }); specifications specification status comment content security policy level 3 the definition of 'referrer' in that specification.
SecurityPolicyViolationEvent.sample - Web APIs
the sample read-only property of the securitypolicyviolationevent interface is a domstring representing a sample of the resource that caused the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sample); }); specifications specification status comment content security policy level 3 the definition of 'sample' in that specification.
SecurityPolicyViolationEvent.sourceFile - Web APIs
the sourcefile read-only property of the securitypolicyviolationevent interface is a usvstring representing the uri of the document or worker in which the violation was found.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.sourcefile); }); specifications specification status comment content security policy level 3 the definition of 'sourcefile' in that specification.
SecurityPolicyViolationEvent.statusCode - Web APIs
the statuscode read-only property of the securitypolicyviolationevent interface is a number representing the http status code of the document or worker in which the violation occurred.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.statuscode); }); specifications specification status comment content security policy level 3 the definition of 'statuscode' in that specification.
SecurityPolicyViolationEvent.violatedDirective - Web APIs
the violateddirective read-only property of the securitypolicyviolationevent interface is a domstring representing the directive whose enforcement uncovered the violation.
... example document.addeventlistener("securitypolicyviolation", (e) => { console.log(e.violateddirective); }); specifications specification status comment content security policy level 3 the definition of 'violateddirective' in that specification.
Feature-Policy: xr - HTTP
this feature policy directive was at one point defined as xr (but implemented in chrome as vr); use xr-spatial-tracking instead.
HTTP Index - HTTP
16 content security policy (csp) csp, content security policy, reference, security content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... 19 cross-origin resource policy (corp) http, reference, security cross-origin resource policy is an opt-in mechanism that allows web applications to protect against certain cross-origin requests, such as those issued by the browser when resources are embedded using elements such as <script> and <img>.
... this serves as an additional layer of protection above and beyond the same-origin policy which can mitigate speculative side channel attacks as well as cross-site script inclusion attacks.
...And 84 more matches
sslfnc.html
ssl initialization functions ssl export policy functions ssl configuration functions ssl communication functions ssl functions used by callbacks ssl handshake functions nss shutdown function deprecated functions ssl initialization functions this section describes the initialization functions that are specific to ssl.
... note that at least one of the functions listed in ssl export policy functions must also be called during nss initialization.
... the policy flags for all cipher suites are turned off by default, disallowing all cipher suites.
...And 81 more matches
Index - HTTP
28 content-security-policy csp, http, reference, security, header the http content-security-policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
... 29 csp: base-uri csp, directive, document directive, http, security the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
... 30 csp: block-all-mixed-content csp, directive, http, mixed content, reference, security the http content-security-policy (csp) block-all-mixed-content directive prevents loading any assets using http when the page is loaded using https.
...And 43 more matches
Index - Web APIs
904 document.domain api, document, html dom, property, reference the domain property of the document interface gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
... 911 document.featurepolicy api, document, feature policy, feature-policy, reference the featurepolicy read-only property of the document interface returns the featurepolicy interface which provides a simple api for inspecting the feature policies applied to a specific document.
... 1289 feature policy feature policy, feature-policy, reference no summary!
...And 35 more matches
Finishing the Component
the interface that we need for this project is something called nsicontentpolicy.
...(for weblock, all you need are the headers for nsicontentpolicy and the nsicontentpolicy.idl.) then, using the same steps you used to create the weblock.h, create a header from this idl file using the xpidl compiler.
... once you have these interface and header files, you can modify the weblock class to implement the nsicontentpolicy interface.
...And 15 more matches
HTTP headers - HTTP
referrer-policy governs which referrer information sent in the referer header should be included with requests made.
... security cross-origin-embedder-policy (coep) allows a server to declare an embedder policy for a given document.
... cross-origin-opener-policy (coop) prevents other domains from opening/controlling a window.
...And 10 more matches
nsIIOService
andler(in string ascheme); nsichannel newchannel(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); obsolete since gecko 48 nsichannel newchannel2(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsichannel newchannelfromuri(in nsiuri auri); obsolete since gecko 48 nsichannel newchannelfromuri2(in nsiuri auri, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in unsigned long asecurityflags, in unsigned long acontentpolicytype); nsichannel newchannelfromuriwithloadinfo(in nsiuri auri, in nsiloadinfo aload...
...info); nsichannel newchannelfromuriwithproxyflags2(in nsiuri auri, in nsiuri aproxyuri, in uint32_t aproxyflags, in nsidomnode aloadingnode, in nsiprincipal aloadingprincipal, in nsiprincipal atriggeringprincipal, in uint32_t asecurityflags, in uint32_t acontentpolicytype); nsiuri newfileuri(in nsifile afile); nsiuri newuri(in autf8string aspec, in string aorigincharset, in nsiuri abaseuri); attributes attribute type description offline boolean returns true if networking is in "offline" mode.
...this gives the protocol handler ultimate control over its own security policy while ensuring reasonable, default protection.
...And 9 more matches
CSP: script-src - HTTP
the http content-security-policy (csp) script-src directive specifies valid sources for javascript.
... syntax one or more sources can be allowed for the script-src policy: content-security-policy: script-src <source>; content-security-policy: script-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 8 more matches
Autoplay guide for media and Web Audio APIs - Web media technologies
that means that both of the following are considered autoplay behavior, and are therefore subject to the browser's autoplay blocking policy: <audio src="/music.mp4" autoplay> and audioelement.play(); the following web features and apis may be affected by autoplay blocking: the html <audio> and <video> elements the web audio api from the user's perspective, a web page or app that spontaneously starts making noise without warning can be jarring, inconvenient, or off-putting.
...least one of the following is true: the audio is muted or its volume is set to 0 the user has interacted with the site (by clicking, tapping, pressing keys, etc.) if the site has been whitelisted; this may happen either automatically if the browser determines that the user engages with media frequently, or manually through preferences or other user interface features if the autoplay feature policy is used to grant autoplay support to an <iframe> and its document.
... the autoplay feature policy in addition to the browser-side management and control over autoplay functionality described above, a web server can also express its willingness to allow autoplay to function.
...And 8 more matches
Index
on an organizational level the contents of the set are managed according to the mozilla ca policy.
...for example: certificates were valid at the time the signature was made, name in certificates matches the expected signer (check subject name, common name, email, based on application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and based on environment/application policy it might be required to perform a revocation check (ocsp or crl), that asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert).
...in order to distinguish an ev certificate, cas will embed a policy oid in the certificate, and the browser is expected to verify that a trust chain permits the end entity (ee) certificate to make use of the policy.
...And 7 more matches
NSS_3.12_release_notes.html
3.12 3 new shared libraries are shipped with nss 3.12: nssutil sqlite nssdbm 1 new include file is shipped with nss 3.12: utilrename.h new functions in the nss shared library: cert_checknamespace (see cert.h) cert_encodecertpoliciesextension (see cert.h) cert_encodeinfoaccessextension (see cert.h) cert_encodeinhibitanyextension (see cert.h) cert_encodenoticereference (see cert.h) cert_encodepolicyconstraintsextension (see cert.h) cert_encodepolicymappingextension (see cert.h) cert_encodesubjectkeyid (see certdb/cert.h) cert_encodeusernotice (see cert.h) cert_findcrlentryreasonexten (see cert.h) cert_findcrlnumberexten (see cert.h) cert_findnameconstraintsexten (see cert.h) cert_getclassicocspdisabledpolicy (see cert.h) cert_getclassicocspenabledhardfailurepolicy (see cert.h) cert_getclassi...
...cocspenabledsoftfailurepolicy (see cert.h) cert_getpkixverifynistrevocationpolicy (see cert.h) cert_getusepkixforvalidation (see cert.h) cert_getvaliddnspatternsfromcert (see cert.h) cert_newtempcertificate (see cert.h) cert_setocsptimeout (see certhigh/ocsp.h) cert_setusepkixforvalidation (see cert.h) cert_pkixverifycert (see cert.h) hash_gettype (see sechash.h) nss_initwithmerge (see nss.h) pk11_createmergelog (see pk11pub.h) pk11_creategenericobject (see pk11pub.h) pk11_createpbev2algorithmid (see pk11pub.h) pk11_destroymergelog (see pk11pub.h) pk11_generatekeypairwithopflags (see pk11pub.h) pk11_getpbecryptomechanism (see pk11pub.h) pk11_isremovable (see pk11pub.h) pk11_mergetokens (see pk11pub.h) pk11_writerawattribute (see pk11pub.h) seckey_ecparamstobasepointorderlen (see keyhi.h) seckey_...
...kip_test_on_missing_source cert_rev_m_require_info_on_missing_source cert_rev_m_ignore_missing_fresh_info cert_rev_m_fail_on_missing_fresh_info cert_rev_m_stop_testing_on_fresh_info cert_rev_m_continue_testing_on_fresh_info cert_rev_mi_test_each_method_separately cert_rev_mi_test_all_local_information_first cert_rev_mi_no_overall_info_requirement cert_rev_mi_require_some_fresh_info_available cert_policy_flag_no_mapping cert_policy_flag_explicit cert_policy_flag_no_any cert_enable_ldap_fetch cert_enable_http_fetch new macro in utilrename.h: smime_aes_cbc_128 the nssckbi pkcs #11 module's version changed to 1.70.
...And 7 more matches
RTCConfiguration - Web APIs
properties bundlepolicy optional specifies how to handle negotiation of candidates when the remote peer is not compatible with the sdp bundle standard.
... this must be one of the values from the enum rtcbundlepolicy.
... icetransportpolicy optional the current ice transport policy; this must be one of the values from the rtcicetransportpolicy enumeration.
...And 7 more matches
nsICacheService
method overview nsicachesession createsession(in string clientid, in nscachestoragepolicy storagepolicy, in boolean streambased); acstring createtemporaryclientid(in nscachestoragepolicy storagepolicy); obsolete since gecko 1.9.2 void evictentries(in nscachestoragepolicy storagepolicy); void init(); obsolete since gecko 1.8 void shutdown(); obsolete since gecko 1.8 void visitentries(in nsicachevisitor visitor); attributes ...
... nsicachesession createsession( in string clientid, in nscachestoragepolicy storagepolicy, in boolean streambased ); parameters clientid specifies the name of the client using the cache.
... storagepolicy limits the storage policy for all entries accessed via the returned session.
...And 6 more matches
<iframe>: The Inline Frame element - HTML: Hypertext Markup Language
allow specifies a feature policy for the <iframe>.
... see the article privacy, permissions, and information security for details on security issues and how <iframe> works with feature policy to keep systems safe.
... csp a content security policy enforced for the embedded resource.
...And 6 more matches
CSP: report-uri - HTTP
the deprecated http content-security-policy (csp) report-uri directive instructs the user agent to report attempts to violate the content security policy.
...so for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to: content-security-policy: ...; report-uri https://endpoint.com; report-to groupname in browsers that support report-to, the report-uri directive will be ignored.
... syntax content-security-policy: report-uri <uri>; content-security-policy: report-uri <uri> <uri>; <uri> a uri where to post the report to.
...And 6 more matches
CSP: style-src - HTTP
the http content-security-policy (csp) style-src directive specifies valid sources for stylesheets.
... syntax one or more sources can be allowed for the style-src policy: content-security-policy: style-src <source>; content-security-policy: style-src <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 6 more matches
MediaDevices.getUserMedia() - Web APIs
on browsers that support managing media permissions with feature policy, this error is returned if feature policy is not configured to allow access to the input source(s).
...only a window's top-level document context for a valid origin can even request permission to use getusermedia(), unless the top-level context expressly grants permission for a given <iframe> to do so using feature policy.
...the originally-designed security mechanism is in the process of being replaced with feature policy, so various browsers have different levels of security support, using different mechanisms.
...And 5 more matches
CSP: form-action - HTTP
the http content-security-policy (csp) form-action directive restricts the urls which can be used as the target of form submissions from a given context.
... syntax one or more sources can be set for the form-action policy: content-security-policy: form-action <source>; content-security-policy: form-action <source> <source>; sources <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 5 more matches
Planned changes to shared memory - JavaScript
for top-level documents, two headers will need to be set: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) with these two headers set, postmessage() will no longer throw for sharedarraybuffer objects and shared memory across threads is therefore available.
... nested documents and dedicated workers will need to set the cross-origin-embedder-policy header as well with the same value.
...same-site (but cross-origin) nested documents and subresources will need to set the cross-origin-resource-policy header with same-site as value.
...And 5 more matches
nsICookie
policy nscookiepolicy holds the site's compact policy value.
... policy_unknown 0 the cookie was collected in a previous session, and its information is no longer available.
... policy_none 1 the site did not send a compact policy along with the cookie.
...And 4 more matches
nsIHttpChannel
inalresponseheader(in acstring aheader, in nsihttpheadervisitor avisitor); acstring getrequestheader(in acstring aheader); acstring getresponseheader(in acstring header); boolean isnocacheresponse(); boolean isnostoreresponse(); void redirectto(in nsiuri anewuri); void setemptyrequestheader(in acstring aheader); void setreferrerwithpolicy(in nsiuri referrer, in unsigned long referrerpolicy); void setrequestheader(in acstring aheader, in acstring avalue, in boolean amerge); void setresponseheader(in acstring header, in acstring value, in boolean merge); void visitoriginalresponseheaders(in nsihttpheadervisitor avisitor); void visitrequestheaders(in nsihttpheadervisitor avisitor); void ...
...visitresponseheaders(in nsihttpheadervisitor avisitor); constants constant description referrer_policy_no_referrer_when_downgrade default; indicates not to pass on the referrer when downgrading from https to http referrer_policy_no_referrer indicates no referrer will be sent referrer_policy_origin only send the origin of the referring uri referrer_policy_origin_when_xorigin same as the default; only send the origin of the referring uri for cross-origin requests referrer_policy_unsafe_url always send the referrer, even when downgrading from https to http attributes attribute type description allowpipelining boolean this attribute is a hint to the channel to indicate whether o...
... referrerpolicy read only unsigned long the referrer policy in use for this channel, indicated by one of the constants listed above methods getoriginalresponseheader() get the value of a particular original response header, that is, in the same form as it came from the network.
...And 4 more matches
<script>: The Script element - HTML: Hypertext Markup Language
nonce a cryptographic nonce (number used once) to whitelist scripts in a script-src content-security-policy.
... the server must generate a unique nonce value each time it transmits a policy.
... it is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.
...And 4 more matches
CSP: base-uri - HTTP
the http content-security-policy base-uri directive restricts the urls which can be used in a document's <base> element.
... syntax one or more sources can be allowed for the base-uri policy: content-security-policy: base-uri <source>; content-security-policy: base-uri <source> <source>; sources while this directive uses the same arguments as other csp directives, some of them don't make sense for `<base>`, such as the keywords 'unsafe-inline' and 'strict-dynamic' <source> can be one of the following: <host-source> internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches
CSP: connect-src - HTTP
the http content-security-policy (csp) connect-src directive restricts the urls which can be loaded using script interfaces.
... syntax: one or more sources can be allowed for the connect-src policy:
content-security-policy: connect-src <source>;
content-security-policy: connect-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches
CSP: default-src - HTTP
the http content-security-policy (csp) default-src directive serves as a fallback for the other csp fetch directives.
... default-src directive and uses this value for it: child-src, connect-src, font-src, frame-src, img-src, manifest-src, media-src, object-src, prefetch-src, script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, worker-src. csp version: 1. directive type: fetch directive. syntax: one or more sources can be allowed for the default-src policy:
content-security-policy: default-src <source>;
content-security-policy: default-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 4 more matches
Intercepting Page Loads - Archive of obsolete content
content policy: finally, there is the option of implementing nsicontentpolicy.
... you can create an xpcom component that extends nsicontentpolicy and register it to the "content-policy" category using the nsicategorymanager.
... the nsicontentpolicy.shouldload() method is the only one in this interface that is really useful.
...And 3 more matches
Index - MDN Web Docs Glossary: Definitions of Web-related terms
53 csp (glossary, http, infrastructure): a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
... 117 document directive (csp, directive, document, glossary, http, security): csp document directives are used in a content-security-policy header and govern the properties of a document or worker environment to which a policy applies.
... 143 fetch directive (csp, http, security): csp fetch directives are used in a content-security-policy header and control locations from which certain resource types may be loaded.
...And 3 more matches
Script security
the security model for web content is based on the same-origin policy, in which code gets full access to objects from its origin but highly restricted access to objects from a different origin.
... security policy: gecko implements the following security policy: objects that are same-origin are able to access each other freely.
... objects that are cross-origin get highly restricted access to each other, according to the same-origin policy.
...And 3 more matches
An overview of NSS Internals
on an organizational level the contents of the set are managed according to the mozilla ca policy.
...for example: the certificates were valid at the time the signature was made, the name in the certificate matches the expected signer (check subject name, common name or email, depending on the application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and, depending on environment/application policy, it might be required to perform a revocation check (ocsp or crl), which asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert).
...in order to distinguish an ev certificate, cas will embed a policy oid in the certificate, and the browser is expected to verify that a trust chain permits the end entity (ee) certificate to make use of the policy.
...And 3 more matches
NSS Tools sslstrength
synopsis: 1) sslstrength ciphers; 2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic]. description: the first form simply lists out the possible ciphers.
... restricting ciphers: by default, sslstrength assumes that all the preferences are on, so it will use any preferences in your policy.
...firstly, you can set policy to be either domestic or export.
...And 3 more matches
NSS functions
function name/documentation (source code, nss versions): nss_getclientauthdata (mxr, 3.2 and later); nss_setdomesticpolicy (mxr, 3.2 and later); nss_setexportpolicy (mxr, 3.2 and later); nss_setfrancepolicy (mxr, 3.2 and later); nssssl_versioncheck (mxr, 3.2.1 and later); ssl_authcertificate (mxr, 3.2 and later); ssl_authcertificatehook (mxr, 3.2 and later); ssl_badcerthook (mxr, 3.2 and later); ssl_certdbhandleset (mxr, 3.2 and later) ...
... ssl_canbypass (mxr, 3.11.7 and later); ssl_cipherpolicyget (mxr, 3.2 and later); ssl_cipherpolicyset (mxr, 3.2 and later); ssl_cipherprefget (mxr, 3.2 and later); ssl_cipherprefgetdefault (mxr, 3.2 and later); ssl_cipherprefset (mxr, 3.2 and later); ssl_cipherprefsetdefault (mxr, 3.2 and later); ssl_clearsessioncache (mxr, 3.2 and later); ssl_configmpserversidcache (mxr, 3.2 and later); ssl_configsecureserver (mxr, 3.2 and later); ssl_configserversessionidcache (mxr, 3.2 and later); ssl_datapending (mxr, 3.2 and later); ssl_forcehandshake (mxr, 3.2 and later); ssl_forcehandshakewithtimeout (mxr, 3.11.4 and later); ssl_getchannelinfo m...
... function name/documentation (source code, replacement in nss 3.2): ssl_enable (mxr): replaced by ssl_optionset; ssl_enablecipher (mxr): replaced by ssl_cipherprefsetdefault; ssl_enabledefault (mxr): replaced by ssl_optionsetdefault; ssl_redohandshake (mxr): replaced by ssl_rehandshake; ssl_setpolicy (mxr): replaced by ssl_cipherpolicyset. certificate functions: the public functions listed here are used to interact with certificate databases.
...And 3 more matches
Console messages - Firefox Developer Tools
this site specified both an x-content-security-policy/report-only header and a content-security-policy/report-only header.
... the x-content-security-policy/report-only header(s) will be ignored.
... see content security policy for more details.
...And 3 more matches
Sensor APIs - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
... if (error.name === 'SecurityError') { // see the note above about feature policy.
...And 3 more matches
CSP: child-src - HTTP
the http content-security-policy (csp) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
... syntax: one or more sources can be allowed for the child-src policy:
content-security-policy: child-src <source>;
content-security-policy: child-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: font-src - HTTP
the http content-security-policy (csp) font-src directive specifies valid sources for fonts loaded using @font-face.
... syntax: one or more sources can be allowed for the font-src policy:
content-security-policy: font-src <source>;
content-security-policy: font-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: frame-src - HTTP
the http content-security-policy (csp) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
... syntax: one or more sources can be allowed for the frame-src policy:
content-security-policy: frame-src <source>;
content-security-policy: frame-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: img-src - HTTP
the http content-security-policy img-src directive specifies valid sources of images and favicons.
... syntax: one or more sources can be allowed for the img-src policy:
content-security-policy: img-src <source>;
content-security-policy: img-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: media-src - HTTP
the http content-security-policy (csp) media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
... syntax: one or more sources can be allowed for the media-src policy:
content-security-policy: media-src <source>;
content-security-policy: media-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: navigate-to - HTTP
the http content-security-policy (csp) navigate-to directive restricts the urls to which a document can initiate navigations by any means, including <form> (if form-action is not specified), <a>, window.location, window.open, etc.
... syntax: one or more sources can be set for the navigate-to policy:
content-security-policy: navigate-to <source>;
content-security-policy: navigate-to <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: object-src - HTTP
the http content-security-policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
... syntax: one or more sources can be allowed for the object-src policy:
content-security-policy: object-src <source>;
content-security-policy: object-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
CSP: referrer - HTTP
the http content-security-policy (csp) referrer directive was used to specify information in the referer header (with a single r, as this was a typo in the original spec) for links away from a page.
... use the referrer-policy header instead.
... syntax: content-security-policy: referrer <referrer-policy>; where <referrer-policy> can be one of the following values: "no-referrer": the referer header will be omitted entirely.
...And 3 more matches
CSP: sandbox - HTTP
the http content-security-policy (csp) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
... it applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
... csp version: 1.1 / 2. directive type: document directive. this directive is not supported in the <meta> element or by the content-security-policy-report-only header field.
...And 3 more matches
CSP: worker-src - HTTP
the http content-security-policy (csp) worker-src directive specifies valid sources for worker, sharedworker, or serviceworker scripts.
... syntax: one or more sources can be allowed for the worker-src policy:
content-security-policy: worker-src <source>;
content-security-policy: worker-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 3 more matches
Index - Archive of obsolete content
634 same origin policy for xbl (same-origin policy, security, xbl): the same origin policy used for xbl documents is different from the policy used for other content.
... this article provides a description of how the same origin policy for xbl works.
... 1997 mozilla.dev.platform faq: faq for questions asked on mozilla.dev.platform. 1998 nsicontentpolicy (interfaces, interfaces:scriptable, needsmarkupwork, reference, xpcom, xpcom interface reference): you can observe content that is being loaded into your browser by implementing nsicontentpolicy.
...And 2 more matches
Limitations of chrome scripts
nsicontentpolicy: without the shim in multiprocess firefox, if you register the nsicontentpolicy in the chrome process then it will never see any attempts to load web content, because they happen in the content process.
...it transparently registers an nsicontentpolicy in the content process, whose shouldload just forwards to the chrome process.
...the chrome process then checks the content against the policy supplied by the add-on, and forwards the response back to the child to be enforced.
...And 2 more matches
OS.File for the main thread
winshare (ignored under non-windows platforms): if specified, a sharing policy, as per the windows function createfile.
... if unspecified, files are opened with a default sharing policy (the file is not protected against being read/written/removed by another process or another use in the same process).
... you can build this policy from the constants os.constants.win.file_share_*.
...And 2 more matches
NSS Config Options
nss config options format: the specified ciphers will be allowed by policy, but an application may allow more by policy explicitly:
config="allow=curve1:curve2:hash1:hash2:rsa-1024..."
only the specified hashes and curves will be allowed:
config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"
only the specified hashes and curves will be allowed, rsa keys of 2048 bits or more will be accepted, and dh key exchange with 1024-bit primes or more:
config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-dh=1024"
a policy that enables the aes ciphersuites and the secp256/384 curves:
config="allow=aes128-cbc:aes128-gcm::hmac-sha1:sha1:sha256:sha384:rsa:ecdhe-rsa:secp256r1:secp384r1"
turn off md5:
config="disallow=md5"
turn off md5 and sha1 only for ssl:
config...
...disable: turn off ciphersuites by default without disallowing them by policy.
... flags: turn on the following flags: ssl-lock: turn off the ability for applications to change policy with the ssl_setcipherpolicy (or ssl_setpolicy).
...And 2 more matches
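The config= policy string format shown in the NSS Config Options entry above, as an added example that is not NSS code: a small JavaScript evaluator that parses such a string and answers whether a named algorithm, curve or ciphersuite is allowed, merely disabled by default, or held to a minimum key size. The semantics are my reading of the examples on the page (space-separated keyword=value clauses; colon-separated names; "all" under disallow= clears everything allowed so far; min-rsa=N and min-dh=N inside allow= set key-size floors; disable= turns a suite off without disallowing it; flags=ssl-lock freezes the policy). The per-protocol qualifier the page truncates ("only for ssl") is not modelled, and the class and method names are my own.

```javascript
// Added example, not NSS code: evaluate a config= policy string of the form
// documented above. Clauses are applied left to right.
class NssPolicy {
  constructor(configString) {
    this.denyAll = false;        // true once "disallow=all" has been seen
    this.allowed = new Set();    // names explicitly allowed after denyAll
    this.disallowed = new Set(); // names explicitly disallowed
    this.disabled = new Set();   // off by default, but still allowed by policy
    this.minRsa = 0;             // minimum RSA modulus size in bits (0 = no floor)
    this.minDh = 0;              // minimum DH prime size in bits (0 = no floor)
    this.locked = false;         // flags=ssl-lock: applications may not change policy
    this.parse(configString);
  }

  parse(configString) {
    for (const clause of configString.trim().split(/\s+/)) {
      if (!clause) continue;
      const eq = clause.indexOf('=');
      if (eq < 0) throw new Error(`bad clause: ${clause}`);
      const keyword = clause.slice(0, eq).toLowerCase();
      // The page shows a stray "::" in one example; empty items are ignored.
      const items = clause.slice(eq + 1).split(':').filter(Boolean);
      for (const item of items) this.apply(keyword, item.toLowerCase());
    }
  }

  apply(keyword, item) {
    // min-rsa=N / min-dh=N travel inside an allow= list (see the page's example).
    const limit = item.match(/^min-(rsa|dh)=(\d+)$/);
    if (limit && keyword === 'allow') {
      if (limit[1] === 'rsa') this.minRsa = Number(limit[2]);
      else this.minDh = Number(limit[2]);
      return;
    }
    switch (keyword) {
      case 'allow':
        this.allowed.add(item);
        this.disallowed.delete(item);
        break;
      case 'disallow':
        if (item === 'all') {
          this.denyAll = true;
          this.allowed.clear();
        } else {
          this.disallowed.add(item);
          this.allowed.delete(item);
        }
        break;
      case 'disable':
        this.disabled.add(item);
        break;
      case 'flags':
        if (item === 'ssl-lock') this.locked = true;
        break;
      default:
        throw new Error(`unknown keyword: ${keyword}`);
    }
  }

  // Is this algorithm, curve or ciphersuite allowed by policy at all?
  isAllowed(name) {
    const n = name.toLowerCase();
    if (this.disallowed.has(n)) return false;
    if (this.denyAll) return this.allowed.has(n);
    return true; // default posture: everything not disallowed is allowed
  }

  // Allowed and not switched off by a disable= clause.
  isEnabledByDefault(name) {
    return this.isAllowed(name) && !this.disabled.has(name.toLowerCase());
  }

  rsaKeyAllowed(bits) { return bits >= this.minRsa; }
  dhPrimeAllowed(bits) { return bits >= this.minDh; }
}
```

The useful check for a reviewer is the difference between disallow and disable: a suite under disable= still passes isAllowed() and an application can re-enable it, whereas a suite under disallow= (or absent from allow= after disallow=all) cannot be turned on by the application at all, and ssl-lock removes even that first option.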
nsICache
store_anywhere (0): the storage policy of a cache entry determines the device(s) to which it belongs. ...the cache service decides which cache device to use based on "some resource management calculation."
store_in_memory (1): the storage policy of a cache entry determines the device(s) to which it belongs.
... store_on_disk (2): the storage policy of a cache entry determines the device(s) to which it belongs.
...And 2 more matches
nsIWebBrowserPersist
void cancelsave(); void savechannel(in nsichannel achannel, in nsisupports afile); void savedocument(in nsidomdocument adocument, in nsisupports afile, in nsisupports adatapath, in string aoutputcontenttype, in unsigned long aencodingflags, in unsigned long awrapcolumn); void saveuri(in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in nsiloadcontext aprivacycontext); void saveprivacyawareuri(in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in boolean aisprivate); attributes (attribute, type, description) ...
... as of firefox 36, a new parameter areferrerpolicy was added as the fourth argument, changing the number of parameters from 7 to 8 and shifting the order of the parameters in a backwards incompatible way.
... void saveuri(in nsiuri auri, in nsisupports acachekey, in nsiuri areferrer, in long areferrerpolicy, in nsiinputstream apostdata, in string aextraheaders, in nsisupports afile, in nsiloadcontext aprivacycontext); parameters: auri: uri to save to file.
...And 2 more matches
RTCDtlsTransport - Web APIs
to be able to negotiate with such endpoints (or to exclude them entirely), the rtcconfiguration property bundlepolicy may be provided when creating the connection.
... the bundlepolicy lets you control how to negotiate with these legacy endpoints.
... the default policy is "balanced", which provides a balance between performance and compatibility.
...And 2 more matches
RTCPeerConnection() - Web APIs
rtcconfiguration dictionary: bundlepolicy (optional): specifies how to handle negotiation of candidates when the remote peer is not compatible with the sdp bundle standard.
... this must be one of the values from the enum rtcbundlepolicy.
... icetransportpolicy (optional): the current ice transport policy; this must be one of the values from the rtcicetransportpolicy enum.
...And 2 more matches
<img>: The Image Embed element - HTML: Hypertext Markup Language
there are many other attributes to achieve various purposes: referrer/cors control for security and privacy: see crossorigin and referrerpolicy.
... referrerpolicy: a string indicating which referrer to use when fetching the resource: no-referrer: the referer header will not be sent.
...this is the default if no policy is otherwise specified.
...And 2 more matches
<link>: The External Resource Link element - HTML: Hypertext Markup Language
when using <link> to establish a favicon for a site, and your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.
...it specifies the type of content being loaded by the <link>, which is necessary for request matching, application of the correct content security policy, and setting of the correct accept request header.
...And 2 more matches
CSP: manifest-src - HTTP
the http content-security-policy manifest-src directive specifies which manifest can be applied to the resource.
... syntax: one or more sources can be allowed for the manifest-src policy:
content-security-policy: manifest-src <source>;
content-security-policy: manifest-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
CSP: prefetch-src - HTTP
the http content-security-policy (csp) prefetch-src directive specifies valid resources that may be prefetched or prerendered.
... syntax: one or more sources can be allowed for the prefetch-src policy:
content-security-policy: prefetch-src <source>;
content-security-policy: prefetch-src <source> <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
CSP: script-src-attr - HTTP
the http content-security-policy (csp) script-src-attr directive specifies valid sources for javascript inline event handlers.
... syntax: one or more sources can be allowed for the script-src-attr policy:
content-security-policy: script-src-attr <source>;
content-security-policy: script-src-attr <source> <source>;
script-src-attr can be used in conjunction with script-src:
content-security-policy: script-src <source>;
content-security-policy: script-src-attr <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an option...
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
CSP: script-src-elem - HTTP
the http content-security-policy (csp) script-src-elem directive specifies valid sources for javascript <script> elements, but not inline script event handlers like onclick.
... syntax: one or more sources can be allowed for the script-src-elem policy:
content-security-policy: script-src-elem <source>;
content-security-policy: script-src-elem <source> <source>;
script-src-elem can be used in conjunction with script-src:
content-security-policy: script-src <source>;
content-security-policy: script-src-elem <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
CSP: style-src-attr - HTTP
the http content-security-policy (csp) style-src-attr directive specifies valid sources for inline styles applied to individual dom elements.
... syntax: one or more sources can be allowed for the style-src-attr policy:
content-security-policy: style-src-attr <source>;
content-security-policy: style-src-attr <source> <source>;
style-src-attr can be used in conjunction with style-src:
content-security-policy: style-src <source>;
content-security-policy: style-src-attr <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
CSP: style-src-elem - HTTP
the http content-security-policy (csp) style-src-elem directive specifies valid sources for stylesheets: <style> elements and <link> elements with rel="stylesheet".
... syntax: one or more sources can be allowed for the style-src-elem policy:
content-security-policy: style-src-elem <source>;
content-security-policy: style-src-elem <source> <source>;
style-src-elem can be used in conjunction with style-src:
content-security-policy: style-src <source>;
content-security-policy: style-src-elem <source>;
sources: <source> can be one of the following: <host-source>: internet hosts by name or ip address, as well as an optional url scheme and/or port number.
...the server must generate a unique nonce value each time it transmits a policy.
...And 2 more matches
Expect-CT - HTTP
when present with the enforce directive, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the certificate transparency policy should be enforced and that violations should be reported.
... enforce (optional): signals to the user agent that compliance with the certificate transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its certificate transparency policy.
... when both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the certificate transparency policy should be enforced and that violations should be reported.
...And 2 more matches
Privacy, permissions, and information security
web technologies and features used to enforce security and privacy (technology or feature: description):
certificate transparency: an open standard for monitoring and auditing certificates, creating a database of public logs that can be used to help identify incorrect or malicious certificates
content security policy: lets a document declare which sources its scripts, styles and other content may be loaded from, so that injected or unexpected content is blocked; used in particular to prevent or mitigate attacks such as cross-site scripting
feature policy: lets web developers selectively enable, disable, and modify the behavior of certain features and apis both for a document and for subdocuments loaded in <iframe>s
<iframe>'s allow attribute: technically part of feature policy, the allow attribute on an <iframe> specifies which web features the document in the frame should be allowed to access
http public key pinning (hpkp): hpkp is used by servers to instruct a client to associate a specific public key with the server going forward in order to decrease the likelihood of man-in-the-middle attacks
http strict transport security (hsts): hsts is used by servers to let them protect themselves from protocol downgrade and cookie hijack attacks by letting sites tell clients that they can only use https to communicate with the server
http/2: while http/2 technically does not have to use encryption, most browser developers are only supporting it when used with https, so it can be thought of in...
...this is the technology behind the https (hypertext transport protocol secured) protocol. not all of these are generally directly used within code; notably, the permissions api, feature policy, and the allow attribute on <iframe> elements are primary tools directly used by code to help secure a site and its content.
...And 2 more matches
Referer header: privacy and security concerns - Web security
you can also mitigate such risks using: the referrer-policy header on your server to control what information is sent through the referer header.
... the referrerpolicy attribute on html elements that are in danger of leaking such information (such as <img> and <a>).
... helmetjs referrer-policy: middleware for setting referrer-policy in node.js/express apps (see also helmetjs for more security provisions).
...And 2 more matches
Web security
content security: content security policy (csp): content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (xss) and data injection attacks.
... information leakage: referer header policy: privacy and security concerns: there are privacy and security risks associated with the referer http header.
... robots.txt (to be written). site maps (to be written). integrity: same-origin policy: the same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin.
...And 2 more matches
Mozilla Crypto FAQ - Archive of obsolete content
the cryptography policy page maintained by the electronic privacy information center (epic).
...encryption policy and related topics.
... building in big brother: the cryptographic policy debate, by lance hoffman (ed.).
... cryptography & liberty 2000: an international survey of encryption policy, by the electronic privacy information center.
Index
170 storage access policy: block cookies from trackers (privacy, storage access policy, tracking protection): firefox includes a new storage access policy that blocks cookies and other site data from third-party tracking resources.
... this new policy is designed as an alternative to the current policies, which have been available in firefox for many years.
... the new policy protects against cross-site tracking while minimizing the site breakage associated with traditional cookie blocking.
... this article explains how the new policy works and how you can test it.
JSS FAQ
if i don't call setcipherpolicy, is the domestic policy used by default?
... org/mozilla/jss/pkix/crmf/certreqmsg.java org/mozilla/jss/pkix/crmf/certtemplate.java org/mozilla/jss/pkix/primitive/name.java org/mozilla/jss/provider/javax/crypto/jsssecretkeyfactoryspi.java org/mozilla/jss/util/utf8converter.java org/mozilla/jss/util/base64inputstream.java jss/samples/pqggen.java jss/samples/pkcs12.java if i don't call setcipherpolicy, is the domestic policy used by default?
... yes, domestic is the default because we call nss_setdomesticpolicy() during cryptomanager.initialize().
... setcipherpolicy does not need to be called by a jss app unless that app wants to limit itself to export-allowed cipher suites.
NSS 3.22 release notes
enforce an external policy on nss from a config file (bug 1009429): you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which will force nss to restrict the application to certain cryptographic algorithms and protocols.
..._rsa sec_oid_tls_dh_dss sec_oid_tls_dh_anon sec_oid_tls_ecdhe_ecdsa sec_oid_tls_ecdhe_rsa sec_oid_tls_ecdh_ecdsa sec_oid_tls_ecdh_rsa sec_oid_tls_ecdh_anon sec_oid_tls_rsa_export sec_oid_tls_dhe_rsa_export sec_oid_tls_dhe_dss_export sec_oid_tls_dh_rsa_export sec_oid_tls_dh_dss_export sec_oid_tls_dh_anon_export sec_oid_apply_ssl_policy. in sslt.h: ssl_signed_cert_timestamp_xtn is added to sslextensiontype.
... new macros in nss.h: nss_rsa_min_key_size nss_dh_min_key_size nss_dsa_min_key_size nss_tls_version_min_policy nss_tls_version_max_policy nss_dtls_version_min_policy nss_dtls_version_max_policy. in pkcs11t.h: ckp_pkcs5_pbkd2_hmac_gostr3411 - prf based on hmac with gostr3411 for pbkdf (not supported); ckp_pkcs5_pbkd2_hmac_sha224 - prf based on hmac with sha-224 for pbkdf; ckp_pkcs5_pbkd2_hmac_sha256 - prf based on hmac with sha-256 for pbkdf; ckp_pkcs5_pbkd2_hmac_sha384 - prf based on hmac with sha-384 for pbkdf; ckp_pkcs5_pbkd2_hmac_sha512 - prf based on hmac with sha-512 for pbkdf; ckp_pkcs5_pbkd2_hmac_sha512_224 - prf based on hmac with sha-512 truncated to 224 bits for pbkdf (not supported); ckp_pkcs5_pbkd2_hmac_sha512_256 - prf based on ...
...hmac with sha-512 truncated to 256 bits for pbkdf (not supported). in secoidt.h: nss_use_alg_in_ssl nss_use_policy_in_ssl. in ssl.h: ssl_enable_signed_cert_timestamps. in sslt.h: ssl_max_extensions is updated to 13. notable changes in nss 3.22: nss c++ tests are built by default, requiring a c++11 compiler.
NSS 3.31 release notes
notable changes in nss 3.31: the apis that set a tls version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured.
... ssl_versionrangegetsupported can be used to query the overlap between the library's supported range of tls versions and the systemwide policy.
... previously, ssl_versionrangeset and ssl_versionrangesetdefault returned a failure if the requested version range wasn't fully allowed by the systemwide crypto policy.
... they have been changed to return success if at least one tls version overlaps between the requested range and the systemwide policy.
Handling Mozilla Security Bugs
this list will act as a forum for discussing group policy and the addition of new members, as described below.
... changing this policy: this policy is not set in stone.
... it is our hope that any disputes that arise over membership, disclosure, or any other issue addressed by this policy can be resolved by consensus among the mozilla security module owner, the module owner's peers, and other security bug group members through discussions on the private security bug group mailing list.
... as with other mozilla project issues, mozilla.org staff will have the final authority to make changes to this policy, and will do so only after consulting with the various parties involved and with the public mozilla community, in order to ensure that all views are taken into account.
nsICookieConsent
Last changed in Gecko 1.9 (Firefox 3). Inherits from: nsISupports. Method overview: void getConsent(); Methods: getConsent() gives a decision on what should be done with a cookie, based on a site's P3P policy and the user's preferences.
... The policy for the given URI and channel is also returned.
... nsCookieStatus getConsent(in nsIURI uri, in nsIHttpChannel httpChannel, in boolean isForeign, out nsCookiePolicy policy); Parameters: uri: the URI to find the policy for.
... policy: the policy for the given URI, or nsICookie::POLICY_UNKNOWN if one cannot be found.
Network request details - Firefox Developer Tools
Referrer Policy: the value of the Referrer-Policy header.
... Version: the HTTP version used. Transferred: the amount of data transferred with the request. The referrer policy, which governs which referrer information, sent in the Referer header, should be included with requests.
... (See Referrer-Policy for a description of possible values.) Blocking: if the request is to a site that is associated with a known tracker, an icon and a message are shown; otherwise, this field is not shown.
...: "content-length", "value": "673" }, { "name": "content-type", "value": "text/javascript; charset=utf-8" }, { "name": "date", "value": "tue, 11 jun 2019 13:01:39 gmt" }, { "name": "mediawiki-login-suppressed", "value": "true" }, { "name": "p3p", "value": "cp=\"this is not a p3p policy!
RTCPeerConnection - Web APIs
Constants: RTCBundlePolicy enum: the RTCBundlePolicy enum defines string constants which are used to request a specific policy for gathering ICE candidates if the remote peer isn't "bundle-aware" (compatible with the SDP BUNDLE standard for bundling multiple media streams on a single transport link).
... If the remote endpoint is bundle-aware, all media tracks and data channels are bundled onto a single transport at the completion of negotiation, regardless of the policy used, and any superfluous transports that were created initially are closed at that point.
... RTCIceTransportPolicy enum: the RTCIceTransportPolicy enum defines string constants which can be used to limit the transport policies of the ICE candidates to be considered during the connection process.
... RTCRtcpMuxPolicy enum: the RTCRtcpMuxPolicy enum defines string constants which specify what ICE candidates are gathered to support non-multiplexed RTCP.
Using Web Workers - Web APIs
Content security policy: workers are considered to have their own execution context, distinct from the document that created them.
... For this reason they are, in general, not governed by the content security policy of the document (or parent worker) that created them.
... So for example, suppose a document is served with the following header: Content-Security-Policy: script-src 'self'. Among other things, this will prevent any scripts it includes from using eval().
... To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which delivered the worker script itself.
<a>: The Anchor element - HTML: Hypertext Markup Language
referrerpolicy: how much of the referrer to send when following the link.
... See Referrer-Policy for possible values and their effects.
... Hand tremors and the giant-button problem. Specifications: Specification / Status / Comment: Referrer Policy, the definition of 'referrer attribute' in that specification.
... Candidate Recommendation: added the referrerpolicy attribute.
<area> - HTML: Hypertext Markup Language
referrerpolicy: a string indicating which referrer to use when fetching the resource: "no-referrer" meaning that the Referer: header will not be sent.
... This is a user agent's default behavior, if no policy is otherwise specified.
... Examples: <map name="primary"> <area shape="circle" coords="75,75,75" href="left.html" alt="Click to go left"> <area shape="circle" coords="275,75,75" href="right.html" alt="Click to go right"> </map> <img usemap="#primary" src="https://udn.realityripple.com/samples/6a/7e559101b3.png" alt="350 x 150 pic"> Result. Specifications: Specification / Status / Comment: Referrer Policy, the definition of 'referrerpolicy attribute' in that specification.
... Candidate Recommendation: added the referrerpolicy attribute.
CSP: frame-ancestors - HTTP
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
... Syntax: one or more sources can be set for the frame-ancestors policy: Content-Security-Policy: frame-ancestors <source>; Content-Security-Policy: frame-ancestors <source> <source>; Sources: <source> can be one of the following: the frame-ancestors directive's syntax is similar to a source list of other directives (e.g.
... Examples: Content-Security-Policy: frame-ancestors 'none'; Content-Security-Policy: frame-ancestors 'self' https://www.example.org; Specifications: Specification / Status / Comment: Content Security Policy Level 3, the definition of 'frame-ancestors' in that specification.
... Content Security Policy Level 2, the definition of 'frame-ancestors' in that specification.
CSP: plugin-types - HTTP
The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
... Syntax: one or more MIME types can be set for the plugin-types policy: Content-Security-Policy: plugin-types <type>/<subtype>; Content-Security-Policy: plugin-types <type>/<subtype> <type>/<subtype>; <type>/<subtype>: a valid MIME type.
... <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> Allowing Flash content: the content security policy Content-Security-Policy: plugin-types application/x-shockwave-flash will allow Flash objects to load: <object data="https://example.com/flash" type="application/x-shockwave-flash"></object> Allowing Java applets: to load an <applet> you must specify application/x-java-applet: Content-Security-Policy: plugin-types application/x-java-applet Specifications: Specification / Status / Comment: Content Security Policy Level 3...
... Content Security Policy Level 2, the definition of 'plugin-types' in that specification.
CSP: report-to - HTTP
The Content-Security-Policy report-to HTTP response header field instructs the user agent to store reporting endpoints for an origin.
... Content-Security-Policy: ...; report-to groupname The directive has no effect in and of itself, but only gains meaning in combination with other directives.
... Syntax: Content-Security-Policy: report-to <json-field-value>; Examples: see Content-Security-Policy-Report-Only for more information and examples.
... Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } Content-Security-Policy: ...; report-to csp-endpoint Report-To: { "group": "endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } Content-Security-Policy: ...; report-to endpoint-1 ...
web-share - HTTP
The HTTP Feature-Policy header web-share directive controls whether the current document is allowed to use the navigator.share() method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice.
... Syntax: Feature-Policy: web-share <allowlist>; <allowlist>: an allowlist is a list of origins that takes one or more of the following values, separated by spaces: *: the feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
... Default policy: the default value is 'self'.
... Specifications: Specification / Status / Comment: Feature Policy, Editor's Draft, initial definition.
Java in Firefox Extensions - Archive of obsolete content
ository/jav...xtensionutils/ ) build and add references leading to this JAR and all other JARs in your extension within an array of java.net.URL's, pass to java.net.URLClassLoader to get a class loader, and finally pass the classloader and array to a function which gives the necessary privileges: // This function will be called to give the necessary privileges to your JAR files // However, the policy never comes into play, because // (1) adding permissions doesn't add to the policy itself, and // (2) addURL alone does not set the grant codebase function policyAdd(loader, urls) { try { // If you have trouble with the policy try changing it to // edu.mit.simile.javaFirefoxExtensionUtils.URLSetPolicy var str = 'edu.mit.simile.javaFirefoxExtensionUtils.URLSetPolicy'; var policyClass = java.lang.Class.forName(str, true, loader); var policy = policyClass.newInstance(); policy.setOuterPolicy(java.security.Policy.getPolicy()); java.security.Policy.setPolicy(policy); policy.addPermission(new java.security.AllPermission()); for (var j = 0; j < urls.length; j++) { policy.addURL(urls[j]); } } catch (e) { alert(e + '::' + e.lineNumber); } } // Get extension folder installation path...
...va/testjava.jar"; // Seems you don't actually have to replace the backslashes as they work as well var urlArray = []; // Build a regular JavaScript array (LiveConnect will auto-convert to a Java array) urlArray[0] = new java.net.URL(myJarpath); urlArray[1] = new java.net.URL(classLoaderJarpath); var cl = java.net.URLClassLoader.newInstance(urlArray); // Set security policies using the above policyAdd() function policyAdd(cl, urlArray); Now you can begin using LiveConnect, including referencing the classes in your JARs.
Safely loading URIs - Archive of obsolete content
Changes in Gecko 1.9: a key security change in Gecko 1.9 is the addition of the new security.fileuri.strict_origin_policy preference.
... This boolean preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same-origin policy on file: URIs.
... See Same-origin policy for file: URIs for details.
Supporting private browsing mode - Archive of obsolete content
AMO policy and private browsing: in order to publicly list an add-on on addons.mozilla.org, the add-on must properly respect private browsing mode by not recording sensitive data while private browsing mode is active.
... This is a new policy that is just being implemented (as of February 2010).
... Note: during the transition period as this policy is put into effect, there is some leeway as well as a grace period.
The new nsString class implementation (1999) - Archive of obsolete content
The deficiencies of the current implementation are: class based -- making it unsuitable for cross-DLL usage due to fragility; little intrinsic i18n support; few efficiencies, notably a lack of support for narrow (1-byte) character strings; no support for external memory management policy; lack of XPCOM interface. Notable features of the new nsStrImpl implementation are: intrinsic support for 1 and 2 byte character widths; provides automatic conversion between strings with different character sizes; inviolate base structure eliminates the class fragility problem, safe across DLL boundaries; offers a C-style function API to manipulate nsStrImpl; offers a simple memory allocator API for s...
... specialized memory policy; shares binary format with BString; coming soon: a new XPCOM (nsIString) interface; non-templatized, which is a requirement for Gecko; very efficient buffer manipulation architecture. The fundamental data type in the new architecture is struct nsStrImpl, given below: struct nsStrImpl { PRInt32 mLength; void* mBuffer; PRInt32 mCapacity; char mCharSize; char mUnused; // and now for the nsStrImpl API...
... Our nsStrImpl uses an allocator pattern so that programmers can install their own policy, but this may also make allocation simpler in a multiprocess environment.
Security Controls - Archive of obsolete content
For example, a security policy is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls).
... An organization may have an acceptable use policy that specifies the conduct of users, including not visiting malicious websites.
... Security controls to help thwart phishing, besides the management control of the acceptable use policy itself, include operational controls, such as training users not to fall for phishing scams, and technical controls that monitor emails and web site usage for signs of phishing activity.
Audio for Web games - Game development
Autoplay: browser autoplay policy now affects desktop and mobile browsers.
... You can find out more about best practices with the autoplay policy here.
...tton'); // load file loadFile(anchor.href).then((track) => { // set loading to false el.dataset.loading = 'false'; // hide loading text loadText.style.display = 'none'; // show button playButton.style.display = 'inline-block'; // allow play on click playButton.addEventListener('click', function() { // check if context is in suspended state (autoplay policy) if (audioCtx.state === 'suspended') { audioCtx.resume(); } playTrack(track); playButton.dataset.playing = true; }) }) }) Note: you can see this demo in action here and view the source code here.
CSP - MDN Web Docs Glossary: Definitions of Web-related terms
A CSP (Content Security Policy) is used to detect and mitigate certain types of website-related attacks like XSS and data injections.
... The implementation is based on an HTTP header called Content-Security-Policy.
... Learn more: general knowledge: Content Security Policy on Wikipedia; technical knowledge: Content Security Policy documentation on MDN ...
Introduction to web APIs - Learn web development
lume'); const audioSource = audioCtx.createMediaElementSource(audioElement); Next up we include a couple of event handlers that serve to toggle between play and pause when the button is pressed and reset the display back to the beginning when the song has finished playing: // play/pause audio playBtn.addEventListener('click', function() { // check if context is in suspended state (autoplay policy) if (audioCtx.state === 'suspended') { audioCtx.resume(); } // if track is stopped, play it if (this.getAttribute('class') === 'paused') { audioElement.play(); this.setAttribute('class', 'playing'); this.textContent = 'Pause' // if track is playing, stop it } else if (this.getAttribute('class') === 'playing') { audioElement.pause(); ...
... They have additional security mechanisms where appropriate: WebAPI features are subject to the same security considerations as JavaScript and other web technologies (for example the same-origin policy), but they sometimes have additional security mechanisms in place.
... As an example, the Notifications API asks for permission using a pop-up dialogue box. The Web Audio and HTMLMediaElement APIs are subject to a security mechanism called autoplay policy: this basically means that you can't automatically play audio when a page loads; you've got to allow your users to initiate audio play through a control like a button.
Performance
Beam down information in advance to avoid synchronous calls to the parent. Bad: // processScript.js function ContentPolicy() { // ...
... } Object.assign(ContentPolicy.prototype, { classDescription: ..., classID: ..., contractID: ..., QueryInterface: XPCOMUtils.generateQI([Ci.nsIContentPolicy]), shouldLoad: function(type, location, origin, context) { let resultList = Services.cpmm.sendSyncMessage("my-addon:check-load", {destination: location, source: origin}) // <=== sync message!
... if (resultList.every((r) => r == true)) return Ci.nsIContentPolicy.ACCEPT; return Ci.nsIContentPolicy.REJECT_REQUEST; } }); // more boilerplate code here This example is a (somewhat condensed) content policy which gets triggered for every network request in a child process to either allow or deny the request.
Midas editor module security preferences
Add these lines to user.js: user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org"); user_pref("capability.policy.allowclipboard.clipboard.cutcopy", "allaccess"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); Change the URL https://www.mozilla.org to the site for which you want to enable this function.
... For example: user_pref("capability.policy.allowclipboard.sites", "http://www-archive.mozilla.org") is not the same as: user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org") This is because the first uses http while the second uses https.
... For example: user_pref("capability.policy.allowclipboard.sites", "https://www-archive.mozilla.org https://developer.mozilla.org") Again, keep in mind the security risks involved here and be sure to remove permission to access the clipboard once you no longer need it enabled.
Certificate functions
and later; CERT_EncodeCRLDistributionPoints (MXR) 3.5 and later; CERT_EncodeGeneralName (MXR) 3.4 and later; CERT_EncodeInfoAccessExtension (MXR) 3.12 and later; CERT_EncodeInhibitAnyExtension (MXR) 3.12 and later; CERT_EncodeNoticeReference (MXR) 3.12 and later; CERT_EncodeOCSPRequest (MXR) 3.6 and later; CERT_EncodePolicyConstraintsExtension (MXR) 3.12 and later; CERT_EncodePolicyMappingExtension (MXR) 3.12 and later; CERT_EncodeSubjectKeyID (MXR) 3.12 and later; CERT_EncodeUserNotice (MXR) 3.12 and later; CERT_ExtractPublicKey (MXR) 3.2 and later; CERT_FindCertByName (MXR) 3.2 and later; CERT_FindCRLEntryReasonExten (MXR) 3.12 and later ...
... (MXR) 3.2 and later; CERT_GetCertificateNames (MXR) 3.10 and later; CERT_GetCertificateRequestExtensions (MXR) 3.10 and later; CERT_GetCertIssuerAndSN (MXR) 3.2 and later; CERT_GetCertNicknames (MXR) 3.2 and later; CERT_GetCertTrust (MXR) 3.2 and later; CERT_GetCertUid (MXR) 3.2 and later; CERT_GetClassicOCSPDisabledPolicy (MXR) 3.12 and later; CERT_GetClassicOCSPEnabledHardFailurePolicy (MXR) 3.12 and later; CERT_GetClassicOCSPEnabledSoftFailurePolicy (MXR) 3.12 and later; CERT_GetCommonName (MXR) 3.2 and later; CERT_GetCountryName (MXR) 3.2 and later; CERT_GetDBContentVersion (MXR) 3.2 and later; CERT_GetDefaultCertDB (MXR) 3.2 and later ...
...0 and later; CERT_GetOCSPResponseStatus (MXR) 3.6 and later; CERT_GetOCSPStatusForCertID (MXR) 3.6 and later; CERT_GetOidString (MXR) 3.9 and later; CERT_GetOrgName (MXR) 3.2 and later; CERT_GetOrgUnitName (MXR) 3.2 and later; CERT_GetOCSPAuthorityInfoAccessLocation (MXR) 3.4 and later; CERT_GetPKIXVerifyNistRevocationPolicy (MXR) 3.12 and later; CERT_GetPrevGeneralName (MXR) 3.10 and later; CERT_GetPrevNameConstraint (MXR) 3.10 and later; CERT_GetSlopTime (MXR) 3.2 and later; CERT_GetSSLCACerts (MXR) 3.2 and later; CERT_GetStateName (MXR) 3.2 and later; CERT_GetUsePKIXForValidation (MXR) 3.12 and later; CERT_GetValidDNSPatternsFromCe...
NSS tools : certutil
--extPM: add the Policy Mappings extension to the certificate.
... --extPC: add the Policy Constraints extension to the certificate.
... --extIA: add the Inhibit Any Policy Access extension to the certificate.
sslintro.html
NSS_SetDomesticPolicy, NSS_SetExportPolicy, NSS_SetFrancePolicy, or SSL_CipherPolicySet.
... These functions tell the library which cipher suites are permitted by policy (for example, to comply with export restrictions).
... Cipher suites disabled by policy cannot be enabled by user preference.
certutil
--extPM: add the Policy Mappings extension to the certificate.
... --extPC: add the Policy Constraints extension to the certificate.
... --extIA: add the Inhibit Any Policy Access extension to the certificate.
JSAPI User Guide
The same-origin policy governs a script's access to data and functions from other web pages.
... To use SpiderMonkey's fine-grained security features: decide what security policy you want to enforce.
... (Some security checks are also built into the JavaScript engine; you must decide what security policy to enforce for each of these checks.) Implement one or more JSPrincipals objects in your application.
imgILoader
mage/loader;1"].getService(Components.interfaces.imgILoader); Method overview: imgIRequest loadImage(in nsIURI aURI, in nsIURI aInitialDocumentURL, in nsIURI aReferrerURI, in nsIPrincipal aLoadingPrincipal, in nsILoadGroup aLoadGroup, in imgIDecoderObserver aObserver, in nsISupports aCX, in nsLoadFlags aLoadFlags, in nsISupports cacheKey, in imgIRequest aRequest, in nsIChannelPolicy channelPolicy); imgIRequest loadImageWithChannel(in nsIChannel aChannel, in imgIDecoderObserver aObserver, in nsISupports cx, out nsIStreamListener aListener); boolean supportImageWithMimeType(in string mimeType); Constants: Constant / Value / Description: LOAD_CORS_ANONYMOUS 1 << 16; LOAD_CORS_USE_CREDENTIALS 1 << 17. Methods: loadImage() starts the load and decode of an image.
... imgIRequest loadImage(in nsIURI aURI, in nsIURI aInitialDocumentURL, in nsIURI aReferrerURI, in nsIPrincipal aLoadingPrincipal, in nsILoadGroup aLoadGroup, in imgIDecoderObserver aObserver, in nsISupports aCX, in nsLoadFlags aLoadFlags, in nsISupports cacheKey, in imgIRequest aRequest, in nsIChannelPolicy channelPolicy); Parameters: aURI: the URI to load.
... channelPolicy. Return value. loadImageWithChannel() starts the load and decode of an image.
nsICacheSession
evictEntries(): this method evicts all entries for this session's clientID according to its storage policy.
... isStorageEnabled(): this method checks if the cache devices implied by the session storage policy are currently enabled for instantiation if they don't already exist.
... Return value: returns whether any of the cache devices implied by the session storage policy are currently enabled for instantiation or not, depending on their existence.
nsIPrincipal
Obsolete since Gecko 1.8. csp nsIContentSecurityPolicy: a content security policy associated with this principal.
... securityPolicy voidPtr: the domain security policy of the principal.
...d 4 Methods: Native code only! canEnableCapability: short canEnableCapability(in string capability); Parameters: capability: missing description. Return value: missing description. Exceptions thrown: missing exception: missing description. checkMayLoad() checks whether this principal is allowed to load the network resource located at the given URI under the same-origin policy.
Using Fetch - Web APIs
The spec changed the default credentials policy to same-origin.
... Fetch requests are controlled by the connect-src directive of Content Security Policy rather than the directive of the resources it's retrieving.
... mode: 'cors', // no-cors, *cors, same-origin cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached credentials: 'same-origin', // include, *same-origin, omit headers: { 'Content-Type': 'application/json' // 'Content-Type': 'application/x-www-form-urlencoded', }, redirect: 'follow', // manual, *follow, error referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url body: JSON.stringify(data) // body data type must match "Content-Type" header }); return response.json(); // parses JSON response into native JavaScript objects } postData('https://example.com/answer', { answer: 42 }) .th...
HTMLIFrameElement.csp - Web APIs
The csp property of the HTMLIFrameElement interface specifies the Content Security Policy that an embedded document must agree to enforce upon itself.
... Syntax: var csp = HTMLIFrameElement.csp; HTMLIFrameElement.csp = csp; Value: a content security policy.
... Specifications: Specification / Status / Comment: Content Security Policy: Embedded Enforcement, the definition of 'csp' in that specification.
HTMLIFrameElement - Web APIs
HTMLIFrameElement.csp specifies the Content Security Policy that an embedded document must agree to enforce upon itself.
... HTMLIFrameElement.featurePolicy (read only) returns the FeaturePolicy interface which provides a simple API for introspecting the feature policies applied to a specific document.
... HTMLIFrameElement.referrerPolicy is a DOMString that reflects the referrerpolicy HTML attribute indicating which referrer to use when fetching the linked resource.
Reporting API - Web APIs
The Reporting API provides a generic reporting mechanism for web applications to use to make reports available based on various platform features (for example Content Security Policy, Feature-Policy, or feature deprecation reports) in a consistent manner.
... Such information can include: Content Security Policy violations.
... Feature-Policy violations.
Using the Screen Capture API - Web APIs
Security: in order to function when Feature Policy is enabled, you will need the display-capture permission.
... This can be done using the Feature-Policy HTTP header or, if you're using the Screen Capture API in an <iframe>, the <iframe> element's allow attribute.
... For example, this line in the HTTP headers will enable the Screen Capture API for the document and any embedded <iframe> elements that are loaded from the same origin: Feature-Policy: display-capture 'self' If you're performing screen capture within an <iframe>, you can request permission just for that frame, which is clearly more secure than requesting a more general permission: <iframe src="https://mycode.example.net/etc" allow="display-capture"> </iframe> ...
SharedWorker() - Web APIs
This script must obey the same-origin policy.
... It must obey the same-origin policy.
... Exceptions: a SecurityError is raised if the document is not allowed to start workers, for example if the URL has an invalid syntax or if the same-origin policy is violated.
Storage Access API - Web APIs
In the case of breakage, site owners have often encouraged users to add their site as an exception or to disable the policy entirely.
... As a consequence, users who wish to continue to interact with embedded content are forced to greatly relax their blocking policy for resources loaded from all embedded origins and possibly across all websites.
... Documentation for Firefox's new storage access policy for blocking tracking cookies includes a detailed description of the scope of storage access grants.
Worker() - Web APIs
This script must obey the same-origin policy.
... It must obey the same-origin policy.
... If the URL has an invalid syntax or if the same-origin policy is violated.
HTML attribute reference - HTML: Hypertext Markup Language
allow (<iframe>): specifies a feature-policy for the iframe.
... crossorigin (<audio>, <img>, <link>, <script>, <video>): how the element handles cross-origin requests. csp (<iframe>): specifies the Content Security Policy that an embedded document must agree to enforce upon itself.
... referrerpolicy (<a>, <area>, <iframe>, <img>, <link>, <script>): specifies which referrer is sent when fetching the resource.
<style>: The Style Information element - HTML: Hypertext Markup Language
nonce: a cryptographic nonce (number used once) used to whitelist inline styles in a style-src Content-Security-Policy.
... The server must generate a unique nonce value each time it transmits a policy.
... It is critical to provide a nonce that cannot be guessed, as bypassing a resource's policy is otherwise trivial.
Evolution of HTTP - HTTP
Relaxing the security model of the web: HTTP is independent of the security model of the web, the same-origin policy.
... Over the years, it has proved useful to be able to be more lenient, by allowing, under certain constraints, some of the restrictions of this policy to be lifted.
... These are defined in specifications like Cross-Origin Resource Sharing (CORS) or the Content Security Policy (CSP).
CORS errors - HTTP
Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy.
... If the CORS configuration isn't set up correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the CORS security rules.
... It will probably look like this: the text of the error message will be something similar to the following: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://some-url-here.
CSP: block-all-mixed-content - HTTP
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets over HTTP when the page uses HTTPS.
... Syntax: Content-Security-Policy: block-all-mixed-content; Examples: Content-Security-Policy: block-all-mixed-content; <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content"> To disallow HTTP assets on a more granular level, you can also set individual directives to https:.
... For example, to disallow nonsecure HTTP images: Content-Security-Policy: img-src https: Specifications: Specification / Status / Comment: Mixed Content, the definition of 'block-all-mixed-content' in that specification.
CSP: require-sri-for - HTTP
The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
... Syntax: Content-Security-Policy: require-sri-for script; Content-Security-Policy: require-sri-for style; Content-Security-Policy: require-sri-for script style; script: requires SRI for scripts.
... Examples: if you set your site to require SRI for scripts and styles using this directive: Content-Security-Policy: require-sri-for script style <script> elements like the following will be loaded as they use a valid integrity attribute.
CSP: trusted-types - HTTP
The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings.
... This directive declares a white-list of Trusted Types policy names created with TrustedTypes.createPolicy from the Trusted Types API.
... Syntax: Content-Security-Policy: trusted-types; Content-Security-Policy: trusted-types <policyName>; Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates'; <DOMString>: any string can be a Trusted Types policy name.
CSP: upgrade-insecure-requests - HTTP
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS).
... Syntax: Content-Security-Policy: upgrade-insecure-requests; Examples: // header Content-Security-Policy: upgrade-insecure-requests; // meta tag <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> With the above header set on a domain example.com that wants to migrate from HTTP to HTTPS, non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requ...
... <img src="https://example.com/image.png"> <img src="https://not-example.com/image.png"> Navigational upgrades to third-party resources bring a significantly higher potential for breakage; these are not upgraded: <a href="https://example.com/">Home</a> <a href="http://not-example.com/">Home</a> Finding insecure requests: with the help of the Content-Security-Policy-Report-Only header and the report-uri directive, you can set up an enforced policy and a reported policy like this: Content-Security-Policy: upgrade-insecure-requests; default-src https: Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint That way, you still upgrade insecure requests on your secure site, but the only monitoring policy is violated and reports insecure r...
Network Error Logging - HTTP
max_age specifies the lifetime of the policy, in seconds (in a similar way to e.g.
... The referenced reporting group should have a lifetime at least as long as the NEL policy.
... include_subdomains: if true, the policy applies to all subdomains under the origin that the policy header is set on.
XPCOM Objects - Archive of obsolete content
one common use for this service is registering a component as a content policy.
...nregisterself methods: registerself : function(acompmgr, alocation, aloaderstr, atype) { let categorymanager = cc[@mozilla.org/categorymanager;1].getservice(ci.nsicategorymanager); acompmgr.queryinterface(ci.nsicomponentregistrar); acompmgr.registerfactorylocation( class_id, class_name, contract_id, alocation, aloaderstr, atype); categorymanager.addcategoryentry( "content-policy", "xulschool hello world", contract_id, true, true); }, in this case the component would need to implement nsicontentpolicy.
Index of archived content - Archive of obsolete content
pydom rdf api rdf datasource how-to reading textual data remote xul remote debugging rsyncing the cvs repository running windows debug builds downloaded from tinderbox sxsw 2007 presentations safe browsing safe browsing: design documentation safely loading uris same origin policy for xbl space manager detailed design space manager high level design standalone xpcom standard makefile header static analysis for windows code under linux stress testing string quick reference string rosetta stone structure of an installable bundle supporting per-window private browsing ...
... cross-browser tooltips environment variables affecting crash reporting io guide images, tables, and mysterious gaps installing plugins to gecko embedding browsers on windows mcd, mission control desktop, aka autoconfig monitoring wifi access points no proxy for configuration notes on html reflow same-origin policy for file: uris source navigator source code directories overview using xml data islands in mozilla using content preferences visualizing an audio spectrum working with bfcache cert_override.txt mozilla release faq newsgroup summaries format mozilla.dev.a...
2006-10-20 - Archive of obsolete content
method shouldload in "content-policy" category problem ?
... a student learning xpcom is having issues with the method shouldload in the interface nslcontentpolicy.
Navigation directive - MDN Web Docs Glossary: Definitions of Web-related terms
csp navigation directives are used in a content-security-policy header and govern to which location a user can navigate to or submit a form to, for example.
... learn more https://www.w3.org/tr/csp/#directives-navigation other kinds of directives: fetch directive document directive reporting directive block-all-mixed-content upgrade-insecure-requests require-sri-for trusted-types content-security-policy ...
What’s in the head? Metadata in HTML - Learn web development
note: if your site uses a content security policy (csp) to enhance its security, the policy applies to the favicon.
... if you encounter problems with the favicon not loading, verify that the content-security-policy header's img-src directive is not preventing access to it.
From object to iframe — other embedding technologies - Learn web development
one important note is that you should never add both allow-scripts and allow-same-origin to your sandbox attribute — in that case, the embedded content could bypass the same-origin policy that stops sites from executing scripts, and use javascript to turn off sandboxing altogether.
... configure csp directives csp stands for content security policy and provides a set of http headers (metadata sent along with your web pages when they are served from a web server) designed to improve the security of your html document.
Index
683 source code submission add-ons, extensions, review policy, distribution to complete the review process at addons.mozilla.org (amo), reviewers must be able to read the code in your extension.
... 688 third party library usage add-ons, extensions, review policy to complete the review process at addons.mozilla.org (amo), reviewers must be able to verify the code in your extension.
Cookies Preferences in Mozilla
network.cookie.cookiebehavior default value: 0 0 = accept all cookies by default 1 = only accept from the originating site (block third party cookies) 2 = block all cookies by default 3 = use p3p settings (note: this is only applicable to older mozilla suite and seamonkey versions.) 4 = storage access policy: block cookies from trackers network.cookie.lifetimepolicy default value: 0 0 = accept cookies normally 1 = prompt for each cookie (prompting was removed in firefox 44) 2 = accept for current session only 3 = accept for n days network.cookie.lifetime.days default value: 90 only used if network.cookie.lifetimepolicy is set to 3 sets the number of days that the lifetime of cookies should ...
... network.cookie.alwaysacceptsessioncookies default value: false only used if network.cookie.lifetimepolicy is set to 1 true = accepts session cookies without prompting false = prompts for session cookies network.cookie.thirdparty.sessiononly default value: false true = restrict third party cookies to the session only false = no restrictions on third party cookies network.cookie.maxnumber default value: 1000 configures the maximum amount of cookies to be stored valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 300 network.cookie.maxperhost default value: 50 configures the maximum amount of cookies to be stored per host valid range is from 0-65535, rfc 2109 and 2965 require this to be at least 20 network.cookie.disablecookieformailnews defa...
Experimental features in Firefox
nightly 33 no developer edition 33 no beta 33 no release 33 no preference name media.track.enabled dom document property: autoplaypolicy the document property autoplaypolicy returns a string indicating how the browser handles requests to automatically play media (either using the autoplay property on a media element or by attempting to trigger playback from javascript code.
... nightly 66 no developer edition 66 no beta 66 no release 66 no preference name dom.media.autoplay.autoplay-policy-api geometryutils methods: convertpointfromnode(), convertrectfromnode(), and convertquadfromnode() the geometryutils methods convertpointfromnode(), convertrectfromnode(), and convertquadfromnode() map the given point, rectangle, or quadruple from the node on which they're called to another node.
Message manager overview
process scripts are most likely to be useful when an extension wants to run some code only once in the content process, to access some global service: for example, to register an observer or a content policy.
...this is the recommended way to load a script that executes just once per child process, which is something you might want to do if you are interacting with some global service (for example, adding listeners to observer notifications or registering a content policy).
Process scripts
for example, in multiprocess firefox, if you need to use nsicontentpolicy to register a content policy, you must do this in the content process.
... but if you register it in a frame script, and the frame script is loaded more than once, you'll register the content policy more than once, which probably isn't what you intend.
Creating localizable web applications
bad: <a href="http://www.mozilla.com/privacy-policy.html"><?= _('privacy policy'); ?></a> snippet 2.
... good: css: a[hreflang="en"]::after { content: " [en]" } html/php: <a href="http://www.mozilla.com/privacy-policy.html" hreflang="en"><?= _('privacy policy'); ?></a> don't mingle app logic and localizable content when using pure html if you decide not to use gettext on some pages (e.g.
NSS 3.15.2 release notes
bug 848384 - deprecate the ssl cipher policy code, as it's no longer relevant.
... it is no longer necessary to call nss_setdomesticpolicy because all cipher suites are now allowed by default.
NSS 3.30 release notes
nss 3.30 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_30_rtm/src/ new in nss 3.30 new functionality in the pkcs#11 root ca module (nssckbi), cas with positive trust are marked with a new boolean attribute, cka_nss_mozilla_ca_policy, set to true.
... new macros in ciferfam.h pkcs12_aes_cbc_128, pkcs12_aes_cbc_192, pkcs12_aes_cbc_256 - cipher family identifiers corresponding to the pkcs#5 v2.1 aes based encryption schemes used in the pkcs#12 support in nss in pkcs11n.h cka_nss_mozilla_ca_policy - identifier for a boolean pkcs#11 attribute, that should be set to true, if a ca is present because of it's acceptance according to the mozilla ca policy notable changes in nss 3.30 the tls server code has been enhanced to support session tickets when no rsa certificate (e.g.
OLD SSL Reference
etdefault ssl_cipherprefsetdefault ssl_cipherprefgetdefault ssl_clearsessioncache ssl_configserversessionidcache initializing multi-processing with a shared ssl server cache ssl_configmpserversidcache ssl_inheritmpserversidcache ssl export policy functions nss_setdomesticpolicy nss_setexportpolicy nss_setfrancepolicy ssl_cipherpolicyset ssl_cipherpolicyget ssl configuration functions ssl configuration ssl_importfd ssl_optionset ...
...ions ssl_forcehandshake ssl_rehandshake ssl_resethandshake nss shutdown function nss_shutdown deprecated functions ssl_enabledefault ssl_enable ssl_enablecipher ssl_setpolicy ssl_redohandshake chapter 5 certificate functions this chapter describes the functions and related types used to work with a certificate database such as the cert7.db database provided with communicator.
sslerr.html
ssl_error_no_ciphers_supported -12265 "no cipher suites are present and enabled in this program." possible causes: (a) all cipher suites have been configured to be disabled, (b) the only cipher suites that are configured to be enabled are those that are disallowed by cipher export policy, (c) the socket is configured to handshake as a server, but the certificate associated with that socket is inappropriate for the key exchange algorithm selected.
... failed because the pkcs#11 token is not logged in." sec_error_ocsp_responder_cert_invalid -8036 "the configured ocsp responder's certificate is invalid." sec_error_ocsp_bad_signature -8035 "ocsp response has an invalid signature." sec_error_out_of_search_limits -8034 "certification validation search is out of search limits." sec_error_invalid_policy_mapping -8033 "policy mapping contains any-policy." sec_error_policy_validation_failed -8032 "certificate chain fails policy validation." sec_error_unknown_aia_location_type -8031 "unknown location type in certificate aia extension." sec_error_bad_http_response -8030 "server returned a bad http response." sec_error_bad_ldap_response -...
SSL functions
function name/documentation source code nss versions nss_getclientauthdata mxr 3.2 and later nss_setdomesticpolicy mxr 3.2 and later nss_setexportpolicy mxr 3.2 and later nss_setfrancepolicy mxr 3.2 and later nssssl_versioncheck mxr 3.2.1 and later ssl_authcertificate mxr 3.2 and later ssl_authcertificatehook mxr 3.2 and later ssl_badcerthook mxr 3.2 and later ssl_certdbhandleset mxr 3.2 and later ...
... ssl_canbypass mxr 3.11.7 and later ssl_cipherpolicyget mxr 3.2 and later ssl_cipherpolicyset mxr 3.2 and later ssl_cipherprefget mxr 3.2 and later ssl_cipherprefgetdefault mxr 3.2 and later ssl_cipherprefset mxr 3.2 and later ssl_cipherprefsetdefault mxr 3.2 and later ssl_clearsessioncache mxr 3.2 and later ssl_configmpserversidcache mxr 3.2 and later ssl_configsecureserver mxr 3.2 and later ssl_configserversessionidcache mxr 3.2 and later ssl_datapending mxr 3.2 and later ssl_forcehandshake mxr 3.2 and later ssl_forcehandshakewithtimeout mxr 3.11.4 and later ssl_getchannelinfo m...
JSCheckAccessOp
jscheckaccessop implementations generally work by using jsdbgapi functions such as js_frameiterator and js_stackframeprincipals to obtain the principals of the code attempting the checked operation, then examining those principals and comparing them with the system's security policy.
... the nature of principals and the security policy are entirely up to the application.
JS_GetSecurityCallbacks
callback structure struct jssecuritycallbacks { jscspevalchecker contentsecuritypolicyallows; // added in spidermonkey 1.8.5 jssubsumesop subsumes; // added in spidermonkey 31 jscheckaccessop checkobjectaccess; // obsolete since jsapi 29 jsprincipalstranscoder principalstranscoder; // obsolete since jsapi 13 jsobjectprincipalsfinder findobjectprincipals; // obsolete since jsapi 13 }; name type description ...
... contentsecuritypolicyallows jscspevalchecker a pointer to the function which checks if a csp instance wants to disable eval() and friends.
Shell global objects
serialize(data, [transferables, [policy]]) serialize data using js_writestructuredclone.
... policy must be an object.
Setting up an update server
this can be done most reliably with an enterprise policy.
... the policy file location depends on the operating system you are using.
Gecko object attributes
other possible values are "polite", "assertive", and "rude", which is a suggestion for the policy when interrupting the user for changes to this region.
... container-live interruption policy.
Starting WebLock
void lock(); void unlock(); this interface does not enforce any policy with respect to how the user enables or disables this feature.
...there is no policy applied to what sites get added or removed to this list, or who can remove a site.
Index
388 nsichannelpolicy interfaces, interfaces:scriptable, xpcom, xpcom interface reference this interface exists to allow the content policy mechanism to function properly during channel redirects.
...(see nsicontentpref below.) 439 nsicontentsecuritypolicy interfaces, interfaces:scriptable, needscontent, xpcom, xpcom interface reference verifies ancestry as permitted by the policy.
nsICacheEntryDescriptor
this fails if the storage policy is not store_in_memory.
... storagepolicy nscachestoragepolicy get or set the storage policy of the cache entry.
XPCOM Interface Reference
inputstreamnsibinaryoutputstreamnsiblocklistpromptnsiblocklistservicensiboxobjectnsibrowserboxobjectnsibrowserhistorynsibrowsersearchservicensicrlinfonsicrlmanagernsicachensicachedeviceinfonsicacheentrydescriptornsicacheentryinfonsicachelistenernsicachemetadatavisitornsicacheservicensicachesessionnsicachevisitornsicachingchannelnsicancelablensicategorymanagernsichannelnsichanneleventsinknsichannelpolicynsicharsetresolvernsichromeframemessagemanagernsichromeregistrynsiclassinfonsiclipboardnsiclipboardcommandsnsiclipboarddragdrophooklistnsiclipboarddragdrophooksnsiclipboardhelpernsiclipboardownernsicollectionnsicommandcontrollernsicommandlinensicommandlinehandlernsicommandlinerunnernsicomponentmanagernsicomponentregistrarnsicompositionstringsynthesizernsiconsolelistenernsiconsolemessagensiconsoles...
...ervicensicontainerboxobjectnsicontentframemessagemanagernsicontentprefnsicontentprefcallback2nsicontentprefobservernsicontentprefservicensicontentprefservice2nsicontentsecuritypolicynsicontentsniffernsicontentviewnsicontentviewmanagernsicontentviewernsicontrollernsicontrollersnsiconverterinputstreamnsiconverteroutputstreamnsicookiensicookie2nsicookieacceptdialognsicookieconsentnsicookiemanagernsicookiemanager2nsicookiepermissionnsicookiepromptservicensicookieservicensicookiestoragensicrashreporternsicryptohmacnsicryptohashnsicurrentcharsetlistenernsicyclecollectorlistenernsidbchangelistenernsidbfolderinfonsidnslistenernsidnsrecordnsidnsrequestnsidnsservicensidomcanvasrenderingcontext2dnsidomchromewindownsidomclientrectnsidomdesktopnotificationnsidomdesktopnotificationcenternsidomelementnsidomeve...
Index
18 cookies in thunderbird cookies, guide, thunderbird in versions of thunderbird prior to 3 the cookie policy was very restrictive (to rss only).
... thunderbird 3 uses the gecko cookie policy with some changes.
AbsoluteOrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Accelerometer.Accelerometer() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Accelerometer.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Accelerometer.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Accelerometer.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Accelerometer - Web APIs
if a feature policy blocks the use of a feature, it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
AmbientLightSensor.illuminance - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
AmbientLightSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Document.domain - Web APIs
the domain property of the document interface gets/sets the domain portion of the origin of the current document, as used by the same origin policy.
... exceptions securityerror an attempt has been made to set domain under one of the following conditions: the document is inside a sandboxed <iframe> the document has no browsing context the document's effective domain is null the given value is not equal to the document's effective domain (or it is not a registerable domain suffix of it) the document-domain feature-policy is enabled examples getting the domain for the uri http://developer.mozilla.org/docs/web, this example sets currentdomain to the string "developer.mozilla.org".
Element.requestFullscreen() - Web APIs
the element is not permitted to use the "fullscreen" feature, either because of feature policy configuration or other access control features.
... additionally, of course, the feature policy "fullscreen" permission must be granted.
Fullscreen API - Web APIs
controlling access the availability of full-screen mode can be controlled using feature policy.
... see using feature policy to learn more about using feature policy to control access to an api.
Gyroscope.Gyroscope() - Web APIs
if a feature policy blocks use of a feature, it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Gyroscope.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Gyroscope.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Gyroscope.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Gyroscope - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
HTMLLinkElement - Web APIs
htmllinkelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use.
... living standard adds the following properties: crossorigin, referrerpolicy, and as.
Basic concepts - Web APIs
like most web storage solutions, indexeddb follows a same-origin policy.
... indexeddb adheres to a same-origin policy.
Browser storage limits and eviction criteria - Web APIs
this will be evicted under a least recently used (lru policy) when storage limits are reached.
... lru policy when the available disk space is filled up, the quota manager will start clearing out data based on an lru policy — the least recently used origin will be deleted first, then the next one, until the browser is no longer over the limit.
LinearAccelerationSensor.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
LinearAccelerationSensor.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
LinearAccelerationSensor.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
LinearAccelerationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Magnetometer.Magnetometer() - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Magnetometer.x - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Magnetometer.y - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Magnetometer.z - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Magnetometer - Web APIs
if a feature policy blocks use of a feature, it's because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Navigator.getBattery() - Web APIs
note: in some browsers access to this feature is controlled by feature-policy directive battery.
...for example, it might not be explicitly allowed or restricted via feature-policy battery feature.
Navigator - Web APIs
navigator.securitypolicy returns an empty string.
... in netscape 4.7x, returns "us & ca domestic policy" or "export policy".
OrientationSensor.populateMatrix() - Web APIs
where: w = cos(θ/2) x = vx * sin(θ/2) y = vy * sin(θ/2) z = vz * sin(θ/2) if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
OrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
RelativeOrientationSensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Screen Capture API - Web APIs
feature policy validation user agents that support feature policy (either using http's feature-policy header or the <iframe> attribute allow) can specify a desire to use the screen capture api using the policy control directive display-capture: <iframe allow="display-capture" src="/some-other-document.html"> the default allow list is self, which lets any content within the document use screen capture.
... see using feature policy for a more in-depth explanation of how feature policy is used.
Screen Wake Lock API - Web APIs
feature policy integration access to screen wake lock api is controlled by feature policy directive screen-wake-lock.
... refer to using feature policy for reference how to use it.
Sensor - Web APIs
if a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server.
...see feature-policy for implementation instructions.
Using the Storage Access API - Web APIs
since embedded content won’t know which storage policy is in use by the user, it’s best to always check whether the embedded frame has storage access before attempting to read or write from storage.
... accessing a user's cookies in an embedded cross-origin iframe in this example we show how an embedded cross-origin <iframe> can access a user’s cookies under a storage access policy that blocks third-party cookies.
WebXR permissions and security - Web APIs
the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.
...this permission comes from the xr-spatial-tracking feature policy.
Starting up and shutting down a WebXR session - Web APIs
first among these is that use of immersive-vr mode—which entirely replaces the user's view of the world—requires that the xr-spatial-tracking feature policy be in place.
... if the session couldn't be created for some reason—such as feature policy disallowing its use or the user declining to grant permission to use the headset—the promise gets rejected.
Web Audio API best practices - Web APIs
autoplay policy browsers have started to implement an autoplay policy, which in general can be summed up as: "create or resume context from inside a user gesture".
... const audioctx = new audiocontext(); const button = document.queryselector('button'); button.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } }, false); you might instead be working with an offlineaudiocontext, in which case you can resume the suspended audio context with the startrendering() method.
Background audio processing using AudioWorklet - Web APIs
in general, the lifetime policy of any audio node is simple: if the node is still considered to be actively processing audio, it will continue to be used.
...in other words, true overrides the api's logic and gives you control over your processor's lifetime policy, keeping the processor's owning audioworkletnode running even when it would otherwise decide to shut down the node.
Window.open() - Web APIs
the returned reference can be used to access properties and methods of the new window as long as it complies with same-origin policy security requirements.
... it is because of the cross-domain script security restriction (also referred as the "same origin policy").
window.postMessage() - Web APIs
normally, scripts on different pages are allowed to access each other if and only if the pages they originate from share the same protocol, port number, and host (also known as the "same-origin policy").
...shared memory is gated behind two http headers: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if ...
WindowOrWorkerGlobalScope.fetch() - Web APIs
the fetch() method is controlled by the connect-src directive of content security policy rather than the directive of the resources it's retrieving.
... referrerpolicy specifies the referrer policy to use for the request.
Web APIs
imer_query ext_float_blend ext_frag_depth ext_srgb ext_shader_texture_lod ext_texture_compression_bptc ext_texture_compression_rgtc ext_texture_filter_anisotropic eckeygenparams eckeyimportparams ecdhkeyderiveparams ecdsaparams effecttiming element elementcssinlinestyle elementtraversal errorevent event eventlistener eventsource eventtarget extendableevent extendablemessageevent f featurepolicy federatedcredential fetchevent file fileentrysync fileerror fileexception filelist filereader filereadersync filerequest filesystem filesystemdirectoryentry filesystemdirectoryreader filesystementry filesystementrysync filesystemfileentry filesystemflags filesystemsync focusevent fontface fontfaceset fontfacesetloadevent formdata formdataentryvalue formdataevent full...
...e svgstyleelement svgswitchelement svgsymbolelement svgtrefelement svgtspanelement svgtests svgtextcontentelement svgtextelement svgtextpathelement svgtextpositioningelement svgtitleelement svgtransform svgtransformlist svgtransformable svgurireference svgunittypes svguseelement svgvkernelement svgviewelement svgzoomandpan screen screenorientation scriptprocessornode scrolltooptions securitypolicyviolationevent selection sensor sensorerrorevent serviceworker serviceworkercontainer serviceworkerglobalscope serviceworkermessageevent serviceworkerregistration serviceworkerstate shadowroot sharedworker sharedworkerglobalscope slottable sourcebuffer sourcebufferlist speechgrammar speechgrammarlist speechrecognition speechrecognitionalternative speechrecognitionerror speech...
Cross-Origin Resource Sharing (CORS) - HTTP
for example, xmlhttprequest and the fetch api follow the same-origin policy.
...modern browsers handle the client side of cross-origin sharing, including headers and policy enforcement.
SameSite cookies - HTTP
cookie “mycookie” has “samesite” policy set to “lax” because it is missing a “samesite” attribute, and “samesite=lax” is the default value for this attribute.
... the warning appears because the samesite policy for a cookie has not specified explicitly: set-cookie: flavor=choco while you could rely on modern browsers to apply samesite=lax automatically, you should rather specify it explicitly to clearly communicate your intent which samesite policy applies to your cookie.
X-Frame-Options - HTTP
note: the content-security-policy http header has a frame-ancestors directive which obsoletes this header for supporting browsers.
...the content-security-policy http header has a frame-ancestors directive which you can use instead.
X-XSS-Protection - HTTP
although these protections are largely unnecessary in modern browsers when sites implement a strong content-security-policy that disables the use of inline javascript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support csp.
... chrome has removed their xss auditor firefox have not, and will not implement x-xss-protection edge have retired their xss filter this means that if you do not need to support legacy browsers, it is recommended that you use content-security-policy without allowing unsafe-inline scripts instead.
<use> - SVG: Scalable Vector Graphics
for security reasons, browsers may apply the same-origin policy on use elements and may refuse to load a cross-origin url in the href attribute.
... there is currently no defined way to set a cross-origin policy for use elements.
preferences/service - Archive of obsolete content
example: require("sdk/preferences/service").set("general.useragent.locale", "chrome://global/locale/intl.properties"); example: setting global preferences var { get, set } = require("sdk/preferences/service"); var { when: unload } = require("sdk/system/unload"); var oldvalue = get("browser.urlbar.autofill"); set("browser.urlbar.autofill", true); // by amo policy global preferences must be changed back to their original value unload(function() { set("browser.urlbar.autofill", oldvalue); }); ...
Images, Tables, and Mysterious Gaps - Archive of obsolete content
should this property be adopted, then any browser supporting it could emulate traditional "shrinkwrap" behavior without risking other layout upset with the following rule: td {line-box-contain: font replaced;} /* proposed for css3 */ there are other possible fixes contained within the current css3 working drafts, such as line-height-
policy.
Misc top level - Archive of obsolete content
back in the early days, this approach worked, because browsers would usually make a table cell exactly as wide and tall as an image it contained.no proxy for configurationthis document provides a comprehensive discussion of the manual proxy feature "no proxy for:", including configuration issues, testing and bugs.same-origin
policy for file: urisin gecko 1.8 or earlier, any two file: uris are considered to be same-origin.
JavaScript Client API - Archive of obsolete content
further, you agree (a) to maintain and link to (including on websites from which your third party client may be downloaded) a separate, conspicuous, and reasonably detailed privacy
policy detailing how data collected or transmitted by your third party client is managed and protected; (b) that your third party client will only store data in encrypted form on the firefox sync servers operated by mozilla; (c) that you and your third party client will use the firefox sync apis solely for their intended purpose; (d) that your third party client will not hide or mask its identity as it ...
2006-11-10 - Archive of obsolete content
trunk / 1_8 for kurdish firefox the firefox translations of the kurdish are only in trunk translating the firefox privacy
policy the final and approved en-us version of privacy
policy is available here and ready for localization team to translate.
2006-12-01 - Archive of obsolete content
summary: mozilla.dev.l10n - december 1, 2006 announcements langpacks for sunbird nightly builds available for testing langpacks for sunbird nightly builds available for testing seamonkey 1.1 late string changes for mail content
policy the fix to bug 360288 has landed.
2006-11-24 - Archive of obsolete content
te of bugs for the firefox 1.5.0.9/2.0.0.1 releases discussion non-ascii rendering performance boris zbarsky made some suggestions on how to improve international font rendering cvs commit access changes a large discussion went on about changes to policies surrounding cvs commit access project drivers and technical oversight mike connor suggested ways to better organize project management,
policy making, and technical oversight.
Introduction to Public-Key Cryptography - Archive of obsolete content
for example, the number of certificates required may be too large for a single ca to maintain; different organizational units may have different
policy requirements; or it may be important for a ca to be physically located in the same geographic area as the people to whom it is issuing certificates.
RDF in Mozilla FAQ - Archive of obsolete content
contributors examples section added 2002-07-02 by danbri thanks to myk melez for notes on remote xul / security
policy author: chris waterson original document information author(s): chris waterson last updated date: december 22, 2004 copyright information: copyright (c) chris waterson ...
Implementing controls using the Gamepad API - Game development
next, we set up two event listeners to get the data: window.addeventlistener("gamepadconnected", gamepadapi.connect); window.addeventlistener("gamepaddisconnected", gamepadapi.disconnect); due to security policy, you have to interact with the controller first while the page is visible for the event to fire.
Forbidden header name - MDN Web Docs Glossary: Definitions of Web-related terms
forbidden header names start with proxy- or sec-, or are one of the following names: accept-charset accept-encoding access-control-request-headers access-control-request-method connection content-length cookie cookie2 date dnt expect feature-policy host keep-alive origin proxy- sec- referer te trailer transfer-encoding upgrade via note: the user-agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in firefox 43) — it can now be set in a fetch headers object, or via xhr setrequestheader().
MDN Web Docs Glossary: Definitions of Web-related terms
responsive web design rest rgb ril robots.txt round trip time (rtt) routers rss rtcp (rtp control protocol) rtf rtl (right to left) rtp (real-time transport protocol) and srtp (secure rtp) rtsp: real-time streaming protocol ruby s safe same-origin policy scm scope screen reader script-supporting element scroll container scrollport sctp sdp search engine second-level domain secure sockets layer (ssl) selector (css) self-executing anonymous function semantics seo serialization server serve...
What is accessibility? - Learn web development
to show that you care and have thought about accessibility, publish an accessibility statement on your site that details what your policy is toward accessibility, and what steps you have taken toward making the site accessible.
Sending forms through JavaScript - Learn web development
xhr.send( urlencodeddata ); } btn.addeventlistener( 'click', function() { senddata( {test:'ok'} ); } ) here's the live result: note: this use of xmlhttprequest is subject to the same-origin policy if you want to send data to a third party web site.
Client-side tooling overview - Learn web development
this part of the tooling should be specific to your own development environment, though it’s not uncommon for companies to have some kind of policy or pre-baked configuration available to install so that all their developers are using the same processes.
Accessibility/LiveRegionDevGuide
the following are guidelines on how to implement each container-live this property determines the interruption policy or politeness level for the event and can have values of "off", "polite", "assertive" and "rude".
Embedding API for Accessibility
setboolpref("browser.accept.applets", acceptapplets); no scripts setboolpref("browser.accept.scripts", acceptscripts); no popup windows // turn window.open off for particular sites: user_pref("capability.policy.popupsites.sites", "http://www.annoyingsite1.com http://www.popupsite2.com"); user_pref("capability.policy.popupsites.windowinternal.open","noaccess"); // or turn it off everywhere: user_pref("capability.policy.default.windowinternal.open","noaccess"); // o...
Links and Resources
guidelines & standards information and resources on section 508 - legal policy for us government purchases requiring software accessibility.
Mozilla’s UAAG evaluation report
here are all the "hidden prefs" lines that can be added to the user's prefs.js file, for controlling popup behavior: turn window.open off for particular sites: user_pref("capability.policy.popupsites.sites", "http://www.annoyingsite1.com http://www.popupsite2.com"); user_pref("capability.policy.popupsites.windowinternal.open", "noaccess"); or turn it off everywhere: user_pref("capability.policy.default.windowinternal.open", "noaccess"); override popping up new windows on target=anything: user_pref("browser.target_new_blocked", true); override popup ...
Installing headers using EXPORTS
here is an example <tt>makefile.in</tt> which has both c++ and idl headers: module = content xpidl_module = content_base exports = \ nsicontent.h \ nsidocument.h \ nsistylesheet.h \ $(null) xpidlsrcs = \ nsicontentpolicy.idl \ nsiselectioncontroller.idl \ $(null) include $(topsrcdir)/config/rules.mk ...
Message manager overview
process scripts are most likely to be useful when chrome code wants to run some code only once in the content process, to access some global service: for example, to register an observer or a content policy.
Errors
this page lists the errors that can be raised due to firefox's anti-tracking functionality, governed by the storage access policy.
Privacy
storage access policy: block cookies from trackers tracking protection ...
WebRequest.jsm
you can use this api to implement a content policy in an add-on (for example, an ad or script blocker), as you could using nsicontentpolicy.
Localizing extension metadata on addons.mozilla.org
the localizable data fields of an extension are: name homepage summary description eula privacy policy version notes developer comments when you submit a new extension to amo, the process is divided into several steps.
Midas
user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.clipboard.paste", "allaccess"); see: more about security preferences note: the shortcut key will automatically trigger this command (typically accel-v) with or without the signed js or any code on the page to handle it.
PR_SetLibraryPath
this allows an environment to express policy decisions globally and lazily, rather than hardcoding and distributing the decisions throughout the code.
Deprecated SSL functions
function name/documentation source code replacement in nss 3.2 ssl_enable mxr ssl_optionset ssl_enablecipher mxr ssl_cipherprefsetdefault ssl_enabledefault mxr ssl_optionsetdefault ssl_redohandshake mxr ssl_rehandshake ssl_setpolicy mxr ssl_cipherpolicyset ...
NSS_3.12.1_release_notes.html
ader file bug 429716: debug builds of libpkix unconditionally dump socket traffic to stdout bug 430368: vfychain -t option is undocumented bug 430369: vfychain -o succeeds even if -pp is not specified bug 430399: vfychain -pp crashes bug 430405: error log is not produced by cert_pkixverifycert bug 430743: update ssltap to understand the tls session ticket extension bug 430859: pkix: policy mapping fails verification with error invalid arguments bug 430875: document the policy for the order of cipher suites in ssl_implementedciphers.
NSS 3.12.4 release notes
new functions in the nss shared library: pk11_isinternalkeyslot (see pk11pub.h) secmod_opennewslot (see pk11pub.h) new error codes (see secerr.h): sec_error_bad_info_access_method sec_error_crl_import_failed new oids (see secoidt.h) sec_oid_x509_any_policy the nssckbi pkcs #11 module's version changed to 1.75.
NSS 3.14 release notes
support for md5 may be manually enabled (but is discouraged) by setting the environment variable of "nss_hash_alg_support=+md5" or by using the nss_setalgorithmpolicy function.
NSS 3.15.5 release notes
notable changes in nss 3.15.5 bug 950129: improve the ocsp fetching policy when verifying ocsp responses bug 949060: validate the iov input argument (an array of priovec structures) of ssl_writev (called via pr_writev).
NSS 3.16.3 release notes
notable changes in nss 3.16.3 the following 1024-bit ca certificates were removed cn = entrust.net secure server certification authority sha1 fingerprint: 99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39 cn = gte cybertrust global root sha1 fingerprint: 97:81:79:50:d8:1c:96:70:cc:34:d8:09:cf:79:44:31:36:7e:f4:74 ou = valicert class 1 policy validation authority sha1 fingerprint: e5:df:74:3c:b6:01:c4:9b:98:43:dc:ab:8c:e8:6a:81:10:9f:e4:8e ou = valicert class 2 policy validation authority sha1 fingerprint: 31:7a:2a:d0:7f:2b:33:5e:f5:a1:c3:4e:4b:57:e8:b7:d8:f1:fc:a6 ou = valicert class 3 policy validation authority sha1 fingerprint: 69:bd:8c:f4:9c:d3:00:fb:59:2e:17:93:ca:55:6a:f3:ec...
NSS 3.16.4 release notes
it was removed in nss 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers.
NSS 3.18.1 release notes
ou = equifax secure certificate authority sha1 fingerprint: d2:32:09:ad:23:d3:14:23:21:74:e4:0d:7f:9d:62:13:97:86:63:3a the following ca certificate was removed after discussion about it in the mozilla.dev.security.policy forum.
NSS 3.21 release notes
ckm_tls_mac - computes tls finished mac in secoidt.h nss_use_alg_in_ssl_kx - policy flag indicating that keys are used in tls key exchange in sslerr.h ssl_error_rx_short_dtls_read - error code for failure to include a complete dtls record in a udp packet ssl_error_no_supported_signature_algorithm - error code for when no valid signature and hash algorithm is available ssl_error_unsupported_signature_algorithm - error code for when an unsupported signature and h...
NSS 3.26 release notes
nss 3.26 source distributions are available on ftp.mozilla.org for secure https download: source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/nss_3_26_rtm/src/ new in nss 3.26 new functionality the selfserv test utility has been enhanced to support alpn (http/1.1) and 0-rtt added support for the system-wide crypto policy available on fedora linux, see http://fedoraproject.org/wiki/changes/cryptopolicy introduced build flag nss_disable_libpkix which allows compilation of nss without the libpkix library notable changes in nss 3.26 the following ca certificate was added cn = isrg root x1 sha-256 fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd...
NSS 3.39 release notes
added the nss-policy-check utility, which can be used to check an nss policy configuration for problems.
NSS 3.43 release notes
g 1529308 - improve gyp build system handling bug 1529950 and bug 1521174 - improve nss s/mime tests for thunderbird bug 1530134 - if docker isn't installed, try running a local clang-format as a fallback bug 1531267 - enable fips mode automatically if the system fips mode flag is set bug 1528262 - add a -j option to the strsclnt command to specify sigschemes bug 1513909 - add manual for nss-policy-check bug 1531074 - fix a deref after a null check in seckey_setpublicvalue bug 1517714 - properly handle esni with hrr bug 1529813 - expose hkdf-expand-label with mechanism bug 1535122 - align tls 1.3 hkdf trace levels bug 1530102 - use getentropy on compatible versions of freebsd.
NSS 3.45 release notes
note: in 3.45 the sslchannelinfo is left unmodified, while an upcoming change in 3.46 will set sslchannelinfo.authkeybits to that of the delegated credential for better policy enforcement.
NSS 3.47 release notes
bug 1542207 - limit policy check on signature algorithms to known algorithms bug 1560329 - drbg: add continuous self-test on entropy source bug 1579290 - asan builds should disable lsan while building bug 1385061 - build nspr tests with nss make; add gyp parameters to build/run nspr tests bug 1577359 - build atob and btoa for thunderbird bug 1579036 - confusing error when trying to export non-existent cert with pk12ut...
PKCS11 FAQ
nss knows about all the mechanisms defined in pkcs #11 version 2.01, but will not perform those that aren't defined by nss's policy mechanism.
NSS tools : vfychain
options -a the following certfile is base64 encoded -b yymmddhhmmz validate date (default: now) -d directory database directory -f enable cert fetching from aia url -o oid set policy oid for cert validation (format oid.1.2.3) -p use pkix library to validate certificate by calling: * cert_verifycertificate if specified once, * cert_pkixverifycert if specified twice and more.
NSS_3.12.3_release_notes.html
.h) seedcontextstr seedcontext new functions in the nss shared library: cert_rfc1485_escapeandquote (see cert.h) cert_comparecerts (see cert.h) cert_registeralternateocspaiainfocallback (see ocsp.h) pk11_getsymkeyhandle (see pk11pqg.h) util_setforkstate (see secoid.h) nss_getalgorithmpolicy (see secoid.h) nss_setalgorithmpolicy (see secoid.h) for the 2 functions above see also (in secoidt.h): nss_use_alg_in_cert_signature nss_use_alg_in_cms_signature nss_use_alg_reserved support for the watcom c compiler is removed the file watcomfx.h is removed.
Network Security Services
pkcs #11 information documentation on pkcs #11 modules implementing pkcs #11 for nss the strings nss uses to load pkcs #11 modules pkcs #11 faq using the jar installation manager to install a pkcs #11 cryptographic module pkcs #11 conformance testing - archived version ca certificates pre-loaded into nss mozilla ca certificate policy list of pre-loaded ca certificates consumers of this list must consider the trust bit setting for each included root certificate.
Small Footprint
class generation library if you do not include optimizer or javaadapter, nor do you use policysecuritycontroller then you do not need rhino library for class file generation and you can remove all the classes from in org.mozilla.classfile package.
Rhino overview
these features allow for the implementation of a traditional url-based security policy for javascript as in netscape navigator.
Rhino shell
note if the shell is invoked with the system property rhino.use_java_policy_security set to true and with a security manager installed, the shell restricts scripts permissions based on their urls according to java policy settings.
Hacking Tips
the other being disable this check in "about:config", by temporarily switching "security.fileuri.strict_origin_policy" to false note 2: the files can be very big and take a long time to load in the browser.
Index
jssecuritycallbacks.contentsecuritypolicyallows: the jssecuritycallbacks.contentsecuritypolicyallows callback is called when a script attempts to access an object property.
Security and the jar protocol
firefox 2.0.0.10 (and firefox 1.5.0.15) fixed a potential security issue in the same origin policy when the jar: protocol was used to load data.
A Web PKI x509 certificate primer
cas apply to have their root certificates included by default in mozilla products by following the mozilla ca certificate policy and applying for inclusion as per ca:how_to_apply.
Preface
finish implementing the weblock component: nsicontentpolicy, file i/o, locking, etc.
Using XPCOM Components
managing cookies from javascript var cmgr = components.classes["@mozilla.org/cookiemanager;1"] .getservice(); cmgr = cmgr.queryinterface(components.interfaces.nsicookiemanager); function loadcookies() { // load cookies into a table var enumerator = cmgr.enumerator; var count = 0; var showpolicyfield = false; while (enumerator.hasmoreelements()) { var nextcookie = enumerator.getnext(); nextcookie = nextcookie.queryinterface(components.interfaces.nsicookie); /* ....
Creating XPCOM components
e modifying paths with nsifile manipulating files with nsifile using nsilocalfile for reading data processing the white list data iweblock method by method lock and unlock addsite removesite setsites getnext getsites hasmoreelements finishing the component using frozen interfaces copying interfaces into your build environment implementing the nsicontentpolicy interface receiving notifications implementing the nsicontentpolicy uniform resource locators checking the white list creating nsiuri objects building the weblock ui user interface package list client code overview xul the xul document the locking ui site adding ui weblock.xul overlaying new user interface into mozilla weblockoverlay.xul other res...
nsIAnnotationService
if they haven't visited a page in a couple of months, they probably aren't interested in many other annotations, the positions of things, or other stuff you create, so put that in the weeks policy.
nsIApplicationCache
clients can open a session with nsicacheservice.createsession() using this client id and a storage policy of store_offline to access this cache.
nsIDownloadManager
download_blocked_policy 9 windows specific: request was blocked by zone policy settings.
nsIRequest
it is the responsibility of the request to implement this policy.
XPCOM Interface Reference by grouping
ocesscontentframemessagemanager nsiscriptableio nsixpcscriptable future nsixmlhttprequestupload obsolete nsixmlrpcclient nsixmlrpcfault security auth nsiauthmodule nsiauthprompt nsiauthpromptprovider nsiauthpromptwrapper nsiasyncverifyredirectcallback content nsicontentpolicy credentials nsilogininfo nsiloginmanager using nsiloginmanager nsiloginmanagerstorage nsiloginmetainfo history nsiglobalhistory nsiglobalhistory2 nsiglobalhistory3 ssl nsibadcertlistener2 system action nsicancelable ...
Xray vision
so when chrome code accesses content objects, it sees them with xray vision: // chrome code var transfer = gbrowser.contentwindow.confirm("transfer all my money?"); // calls the native implementation note that using window.confirm() would be a terrible way to implement a security policy, and is only shown here to illustrate how xray vision works.
Toolkit version format
see maintenance policy for special rules that mark version as "beta" in the amo queues.
CloseEvent - Web APIs
1008 policy violation the endpoint is terminating the connection because it received a message that violates its policy.
Document.cookie - Web APIs
the only way to protect the cookie is by using a different domain or subdomain, due to the same origin policy.
Document.open() - Web APIs
this is no longer the case. document non-spec'ed parameters to document.open gecko-specific notes starting with gecko 1.9, this method is subject to the same same-origin policy as other properties, and does not work if doing so would change the document's origin.
Document - Web APIs
document.featurepolicy read only returns the featurepolicy interface which provides a simple api for introspecting the feature policies applied to a specific document.
Fetch API - Web APIs
in august 2017, the spec changed the default credentials policy to 'same-origin'.
Introduction to the File and Directory Entries API - Web APIs
the file and directory entries api adheres to the same-origin policy the file and directory entries api does not let you create and rename executable files the file system is sandboxed you cannot run your app from file:// the file and directory entries api adheres to the same-origin policy an origin is the domain, application layer protocol, and port of a url of the document where the script is being executed.
HTMLAnchorElement - Web APIs
htmlanchorelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use.
HTMLAreaElement - Web APIs
htmlareaelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use when fetching the linked resource.
HTMLElement - Web APIs
htmlorforeignelement.nonce returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed.
HTMLIFrameElement.src - Web APIs
the htmliframeelement.src property reflects the html referrerpolicy attribute of the <iframe> element defining which referrer is sent when fetching the resource.
HTMLImageElement - Web APIs
htmlimageelement.referrerpolicy a domstring that reflects the referrerpolicy html attribute, which tells the user agent how to decide which referrer to use in order to fetch the image.
HTMLOrForeignElement.nonce - Web APIs
the nonce property of the htmlorforeignelement interface returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed.
HTMLOrForeignElement - Web APIs
properties dataset read only the dataset read-only property of the htmlorforeignelement interface provides read/write access to all the custom data attributes (data-*) set on the element. nonce the nonce property of the htmlorforeignelement interface returns the cryptographic number used once that is used by content security policy to determine whether a given fetch will be allowed to proceed. tabindex the tabindex property of the htmlorforeignelement interface represents the tab order of the current element. methods blur() the htmlelement.blur() method removes keyboard focus from the current element. focus() the htmlelement.focus() method sets focus on the specified element, if it can be focused.
HTMLScriptElement - Web APIs
htmlscriptelement.referrerpolicy is a domstring that reflects the referrerpolicy html attribute indicating which referrer to use when fetching the script, and fetches done by that script.
Using IndexedDB - Web APIs
the resource behind this url is subjected to the * "same origin policy", thus for this method to work, the url must come from * the same origin as the web site/app this code is deployed on.
InterventionReportBody - Web APIs
so for example, a script has been stopped because it was significantly slowing down the browser, or the browser's autoplay policy blocked audio from playing without a user gesture to trigger it.
performance.now() - Web APIs
starting with firefox 79, high resolution timers can be used if you cross-origin isolate your document using the cross-origin-opener-policy and cross-origin-embedder-policy headers: cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp these headers ensure a top-level document does not share a browsing context group with cross-origin documents.
RTCIceCandidate.address - Web APIs
to do this, configure the ice agent's ice transport policy using rtcconfiguration, like this: var rtcconfig = { iceservers: [ { urls: "turn:myturn.server.ip", username: "username", credential: "password" } ], icetransportpolicy: "relay" } by setting rtcconfiguration.icetransportpolicy to "relay", any host candidates (candidates where the ip address is the peer's own ip address) are left out of the pool of candidates, as...
RTCRtpReceiver.transport - Web APIs
note that when bundling is in effect—that is, when the rtcpeerconnection was created with an rtcconfiguration object whose bundlepolicy is max-compat or max-bundle—multiple receivers may be sharing the same transport; in this case, all of them are using the same connection to transmit and/or receive rtp and rtcp packets.
RTCRtpSender.transport - Web APIs
note that when bundling is in effect—that is, when the rtcpeerconnection was created with an rtcconfiguration object whose bundlepolicy is max-compat or max-bundle—multiple senders may be sharing the same transport; in this case, all of them are using the same connection to transmit and/or receive rtp and rtcp packets.
Report.body - Web APIs
depending on what type the report is, the object returned will actually be a deprecationreportbody, interventionreportbody, crashreportbody, or featurepolicyviolationreportbody.
Request - Web APIs
request.referrerpolicy read only contains the referrer policy of the request (e.g., no-referrer).
Using the Resource Timing API - Web APIs
tatic/img/opengraph-logo.png"; var image2 = new image(); image2.src = "http://mozorg.cdn.mozilla.net/media/img/firefox/firefox-256.e2c1fc556816.jpg" // set a callback if the resource buffer becomes filled performance.onresourcetimingbufferfull = buffer_full; } coping with cors when cors is in effect, many of the timing properties' values are returned as zero unless the server's access policy permits these values to be shared.
Resource Timing API - Web APIs
when cors is in effect, many of these values are returned as zero unless the server's access policy permits these values to be shared.
Storage API - Web APIs
each site storage unit has exactly one box into which all of its data is placed, and has a box mode that describes the data retention policy for that box.
WakeLock.request() - Web APIs
exceptions notallowederror thrown when wake lock is not available, which can happen because: document is not allowed to use screen wake lock due to screen-wake-lock policy.
WebXR Device API - Web APIs
permissions and security for webxr the webxr device api has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it.
Advanced techniques: Creating and sequencing audio - Web APIs
isplaying = false; setupsample() .then((sample) => { loadingel.style.display = 'none'; // remove loading screen dtmf = sample; // to be used in our playsample function playbutton.addeventlistener('click', function() { isplaying = !isplaying; if (isplaying) { // start playing // check if context is in suspended state (autoplay policy) if (audioctx.state === 'suspended') { audioctx.resume(); } currentnote = 0; nextnotetime = audioctx.currenttime; scheduler(); // kick off scheduling requestanimationframe(draw); // start the drawing loop.
Using the Web Audio API - Web APIs
// select our play button const playbutton = document.queryselector('button'); playbutton.addeventlistener('click', function() { // check if context is in suspended state (autoplay policy) if (audiocontext.state === 'suspended') { audiocontext.resume(); } // play or pause track depending on state if (this.dataset.playing === 'false') { audioelement.play(); this.dataset.playing = 'true'; } else if (this.dataset.playing === 'true') { audioelement.pause(); this.dataset.playing = 'false'; } }, false); we also need to ...
Window.localStorage - Web APIs
exceptions securityerror the request violates a policy decision, or the origin is not a valid scheme/host/port tuple (this can happen if the origin uses the file: or data: scheme, for example).
Window.resizeBy() - Web APIs
// create resizable window myexternalwindow = window.open("http://myurl.domain", "mywindowname", "resizable"); // resize window to 500x500 myexternalwindow.resizeto(500, 500); // make window relatively smaller to 400x400 myexternalwindow.resizeby(-100, -100); the window you create must respect the same origin policy.
Window.sessionStorage - Web APIs
exceptions securityerror the request violates a policy decision, or the origin is not a valid scheme/host/port tuple (this can happen if the origin uses the file: or data: scheme, for example).
Using XMLHttpRequest - Web APIs
"&" : "?") + (new date()).gettime()); oreq.send(null); security firefox 3 note versions of firefox prior to firefox 3 allowed you to set the preference capability.policy.<policyname>.xmlhttprequest.open to allaccess to give specific sites cross-site access.
XMLHttpRequest.withCredentials - Web APIs
the third-party cookies obtained by setting withcredentials to true will still honor same-origin policy and hence can not be accessed by the requesting script through document.cookie or from response headers.
XRSessionInit - Web APIs
by session type, those are: reference space type user consent requirement feature policy requirement bounded-floor always required xr-spatial-tracking local always required for inline sessions xr-spatial-tracking local-floor always required xr-spatial-tracking unbounded always required xr-spatial-tracking viewer always required — ...
XRSystem: devicechange event - Web APIs
bubbles no cancelable no interface event event handler xrsystem.ondevicechange usage notes devicechange events are not delivered if the document which owns the xrsystem object has been granted permission to do so through the xr-spatial-tracking feature
policy.
Mozilla CSS extensions - CSS: Cascading Style Sheets
ccepted] -moz-animation-name [prefixed version still accepted] -moz-animation-play-state [prefixed version still accepted] -moz-animation-timing-function [prefixed version still accepted] -moz-appearance b -moz-backface-visibility [prefixed version still accepted] -moz-background-clipobsolete since gecko 2 -moz-background-originobsolete since gecko 2 -moz-background-inline-
policyobsolete since gecko 32 [superseded by the standard version box-decoration-break] -moz-background-sizeobsolete since gecko 2 -moz-border-end [superseded by the standard version border-inline-end] -moz-border-end-color [superseded by the standard version border-inline-end-color] -moz-border-end-style [superseded by the standard version border-inline-end-style] -moz-border-end-width [su...
WAI ARIA Live Regions/API Support - Developer guides
cs from an event: for any mutation event in a page, the author can get the following object attributes from the event object, if they are defined on some ancestor element (closest ancestor wins). For each object attribute the table gives its possible values, the default value if not specified, its meaning, and the ARIA markup it comes from, if required:
container-live: possible values "off" | "polite" | "assertive"; default "off"; meaning: interruption policy; ARIA markup: aria-live on ancestor element
container-relevant: possible values "[additions] [removals] [text]" | "all"; default "additions text"; meaning: what types of mutations are possibly relevant?
Making content editable - Developer guides
You can enable them by setting the preferences shown below using about:config: user_pref("capability.policy.policynames", "allowclipboard"); user_pref("capability.policy.allowclipboard.sites", "https://www.mozilla.org"); user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess"); user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess"); Example: a simple but complete rich text editor <!doctype html> <html> <head> <title>Rich Text Editor</title> <script type="text/j...
Proxy Auto-Configuration (PAC) file - HTTP
In Chrome (versions 52 to 73), you can disable this by setting PacHttpsUrlStrippingEnabled to false in policy or by launching with the --unsafe-pac-url command-line flag (in Chrome 74, only the flag works, and from 75 onward, there is no way to disable path-stripping; as of Chrome 81, path-stripping does not apply to HTTP URLs, but there is interest in changing this behavior to match HTTPS); in Firefox, the preference is network.proxy.autoconfig_url.include_path.
HTTP resources and specifications - HTTP
Cross-Origin Resource Sharing: Living Standard; RFC 7034, HTTP Header Field X-Frame-Options: Informational; RFC 6797, HTTP Strict Transport Security (HSTS): Proposed Standard; Upgrade Insecure Requests: Candidate Recommendation; Content Security Policy 1.0 (Content Security Policy 1.0; CSP 1.1 and CSP 3.0 don't extend the HTTP standard): Obsolete; Microsoft document specifying legacy document modes* (defines X-UA-Compatible): Note; RFC 5689, HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV): these extensions of the Web, as well as CardDAV and CalDAV, are out-of-scope for HTTP on the Web.
HTTP
CSP directives: the Content-Security-Policy response header field allows web site administrators to control the resources the user agent is allowed to load for a given page.
SharedArrayBuffer - JavaScript
For top-level documents, two headers will need to be set to cross-origin isolate your site: Cross-Origin-Opener-Policy with same-origin as value (protects your origin from attackers); Cross-Origin-Embedder-Policy with require-corp as value (protects victims from your origin). Cross-Origin-Opener-Policy: same-origin; Cross-Origin-Embedder-Policy: require-corp. To check if cross-origin isolation has been successful, you can test against the crossOriginIsolated property available to window and worker contexts: if ...
SVG Attribute reference - SVG: Scalable Vector Graphics
ethod min mode n name numoctaves o offset opacity operator order orient orientation origin overflow overline-position overline-thickness p panose-1 paint-order path pathlength patterncontentunits patterntransform patternunits ping pointer-events points pointsatx pointsaty pointsatz preservealpha preserveaspectratio primitiveunits r r radius referrerpolicy refx refy rel rendering-intent repeatcount repeatdur requiredextensions requiredfeatures restart result rotate rx ry s scale seed shape-rendering slope spacing specularconstant specularexponent speed spreadmethod startoffset stddeviation stemh stemv stitchtiles stop-color stop-opacity strikethrough-position strikethrough-thickness string stroke stroke-dasharr...
Mixed content - Web security
As well as finding these warnings in the web console, you could use Content Security Policy (CSP) to report issues.
Securing your site - Web security
Content Security Policy: an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.