ElyDotDev/content-security-policy-example.txt Secret

## content-security-policy-example.txt
Content-Security-Policy: default-src: 'self'; script-src: 'self' static.domain.tld

## forbidden-context-for-untrusted-data.html
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   Directly in a script

<!--...NEVER PUT UNTRUSTED DATA HERE...-->             Inside an HTML comment

<div ...NEVER PUT UNTRUSTED DATA HERE...=test />       In an attribute name

<NEVER PUT UNTRUSTED DATA HERE... href="/test" />      In a tag name

<style>...NEVER PUT UNTRUSTED DATA HERE...</style>     Directly in CSS

## rule-1-characters-to-escape.html
& -->   &amp;
< -->   &lt;
> -->   &gt;
" -->   &quot;
' -->   &#x27;     &apos; not recommended because its not in the HTML spec. &apos; is in the XML and XHTML specs.
/ -->   &#x2F;     Forward slash is included as it helps end an HTML entity

## rule-1-normal-tags.html
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>

 <div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>

 any other normal HTML elements

## rule-2-html-tag-attributes.html
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>     Inside UNquoted attribute

<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   Inside single quoted attribute

<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   Inside double quoted attribute

## rule-3-dangerous-javascript-functions.html
<script>
   window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>

## rule-3-javascript-data-values.html
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>     Inside a quoted string

<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>          One side of a quoted expression

<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div>  Inside quoted event handler

## rule-4-css-special-contexts.css
{ background-url : "javascript:alert(1)"; }  // and all other URLs
{ text-size: "expression(alert('XSS'))"; }   // only in IE

## rule-4-style-property-values.html
 <style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>     property value

 <style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>   property value

 <span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span>       property value

## rule-5-url-parameter-values.html
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >
	& --> &
	< --> <
	> --> >
	" --> "
	' --> ' ' not recommended because its not in the HTML spec. ' is in the XML and XHTML specs.
	/ --> / Forward slash is included as it helps end an HTML entity
	<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>

	<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>

	any other normal HTML elements
	<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div> Inside UNquoted attribute

	<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div> Inside single quoted attribute

	<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div> Inside double quoted attribute
	<script>
	window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
	</script>
	<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> Inside a quoted string

	<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> One side of a quoted expression

	<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div> Inside quoted event handler
	{ background-url : "javascript:alert(1)"; } // and all other URLs
	{ text-size: "expression(alert('XSS'))"; } // only in IE
	<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value

	<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value

	<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span> property value