web-platform-dx · Elchi3 · Oct 23, 2024 · Oct 14, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/features/draft/spec/csp3.yml → features/csp.yml b/features/draft/spec/csp3.yml → features/csp.yml
@@ -1,8 +1,16 @@
-draft_date: 2024-10-21
-name: Content Security Policy Level 3
-description: TODO
+name: Content Security Policy (CSP)
+description: Content Security Policy (CSP) helps to mitigate certain security threats, including cross-site scripting (XSS) and clickjacking attacks. It consists of a set of directives from a website to a browser, which instruct the browser to restrict the things that the site is allowed to do.
 spec: https://w3c.github.io/webappsec-csp/
+caniuse:
+  - contentsecuritypolicy
+  - contentsecuritypolicy2
+group: security
+status:
+  compute_from: http.headers.Content-Security-Policy
 compat_features:
+  # - http.headers.Content-Security-Policy.block-all-mixed-content (deprecated in BCD)
+  # - http.headers.Content-Security-Policy.prefetch-src (deprecated in BCD)
+  # - http.headers.Content-Security-Policy.report-uri (deprecated in BCD)
   - api.CSPViolationReportBody
   - api.CSPViolationReportBody.blockedURL
   - api.CSPViolationReportBody.columnNumber
@@ -16,7 +24,9 @@ compat_features:
   - api.CSPViolationReportBody.sourceFile
   - api.CSPViolationReportBody.statusCode
   - api.CSPViolationReportBody.toJSON
+  - api.Document.securitypolicyviolation_event
   - api.Element.securitypolicyviolation_event
+  - api.HTMLIFrameElement.csp
   - api.SecurityPolicyViolationEvent
   - api.SecurityPolicyViolationEvent.SecurityPolicyViolationEvent
   - api.SecurityPolicyViolationEvent.blockedURI
@@ -33,6 +43,8 @@ compat_features:
   - api.SecurityPolicyViolationEvent.violatedDirective
   - api.SecurityPolicyViolationEvent.worker_support
   - api.WorkerGlobalScope.securitypolicyviolation_event
+  - html.elements.iframe.csp
+  - html.elements.meta.http-equiv.content-security-policy
   - http.headers.Content-Security-Policy
   - http.headers.Content-Security-Policy-Report-Only
   - http.headers.Content-Security-Policy.base-uri
@@ -61,5 +73,6 @@ compat_features:
   - http.headers.Content-Security-Policy.style-src-attr
   - http.headers.Content-Security-Policy.style-src-elem
   - http.headers.Content-Security-Policy.unsafe-hashes
+  - http.headers.Content-Security-Policy.upgrade-insecure-requests
   - http.headers.Content-Security-Policy.worker-src
   - http.headers.Content-Security-Policy.worker_support
diff --git a/features/draft/spec/csp3.yml.dist → features/csp.yml.dist b/features/draft/spec/csp3.yml.dist → features/csp.yml.dist
@@ -1,13 +1,20 @@
-# Generated from: csp3.yml
+# Generated from: csp.yml
 # Do not edit this file by hand. Edit the source file instead!
 
 status:
-  baseline: false
+  baseline: high
+  baseline_low_date: 2016-08-02
+  baseline_high_date: 2019-02-02
   support:
-    chrome: "97"
-    chrome_android: "97"
-    edge: "97"
+    chrome: "25"
+    chrome_android: "25"
+    edge: "14"
+    firefox: "23"
+    firefox_android: "23"
+    safari: "7"
+    safari_ios: "7"
 compat_features:
+  # ⬇️ Same status as overall feature ⬇️
   # baseline: high
   # baseline_low_date: 2016-08-02
   # baseline_high_date: 2019-02-02
@@ -82,6 +89,19 @@ compat_features:
   #   safari_ios: "9.3"
   - http.headers.Content-Security-Policy.child-src
 
+  # baseline: high
+  # baseline_low_date: 2017-06-06
+  # baseline_high_date: 2019-12-06
+  # support:
+  #   chrome: ≤59
+  #   chrome_android: "59"
+  #   edge: "12"
+  #   firefox: "1"
+  #   firefox_android: "4"
+  #   safari: ≤10.1
+  #   safari_ios: ≤10.3
+  - html.elements.meta.http-equiv.content-security-policy
+
   # baseline: high
   # baseline_low_date: 2018-01-23
   # baseline_high_date: 2020-07-23
@@ -95,6 +115,19 @@ compat_features:
   #   safari_ios: "9.3"
   - http.headers.Content-Security-Policy.frame-ancestors
 
+  # baseline: high
+  # baseline_low_date: 2018-04-30
+  # baseline_high_date: 2020-10-30
+  # support:
+  #   chrome: "43"
+  #   chrome_android: "43"
+  #   edge: "17"
+  #   firefox: "42"
+  #   firefox_android: "42"
+  #   safari: "10.1"
+  #   safari_ios: "10.3"
+  - http.headers.Content-Security-Policy.upgrade-insecure-requests
+
   # baseline: high
   # baseline_low_date: ≤2018-10-02
   # baseline_high_date: ≤2021-04-02
@@ -212,6 +245,19 @@ compat_features:
   #   safari_ios: "15.4"
   - http.headers.Content-Security-Policy.report-sample
 
+  # baseline: high
+  # baseline_low_date: 2022-03-14
+  # baseline_high_date: 2024-09-14
+  # support:
+  #   chrome: "76"
+  #   chrome_android: "76"
+  #   edge: "79"
+  #   firefox: "93"
+  #   firefox_android: "93"
+  #   safari: "15.4"
+  #   safari_ios: "15.4"
+  - api.Document.securitypolicyviolation_event
+
   # baseline: low
   # baseline_low_date: 2022-05-16
   # support:
@@ -303,6 +349,14 @@ compat_features:
   #   safari_ios: "16.4"
   - http.headers.Content-Security-Policy.report-to
 
+  # baseline: false
+  # support:
+  #   chrome: "61"
+  #   chrome_android: "61"
+  #   edge: "79"
+  - api.HTMLIFrameElement.csp
+  - html.elements.iframe.csp
+
   # baseline: false
   # support:
   #   chrome: "74"

diff --git a/features/draft/spec/csp-embedded-enforcement.yml b/features/draft/spec/csp-embedded-enforcement.yml
diff --git a/features/draft/spec/csp-embedded-enforcement.yml.dist b/features/draft/spec/csp-embedded-enforcement.yml.dist
diff --git a/groups/security.yml b/groups/security.yml
@@ -0,0 +1,3 @@
+# Features related to web application security
+# See also SWAG CG https://github.com/w3c-cg/swag/issues/2
+name: Security