diff --git a/index.html b/index.html index 50f1b33af9..2340cc7abd 100644 --- a/index.html +++ b/index.html @@ -1421,7 +1421,7 @@

Content Security Policy Level 3

-

Editor’s Draft,

+

Editor’s Draft,

This version: @@ -1429,7 +1429,7 @@

https://www.w3.org/TR/CSP3/
Previous Versions: -
https://www.w3.org/TR/2016/WD-CSP3-20160801/ +
https://www.w3.org/TR/2016/WD-CSP3-20160818/
Version History:
https://github.com/w3c/webappsec-csp/commits/master/index.src.html
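Review bot: the 20160801 entry under Previous Versions is replaced by the 20160818 one rather than kept alongside it; if this list is meant to enumerate every published Working Draft, keep both URLs, otherwise the one-entry replacement is fine. Either way, confirm that https://www.w3.org/TR/2016/WD-CSP3-20160818/ actually resolves before merging, since a dangling Previous Versions link tends to go unnoticed until the next publication.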
Feedback: @@ -1792,7 +1792,7 @@

1.2.

-

Note: Both effectiveDirective and violatedDirective are the same value. +

Note: Both effectiveDirective and violatedDirective are the same value. This is intentional to maintain backwards compatibility.

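Review bot: the added sentence says the duplicated value is intentional for backwards compatibility but not with what; say which consumers or which earlier behaviour of effectiveDirective and violatedDirective it preserves, so a reader can tell when the duplication could be retired. As written, "This is intentional to maintain backwards compatibility." answers the why only halfway.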
  • If violation’s policy’s directive @@ -2749,7 +2750,7 @@

    origin

    -

    violation’s global object’s origin

    +

    violation’s global object’s origin

    window

    @@ -2757,7 +2758,7 @@

    client

    -

    violation’s global object’s relevant +

    violation’s global object’s relevant settings object

    destination

    @@ -2811,7 +2812,7 @@

    value.

  • Let settings object be violation’s global - object’s relevant settings object.

    + object’s relevant settings object.

  • Execute [OOB-REPORTING]'s Queue data as type for endpoint group on settings algorithm with the following arguments:

    @@ -2864,8 +2865,8 @@

    script-src allows developers to whitelist trusted sources of script to execute on a page, while font-src controls the sources of web fonts.

    6.1.1. child-src

    -

    The child-src directive governs the creation of nested browsing - contexts (e.g. iframe and frame navigations) and Worker execution +

    The child-src directive governs the creation of nested browsing + contexts (e.g. iframe and frame navigations) and Worker execution contexts. The syntax for the directive’s name and value is described by the following ABNF:

    directive-name  = "child-src"
    @@ -2876,11 +2877,11 @@ 

    @@ -2931,7 +2932,7 @@

    serialized-source-list

    This directive controls requests which transmit or receive data from - other origins. This includes APIs like fetch(), [XHR], [EVENTSOURCE], [BEACON], and a's ping. This directive also controls + other origins. This includes APIs like fetch(), [XHR], [EVENTSOURCE], [BEACON], and a's ping. This directive also controls WebSocket [WEBSOCKETS] connections, though those aren’t technically part of Fetch.

    @@ -3147,7 +3148,7 @@
    Allowed".

    6.1.5. frame-src

    -

    The frame-src directive restricts the URLs which may be loaded into nested browsing contexts. The syntax for the directive’s name and value +

    The frame-src directive restricts the URLs which may be loaded into nested browsing contexts. The syntax for the directive’s name and value is described by the following ABNF:

    directive-name  = "frame-src"
     directive-value = serialized-source-list
    @@ -3169,7 +3170,7 @@ 

    Assert: policy is unused.

  • -

    If request’s type is "document" and target browsing context is a nested browsing +

    If request’s type is "document" and target browsing context is a nested browsing context:

    1. @@ -3186,7 +3187,7 @@

      Assert: policy is unused.

    2. -

      If request’s type is "document" and target browsing context is a nested browsing +

      If request’s type is "document" and target browsing context is a nested browsing context:

      1. @@ -3365,14 +3366,14 @@

        </applet>

  • -

    If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based +

    If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed.

    Note: The object-src directive acts upon any request made on behalf of - an object, embed, or applet element. This includes requests - which would populate the nested browsing context generated by the + an object, embed, or applet element. This includes requests + which would populate the nested browsing context generated by the former two (also including navigations). This is true even when the data is semantically equivalent to content which would otherwise be restricted by - another directive, such as an object element with a text/html MIME + another directive, such as an object element with a text/html MIME type.

    6.1.9.1. object-src Pre-request check

    This directive’s pre-request check is as follows:

    @@ -3408,7 +3409,7 @@
    6.1.10. script-src

    The script-src directive restricts the locations from which scripts - may be executed. This includes not only URLs loaded directly into script elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s + may be executed. This includes not only URLs loaded directly into script elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s name and value is described by the following ABNF:

    directive-name  = "script-src"
     directive-value = serialized-source-list
    @@ -3421,7 +3422,7 @@ 

    Script responses MUST pass through §4.1.4 Should response to request be blocked by Content Security Policy?.

  • -

    Inline script blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. Their +

    Inline script blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. Their behavior will be blocked unless every policy allows inline script, either implicitly by not specifying a script-src (or default-src) directive, or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches @@ -3469,8 +3470,8 @@

    If this directive’s value does not - contain a source expression whose hash-algorithm is a case-sensitive match - for source’s hash-algo component, and whose base64-value is a case-sensitive match + contain a source expression whose hash-algorithm is a case-sensitive match + for source’s hash-algo component, and whose base64-value is a case-sensitive match for source’s base64-value, then set bypass due to integrity match to false.

    @@ -3483,7 +3484,7 @@
    [SRI] to block non-matching resources upon response.

  • If this directive’s value contains a source - expression that is an ASCII case-insensitive match for + expression that is an ASCII case-insensitive match for the "'strict-dynamic'" keyword-source:

    1. @@ -3530,9 +3531,8 @@
      If type is "script attribute":

      1. -

        If list contains a source expression which is an ASCII - case-insensitive match for the keyword-source "'strict-dynamic'", and does not contain a source expression which is an ASCII case-insensitive - match for the keyword-source "'unsafe-hashed-attributes'", return "Blocked".

        +

        If list contains a source expression which is an ASCII + case-insensitive match for the keyword-source "'strict-dynamic'", and does not contain a source expression which is an ASCII case-insensitive match for the keyword-source "'unsafe-hashed-attributes'", return "Blocked".

      2. If the result of executing §6.6.2.1 Does element match source list for type and source? on element, this directive’s value, type, and source, is "Does Not Match", return "Blocked".

        @@ -3541,8 +3541,8 @@
        If type is "script":

        1. -

          If list contains a source expression which is an ASCII - case-insensitive match for the keyword-source "'strict-dynamic'", return "Blocked".

          +

          If list contains a source expression which is an ASCII + case-insensitive match for the keyword-source "'strict-dynamic'", return "Blocked".

          Note: "'strict-dynamic'" is explained in more detail in §8.2 Usage of "'strict-dynamic'".

        2. @@ -3566,7 +3566,7 @@

          1. -

            Stylesheet requests originating from a link element.

            +

            Stylesheet requests originating from a link element.

          2. Stylesheet requests originating from the @import rule.

          3. @@ -3577,7 +3577,7 @@

            Responses to style requests MUST pass through §4.1.4 Should response to request be blocked by Content Security Policy?.

          4. -

            Inline style blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. The +

            Inline style blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. The styles will be blocked unless every policy allows inline style, either implicitly by not specifying a style-src (or default-src) directive, or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches @@ -3658,7 +3658,7 @@

            6.1.12. worker-src

            The worker-src directive restricts the URLs which may be loaded as - a Worker, SharedWorker, or ServiceWorker. The syntax for the + a Worker, SharedWorker, or ServiceWorker. The syntax for the directive’s name and value is described by the following ABNF:

            directive-name  = "worker-src"
             directive-value = serialized-source-list
            @@ -3715,18 +3715,18 @@ 

            6.2.1. base-uri

            The base-uri directive restricts the URLs which can be used in - a Document's base element. The syntax for the directive’s name and + a Document's base element. The syntax for the directive’s name and value is described by the following ABNF:

            directive-name  = "base-uri"
             directive-value = serialized-source-list
             
            -

            The following algorithm is called during HTML’s set the frozen base url algorithm in order to monitor and enforce this directive:

            +

            The following algorithm is called during HTML’s set the frozen base url algorithm in order to monitor and enforce this directive:

            6.2.1.1. Is base allowed for document?

            Given a URL (base), and a Document (document), this algorithm - returns "Allowed" if base may be used as the value of a base element’s href attribute, and "Blocked" otherwise:

            + returns "Allowed" if base may be used as the value of a base element’s href attribute, and "Blocked" otherwise:

            1. -

              For each policy in document’s global object’s csp list:

              +

              For each policy in document’s global object’s csp list:

              1. Let source list be null.

                @@ -3737,11 +3737,11 @@

                If source list is null, skip to the next policy.

              2. -

                If the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on base, source list, document’s relevant settings +

                If the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on base, source list, document’s relevant settings object’s origin, and 0 is "Does Not Match":

                1. -

                  Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global +

                  Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global object, policy, and "base-uri".

                2. Set violation’s resource to "inline".

                  @@ -3766,10 +3766,10 @@

                  media-type = type "/" subtype ; type and subtype are defined in RFC 2045

            -

            If a plugin-types directive is present, instantiation of an embed or object element will fail if any of the following conditions hold:

            +

            If a plugin-types directive is present, instantiation of an embed or object element will fail if any of the following conditions hold:

            1. -

              The element does not explicitly declare a valid MIME type via a type attribute.

              +

              The element does not explicitly declare a valid MIME type via a type attribute.

            2. The declared type does not match one of the items in the directive’s value.

              @@ -3812,7 +3812,7 @@

              Let type be the result of extracting a MIME type from response’s header list.

            3. -

              If type is not an ASCII case-insensitive match for any item +

              If type is not an ASCII case-insensitive match for any item in this directive’s value, return "Blocked".

          5. @@ -3826,13 +3826,13 @@
          6. -

            For each policy in plugin element’s node document’s CSP list:

            +

            For each policy in plugin element’s node document’s CSP list:

            1. If policy contains a directive (directive) whose name is plugin-types:

              1. -

                Let type be "application/x-java-applet" if plugin element is an applet element, or plugin element’s type attribute’s +

                Let type be "application/x-java-applet" if plugin element is an applet element, or plugin element’s type attribute’s value if present, or "null" otherwise.

              2. Return "Blocked" if any of the following are true:

                @@ -3840,9 +3840,9 @@

                type is null.

              3. -

                type is not a valid MIME type.

                +

                type is not a valid MIME type.

              4. -

                type is not an ASCII case-insensitive match for any +

                type is not an ASCII case-insensitive match for any item in directive’s value.

            @@ -3853,16 +3853,16 @@
            6.2.3. sandbox

            The sandbox directive specifies an HTML sandbox policy which the user agent will apply to a resource, just as though it had been included in - an iframe with a sandbox property.

            + an iframe with a sandbox property.

            The directive’s syntax is described by the following ABNF grammar, with the additional requirement that each token value MUST be one of the - keywords defined by HTML specification as allowed values for the iframe sandbox attribute [HTML].

            + keywords defined by HTML specification as allowed values for the iframe sandbox attribute [HTML].

            directive-name  = "sandbox"
             directive-value = "" / token *( RWS token )
             

            This directive has no reporting requirements; it will be ignored entirely when delivered in a Content-Security-Policy-Report-Only header, or within - a meta element.

            + a meta element.

            6.2.3.1. sandbox Response Check

            This directive’s response check algorithm is as follows:

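Review bot: in the first changed paragraph, "an iframe with a sandbox property" should read "sandbox attribute"; the same hunk already says "iframe sandbox attribute" two paragraphs later, and sandbox is an HTML content attribute, not a property. Worth fixing while the line is being touched anyway.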
            @@ -3878,10 +3878,10 @@
            serviceworker", "sharedworker", or "worker":

            1. -

              If the result of the Parse a sandboxing directive algorithm +

              If the result of the Parse a sandboxing directive algorithm using this directive’s value as the input - contains either the sandboxed scripts browsing context flag or - the sandboxed origin browsing context flag flags, return + contains either the sandboxed scripts browsing context flag or + the sandboxed origin browsing context flag flags, return "Blocked".

              Note: This will need to change if we allow Workers to be sandboxed into unique origins, which seems like a pretty reasonable thing to do.

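Review bot: the rewrapped step still reads "the sandboxed origin browsing context flag flags, return "Blocked"", with a stray "flags" after "flag"; since this line is already being changed for whitespace, drop the extra word in the same commit.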
              @@ -3891,9 +3891,9 @@
              6.2.3.2. sandbox Initialization

              This directive’s initialization algorithm is - responsible for adjusting a Document's forced sandboxing flag set according to the sandbox values present in its policies, as + responsible for adjusting a Document's forced sandboxing flag set according to the sandbox values present in its policies, as follows:

              -

              Given a Document or global object (context), a response (response), and a policy (policy):

              +

              Given a Document or global object (context), a response (response), and a policy (policy):

              1. Assert: response is unused.

                @@ -3902,19 +3902,19 @@
                Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do.

              2. -

                Parse a sandboxing directive using this directive’s value as the input, and context’s forced +

                Parse a sandboxing directive using this directive’s value as the input, and context’s forced sandboxing flag set as the output.

              6.2.4. disown-opener

              The disown-opener directive ensures that a resource - will disown its opener when navigated to. The directive’s syntax is + will disown its opener when navigated to. The directive’s syntax is described by the following ABNF grammar:

              directive-name  = "disown-opener"
               directive-value = ""
               

              This directive has no reporting requirements; it will be ignored entirely when delivered in a Content-Security-Policy-Report-Only header, or within - a meta element.

              + a meta element.

              Not sure this is the right model. We need to ensure that we take care of the inverse as well, and there might be a cleverer syntax that could encompass both a @@ -3923,15 +3923,15 @@

              6.2.4.1. disown-opener Initialization

              This directive’s initialization algorithm is as follows:

              -

              Given a Document or global object (context), a response (response), and a policy (policy):

              +

              Given a Document or global object (context), a response (response), and a policy (policy):

              1. Assert: response and policy are unused.

              2. -

                If context’s responsible browsing context has an opener browsing - context, disown its opener.

                +

                If context’s responsible browsing context has an opener browsing + context, disown its opener.

              -

              What should this do in an iframe? Anything?

              +

              What should this do in an iframe? Anything?

              6.3. Navigation Directives

              6.3.1. form-action

              The form-action directive restricts the URLs which can be used @@ -3942,7 +3942,7 @@

              6.3.1.1. form-action Pre-Navigation Check

              Given a request (request), a string (type, "form-submission or - "other") and two browsing contexts (source and target), this + "other") and two browsing contexts (source and target), this algorithm returns "Blocked" if one or more of the ancestors of target violate the frame-ancestors directive delivered with the response, and "Allowed" otherwise. This constitutes the form-action' directive’s pre-navigation check:

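Review bot: the reflowed description of the form-action pre-navigation check still says the algorithm returns "Blocked" if one or more of the ancestors of target violate the frame-ancestors directive, which is the frame-ancestors wording (it reappears verbatim in the frame-ancestors hunk below) and does not describe form-action; presumably it should say the check returns "Blocked" when, for a "form-submission" navigation, request's URL does not match this directive's value. The same line also has an unmatched quote in "form-submission or "other")". Both sit in a line this hunk already touches.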
                @@ -3960,7 +3960,7 @@
                6.3.2. frame-ancestors

                The frame-ancestors directive restricts the URLs which can - embed the resource using frame, iframe, object, embed, or applet element. Resources can use this directive to avoid many UI + embed the resource using frame, iframe, object, embed, or applet element. Resources can use this directive to avoid many UI Redressing [UISECURITY] attacks, by avoiding the risk of being embedded into potentially hostile contexts.

                The directive’s syntax is described by the following ABNF grammar:

                @@ -3971,12 +3971,12 @@

                ancestor-source = scheme-source / host-source / "'self'"

  • The frame-ancestors directive MUST be ignored when contained in a policy - declared via a meta element.

    + declared via a meta element.

    Note: The frame-ancestors directive’s syntax is similar to a source list, but frame-ancestors will not fall back to the default-src directive’s value if one is specified. That is, a policy that declares default-src 'none' will still allow the resource to be embedded by anyone.

    6.3.2.1. frame-ancestors Navigation Response Check

    Given a request (request), a response (navigation response) - and two browsing contexts (source and target), this algorithm + and two browsing contexts (source and target), this algorithm returns "Blocked" if one or more of the ancestors of target violate the frame-ancestors directive delivered with the response, and "Allowed" otherwise. This constitutes the frame-ancestors' directive’s navigation response check:

    @@ -3986,16 +3986,16 @@
    -

    If target is not a nested browsing context, return "Allowed".

    +

    If target is not a nested browsing context, return "Allowed".

  • Let current be target.

  • -

    While current has a parent browsing context (parent):

    +

    While current has a parent browsing context (parent):

    1. Set current to parent.

    2. -

      Let origin be the result of executing the URL parser on the unicode serialization of parent’s active document’s origin.

      +

      Let origin be the result of executing the URL parser on the unicode serialization of parent’s active document’s origin.

    3. If §6.6.1.5 Does url match source list in origin with redirect count? returns Does Not Match when executed upon origin, this directive’s value, navigation response’s url’s origin, and 0, return @@ -4085,7 +4085,7 @@

      If expression matches the nonce-source grammar, - and nonce is a case-sensitive match for expression’s base64-value part, return "Matches".

      + and nonce is a case-sensitive match for expression’s base64-value part, return "Matches".

  • Return "Does Not Match".

    @@ -4101,7 +4101,7 @@
    Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable.

    6.6.1.5. Does url match source list in origin with redirect count?
    -

    Given a URL (url), a source list (source list), an origin (origin), and a number (redirect count), this +

    Given a URL (url), a source list (source list), an origin (origin), and a number (redirect count), this algorithm returns "Matches" if the URL matches one or more source expressions in source list, or "Does Not Match" otherwise:

      @@ -4110,8 +4110,8 @@

      If source list is an empty list, return "Does Not Match".

    1. -

      If source list contains a single item which is an ASCII - case-insensitive match for the string "'none'", return "Does Not Match".

      +

      If source list contains a single item which is an ASCII + case-insensitive match for the string "'none'", return "Does Not Match".

      Note: An empty source list (that is, a directive without a value: script-src, as opposed to script-src host1) is equivalent to a source list containing 'none', and will not match any URL.

      @@ -4127,34 +4127,41 @@
      Does Not Match".

    6.6.1.6. Does url match expression in origin with redirect count?
    -

    Given a URL (url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm +

    Given a URL (url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm returns "Matches" if url matches expression, and "Does Not Match" otherwise.

    -

    Note: origin is the origin of the resource relative to which the expression should be resolved. "'self'", for instance, will have distinct +

    Note: origin is the origin of the resource relative to which the expression should be resolved. "'self'", for instance, will have distinct meaning depending on that bit of context.

    1. -

      If expression is the string "*", and url’s scheme is a network scheme, return "Matches".

      -

      Note: This logic means that in order to allow resource from non-network scheme, - it has to be explicitly whitelisted: default-src * data: custom-scheme-1: custom-scheme-2:. - In other words, there is no semantic representation of most permissive expression.

      +

      If expression is the string "*", return "Matches" if one or more of + the following conditions is met:

      +
        +
      1. +

        url’s scheme is a network scheme.

        +
      2. +

        url’s scheme is the same as origin’s scheme.

        +
      +

      Note: This logic means that in order to allow resource from a non-network scheme, + it has to be either explicitly whitelisted: default-src * data: custom-scheme-1: custom-scheme-2:, + or the protected resource must be loaded from the same scheme.

    2. If expression matches the scheme-source or host-source grammar:

      1. -

        If expression has a scheme-part that is not an ASCII case-insensitive match for url’s scheme, then +

        If expression has a scheme-part that is not an ASCII case-insensitive match for url’s scheme, then return "Does Not Match" unless one of the following conditions is met:

        1. -

          expression’s scheme-part is an ASCII - case-insensitive match for "http" and url’s scheme is "https"

          +

          expression’s scheme-part is an ASCII + case-insensitive match for "http" and url’s scheme is "https"

        2. -

          expression’s scheme-part is an ASCII - case-insensitive match for "ws" and url’s scheme is "wss", "http" or "https"

          +

          expression’s scheme-part is an ASCII + case-insensitive match for "ws" and url’s scheme is "wss", "http" or "https"

        3. -

          expression’s scheme-part is an ASCII - case-insensitive match for "wss" and url’s scheme is "https"

          +

          expression’s scheme-part is an ASCII + case-insensitive match for "wss" and url’s scheme is "https"

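Review bot: the new second condition for "*" compares url's scheme with origin's scheme, but nothing says what happens when origin is opaque (a sandboxed document, for example) and has no scheme; state that the condition is simply not met in that case rather than leaving the comparison undefined. The rewritten note also reads "it has to be either explicitly whitelisted: ..., or the protected resource must be loaded from the same scheme", which mixes two constructions; something like "either the scheme must be whitelisted explicitly (default-src * data: custom-scheme-1: custom-scheme-2:) or the protected resource must itself be loaded from that scheme" reads cleanly and makes the new behaviour (a document served from custom-scheme-1: now gets "*" matching custom-scheme-1: URLs) explicit.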
      2. If expression matches the scheme-source grammar, @@ -4190,11 +4197,11 @@

        *" from expression.

      3. If remaining (including the leading U+002E FULL STOP character - (.)) is not an ASCII case-insensitive match for the + (.)) is not an ASCII case-insensitive match for the rightmost characters of url’s host, then return "Does Not Match".

    3. -

      If the first character of expression’s host-part is not an U+002A ASTERISK character (*), and url’s host is not an ASCII case-insensitive match for expression’s host-part, return "Does Not Match".

      +

      If the first character of expression’s host-part is not an U+002A ASTERISK character (*), and url’s host is not an ASCII case-insensitive match for expression’s host-part, return "Does Not Match".

    4. If expression’s host-part matches the IPv4address rule from [RFC3986], and is not "127.0.0.1"; or if expression’s host-part is an IPv6 address, return "Does Not Match".

      @@ -4223,7 +4230,7 @@
      path-part is the U+002F SOLIDUS character (/), and true otherwise.

    5. -

      Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS +

      Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS character (/).

    6. If path list has more items than url’s path, return @@ -4241,7 +4248,7 @@

      Percent decode url piece.

    7. -

      If expression piece is not a case-sensitive match +

      If expression piece is not a case-sensitive match for url piece, return "Does Not Match".

    @@ -4249,7 +4256,7 @@
    Matches".

  • -

    If expression is an ASCII case-insensitive match for "'self'", +

    If expression is an ASCII case-insensitive match for "'self'", return "Matches" if one or more of the following conditions is met:

    1. @@ -4300,7 +4307,7 @@
      unknown", return object-src.

    2. If the request’s destination is - "document" and the request’s target browsing context is a nested browsing + "document" and the request’s target browsing context is a nested browsing context, return frame-src.

    @@ -4376,13 +4383,13 @@
    Does Not Match".

    1. -

      Assert: source contains the value of a script element’s text IDL attribute, the value of a style element’s textContent IDL attribute, or the value of one of a script element’s event handler IDL attribute.

      +

      Assert: source contains the value of a script element’s text IDL attribute, the value of a style element’s textContent IDL attribute, or the value of one of a script element’s event handler IDL attribute.

      Note: This means that source will be interpreted with the encoding of the page in which it is embedded. See the integration points in §4.2 Integration with HTML for more detail.

    2. -

      If type element has an attribute whose name is an ASCII - case-insensitive match for the string "<script", or the string +

      If type element has an attribute whose name is an ASCII + case-insensitive match for the string "<script", or the string "<style", then return "Does Not Match".

    3. Let contains nonce or hash and hashes match attributes be false.

      @@ -4392,11 +4399,12 @@

      If expression matches the nonce-source or hash-source grammar, set contains nonce or hash to true.

    4. -

      If expression is an ASCII case-insensitive match for the keyword-source "'unsafe-hashed-attributes'", set hashes match +

      If expression is an ASCII case-insensitive match for the keyword-source "'unsafe-hashed-attributes'", set hashes match attributes to true.

  • -

    If contains nonce or hash is false, and list contains a source expression which is an ASCII case-insensitive match for the string "'unsafe-inline'", then return "Matches".

    +

    If contains nonce or hash is false, and list contains a source expression which is an ASCII case-insensitive match + for the string "'unsafe-inline'", then return "Matches".

    Note: This logic means that if list contains both "'unsafe-inline'" and either nonce-source or hash-source, "'unsafe-inline'" will have no effect.

    @@ -4408,10 +4416,10 @@

    If expression matches the nonce-source grammar, - and element has a nonce attribute whose value is a case-sensitive match for expression’s base64-value part, return "Matches".

    + and element has a nonce attribute whose value is a case-sensitive match for expression’s base64-value part, return "Matches".

    -

    Note: Nonces only apply to inline script and inline style, not to +

    Note: Nonces only apply to inline script and inline style, not to attributes of either element.

  • If type is "script" or "style", or hashes match attributes is true:

    @@ -4425,11 +4433,11 @@

    Let algorithm be null.

  • -

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.

    +

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.

  • -

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.

    +

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.

  • -

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.

    +

    If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.

  • If algorithm is not null:

      @@ -4437,13 +4445,13 @@
      base64 encoding the result of applying algorithm to source.

    1. -

      If actual is a case-sensitive match for expression’s base64-value part, return +

      If actual is a case-sensitive match for expression’s base64-value part, return "Matches".

    -

    Note: Hashes apply to inline script and inline style. If the +

    Note: Hashes apply to inline script and inline style. If the "'unsafe-hashed-attributes'" source expression is present, they will also apply to event handlers and style attributes.

  • @@ -4537,7 +4545,7 @@

    hash-source and nonce-source expressions will be honored.

  • -

    Script requests which are triggered by non-parser-inserted script elements are allowed.

    +

    Script requests which are triggered by non-parser-inserted script elements are allowed.

    The first change allows you to deploy "'strict-dynamic' in a backwards compatible way, without requiring user-agent sniffing: the policy 'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic' will act like 'unsafe-inline' https: in browsers that support CSP1, https: 'nonce-abcdefg' in browsers that support CSP2, and 'nonce-abcdefg' 'strict-dynamic' in browsers that support CSP3.
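Review bot: the context line `The first change allows you to deploy "'strict-dynamic' in a backwards compatible way` has an unbalanced double quote; since this hunk is already touching the surrounding source-expression markup, close it as `"'strict-dynamic'" in a backwards compatible way` so it matches the quoting used for the keyword everywhere else in this section.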

    @@ -4562,8 +4570,8 @@

    </scr' + 'ipt>'); -

    dependency.js will load, as the script element created by createElement() is not parser-inserted.

    -

    sadness.js will not load, however, as document.write() produces script elements which are parser-inserted.

    +

    dependency.js will load, as the script element created by createElement() is not parser-inserted.

    +

    sadness.js will not load, however, as document.write() produces script elements which are parser-inserted.

  • 8.3. Usage of "'unsafe-hashed-attributes'"

    This section is not normative.

    @@ -4574,14 +4582,14 @@

    The "'unsafe-hashed-attributes'" source expression aims to make CSP deployment simpler and safer in these situations by allowing developers to whitelist specific handlers via hashes.

    -
    - MegaCorp, Inc. can’t quite get rid of the following HTML on anything +
    + MegaCorp, Inc. can’t quite get rid of the following HTML on anything resembling a reasonable schedule:
    <button id="action" onclick="doSubmit()">
     

    Rather than whitelisting "'unsafe-inline'", they decide to use "'unsafe-hashed-attributes'" along with a hash source expression, as follows:

    -
    Content-Security-Policy: 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
    +
    Content-Security-Policy:  script-src 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
     

    8.4. Whitelisting external JavaScript with hashes
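Review bot: adding `script-src` is the right fix, since a `Content-Security-Policy` value that starts with a source expression and no directive name is not a parseable directive, but the `+` line carries a double space after the colon. Suggest `Content-Security-Policy: script-src 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='` so the example is consistent with the `Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'` example in §8.4 below.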

    @@ -4589,22 +4597,22 @@

    [CSP2], hash source expressions could only whitelist inlined script, but now that Subresource Integrity is widely deployed, we can expand the scope to enable externalized JavaScript as well.

    -

    If multiple sets of integrity metadata are specified for a script, the - request will match a policy’s hash-sources if and only if each item in a script's integrity metadata matches the policy.

    +

    If multiple sets of integrity metadata are specified for a script, the + request will match a policy’s hash-sources if and only if each item in a script's integrity metadata matches the policy.

    MegaCorp, Inc. wishes to whitelist two specific scripts on a page in a way that ensures that the content matches their expectations. They do so by setting the following policy:
    Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'
     
    -

    In the presence of that policy, the following script elements would be +

    In the presence of that policy, the following script elements would be whitelisted because they contain only integrity metadata that matches the policy:

    <script integrity="sha256-abc123" ...></script>
     <script integrity="sha512-321cba" ...></script>
     <script integrity="sha256-abc123 sha512-321cba" ...></script>
     
    -

    While the following script elements would not be whitelisted because they +

    While the following script elements would not be whitelisted because they contain metadata that does not match the policy (even though other metadata does match):

    <script integrity="sha384-xyz789" ...></script>
    @@ -4702,7 +4710,7 @@ 

    This document (see §6.2.3 sandbox)

    -

    script-src

    +

    script-src

    This document (see §6.1.10 script-src)

    @@ -4795,20 +4803,8 @@

    ancestor-source-list, in §6.3.2
  • base64-value, in §2.2.1
  • base-uri, in §6.2.1 -
  • - blockedURI -
  • child-src, in §6.1.1
  • column number, in §2.3 -
  • - columnNumber -
  • connect-src, in §6.1.2
  • Content-Security-Policy, in §3.1
  • Content Security Policy, in §1 @@ -4821,24 +4817,12 @@

    directive-value, in §2.2
  • disown-opener, in §6.2.4
  • disposition, in §2.1 -
  • - documentURI -
  • effective directive -
  • - effectiveDirective -
  • embedding document, in §4.2
  • enforced, in §4.2
  • EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm), in §4.3 @@ -4858,12 +4842,6 @@

    inline check, in §2.2
  • keyword-source, in §2.2.1
  • line number, in §2.3 -
  • - lineNumber -
  • manifest-src, in §6.1.7
  • media-src, in §6.1.8
  • media-type, in §6.2.2 @@ -4874,12 +4852,6 @@

    nonce-source, in §2.2.1
  • 'none', in §2.2.1
  • object-src, in §6.1.9 -
  • - originalPolicy -
  • parse a serialized CSP, in §2.1
  • path-part, in §2.2.1
  • plugin-types, in §6.2.2 @@ -4894,13 +4866,7 @@

    post-request check, in §2.2
  • pre-navigation check, in §2.2
  • pre-request check, in §2.2 -
  • - referrer - +
  • referrer, in §2.3
  • report-to, in §6.4.2
  • report-uri, in §6.4.1
  • resource, in §2.3 @@ -4910,9 +4876,6 @@

    scheme-source, in §2.2.1
  • script-src, in §6.1.10
  • SecurityPolicyViolationEvent, in §5.1 -
  • SecurityPolicyViolationEventInit, in §5.1 -
  • SecurityPolicyViolationEvent(type), in §5.1 -
  • SecurityPolicyViolationEvent(type, eventInitDict), in §5.1
  • 'self', in §2.2.1
  • serialized CSP, in §2.1
  • serialized directive, in §2.2 @@ -4924,20 +4887,8 @@

    source-expression, in §2.2.1
  • source expression, in §2.2.1
  • source file, in §2.3 -
  • - sourceFile -
  • source lists, in §2.2.1
  • status, in §2.3 -
  • - statusCode -
  • 'strict-dynamic', in §2.2.1
  • style-src, in §6.1.11
  • 'unsafe-eval', in §2.2.1 @@ -4945,12 +4896,6 @@

    'unsafe-inline', in §2.2.1
  • url, in §2.3
  • value, in §2.2 -
  • - violatedDirective -
  • violation, in §2.3
  • violation report, in §5
  • worker-src, in §6.1.12 @@ -5010,67 +4955,15 @@

    [HTML] defines the following terms:
  • - [HTML5] defines the following terms: + [html52] defines the following terms:
  • [REPORTING] defines the following terms: @@ -5104,11 +4997,6 @@

    digit
  • vchar -
  • - [rfc6454] defines the following terms: -
  • [rfc7230] defines the following terms:
  • - [workers] defines the following terms: + [CSP1] defines the following terms:
  • [css-cascade-4] defines the following terms: @@ -5168,7 +5069,6 @@

    Element
  • Event
  • EventInit -
  • ascii case-insensitive
  • fire an event
  • node document
  • textContent @@ -5177,20 +5077,76 @@

    [HTML] defines the following terms:

    References

    Normative References

    +
    [CSP1] +
    Brandon Sterne; Adam Barth. Content Security Policy 1.0. 19 February 2015. NOTE. URL: http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html
    [CSS-CASCADE-4]
    Elika Etemad; Tab Atkins Jr.. CSS Cascading and Inheritance Level 4. 14 January 2016. CR. URL: http://dev.w3.org/csswg/css-cascade/
    [CSSOM] @@ -5203,6 +5159,8 @@

    N
    Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
    [HTML5]
    Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: https://www.w3.org/html/wg/drafts/html/master/ +
    [HTML52] +
    Steve Faulkner; et al. HTML 5.2. 18 August 2016. WD. URL: https://w3c.github.io/html/
    [OOB-REPORTING]
    Ilya Gregorik; Mike West. Out-of-band Reporting. URL: https://mikewest.github.io/error-reporting/
    [RFC2045] @@ -5221,8 +5179,6 @@

    N
    D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
    [RFC5988]
    M. Nottingham. Web Linking. October 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5988 -
    [RFC6454] -
    A. Barth. The Web Origin Concept. December 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6454
    [RFC7230]
    R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7230
    [RFC7231] @@ -5239,8 +5195,6 @@

    N
    Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
    [WHATWG-URL]
    Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ -
    [WORKERS] -
    Ian Hickson. Web Workers. 24 September 2015. WD. URL: https://html.spec.whatwg.org/multipage/workers.html

    Informative References

    @@ -5274,31 +5228,31 @@

    James Clark. XSL Transformations (XSLT) Version 1.0. 16 November 1999. REC. URL: https://www.w3.org/TR/xslt

    IDL Index

    -
    [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
    +
    [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
     interface SecurityPolicyViolationEvent : Event {
    -    readonly    attribute DOMString      documentURI;
    -    readonly    attribute DOMString      referrer;
    -    readonly    attribute DOMString      blockedURI;
    -    readonly    attribute DOMString      violatedDirective;
    -    readonly    attribute DOMString      effectiveDirective;
    -    readonly    attribute DOMString      originalPolicy;
    -    readonly    attribute DOMString      sourceFile;
    -    readonly    attribute unsigned short statusCode;
    -    readonly    attribute long           lineNumber;
    -    readonly    attribute long           columnNumber;
    +    readonly    attribute DOMString      documentURI;
    +    readonly    attribute DOMString      referrer;
    +    readonly    attribute DOMString      blockedURI;
    +    readonly    attribute DOMString      violatedDirective;
    +    readonly    attribute DOMString      effectiveDirective;
    +    readonly    attribute DOMString      originalPolicy;
    +    readonly    attribute DOMString      sourceFile;
    +    readonly    attribute unsigned short statusCode;
    +    readonly    attribute long           lineNumber;
    +    readonly    attribute long           columnNumber;
     };
     
    -dictionary SecurityPolicyViolationEventInit : EventInit {
    -    DOMString      documentURI;
    -    DOMString      referrer;
    -    DOMString      blockedURI;
    -    DOMString      violatedDirective;
    -    DOMString      effectiveDirective;
    -    DOMString      originalPolicy;
    -    DOMString      sourceFile;
    -    unsigned short statusCode;
    -    long           lineNumber;
    -    long           columnNumber;
    +dictionary SecurityPolicyViolationEventInit : EventInit {
    +    DOMString      documentURI;
    +    DOMString      referrer;
    +    DOMString      blockedURI;
    +    DOMString      violatedDirective;
    +    DOMString      effectiveDirective;
    +    DOMString      originalPolicy;
    +    DOMString      sourceFile;
    +    unsigned short statusCode;
    +    long           lineNumber;
    +    long           columnNumber;
     };
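Review bot: the ten `readonly attribute` lines and the ten `SecurityPolicyViolationEventInit` members are rewritten with no visible text change, which in the rendered diff means their definition/link markup was dropped; consistently, the index hunks at -4795 through -4945 remove the entries for `blockedURI`, `columnNumber`, `documentURI`, `effectiveDirective`, `lineNumber`, `originalPolicy`, `sourceFile`, `statusCode`, `violatedDirective`, `SecurityPolicyViolationEventInit` and both `SecurityPolicyViolationEvent(...)` constructor forms, and `referrer` now indexes only to the violation's referrer in §2.3. If that is intended, be aware that any external document linking to those IDL member anchors loses them; if it is a side effect of the anchors-block rewrite, the IDL members in §5.1 (which the `+` side still declares in full) need their definitions restored.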
     
     
    @@ -5325,7 +5279,7 @@

  • -
    What should this do in an iframe? Anything?
    +
    What should this do in an iframe? Anything?
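Review bot: at -5104 the `[workers] defines the following terms` entry becomes `[CSP1] defines the following terms`, and -5177 adds `[CSP1]` as a normative reference with status `NOTE` and the URL `http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html`. A plain-http raw Mercurial URL is a poor target for a normative citation; point it at the published `/TR/` location for CSP 1.0, and say which term CSP3 now takes from CSP1, because `[CSP2]` is already cited in §8.4 (`[CSP2], hash source expressions could only whitelist inlined script`) and is the more natural source for anything not defined in this document.

Review bot: at -5239 the `[WORKERS]` normative reference is deleted, matching the removal of `spec: WORKERS` / `text: Worker` at -177 and of `text: run a worker` / `text: the worker's documents` at -228 in index.src.html, yet the unchanged context at -1098 still reads `[[#initialize-global-object-csp]] is called during the initialising a new Document object and run a worker algorithms` and still carries `ISSUE(w3c/html#187): This concept is missing from W3C's Workers`. Confirm that `run a worker` now resolves to the workers section of the WHATWG [HTML] reference, and revise the issue text, which refers to a specification this change stops citing.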

    - - - - - - - - - - - diff --git a/index.src.html b/index.src.html index 623a61cae5..017b97873e 100644 --- a/index.src.html +++ b/index.src.html @@ -20,12 +20,19 @@

    Content Security Policy Level 3

     spec: RFC6454; urlPrefix: https://tools.ietf.org/html/rfc6454
       type: dfn
    -    text: globally unique identifier; url: section-2.3
    -    text: origin; url: section-3.2
         text: the same; url: section-5
     spec: ECMA262; urlPrefix: https://tc39.github.io/ecma262
       type: dfn
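Review bot: this hunk removes the `globally unique identifier` and `origin` anchors but keeps `spec: RFC6454` with `text: the same; url: section-5`, while the index.html hunks at -5104 and -5221 drop both the `[rfc6454] defines the following terms` entry and the `[RFC6454]` normative reference. Either the surviving `the same` anchor is no longer used and should go with the other two, or a use of it has lost its reference; check the Bikeshed output for that term, and state where `origin` is now taken from, since the `global object's origin` wording in the violation-report hunks of index.html depends on it.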
    @@ -35,86 +42,16 @@ 

    Content Security Policy Level 3

    text: eval(); url: sec-eval-x text: Function(); url: sec-function-objects text: JSON.stringify(); url: sec-json.stringify -spec: HTML5; urlPrefix: https://www.w3.org/TR/html5/ +spec: HTML52; urlPrefix: https://www.w3.org/TR/html52/ type: dfn - urlPrefix: embedded-content-0.html - text: an iframe srcdoc document urlPrefix: browsers.html - text: active document - text: ancestor browsing context - text: browsing context - text: create a document object - text: disown its opener - text: opener browsing context text: nested browsing context - text: parent browsing context - text: nested through; url: browsing-context-nested-through - text: forced sandboxing flag set - text: parse a sandboxing directive - text: sandboxed scripts browsing context flag - text: sandboxed origin browsing context flag - text: unicode serialization; url: unicode-serialization-of-an-origin urlPrefix: dom.html text: CSP list; for: document; url: concept-document-csp-list urlPrefix: webappapis.html - text: environment settings object; url: settings-object - text: global object - text: relevant global object text: global object; for: settings object; url: concept-settings-object-global - text: incumbent settings object - text: current settings object - text: relevant settings object; url: relevant-settings-object-for-a-global-object - text: responsible browsing context - text: queue a task - text: event handler IDL attributes - urlPrefix: infrastructure.html - text: valid MIME type - text: case-sensitive; url: case-sensitive - text: ASCII case-insensitive match; url: ascii-case-insensitive - text: reflect - text: strictly split a string - text: strip leading and trailing whitespace - text: collect a sequence of characters - text: space characters - text: split a string on spaces - text: split a string on commas - urlPrefix: document-metadata.html - text: set the frozen base url urlPrefix: scripting-1.html text: parser-inserted - text: prepare a script - type: element - urlPrefix: 
document-metadata.html - text: base; url: the-base-element - text: head; url: the-head-element - text: link; url: the-link-element - text: meta; url: the-meta-element - text: style; url: the-style-element - urlPrefix: embedded-content-0.html - text: embed; url: the-embed-element - text: object; url: the-object-element - text: iframe; url: the-iframe-element - urlPrefix: scripting-1.html - text: script; url: the-script-element - urlPrefix: text-level-semantics.html - text: a; url: the-a-element - urlPrefix: obsolete.html - text: applet; url: the-applet-element - text: frame - type: element-attr - urlPrefix: document-metadata.html - text: content; for: meta; url: attr-meta-content - text: http-equiv; for: meta; url: attr-meta-http-equiv - urlPrefix: embedded-content-0.html - text: srcdoc; for: iframe; url: attr-iframe-srcdoc - urlPrefix: scripting-1.html - text: src; for: script; url: attr-script-src - type: interface - urlPrefix: browsers.html - text: Window; url: dom-window - type: attribute - urlPrefix: dom.html - text: referrer; for: Document; url: dom-document-referrer spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/ type: dfn text: fetch; url: concept-fetch @@ -177,9 +114,6 @@

    Content Security Policy Level 3

    spec: SERVICE-WORKERS; urlPrefix: https://www.w3.org/TR/service-workers/ type: interface text: ServiceWorker; url: service-worker-interface -spec: WORKERS; urlPrefix: https://www.w3.org/TR/workers/ - type: interface - text: Worker spec: CSSOM; urlPrefix: https://www.w3.org/TR/cssom/ type: dfn text: insert a css rule @@ -228,23 +162,8 @@

    Content Security Policy Level 3

    spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/ type: dfn - urlPrefix: workers.html - text: run a worker - text: the worker's documents - urlPrefix: browsers.html - text: initialising a new Document object; url: initialise-the-document-object - text: process a navigate response - text: process a navigate fetch - urlPrefix: semantics.html - text: update a style block - text: Content-Security-Policy http-equiv processing instructions; url: attr-meta-http-equiv-content-security-policy - urlPrefix: webappapis.html - text: realm's global object; url: concept-realm-global-object - type: element-attr urlPrefix: semantics.html - text: ping; for: a - urlPrefix: scripting.html - text: nonce; for: script; url: attr-script-nonce + text: Content Security Policy state; url: attr-meta-http-equiv-content-security-policy spec: SHA2; urlPrefix: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf type: dfn @@ -577,7 +496,7 @@

    Directives

    otherwise specified. 5. An initialization, which takes a {{Document}} - or global object, a response, and a policy as + or global object, a response, and a policy as arguments. This algorithm is executed during [[#initialize-document-csp]], and has no effect unless otherwise specified. @@ -669,11 +588,11 @@

    Source Lists

    Violations

    A violation represents an action or resource which goes against the - set of policy objects associated with a global object. + set of policy objects associated with a global object. Each violation has a global object, which - is the global object whose policy has been violated. + is the global object whose policy has been violated. Each violation has a url which is its global object's {{URL}}. @@ -718,7 +637,7 @@

    Create a violation object for |global|, |policy|, and |directive|

    - Given a global object (|global|), a policy (|policy|), and a + Given a global object (|global|), a policy (|policy|), and a string (|directive|), the following algorithm creates a new violation object, and populates it with an initial set of data: @@ -864,8 +783,8 @@

    A {{Document}} may deliver a policy via one or more HTML <{meta}> elements - whose <{meta/http-equiv}> attributes are an ASCII case-insensitive - match for the string "`Content-Security-Policy`". For example: + whose <{meta/http-equiv}> attributes are an ASCII case-insensitive + match for the string "`Content-Security-Policy`". For example:
    @@ -873,8 +792,8 @@ 

    - Implementation details can be found in HTML's `Content-Security-Policy` - `http-equiv` processing instructions [[!HTML]]. + Implementation details can be found in HTML's Content Security Policy + state `http-equiv` processing instructions [[!HTML]]. Note: The `Content-Security-Policy-Report-Only` header is not supported inside a <{meta}> element. Neither are the `report-uri`, @@ -924,9 +843,9 @@

    2. [[#should-block-response]] is called as part of step #13 of its Main Fetch algorithm. - A policy is generally enforced upon a global object, but the + A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object + delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response's details. To that end: @@ -1098,13 +1017,13 @@

    ISSUE(w3c/html#187): This concept is missing from W3C's Workers. 2. A policy is enforced or monitored for a - global object by inserting it into the global object's + global object by inserting it into the global object's CSP list. 3. [[#initialize-global-object-csp]] is called during the initialising a new `Document` object and run a worker algorithms in order to bind a set of policy objects associated with a response to a - newly created global object. + newly created global object. 4. [[#should-block-inline]] is called during the prepare a script and update a `style` block algorithms in order to determine whether or @@ -1199,7 +1118,7 @@

    Initialize a global object's `CSP list`

    - Given a global object (|global|), and a response + Given a global object (|global|), and a response (|response|), the user agent performs the following steps in order to initialize |global|'s CSP list: @@ -1213,7 +1132,7 @@

    4. For each |document| in |documents|: - 1. For each |policy| in |document|'s global + 1. For each |policy| in |document|'s global object's CSP list: 1. Insert an alias to |policy| in |global|'s @@ -1238,7 +1157,7 @@

    1. Let |result| be "`Allowed`". - 2. For each |policy| in |element|'s {{Document}}'s global object's + 2. For each |policy| in |element|'s {{Document}}'s global object's CSP list: 1. For each |directive| in |policy|: @@ -1358,8 +1277,8 @@

    if not: 1. Let |globals| be a list containing |callerRealm|'s - global object and |calleeRealm|'s - global object. + global object and |calleeRealm|'s + global object. 2. For each |global| in |globals|: @@ -2452,7 +2371,7 @@

    Integrity [[!SRI]] to block non-matching resources upon response. 3. If this directive's value contains a source - expression that is an ASCII case-insensitive match for + expression that is an ASCII case-insensitive match for the "`'strict-dynamic'`" keyword-source: 1. If the |request|'s parser metadata is @@ -2510,10 +2429,10 @@
    1. If |type| is "`script attribute`": 1. If |list| contains a source expression which is an ASCII - case-insensitive match for the keyword-source + case-insensitive match for the keyword-source "`'strict-dynamic'`", and does not contain a - source expression which is an ASCII case-insensitive - match for the keyword-source + source expression which is an ASCII case-insensitive + match for the keyword-source "`'unsafe-hashed-attributes'`", return "`Blocked`". 2. If the result of executing [[#match-element-to-source-list]] on @@ -2523,7 +2442,7 @@
    2. If |type| is "`script`": 1. If |list| contains a source expression which is an ASCII - case-insensitive match for the keyword-source + case-insensitive match for the keyword-source "`'strict-dynamic'`", return "`Blocked`". Note: "`'strict-dynamic'`" is explained in more detail @@ -2750,7 +2669,7 @@
    returns "`Allowed`" if |base| may be used as the value of a <{base}> element's <{base/href}> attribute, and "`Blocked`" otherwise: - 1. For each |policy| in |document|'s global object's + 1. For each |policy| in |document|'s global object's csp list: 1. Let |source list| be `null`. @@ -2767,7 +2686,7 @@
    object's origin, and `0` is "`Does Not Match`": 1. Let |violation| be the result of executing - [[#create-violation-for-global]] on |document|'s global + [[#create-violation-for-global]] on |document|'s global object, |policy|, and "`base-uri`". 2. Set |violation|'s resource to "`inline`". @@ -2857,7 +2776,7 @@
    1. Let |type| be the result of extracting a MIME type from |response|'s header list. - 2. If |type| is not an ASCII case-insensitive match for any item + 2. If |type| is not an ASCII case-insensitive match for any item in this directive's value, return "`Blocked`". 3. Return "`Allowed`". @@ -2888,7 +2807,7 @@
    2. |type| is not a valid MIME type. - 3. |type| is not an ASCII case-insensitive match for any + 3. |type| is not an ASCII case-insensitive match for any item in |directive|'s value. 2. Return "`Allowed`". @@ -2952,7 +2871,7 @@
    according to the `sandbox` values present in its policies, as follows: - Given a {{Document}} or global object (|context|), a response + Given a {{Document}} or global object (|context|), a response (|response|), and a policy (|policy|): 1. Assert: |response| is unused. @@ -2995,7 +2914,7 @@
    This directive's initialization algorithm is as follows: - Given a {{Document}} or global object (|context|), a response + Given a {{Document}} or global object (|context|), a response (|response|), and a policy (|policy|): 1. Assert: |response| and |policy| are unused. @@ -3095,8 +3014,8 @@
    1. Set |current| to |parent|. 2. Let |origin| be the result of executing the URL parser on the - unicode serialization of |parent|'s active document's - origin. + unicode serialization + of |parent|'s active document's origin. 3. If [[#match-url-to-source-list]] returns `Does Not Match` when executed upon |origin|, this directive's @@ -3261,7 +3180,7 @@
    2. If |source list| is an empty list, return "`Does Not Match`". 3. If |source list| contains a single item which is an ASCII - case-insensitive match for the string "`'none'`", return "`Does Not + case-insensitive match for the string "`'none'`", return "`Does Not Match`". Note: An empty source list (that is, a directive without a value: `script-src`, @@ -3304,20 +3223,20 @@
    `host-source` grammar: 1. If |expression| has a `scheme-part` that is not an - ASCII case-insensitive match for |url|'s {{URL/scheme}}, then + ASCII case-insensitive match for |url|'s {{URL/scheme}}, then return "`Does Not Match`" unless one of the following conditions is met: 1. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`http`" and |url|'s {{URL/scheme}} + case-insensitive match for "`http`" and |url|'s {{URL/scheme}} is "`https`" 2. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`ws`" and |url|'s {{URL/scheme}} + case-insensitive match for "`ws`" and |url|'s {{URL/scheme}} is "`wss`", "`http`" or "`https`" 3. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`wss`" and |url|'s {{URL/scheme}} + case-insensitive match for "`wss`" and |url|'s {{URL/scheme}} is "`https`" 2. If |expression| matches the `scheme-source` grammar, @@ -3357,13 +3276,13 @@
    |expression|. 2. If |remaining| (including the leading U+002E FULL STOP character - (`.`)) is not an ASCII case-insensitive match for the + (`.`)) is not an ASCII case-insensitive match for the rightmost characters of |url|'s {{URL/host}}, then return "`Does Not Match`". 4. If the first character of |expression|'s `host-part` is not an U+002A ASTERISK character (`*`), and |url|'s {{URL/host}} - is not an ASCII case-insensitive match for |expression|'s + is not an ASCII case-insensitive match for |expression|'s `host-part`, return "`Does Not Match`". 5. If |expression|'s `host-part` matches the @@ -3424,7 +3343,7 @@
    9. Return "`Matches`". - 4. If |expression| is an ASCII case-insensitive match for "`'self'`", + 4. If |expression| is an ASCII case-insensitive match for "`'self'`", return "`Matches`" if one or more of the following conditions is met: 1. |origin| is the same as |url|'s {{URL/origin}} @@ -3529,7 +3448,7 @@
    in [[#html-integration]] for more detail. 2. If |type| |element| has an attribute whose name is an ASCII - case-insensitive match for the string "` match for the string "` `hash-source` grammar, set |contains nonce or hash| to `true`. - 2. If |expression| is an ASCII case-insensitive match for the + 2. If |expression| is an ASCII case-insensitive match for the `keyword-source` "`'unsafe-hashed-attributes'`", set |hashes match attributes| to `true`. 5. If |contains nonce or hash| is `false`, and |list| contains a - source expression which is an ASCII case-insensitive match + source expression which is an ASCII case-insensitive match for the string "'unsafe-inline'", then return "`Matches`". Note: This logic means that if |list| contains both "'unsafe-inline'" @@ -3575,15 +3494,15 @@
    1. Let |algorithm| be `null`. 2. If |expression|'s `hash-algorithm` part is an - ASCII case-insensitive match for "sha256", set + ASCII case-insensitive match for "sha256", set |algorithm| to SHA-256. 3. If |expression|'s `hash-algorithm` part is an - ASCII case-insensitive match for "sha384", set + ASCII case-insensitive match for "sha384", set |algorithm| to SHA-384. 4. If |expression|'s `hash-algorithm` part is an - ASCII case-insensitive match for "sha512", set + ASCII case-insensitive match for "sha512", set |algorithm| to SHA-512. 5. If |algorithm| is not `null`:
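Review bot: at -35 the `spec: HTML5` block becomes `spec: HTML52; urlPrefix: https://www.w3.org/TR/html52/`, but only `nested browsing context`, `CSP list`, `global object; for: settings object` and `parser-inserted` are retained; every other dfn (browsing-context terms, sandboxing flags, settings-object terms, the string utilities, `valid MIME type`, `unicode serialization`) and the whole `type: element`, `type: element-attr`, `type: interface` and `type: attribute` sections are deleted rather than re-pointed. The unchanged context at -864 and -2750 still uses `<{meta}>`, `<{meta/http-equiv}>`, `<{base}>` and `<{base/href}>`, and -3095 still links `unicode serialization`, so these must now come from Bikeshed's cross-spec data for [HTML]; please confirm the build reports no unresolved-link errors for them. Separately, the anchor `urlPrefix` is `https://www.w3.org/TR/html52/` while the `[HTML52]` reference added at -5177 gives `https://w3c.github.io/html/`; pick one so that links and the bibliography agree.

Review bot: at -228 the new anchor `text: Content Security Policy state; url: attr-meta-http-equiv-content-security-policy` sits under `type: element-attr`, but it names a state of the `http-equiv` attribute, not an attribute, and the anchor it replaces for the same URL was `type: dfn`; make it a `dfn` so the prose at -873 can reference it as a term. That prose, `HTML's Content Security Policy state http-equiv processing instructions`, also reads awkwardly; something like `the processing instructions for HTML's http-equiv Content Security Policy state` keeps both links and is easier to parse.

Review bot: across -2452, -2510, -2523, -2857, -2888, -3261, -3304, -3357, -3424 and -3575, `ASCII case-insensitive` is rewritten with no visible change, and the index.html hunk at -5168 drops `ascii case-insensitive` from the terms list that holds `Element`, `Event`, `EventInit` and `fire an event` (the DOM entries) while -35 removes the HTML5 `ASCII case-insensitive match` anchor. The commit should say which specification defines the term after this change; if none does, these normative matching steps are left with an unlinked phrase.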