diff --git a/index.html b/index.html index 50f1b33af9..2340cc7abd 100644 --- a/index.html +++ b/index.html @@ -1421,7 +1421,7 @@
The resources which can be requested (and subsequently embedded or
- executed) on behalf of a specific Document
or Worker
Document
or Worker
The execution of inline script
report-uri
directive is deprecated in favor of the new report-to
directive, which relies on [OOB-REPORTING] as infrastructure.
The 'strict-dynamic'
source expression will now allow script which
- executes on a page to load more script via non-parser-inserted script
elements. Details are in §8.2 Usage of "'strict-dynamic'".
script
elements. Details are in §8.2 Usage of "'strict-dynamic'".
The 'unsafe-hashed-attributes'
source expression will now allow event
handlers and style attributes to match hash source expressions. Details
in §8.3 Usage of "'unsafe-hashed-attributes'".
The source expression matching has been changed to require explicit whitelisting - of any non-network scheme, rather than local scheme, as described - in §6.6.1.6 Does url match expression in origin with redirect count?.
+ of any non-network scheme, rather than local scheme, + unless that non-network scheme is the same as the scheme of protected resource, + as described in §6.6.1.6 Does url match expression in origin with redirect count?.Hash-based source expressions may now whitelist external scripts if the script
element that triggers the request specifies a set of integrity
+
Hash-based source expressions may now whitelist external scripts if the script
element that triggers the request specifies a set of integrity
metadata which is whitelisted by the current policy. Details in §8.4 Whitelisting external JavaScript with hashes.
The disown-opener
directive ensures that a resource can’t be opened
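Review bot: The added changelog clause "unless that non-network scheme is the same as the scheme of protected resource" is missing an article and should read "the scheme of the protected resource". Because this section only summarises the change, the same-scheme exception must also be written into the normative steps it cites (§6.6.1.6 Does url match expression in origin with redirect count?), and it is worth stating there which non-network schemes it is meant to cover, since it reintroduces implicit matching that the rest of this entry says is being removed in favour of explicit whitelisting.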
@@ -1859,7 +1860,7 @@
A policy defines a set of allowed and
- restricted behaviors, and may be applied to a Window
or WorkerGlobalScope
as described in §4.2.2 Initialize a global object’s CSP list.
Window
or WorkerGlobalScope
as described in §4.2.2 Initialize a global object’s CSP list.
Each policy has an associated directive set, which is a set of directives that define the policy’s implications when applied.
@@ -1877,17 +1878,17 @@Let policy be a new policy with an empty directive set, and a disposition of disposition.
For each token returned by strictly splitting serialized
+ For each token returned by strictly splitting serialized
CSP on the U+003B SEMICOLON character ( Strip leading and trailing whitespace from token. Strip leading and trailing whitespace from token. If token is an empty string, skip the remaining substeps
and continue to the next item. Let directive name be the result of collecting a sequence of
- characters from token which are not space
+ Let directive name be the result of collecting a sequence of
+ characters from token which are not space
characters. If policy’s directive set contains a directive whose name is directive
@@ -1895,7 +1896,7 @@ Let directive value be the result of splitting token on
+ Let directive value be the result of splitting token on
spaces. Let directive be a new directive whose name is directive name, and value is directive value. Let policies be an empty list. For each token returned by splitting list on commas: For each token returned by splitting list on commas: Let policy be the result of executing §2.1.1 Parse a serialized CSP as disposition on token with disposition. Directives have six associated algorithms: Directives have a number of associated algorithms: A pre-request check, which takes a request and a policy as an argument, and is executed during §4.1.3 Should request be blocked by Content Security Policy?. This algorithm returns " An initialization, which takes a An initialization, which takes a A pre-navigation check, which takes a request, type string, and two browsing contexts as arguments, and
+ A pre-navigation check, which takes a request, type string, and two browsing contexts as arguments, and
is executed during §4.2.4 Should navigation request of type from source in target be blocked
by Content Security Policy?. It returns
" A navigation response check, which takes a request, a response and two browsing contexts as
+ A navigation response check, which takes a request, a response and two browsing contexts as
arguments, and is executed during §4.2.5 Should navigation response to navigation request of type from source
in target be blocked by Content Security Policy?.
It returns " A violation represents an action or resource which goes against the
- set of policy objects associated with a global object.;
):
-
RWS
Allowed
" unless
@@ -1963,16 +1964,16 @@ §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?
Allowed
" unless
otherwise specified.Document
or global object, a response, and a policy as
+ Document
or global object, a response, and a policy as
arguments. This algorithm is executed during §4.2.1 Initialize a Document's CSP list,
and has no effect unless otherwise specified.Allowed
" unless otherwise specified.Allowed
" unless otherwise specified.2.3. Violations
Each violation has a global object, which - is the global object whose policy has been violated.
+ is the global object whose policy has been violated.Each violation has a url which is its global object’s URL
.
Each violation has a status which is a non-negative integer representing the HTTP status code of the resource for @@ -2065,7 +2066,7 @@
Given a global object (global), a policy (policy), and a +
Given a global object (global), a policy (policy), and a string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:
If global is a Window
object, set violation’s referrer to global’s document
's referrer
.
If global is a Window
object, set violation’s referrer to global’s document
's referrer
.
Set violation’s status to the HTTP status code
for the resource associated with violation’s global
@@ -2094,7 +2095,7 @@ Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on request’s client’s global object, policy, and directive. Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on request’s client’s global object, policy, and directive. Set violation’s resource to request’s url. Note: We use request’s url, and not its current url, as the latter might contain information
@@ -2108,7 +2109,7 @@
-
policy
A policy may also be declared inline in an HTML document via a meta
element’s http-equiv
attribute, as described in §3.3 The <meta> element.
A policy may also be declared inline in an HTML document via a meta
element’s http-equiv
attribute, as described in §3.3 The <meta> element.
Content-Security-Policy
HTTP Response Header Field The Content-Security-Policy
HTTP response header field
is the preferred mechanism for delivering a policy from a server to a client.
@@ -2152,28 +2153,28 @@
Note: The Content-Security-Policy-Report-Only
header is not supported inside a meta
element.
Note: The Content-Security-Policy-Report-Only
header is not supported inside a meta
element.
<meta>
element A Document
may deliver a policy via one or more HTML meta
elements
- whose http-equiv
attributes are an ASCII case-insensitive
- match for the string "Content-Security-Policy
". For example:
A Document
may deliver a policy via one or more HTML meta
elements
+ whose http-equiv
attributes are an ASCII case-insensitive match for the string "Content-Security-Policy
". For example:
Implementation details can be found in HTML’s Content-Security-Policy
http-equiv
processing instructions [HTML].
Note: The Content-Security-Policy-Report-Only
header is not supported inside a meta
element. Neither are the report-uri
, frame-ancestors
, and sandbox
directives.
Authors are strongly encouraged to place meta
elements as early
- in the document as possible, because policies in meta
elements are not
+
Implementation details can be found in HTML’s Content Security Policy
+ state http-equiv
processing instructions [HTML].
Note: The Content-Security-Policy-Report-Only
header is not supported inside a meta
element. Neither are the report-uri
, frame-ancestors
, and sandbox
directives.
Authors are strongly encouraged to place meta
elements as early
+ in the document as possible, because policies in meta
elements are not
applied to content which precedes them. In particular, note that resources
fetched or prefetched using the Link
HTTP response header
- field, and resources fetched or prefetched using link
and script
elements which precede a meta
-delivered policy will not be blocked.
Note: A policy specified via a meta
element will be enforced along with
+ field, and resources fetched or prefetched using link
and script
elements which precede a meta
-delivered policy will not be blocked.
Note: A policy specified via a meta
element will be enforced along with
any other policies active for the protected resource, regardless
of where they’re specified. The general impact of enforcing multiple
policies is described in §8.1 The effect of multiple policies.
Note: Modifications to the content
attribute of a meta
element
+
Note: Modifications to the content
attribute of a meta
element
after the element has been parsed will be ignored.
A policy is generally enforced upon a global object, but the +
A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:
+ delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:A response has an associated CSP list which @@ -2237,7 +2238,7 @@
Let CSP list be request’s client’s global object’s CSP list.
+Let CSP list be request’s client’s global object’s CSP list.
For each policy in CSP list:
Blocked
or Allowed
and reports violations based on request’s client’s Content Security Policy.
Let CSP list be request’s client’s global object’s CSP list.
+Let CSP list be request’s client’s global object’s CSP list.
Let result be "Allowed
".
Blocked
or Allowed
, and reports violations based on request’s client’s Content Security Policy.
Let CSP list be request’s client’s global object’s CSP list.
+Let CSP list be request’s client’s global object’s CSP list.
Let result be "Allowed
".
This concept is missing from W3C’s Workers. <https://github.com/w3c/html/issues/187>
A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
+A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
§4.2.2 Initialize a global object’s CSP list is called during the initialising a
new Document
object and run a worker algorithms in order to
bind a set of policy objects associated with a response to a
- newly created global object.
§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during the prepare a script and update a style
block algorithms in order to determine whether or
+
§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during the prepare a script and update a style
block algorithms in order to determine whether or
not an inline script or style block is allowed to execute/render.
§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during handling of inline event
handlers (like onclick
) and inline style
attributes in order to
determine whether or not they ought to be allowed to execute/render.
Policy is enforced during processing of the meta
element’s http-equiv
.
Policy is enforced during processing of the meta
element’s http-equiv
.
A Document
's embedding document is the Document
through which the Document
's browsing context is nested.
A Document
's embedding document is the Document
through which the Document
's browsing context is nested.
HTML populates each request’s cryptographic nonce metadata and parser metadata with relevant data from the @@ -2364,12 +2365,12 @@
§6.2.1.1 Is base allowed for document? is called during §6.2.1.1 Is base allowed for document? is called during §6.2.2.2 Should plugin element be blocked a priori by Content
- Security Policy?: is called during the processing of base
's set the frozen
+ base
's set the frozen
base URL algorithm to ensure that the href
attribute’s value
is valid.object
, embed
, and applet
elements to determine whether they may trigger a fetch.object
, embed
, and applet
elements to determine whether they may trigger a fetch.
Note: Fetched plugin resources are handled in §4.1.4 Should response to request be blocked by Content Security Policy?.
This hook is missing from W3C’s HTML. <https://github.com/w3c/html/issues/547>
@@ -2384,7 +2385,7 @@Document
's CSP list
Given a Document
(document), and a response (response), the
- user agent performs the following steps in order to initialize document’s CSP list:
If response’s url’s scheme
is a local scheme:
If document has an embedding document (embedding), then add embedding to documents.
If document has an opener browsing context, then add its active document to documents.
+If document has an opener browsing context, then add its active document to documents.
For each doc in documents:
Note: local scheme includes about:
, and this algorithm will
- therefore alias the embedding document’s policies for an iframe srcdoc
Document
.
srcdoc
Document
.
Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it
controls (blob:
resources, or document.write()
).
For each policy in response’s CSP list, insert policy into document’s CSP list.
+For each policy in response’s CSP list, insert policy into document’s CSP list.
For each policy in document’s CSP list:
+For each policy in document’s CSP list:
For each directive in policy:
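Review bot: In the opener step of Initialize a Document's CSP list ("If document has an opener browsing context, then add its active document to documents"), the opener's active document is read when this algorithm runs, so a local-scheme document whose opener has since navigated would alias the policies of whatever document is active at that moment. Say explicitly that this is intended, or snapshot the opener's document at creation time, since the Note below gives preventing bypass via page-controlled content (blob: resources, document.write()) as the reason for the aliasing.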
@@ -2424,7 +2425,7 @@CSP list
Given a global object (global), and a response (response), the user agent performs the following steps in order +
Given a global object (global), and a response (response), the user agent performs the following steps in order to initialize global’s CSP list:
Let documents be an empty list.
Add each of global’s documents to documents.
+Add each of global’s documents to documents.
For each document in documents:
For each policy in document’s global
+ For each policy in document’s global
object’s CSP list:
Note: local scheme includes
about:
, and this algorithm will
- therefore alias the embedding document’s policies for an iframe srcdoc
Document
.
srcdoc
Document
.
For each policy in response’s CSP list, insert policy into global’s CSP list.
Let result be "Allowed
".
For each policy in element’s Document
's global object’s CSP list:
For each policy in element’s Document
's global object’s CSP list:
For each directive in policy:
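Review bot: The Note inside Initialize a global object's CSP list ("local scheme includes about:, and this algorithm will therefore alias the embedding document's policies for an iframe srcdoc Document") is copied from §4.2.1 and describes an iframe srcdoc Document, which has no counterpart for a worker global. Reword it for the worker case (what is aliased here is the CSP list of each of global's documents' global objects, per the loop above) or drop it from this algorithm.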
@@ -2470,8 +2471,8 @@Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on the current settings - object’s global object, policy, +
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on the current settings
+ object’s global object, policy,
and "style-src
" if type is "style
" or "style-attribute
",
or "script-src
" otherwise.
Given a request (navigation request), a string (type, either
- "form-submission
" or "other
"), and two browsing contexts (source and target), this algorithm return "Blocked
" if the active policy blocks
+ "form-submission
" or "other
"), and two browsing contexts (source and target), this algorithm return "Blocked
" if the active policy blocks
the navigation, and "Allowed
" otherwise:
Let result be "Allowed
".
For each policy in source’s active document’s CSP list:
+For each policy in source’s active document’s CSP list:
For each directive in policy:
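Review bot: Grammar in the re-added §4.2.4 definition ("this algorithm return "Blocked" if the active policy blocks the navigation"): "return" should be "returns". "the active policy" also reads as singular while the steps iterate over every policy in source's active document's CSP list; "if any policy blocks the navigation" would match the loop.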
@@ -2504,7 +2505,7 @@If directive’s pre-navigation check returns "Allowed
" when executed upon navigation request, type, source, and target, skip to the next directive.
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on source’s relevant global
+ Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on source’s relevant global
object, policy, and directive’s name. Set violation’s resource to navigation
@@ -2523,7 +2524,7 @@ Given a request (navigation request),, a string (type, either
" Let globals be a list containing callerRealm’s global object and calleeRealm’s global object. Let globals be a list containing callerRealm’s global object and calleeRealm’s global object. For each global in globals:4.2.5. Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?
form-submission
" or "other
"), a response navigation
- response, and two browsing contexts (source and target), this algorithm
+ responseBlocked
" if the active policy blocks the navigation, and "Allowed
"
otherwise:
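Review bot: Stray double comma in the §4.2.5 signature context line ("Given a request (navigation request),, a string (type, either"); worth fixing while this paragraph is being touched.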
@@ -2565,7 +2566,7 @@
-
@@ -2579,7 +2580,7 @@
directive
default-src
", then set source-list to that directive’s value.
If source-list is non-null, and does not contain a source
- expression which is an ASCII case-insensitive match for the
+ expression which is an ASCII case-insensitive match for the
string "'unsafe-eval'
", then throw an EvalError
exception.
[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] +[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] interface SecurityPolicyViolationEvent : Event { - readonly attribute DOMString documentURI; - readonly attribute DOMString referrer; - readonly attribute DOMString blockedURI; - readonly attribute DOMString violatedDirective; - readonly attribute DOMString effectiveDirective; - readonly attribute DOMString originalPolicy; - readonly attribute DOMString sourceFile; - readonly attribute unsigned short statusCode; - readonly attribute long lineNumber; - readonly attribute long columnNumber; + readonly attribute DOMString documentURI; + readonly attribute DOMString referrer; + readonly attribute DOMString blockedURI; + readonly attribute DOMString violatedDirective; + readonly attribute DOMString effectiveDirective; + readonly attribute DOMString originalPolicy; + readonly attribute DOMString sourceFile; + readonly attribute unsigned short statusCode; + readonly attribute long lineNumber; + readonly attribute long columnNumber; }; -dictionary SecurityPolicyViolationEventInit : EventInit { - DOMString documentURI; - DOMString referrer; - DOMString blockedURI; - DOMString violatedDirective; - DOMString effectiveDirective; - DOMString originalPolicy; - DOMString sourceFile; - unsigned short statusCode; - long lineNumber; - long columnNumber; +dictionary SecurityPolicyViolationEventInit : EventInit { + DOMString documentURI; + DOMString referrer; + DOMString blockedURI; + DOMString violatedDirective; + DOMString effectiveDirective; + DOMString originalPolicy; + DOMString sourceFile; + unsigned short statusCode; + long lineNumber; + long columnNumber; };5.2. Obtain the deprecated serialization of violation
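Review bot: The 'unsafe-eval' EvalError check and the SecurityPolicyViolationEvent / SecurityPolicyViolationEventInit IDL lines are removed and re-added with identical content, i.e. whitespace-only reindentation. Keep that churn out of a commit that also changes normative text, or call it out in the commit message, so reviewers can confirm that no IDL member or type changed.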
@@ -2681,47 +2682,47 @@- +
violation’s url
- - +
violation’s referrer
- - +
violation’s resource
- - +
violation’s effective directive
- - +
violation’s effective directive
- - +
violation’s policy
- - +
violation’s source file
- - +
violation’s status
- - +
violation’s line number
- - +
violation’s column number
Note: Both effectiveDirective
and violatedDirective
are the same value.
+
Note: Both effectiveDirective
and violatedDirective
are the same value.
This is intentional to maintain backwards compatibility.
If violation’s policy’s directive
@@ -2749,7 +2750,7 @@ violation’s global object’s origin violation’s global object’s origin violation’s global object’s relevant
+ violation’s global object’s relevant
settings object Let settings object be violation’s global
- object’s relevant settings object.
’s relevant settings object.
value
Execute [OOB-REPORTING]'s Queue data as type for endpoint group on settings algorithm with the following arguments:
@@ -2864,8 +2865,8 @@child-src
The child-src directive governs the creation of nested browsing
- contexts (e.g. iframe
and frame
navigations) and Worker execution
+
The child-src directive governs the creation of nested browsing
+ contexts (e.g. iframe
and frame
navigations) and Worker execution
contexts. The syntax for the directive’s name and value is described by the
following ABNF:
directive-name = "child-src" @@ -2876,11 +2877,11 @@
- -
destination is "
+document
", and whose target browsing context is a nested browsing - context (e.g. requests which will populate aniframe
orframe
element)destination is "
document
", and whose target browsing context is a nested browsing + context (e.g. requests which will populate aniframe
orframe
element)destination is either "
serviceworker
", - "sharedworker
", or "worker
" (which are fed to the run a worker algorithm forServiceWorker
,SharedWorker
, andWorker
, + "sharedworker
", or "worker
" (which are fed to the run a worker algorithm forServiceWorker
,SharedWorker
, andWorker
, respectively).@@ -2931,7 +2932,7 @@serialized-source-list
This directive controls requests which transmit or receive data from - other origins. This includes APIs like
fetch()
, [XHR], [EVENTSOURCE], [BEACON], anda
'sping
. This directive also controls + other origins. This includes APIs likefetch()
, [XHR], [EVENTSOURCE], [BEACON], anda
'sping
. This directive also controls WebSocket [WEBSOCKETS] connections, though those aren’t technically part of Fetch.@@ -3147,7 +3148,7 @@-Allowed".
6.1.5.
-frame-src
The frame-src directive restricts the URLs which may be loaded into nested browsing contexts. The syntax for the directive’s name and value +
The frame-src directive restricts the URLs which may be loaded into nested browsing contexts. The syntax for the directive’s name and value is described by the following ABNF:
directive-name = "frame-src" directive-value = serialized-source-list @@ -3169,7 +3170,7 @@
Assert: policy is unused.
- If request’s type is "
document
" and target browsing context is a nested browsing +If request’s type is "
document
" and target browsing context is a nested browsing context:If plugin content is loaded without an associated URL (perhaps an
object
element lacks adata
attribute, but loads some default plugin based +If plugin content is loaded without an associated URL (perhaps an
object
element lacks adata
attribute, but loads some default plugin based on the specifiedtype
), it MUST be blocked ifobject-src
's value is'none'
, but will otherwise be allowed.Note: The
object-src
directive acts upon any request made on behalf of - anobject
,embed
, orapplet
element. This includes requests - which would populate the nested browsing context generated by the + anobject
,embed
, orapplet
element. This includes requests + which would populate the nested browsing context generated by the former two (also including navigations). This is true even when the data is semantically equivalent to content which would otherwise be restricted by - another directive, such as anobject
element with atext/html
MIME + another directive, such as anobject
element with atext/html
MIME type.6.1.9.1.
object-src
Pre-request checkThis directive’s pre-request check is as follows:
@@ -3408,7 +3409,7 @@6.1.10.
script-src
The script-src directive restricts the locations from which scripts - may be executed. This includes not only URLs loaded directly into
script
elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s + may be executed. This includes not only URLs loaded directly intoscript
elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s name and value is described by the following ABNF:directive-name = "script-src" directive-value = serialized-source-list @@ -3421,7 +3422,7 @@Script responses MUST pass through §4.1.4 Should response to request be blocked by Content Security Policy?.
- Inline
script
blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. Their +Inline
script
blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. Their behavior will be blocked unless every policy allows inline script, either implicitly by not specifying ascript-src
(ordefault-src
) directive, or explicitly, by whitelisting "unsafe-inline
", a nonce-source or a hash-source that matches @@ -3469,8 +3470,8 @@
If this directive’s value does not - contain a source expression whose hash-algorithm is a case-sensitive match - for source’s
@@ -3483,7 +3484,7 @@hash-algo
component, and whose base64-value is a case-sensitive match + contain a source expression whose hash-algorithm is a case-sensitive match + for source’shash-algo
component, and whose base64-value is a case-sensitive match for source’sbase64-value
, then set bypass due to integrity match tofalse
.[SRI] to block non-matching resources upon response.
If this directive’s value contains a source - expression that is an ASCII case-insensitive match for + expression that is an ASCII case-insensitive match for the "
'strict-dynamic'
" keyword-source:
- @@ -3530,9 +3531,8 @@
If type is "
script attribute
":
- -
If list contains a source expression which is an ASCII - case-insensitive match for the keyword-source "
+'strict-dynamic'
", and does not contain a source expression which is an ASCII case-insensitive - match for the keyword-source "'unsafe-hashed-attributes'
", return "Blocked
".If list contains a source expression which is an ASCII + case-insensitive match for the keyword-source "
'strict-dynamic'
", and does not contain a source expression which is an ASCII case-insensitive match for the keyword-source "'unsafe-hashed-attributes'
", return "Blocked
".If the result of executing §6.6.2.1 Does element match source list for type and source? on element, this directive’s value, type, and source, is "
@@ -3541,8 +3541,8 @@Does Not Match
", return "Blocked
".If type is "
script
":
- -
If list contains a source expression which is an ASCII - case-insensitive match for the keyword-source "
+'strict-dynamic'
", return "Blocked
".If list contains a source expression which is an ASCII + case-insensitive match for the keyword-source "
'strict-dynamic'
", return "Blocked
".Note: "
'strict-dynamic'
" is explained in more detail in §8.2 Usage of "'strict-dynamic'".- @@ -3566,7 +3566,7 @@
- -
Stylesheet requests originating from a
+link
element.Stylesheet requests originating from a
link
element.Stylesheet requests originating from the
@import
rule.- @@ -3577,7 +3577,7 @@
Responses to style requests MUST pass through §4.1.4 Should response to request be blocked by Content Security Policy?.
- -
Inline
style
blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. The +Inline
style
blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. The styles will be blocked unless every policy allows inline style, either implicitly by not specifying astyle-src
(ordefault-src
) directive, or explicitly, by whitelisting "unsafe-inline
", a nonce-source or a hash-source that matches @@ -3658,7 +3658,7 @@
6.1.12.
worker-src
The worker-src directive restricts the URLs which may be loaded as - a
Worker
,SharedWorker
, orServiceWorker
. The syntax for the + aWorker
,SharedWorker
, orServiceWorker
. The syntax for the directive’s name and value is described by the following ABNF:directive-name = "worker-src" directive-value = serialized-source-list @@ -3715,18 +3715,18 @@-
6.2.1.
base-uri
The base-uri directive restricts the
URL
s which can be used in - aDocument
'sbase
element. The syntax for the directive’s name and + aDocument
'sbase
element. The syntax for the directive’s name and value is described by the following ABNF:directive-name = "base-uri" directive-value = serialized-source-list-The following algorithm is called during HTML’s set the frozen base url algorithm in order to monitor and enforce this directive:
+The following algorithm is called during HTML’s set the frozen base url algorithm in order to monitor and enforce this directive:
6.2.1.1. Is base allowed for document?
Given a
+ returns "URL
(base), and aDocument
(document), this algorithm - returns "Allowed
" if base may be used as the value of abase
element’shref
attribute, and "Blocked
" otherwise:Allowed
" if base may be used as the value of abase
element’shref
attribute, and "Blocked
" otherwise:
- -
For each policy in document’s global object’s csp list:
+For each policy in document’s global object’s csp list:
Let source list be
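Review bot: Inconsistent capitalisation in the added base-uri step "For each policy in document's global object's csp list": it should be "CSP list", the term used in §4.2.1, §4.2.2 and the other algorithms in this diff.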
@@ -3737,11 +3737,11 @@null
.
If source list is
null
, skip to the next policy.- -
If the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on base, source list, document’s relevant settings +
If the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on base, source list, document’s relevant settings object’s origin, and
0
is "Does Not Match
":
- -
Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global +
Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global object, policy, and "
base-uri
".Set violation’s resource to "
@@ -3766,10 +3766,10 @@inline
".media-type = type "/" subtype ; type and subtype are defined in RFC 2045
If a
+plugin-types
directive is present, instantiation of anembed
orobject
element will fail if any of the following conditions hold:If a
plugin-types
directive is present, instantiation of anembed
orobject
element will fail if any of the following conditions hold:
- -
The element does not explicitly declare a valid MIME type via a
+type
attribute.The element does not explicitly declare a valid MIME type via a
type
attribute.The declared type does not match one of the items in the directive’s value.
@@ -3812,7 +3812,7 @@
Let type be the result of extracting a MIME type from response’s header list.
- -
If type is not an ASCII case-insensitive match for any item +
If type is not an ASCII case-insensitive match for any item in this directive’s value, return "
Blocked
".- @@ -3826,13 +3826,13 @@
- -
For each policy in plugin element’s node document’s CSP list:
+For each policy in plugin element’s node document’s CSP list:
@@ -3853,16 +3853,16 @@
If policy contains a directive (directive) whose name is
plugin-types
:
- -
Let type be "
application/x-java-applet
" if plugin element is anapplet
element, or plugin element’stype
attribute’s +Let type be "
application/x-java-applet
" if plugin element is anapplet
element, or plugin element’stype
attribute’s value if present, or "null
" otherwise.Return "
@@ -3840,9 +3840,9 @@Blocked
" if any of the following are true:
type is
null
.- -
type is not a valid MIME type.
+type is not a valid MIME type.
- -
type is not an ASCII case-insensitive match for any +
type is not an ASCII case-insensitive match for any item in directive’s value.
6.2.3.
sandbox
The sandbox directive specifies an HTML sandbox policy which the user agent will apply to a resource, just as though it had been included in - an
+ aniframe
with asandbox
property.iframe
with asandbox
property.The directive’s syntax is described by the following ABNF grammar, with the additional requirement that each token value MUST be one of the - keywords defined by HTML specification as allowed values for the
+ keywords defined by HTML specification as allowed values for theiframe
sandbox
attribute [HTML].iframe
sandbox
attribute [HTML].directive-name = "sandbox" directive-value = "" / token *( RWS token )This directive has no reporting requirements; it will be ignored entirely when delivered in a
+ aContent-Security-Policy-Report-Only
header, or within - ameta
element.meta
element.6.2.3.1.
sandbox
Response CheckThis directive’s response check algorithm is as follows:
@@ -3878,10 +3878,10 @@serviceworker", "
sharedworker
", or "worker
":
- -
If the result of the Parse a sandboxing directive algorithm +
If the result of the Parse a sandboxing directive algorithm using this directive’s value as the input - contains either the sandboxed scripts browsing context flag or - the sandboxed origin browsing context flag flags, return + contains either the sandboxed scripts browsing context flag or + the sandboxed origin browsing context flag flags, return "
Blocked
".Note: This will need to change if we allow Workers to be sandboxed into unique origins, which seems like a pretty reasonable thing to do.
@@ -3891,9 +3891,9 @@
6.2.3.2.
sandbox
InitializationThis directive’s initialization algorithm is - responsible for adjusting a
-Document
's forced sandboxing flag set according to thesandbox
values present in its policies, as + responsible for adjusting aDocument
's forced sandboxing flag set according to thesandbox
values present in its policies, as follows:Given a
+Document
or global object (context), a response (response), and a policy (policy):Given a
Document
or global object (context), a response (response), and a policy (policy):
Assert: response is unused.
@@ -3902,19 +3902,19 @@Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do.
- -
Parse a sandboxing directive using this directive’s value as the input, and context’s forced +
Parse a sandboxing directive using this directive’s value as the input, and context’s forced sandboxing flag set as the output.
6.2.4.
disown-opener
The
disown-opener
directive ensures that a resource - will disown its opener when navigated to. The directive’s syntax is + will disown its opener when navigated to. The directive’s syntax is described by the following ABNF grammar:directive-name = "disown-opener" directive-value = ""This directive has no reporting requirements; it will be ignored entirely when delivered in a
+ aContent-Security-Policy-Report-Only
header, or within - ameta
element.meta
element.Not sure this is the right model. We need to ensure that we take care of the inverse as well, and there might be a cleverer syntax that could encompass both a @@ -3923,15 +3923,15 @@
6.2.4.1. disown-opener
InitializationThis directive’s initialization algorithm is as follows:
-Given a
+Document
or global object (context), a response (response), and a policy (policy):Given a
Document
or global object (context), a response (response), and a policy (policy):-
Assert: response and policy are unused.
- -
If context’s responsible browsing context has an opener browsing - context, disown its opener.
+If context’s responsible browsing context has an opener browsing + context, disown its opener.
What should this do in an
+iframe
? Anything?What should this do in an
iframe
? Anything?6.3. Navigation Directives
6.3.1.
form-action
The form-action directive restricts the
URL
s which can be used @@ -3942,7 +3942,7 @@
6.3.1.1.
form-action
Pre-Navigation CheckGiven a request (request), a string (type, "
form-submission
or - "other
") and two browsing contexts (source and target), this + "other
") and two browsing contexts (source and target), this algorithm returns "Blocked
" if one or more of the ancestors of target violate theframe-ancestors
directive delivered with the response, and "Allowed
" otherwise. This constitutes theform-action
' directive’s pre-navigation check:The frame-ancestors directive restricts the
URL
s which can - embed the resource usingframe
,iframe
,object
,embed
, orapplet
element. Resources can use this directive to avoid many UI + embed the resource usingframe
,iframe
,object
,embed
, orapplet
element. Resources can use this directive to avoid many UI Redressing [UISECURITY] attacks, by avoiding the risk of being embedded into potentially hostile contexts.The directive’s syntax is described by the following ABNF grammar:
@@ -3971,12 +3971,12 @@
ancestor-source = scheme-source / host-source / "'self'"The
+ declared via aframe-ancestors
directive MUST be ignored when contained in a policy - declared via ameta
element.meta
element.Note: The
frame-ancestors
directive’s syntax is similar to a source list, butframe-ancestors
will not fall back to thedefault-src
directive’s value if one is specified. That is, a policy that declaresdefault-src 'none'
will still allow the resource to be embedded by anyone.6.3.2.1.
frame-ancestors
Navigation Response CheckGiven a request (request), a response (navigation response) - and two browsing contexts (source and target), this algorithm + and two browsing contexts (source and target), this algorithm returns "
@@ -3986,16 +3986,16 @@Blocked
" if one or more of the ancestors of target violate theframe-ancestors
directive delivered with the response, and "Allowed
" otherwise. This constitutes theframe-ancestors
' directive’s navigation response check:-
If target is not a nested browsing context, return "
+Allowed
".If target is not a nested browsing context, return "
Allowed
".Let current be target.
- While current has a parent browsing context (parent):
+While current has a parent browsing context (parent):
Set current to parent.
- -
Let origin be the result of executing the URL parser on the unicode serialization of parent’s active document’s origin.
+Let origin be the result of executing the URL parser on the unicode serialization of parent’s active document’s origin.
If §6.6.1.5 Does url match source list in origin with redirect count? returns
Does Not Match
when executed upon origin, this directive’s value, navigation response’s url’sorigin
, and0
, return @@ -4085,7 +4085,7 @@
If expression matches the
+ and nonce is a case-sensitive match for expression’snonce-source
grammar, - and nonce is a case-sensitive match for expression’sbase64-value
part, return "Matches
".base64-value
part, return "Matches
".Return "
@@ -4101,7 +4101,7 @@Does Not Match
".Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable.
6.6.1.5. Does url match source list in origin with redirect count?
-Given a
URL
(url), a source list (source list), an origin (origin), and a number (redirect count), this +Given a
URL
(url), a source list (source list), an origin (origin), and a number (redirect count), this algorithm returns "Matches
" if the URL matches one or more source expressions in source list, or "Does Not Match
" otherwise:@@ -4110,8 +4110,8 @@
If source list is an empty list, return "
Does Not Match
".- -
If source list contains a single item which is an ASCII - case-insensitive match for the string "
+'none'
", return "Does Not Match
".If source list contains a single item which is an ASCII + case-insensitive match for the string "
'none'
", return "Does Not Match
".Note: An empty source list (that is, a directive without a value:
@@ -4127,34 +4127,41 @@script-src
, as opposed toscript-src host1
) is equivalent to a source list containing'none'
, and will not match any URL.Does Not Match".
6.6.1.6. Does url match expression in origin with redirect count?
-Given a
URL
(url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm +Given a
-URL
(url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm returns "Matches
" if url matches expression, and "Does Not Match
" otherwise.Note: origin is the origin of the resource relative to which the expression should be resolved. "
'self'
", for instance, will have distinct +Note: origin is the origin of the resource relative to which the expression should be resolved. "
'self'
", for instance, will have distinct meaning depending on that bit of context.@@ -4249,7 +4256,7 @@
- -
If expression is the string "*", and url’s
-scheme
is a network scheme, return "Matches
".Note: This logic means that in order to allow resource from non-network scheme, - it has to be explicitly whitelisted:
+default-src * data: custom-scheme-1: custom-scheme-2:
. - In other words, there is no semantic representation of most permissive expression.If expression is the string "*", return "
+Matches
" if one or more of + the following conditions is met:+
+- +
url’s
+scheme
is a network scheme.- + +
Note: This logic means that in order to allow resource from a non-network scheme, + it has to be either explicitly whitelisted:
default-src * data: custom-scheme-1: custom-scheme-2:
, + or the protected resource must be loaded from the same scheme.If expression matches the
scheme-source
orhost-source
grammar:
- -
If expression has a
scheme-part
that is not an ASCII case-insensitive match for url’sscheme
, then +If expression has a
scheme-part
that is not an ASCII case-insensitive match for url’sscheme
, then return "Does Not Match
" unless one of the following conditions is met:
- -
expression’s
+scheme-part
is an ASCII - case-insensitive match for "http
" and url’sscheme
is "https
"expression’s
scheme-part
is an ASCII + case-insensitive match for "http
" and url’sscheme
is "https
"- -
expression’s
+scheme-part
is an ASCII - case-insensitive match for "ws
" and url’sscheme
is "wss
", "http
" or "https
"expression’s
scheme-part
is an ASCII + case-insensitive match for "ws
" and url’sscheme
is "wss
", "http
" or "https
"- -
expression’s
+scheme-part
is an ASCII - case-insensitive match for "wss
" and url’sscheme
is "https
"expression’s
scheme-part
is an ASCII + case-insensitive match for "wss
" and url’sscheme
is "https
"If expression matches the
scheme-source
grammar, @@ -4190,11 +4197,11 @@*" from expression.
If remaining (including the leading U+002E FULL STOP character - (
.
)) is not an ASCII case-insensitive match for the + (.
)) is not an ASCII case-insensitive match for the rightmost characters of url’shost
, then return "Does Not Match
".- -
If the first character of expression’s
+host-part
is not an U+002A ASTERISK character (*
), and url’shost
is not an ASCII case-insensitive match for expression’shost-part
, return "Does Not Match
".If the first character of expression’s
host-part
is not an U+002A ASTERISK character (*
), and url’shost
is not an ASCII case-insensitive match for expression’shost-part
, return "Does Not Match
".If expression’s
@@ -4223,7 +4230,7 @@host-part
matches the IPv4address rule from [RFC3986], and is not "127.0.0.1
"; or if expression’shost-part
is an IPv6 address, return "Does Not Match
".
path-part
is the U+002F SOLIDUS character (/
), andtrue
otherwise.- -
Let path list be the result of strictly splitting expression’s
path-part
on the U+002F SOLIDUS +Let path list be the result of strictly splitting expression’s
path-part
on the U+002F SOLIDUS character (/
).If path list has more items than url’s
path
, return @@ -4241,7 +4248,7 @@
Percent decode url piece.
- -
If expression piece is not a case-sensitive match +
If expression piece is not a case-sensitive match for url piece, return "
Does Not Match
".Matches".
- If expression is an ASCII case-insensitive match for "
'self'
", +If expression is an ASCII case-insensitive match for "
'self'
", return "Matches
" if one or more of the following conditions is met:
- @@ -4300,7 +4307,7 @@
unknown", return
object-src
.If the request’s destination is - "
document
" and the request’s target browsing context is a nested browsing + "document
" and the request’s target browsing context is a nested browsing context, returnframe-src
.@@ -4376,13 +4383,13 @@ Does Not Match".
- -
Assert: source contains the value of a
+script
element’stext
IDL attribute, the value of astyle
element’stextContent
IDL attribute, or the value of one of ascript
element’s event handler IDL attribute.Assert: source contains the value of a
script
element’stext
IDL attribute, the value of astyle
element’stextContent
IDL attribute, or the value of one of ascript
element’s event handler IDL attribute.Note: This means that source will be interpreted with the encoding of the page in which it is embedded. See the integration points in §4.2 Integration with HTML for more detail.
- -
If type element has an attribute whose name is an ASCII - case-insensitive match for the string "
<script
", or the string +If type element has an attribute whose name is an ASCII + case-insensitive match for the string "
<script
", or the string "<style
", then return "Does Not Match
".Let contains nonce or hash and hashes match attributes be
@@ -4392,11 +4399,12 @@false
.
If expression matches the
nonce-source
orhash-source
grammar, set contains nonce or hash totrue
.- -
If expression is an ASCII case-insensitive match for the
keyword-source
"'unsafe-hashed-attributes'
", set hashes match +If expression is an ASCII case-insensitive match for the
keyword-source
"'unsafe-hashed-attributes'
", set hashes match attributes totrue
.- If contains nonce or hash is
+false
, and list contains a source expression which is an ASCII case-insensitive match for the string "'unsafe-inline'", then return "Matches
".If contains nonce or hash is
false
, and list contains a source expression which is an ASCII case-insensitive match + for the string "'unsafe-inline'", then return "Matches
".Note: This logic means that if list contains both "'unsafe-inline'" and either
@@ -4408,10 +4416,10 @@nonce-source
orhash-source
, "'unsafe-inline'" will have no effect.
If expression matches the
+ and element has anonce-source
grammar, - and element has anonce
attribute whose value is a case-sensitive match for expression’sbase64-value
part, return "Matches
".nonce
attribute whose value is a case-sensitive match for expression’sbase64-value
part, return "Matches
". -Note: Nonces only apply to inline
script
and inlinestyle
, not to +Note: Nonces only apply to inline
script
and inlinestyle
, not to attributes of either element.If type is "
@@ -4425,11 +4433,11 @@script
" or "style
", or hashes match attributes istrue
:
Let algorithm be
null
.- If expression’s
+hash-algorithm
part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.If expression’s
hash-algorithm
part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.- If expression’s
+hash-algorithm
part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.If expression’s
hash-algorithm
part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.- If expression’s
+hash-algorithm
part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.If expression’s
hash-algorithm
part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.If algorithm is not
null
:@@ -4437,13 +4445,13 @@
-base64 encoding the result of applying algorithm to source.
- -
If actual is a case-sensitive match for expression’s
base64-value
part, return +If actual is a case-sensitive match for expression’s
base64-value
part, return "Matches
".Note: Hashes apply to inline
script
and inlinestyle
. If the +Note: Hashes apply to inline
script
and inlinestyle
. If the "'unsafe-hashed-attributes'
" source expression is present, they will also apply to event handlers and style attributes.@@ -4537,7 +4545,7 @@ hash-source and nonce-source expressions will be honored.
- Script requests which are triggered by non-parser-inserted
+script
elements are allowed.Script requests which are triggered by non-parser-inserted
script
elements are allowed.The first change allows you to deploy "
@@ -4562,8 +4570,8 @@'strict-dynamic'
in a backwards compatible way, without requiring user-agent sniffing: the policy'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'
will act like'unsafe-inline' https:
in browsers that support CSP1,https: 'nonce-abcdefg'
in browsers that support CSP2, and'nonce-abcdefg' 'strict-dynamic'
in browsers that support CSP3.</scr' + 'ipt>'); -
-
dependency.js
will load, as thescript
element created bycreateElement()
is not parser-inserted.+
sadness.js
will not load, however, asdocument.write()
producesscript
elements which are parser-inserted.+
dependency.js
will load, as thescript
element created bycreateElement()
is not parser-inserted.
sadness.js
will not load, however, asdocument.write()
producesscript
elements which are parser-inserted.8.3. Usage of "
'unsafe-hashed-attributes'
"This section is not normative.
@@ -4574,14 +4582,14 @@The "
'unsafe-hashed-attributes'
" source expression aims to make CSP deployment simpler and safer in these situations by allowing developers to whitelist specific handlers via hashes. -- MegaCorp, Inc. can’t quite get rid of the following HTML on anything +- - - - - - - - - - - diff --git a/index.src.html b/index.src.html index 623a61cae5..017b97873e 100644 --- a/index.src.html +++ b/index.src.html @@ -20,12 +20,19 @@+ MegaCorp, Inc. can’t quite get rid of the following HTML on anything resembling a reasonable schedule:<button id="action" onclick="doSubmit()">Rather than whitelisting "
-'unsafe-inline'
", they decide to use "'unsafe-hashed-attributes'
" along with a hash source expression, as follows:Content-Security-Policy: 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY=' +Content-Security-Policy: script-src 'unsafe-hashed-attributes' 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='8.4. Whitelisting external JavaScript with hashes
@@ -4589,22 +4597,22 @@[CSP2], hash source expressions could only whitelist inlined script, but now that Subresource Integrity is widely deployed, we can expand the scope to enable externalized JavaScript as well. -
If multiple sets of integrity metadata are specified for a
+script
, the - request will match a policy’s hash-sources if and only if each item in ascript
's integrity metadata matches the policy.If multiple sets of integrity metadata are specified for a
script
, the + request will match a policy’s hash-sources if and only if each item in ascript
's integrity metadata matches the policy.MegaCorp, Inc. wishes to whitelist two specific scripts on a page in a way that ensures that the content matches their expectations. They do so by setting the following policy:- +Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'-In the presence of that policy, the following
script
elements would be +In the presence of that policy, the following
script
elements would be whitelisted because they contain only integrity metadata that matches the policy:<script integrity="sha256-abc123" ...></script> <script integrity="sha512-321cba" ...></script> <script integrity="sha256-abc123 sha512-321cba" ...></script>-While the following
script
elements would not be whitelisted because they +While the following
script
elements would not be whitelisted because they contain metadata that does not match the policy (even though other metadata does match):<script integrity="sha384-xyz789" ...></script> @@ -4702,7 +4710,7 @@
This document (see §6.2.3 sandbox)
- + This document (see §6.1.10 script-src)
@@ -4795,20 +4803,8 @@ ancestor-source-list, in §6.3.2
base64-value, in §2.2.1 base-uri, in §6.2.1 - - blockedURI - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
child-src, in §6.1.1 column number, in §2.3 - - columnNumber - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
connect-src, in §6.1.2 Content-Security-Policy, in §3.1 Content Security Policy, in §1 @@ -4821,24 +4817,12 @@ directive-value, in §2.2
disown-opener, in §6.2.4 disposition, in §2.1 - - documentURI - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
effective directive -
- dfn for violation, in §2.3
- dfn for request, in §6.6.1.7
- effectiveDirective - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
embedding document, in §4.2 enforced, in §4.2 EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm), in §4.3 @@ -4858,12 +4842,6 @@ inline check, in §2.2
keyword-source, in §2.2.1 line number, in §2.3 - - lineNumber - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
manifest-src, in §6.1.7 media-src, in §6.1.8 media-type, in §6.2.2 @@ -4874,12 +4852,6 @@ nonce-source, in §2.2.1
'none', in §2.2.1 object-src, in §6.1.9 - - originalPolicy - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
parse a serialized CSP, in §2.1 path-part, in §2.2.1 plugin-types, in §6.2.2 @@ -4894,13 +4866,7 @@ post-request check, in §2.2
pre-navigation check, in §2.2 pre-request check, in §2.2 - - referrer - -
+- dfn for violation, in §2.3 -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
referrer, in §2.3 report-to, in §6.4.2 report-uri, in §6.4.1 resource, in §2.3 @@ -4910,9 +4876,6 @@ scheme-source, in §2.2.1
script-src, in §6.1.10 SecurityPolicyViolationEvent, in §5.1 - SecurityPolicyViolationEventInit, in §5.1 - SecurityPolicyViolationEvent(type), in §5.1 - SecurityPolicyViolationEvent(type, eventInitDict), in §5.1 'self', in §2.2.1 serialized CSP, in §2.1 serialized directive, in §2.2 @@ -4924,20 +4887,8 @@ source-expression, in §2.2.1
source expression, in §2.2.1 source file, in §2.3 - - sourceFile - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
source lists, in §2.2.1 status, in §2.3 - - statusCode - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
'strict-dynamic', in §2.2.1 style-src, in §6.1.11 'unsafe-eval', in §2.2.1 @@ -4945,12 +4896,6 @@ 'unsafe-inline', in §2.2.1
url, in §2.3 value, in §2.2 - - violatedDirective - -
- attribute for SecurityPolicyViolationEvent, in §5.1 -
- dict-member for SecurityPolicyViolationEventInit, in §5.1 -
violation, in §2.3 violation report, in §5 worker-src, in §6.1.12 @@ -5010,67 +4955,15 @@ [HTML] defines the following terms:
-
- content-security-policy http-equiv processing instructions -
- initialising a new document object -
- nonce -
- ping -
- process a navigate fetch -
- process a navigate response -
- realm's global object -
- run a worker -
- the worker's documents -
- update a style block +
- content security policy state
- [HTML5] defines the following terms: + [html52] defines the following terms: -
- Window -
- a -
- active document -
- an iframe srcdoc document -
- applet -
- ascii case-insensitive match -
- base -
- browsing context -
- case-sensitive -
- collect a sequence of characters -
- content -
- csp list -
- current settings object -
- disown its opener -
- embed -
- event handler idl attributes -
- forced sandboxing flag set -
- frame -
- global object -
- http-equiv -
- iframe -
- link -
- meta -
- nested browsing context -
- nested through -
- object -
- opener browsing context -
- parent browsing context -
- parse a sandboxing directive -
- parser-inserted -
- prepare a script -
- referrer -
- relevant global object -
- relevant settings object -
- responsible browsing context -
- sandboxed origin browsing context flag -
- sandboxed scripts browsing context flag -
- script -
- set the frozen base url -
- space characters -
- split a string on commas -
- split a string on spaces -
- strictly split a string -
- strip leading and trailing whitespace -
- style -
- unicode serialization -
- valid mime type +
- csp list +
- global object +
- nested browsing context +
- parser-inserted
[REPORTING] defines the following terms: @@ -5104,11 +4997,6 @@ digit
vchar - - [rfc6454] defines the following terms: - -
- origin -
[rfc7230] defines the following terms: @@ -5152,9 +5040,22 @@
url serializer
- [workers] defines the following terms: + [CSP1] defines the following terms: [css-cascade-4] defines the following terms: @@ -5168,7 +5069,6 @@ Element
Event EventInit - ascii case-insensitive fire an event node document textContent @@ -5177,20 +5077,76 @@ [HTML] defines the following terms:
- SharedWorker +
- Window +
- Worker
- WorkerGlobalScope +
- a +
- active document +
- an iframe srcdoc document +
- applet +
- ascii case-insensitive +
- base +
- browsing context +
- case-sensitive +
- collect a sequence of characters +
- content +
- current settings object
- data +
- disown its opener
- document +
- embed +
- event handler idl attribute +
- forced sandboxing flag set +
- frame +
- global object
- href +
- http-equiv +
- iframe +
- initialising a new document object +
- link +
- meta +
- nested through +
- nonce +
- object +
- opener browsing context +
- parent browsing context +
- parse a sandboxing directive +
- ping +
- prepare a script +
- process a navigate fetch +
- process a navigate response +
- referrer +
- relevant global object +
- relevant settings object +
- responsible browsing context +
- run a worker
- sandbox +
- sandboxed origin browsing context flag +
- sandboxed scripts browsing context flag +
- script +
- set the frozen base url
- setInterval()
- setTimeout() +
- space characters +
- split a string on commas +
- split a string on spaces +
- strictly split a string +
- strip leading and trailing whitespace +
- style
- text +
- the realm's global object +
- the worker's documents
- type +
- unicode serialisation of an origin +
- update a style block +
- valid mime type
References
Normative References
+
- [CSP1] +
- Brandon Sterne; Adam Barth. Content Security Policy 1.0. 19 February 2015. NOTE. URL: http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html
- [CSS-CASCADE-4]
- Elika Etemad; Tab Atkins Jr.. CSS Cascading and Inheritance Level 4. 14 January 2016. CR. URL: http://dev.w3.org/csswg/css-cascade/
- [CSSOM] @@ -5203,6 +5159,8 @@
N
- Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
- [HTML5]
- Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: https://www.w3.org/html/wg/drafts/html/master/ +
- [HTML52] +
- Steve Faulkner; et al. HTML 5.2. 18 August 2016. WD. URL: https://w3c.github.io/html/
- [OOB-REPORTING]
- Ilya Gregorik; Mike West. Out-of-band Reporting. URL: https://mikewest.github.io/error-reporting/
- [RFC2045] @@ -5221,8 +5179,6 @@
N
- D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
- [RFC5988]
- M. Nottingham. Web Linking. October 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5988 -
- [RFC6454] -
- A. Barth. The Web Origin Concept. December 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6454
- [RFC7230]
- R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7230
- [RFC7231] @@ -5239,8 +5195,6 @@
N
- Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
- [WHATWG-URL]
- Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ -
- [WORKERS] -
- Ian Hickson. Web Workers. 24 September 2015. WD. URL: https://html.spec.whatwg.org/multipage/workers.html
Informative References
@@ -5274,31 +5228,31 @@
James Clark. XSL Transformations (XSLT) Version 1.0. 16 November 1999. REC. URL: https://www.w3.org/TR/xslt
IDL Index
-[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] +[Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)] interface SecurityPolicyViolationEvent : Event { - readonly attribute DOMString documentURI; - readonly attribute DOMString referrer; - readonly attribute DOMString blockedURI; - readonly attribute DOMString violatedDirective; - readonly attribute DOMString effectiveDirective; - readonly attribute DOMString originalPolicy; - readonly attribute DOMString sourceFile; - readonly attribute unsigned short statusCode; - readonly attribute long lineNumber; - readonly attribute long columnNumber; + readonly attribute DOMString documentURI; + readonly attribute DOMString referrer; + readonly attribute DOMString blockedURI; + readonly attribute DOMString violatedDirective; + readonly attribute DOMString effectiveDirective; + readonly attribute DOMString originalPolicy; + readonly attribute DOMString sourceFile; + readonly attribute unsigned short statusCode; + readonly attribute long lineNumber; + readonly attribute long columnNumber; }; -dictionary SecurityPolicyViolationEventInit : EventInit { - DOMString documentURI; - DOMString referrer; - DOMString blockedURI; - DOMString violatedDirective; - DOMString effectiveDirective; - DOMString originalPolicy; - DOMString sourceFile; - unsigned short statusCode; - long lineNumber; - long columnNumber; +dictionary SecurityPolicyViolationEventInit : EventInit { + DOMString documentURI; + DOMString referrer; + DOMString blockedURI; + DOMString violatedDirective; + DOMString effectiveDirective; + DOMString originalPolicy; + DOMString sourceFile; + unsigned short statusCode; + long lineNumber; + long columnNumber; };@@ -5325,7 +5279,7 @@↵
Content Security Policy Level 3
spec:dom; type:interface; text:Document +spec:html + type: dfn + text: ascii case-insensitive + text: case-sensitive + type: element + text: a + text: link + text: script + text: style
spec: RFC6454; urlPrefix: https://tools.ietf.org/html/rfc6454 type: dfn - text: globally unique identifier; url: section-2.3 - text: origin; url: section-3.2 text: the same; url: section-5 spec: ECMA262; urlPrefix: https://tc39.github.io/ecma262 type: dfn @@ -35,86 +42,16 @@Content Security Policy Level 3
text: eval(); url: sec-eval-x text: Function(); url: sec-function-objects text: JSON.stringify(); url: sec-json.stringify -spec: HTML5; urlPrefix: https://www.w3.org/TR/html5/ +spec: HTML52; urlPrefix: https://www.w3.org/TR/html52/ type: dfn - urlPrefix: embedded-content-0.html - text: an iframe srcdoc document urlPrefix: browsers.html - text: active document - text: ancestor browsing context - text: browsing context - text: create a document object - text: disown its opener - text: opener browsing context text: nested browsing context - text: parent browsing context - text: nested through; url: browsing-context-nested-through - text: forced sandboxing flag set - text: parse a sandboxing directive - text: sandboxed scripts browsing context flag - text: sandboxed origin browsing context flag - text: unicode serialization; url: unicode-serialization-of-an-origin urlPrefix: dom.html text: CSP list; for: document; url: concept-document-csp-list urlPrefix: webappapis.html - text: environment settings object; url: settings-object - text: global object - text: relevant global object text: global object; for: settings object; url: concept-settings-object-global - text: incumbent settings object - text: current settings object - text: relevant settings object; url: relevant-settings-object-for-a-global-object - text: responsible browsing context - text: queue a task - text: event handler IDL attributes - urlPrefix: infrastructure.html - text: valid MIME type - text: case-sensitive; url: case-sensitive - text: ASCII case-insensitive match; url: ascii-case-insensitive - text: reflect - text: strictly split a string - text: strip leading and trailing whitespace - text: collect a sequence of characters - text: space characters - text: split a string on spaces - text: split a string on commas - urlPrefix: document-metadata.html - text: set the frozen base url urlPrefix: scripting-1.html text: parser-inserted - text: prepare a script - type: element - urlPrefix: 
document-metadata.html - text: base; url: the-base-element - text: head; url: the-head-element - text: link; url: the-link-element - text: meta; url: the-meta-element - text: style; url: the-style-element - urlPrefix: embedded-content-0.html - text: embed; url: the-embed-element - text: object; url: the-object-element - text: iframe; url: the-iframe-element - urlPrefix: scripting-1.html - text: script; url: the-script-element - urlPrefix: text-level-semantics.html - text: a; url: the-a-element - urlPrefix: obsolete.html - text: applet; url: the-applet-element - text: frame - type: element-attr - urlPrefix: document-metadata.html - text: content; for: meta; url: attr-meta-content - text: http-equiv; for: meta; url: attr-meta-http-equiv - urlPrefix: embedded-content-0.html - text: srcdoc; for: iframe; url: attr-iframe-srcdoc - urlPrefix: scripting-1.html - text: src; for: script; url: attr-script-src - type: interface - urlPrefix: browsers.html - text: Window; url: dom-window - type: attribute - urlPrefix: dom.html - text: referrer; for: Document; url: dom-document-referrer spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/ type: dfn text: fetch; url: concept-fetch @@ -177,9 +114,6 @@Content Security Policy Level 3
spec: SERVICE-WORKERS; urlPrefix: https://www.w3.org/TR/service-workers/ type: interface text: ServiceWorker; url: service-worker-interface -spec: WORKERS; urlPrefix: https://www.w3.org/TR/workers/ - type: interface - text: Worker spec: CSSOM; urlPrefix: https://www.w3.org/TR/cssom/ type: dfn text: insert a css rule @@ -228,23 +162,8 @@Content Security Policy Level 3
spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/ type: dfn - urlPrefix: workers.html - text: run a worker - text: the worker's documents - urlPrefix: browsers.html - text: initialising a new Document object; url: initialise-the-document-object - text: process a navigate response - text: process a navigate fetch - urlPrefix: semantics.html - text: update a style block - text: Content-Security-Policy http-equiv processing instructions; url: attr-meta-http-equiv-content-security-policy - urlPrefix: webappapis.html - text: realm's global object; url: concept-realm-global-object - type: element-attr urlPrefix: semantics.html - text: ping; for: a - urlPrefix: scripting.html - text: nonce; for: script; url: attr-script-nonce + text: Content Security Policy state; url: attr-meta-http-equiv-content-security-policy spec: SHA2; urlPrefix: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf type: dfn @@ -577,7 +496,7 @@Directives
otherwise specified. 5. An initialization, which takes a {{Document}} - or global object, a response, and a policy as + or global object, a response, and a policy as arguments. This algorithm is executed during [[#initialize-document-csp]], and has no effect unless otherwise specified. @@ -669,11 +588,11 @@Source Lists
Violations
A violation represents an action or resource which goes against the - set of policy objects associated with a global object. + set of policy objects associated with a global object. Each violation has a global object, which - is the global object whose policy has been violated. + is the global object whose policy has been violated. Each violation has a url which is its global object's {{URL}}. @@ -718,7 +637,7 @@Create a violation object for |global|, |policy|, and |directive|
- Given a global object (|global|), a policy (|policy|), and a + Given a global object (|global|), a policy (|policy|), and a string (|directive|), the following algorithm creates a new violation object, and populates it with an initial set of data: @@ -864,8 +783,8 @@A {{Document}} may deliver a policy via one or more HTML <{meta}> elements - whose <{meta/http-equiv}> attributes are an ASCII case-insensitive - match for the string "`Content-Security-Policy`". For example: + whose <{meta/http-equiv}> attributes are an ASCII case-insensitive + match for the string "`Content-Security-Policy`". For example:
- Implementation details can be found in HTML's `Content-Security-Policy` - `http-equiv` processing instructions [[!HTML]]. + Implementation details can be found in HTML's Content Security Policy + state `http-equiv` processing instructions [[!HTML]]. Note: The `Content-Security-Policy-Report-Only` header is not supported inside a <{meta}> element. Neither are the `report-uri`, @@ -924,9 +843,9 @@@@ -873,8 +792,8 @@
2. [[#should-block-response]] is called as part of step #13 of its Main Fetch algorithm. - A policy is generally enforced upon a global object, but the + A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object + delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response's details. To that end: @@ -1098,13 +1017,13 @@
ISSUE(w3c/html#187): This concept is missing from W3C's Workers. 2. A policy is enforced or monitored for a - global object by inserting it into the global object's + global object by inserting it into the global object's CSP list. 3. [[#initialize-global-object-csp]] is called during the initialising a new `Document` object and run a worker algorithms in order to bind a set of policy objects associated with a response to a - newly created global object. + newly created global object. 4. [[#should-block-inline]] is called during the prepare a script and update a `style` block algorithms in order to determine whether or @@ -1199,7 +1118,7 @@
Initialize a global object's `CSP list`
- Given a global object (|global|), and a response + Given a global object (|global|), and a response (|response|), the user agent performs the following steps in order to initialize |global|'s CSP list: @@ -1213,7 +1132,7 @@4. For each |document| in |documents|: - 1. For each |policy| in |document|'s global + 1. For each |policy| in |document|'s global object's CSP list: 1. Insert an alias to |policy| in |global|'s @@ -1238,7 +1157,7 @@
1. Let |result| be "`Allowed`". - 2. For each |policy| in |element|'s {{Document}}'s global object's + 2. For each |policy| in |element|'s {{Document}}'s global object's CSP list: 1. For each |directive| in |policy|: @@ -1358,8 +1277,8 @@
if not: 1. Let |globals| be a list containing |callerRealm|'s - global object and |calleeRealm|'s - global object. + global object and |calleeRealm|'s + global object. 2. For each |global| in |globals|: @@ -2452,7 +2371,7 @@
Integrity [[!SRI]] to block non-matching resources upon response. 3. If this directive's value contains a source - expression that is an ASCII case-insensitive match for + expression that is an ASCII case-insensitive match for the "`'strict-dynamic'`" keyword-source: 1. If the |request|'s parser metadata is @@ -2510,10 +2429,10 @@
1. If |type| is "`script attribute`": 1. If |list| contains a source expression which is an ASCII - case-insensitive match for the keyword-source + case-insensitive match for the keyword-source "`'strict-dynamic'`", and does not contain a - source expression which is an ASCII case-insensitive - match for the keyword-source + source expression which is an ASCII case-insensitive + match for the keyword-source "`'unsafe-hashed-attributes'`", return "`Blocked`". 2. If the result of executing [[#match-element-to-source-list]] on @@ -2523,7 +2442,7 @@
2. If |type| is "`script`": 1. If |list| contains a source expression which is an ASCII - case-insensitive match for the keyword-source + case-insensitive match for the keyword-source "`'strict-dynamic'`", return "`Blocked`". Note: "`'strict-dynamic'`" is explained in more detail @@ -2750,7 +2669,7 @@
returns "`Allowed`" if |base| may be used as the value of a <{base}> element's <{base/href}> attribute, and "`Blocked`" otherwise: - 1. For each |policy| in |document|'s global object's + 1. For each |policy| in |document|'s global object's csp list: 1. Let |source list| be `null`. @@ -2767,7 +2686,7 @@
object's origin, and `0` is "`Does Not Match`": 1. Let |violation| be the result of executing - [[#create-violation-for-global]] on |document|'s global + [[#create-violation-for-global]] on |document|'s global object, |policy|, and "`base-uri`". 2. Set |violation|'s resource to "`inline`". @@ -2857,7 +2776,7 @@
1. Let |type| be the result of extracting a MIME type from |response|'s header list. - 2. If |type| is not an ASCII case-insensitive match for any item + 2. If |type| is not an ASCII case-insensitive match for any item in this directive's value, return "`Blocked`". 3. Return "`Allowed`". @@ -2888,7 +2807,7 @@
2. |type| is not a valid MIME type. - 3. |type| is not an ASCII case-insensitive match for any + 3. |type| is not an ASCII case-insensitive match for any item in |directive|'s value. 2. Return "`Allowed`". @@ -2952,7 +2871,7 @@
according to the `sandbox` values present in its policies, as follows: - Given a {{Document}} or global object (|context|), a response + Given a {{Document}} or global object (|context|), a response (|response|), and a policy (|policy|): 1. Assert: |response| is unused. @@ -2995,7 +2914,7 @@
This directive's initialization algorithm is as follows: - Given a {{Document}} or global object (|context|), a response + Given a {{Document}} or global object (|context|), a response (|response|), and a policy (|policy|): 1. Assert: |response| and |policy| are unused. @@ -3095,8 +3014,8 @@
1. Set |current| to |parent|. 2. Let |origin| be the result of executing the URL parser on the - unicode serialization of |parent|'s active document's - origin. + unicode serialization + of |parent|'s active document's origin. 3. If [[#match-url-to-source-list]] returns `Does Not Match` when executed upon |origin|, this directive's @@ -3261,7 +3180,7 @@
2. If |source list| is an empty list, return "`Does Not Match`". 3. If |source list| contains a single item which is an ASCII - case-insensitive match for the string "`'none'`", return "`Does Not + case-insensitive match for the string "`'none'`", return "`Does Not Match`". Note: An empty source list (that is, a directive without a value: `script-src`, @@ -3304,20 +3223,20 @@
`host-source` grammar: 1. If |expression| has a `scheme-part` that is not an - ASCII case-insensitive match for |url|'s {{URL/scheme}}, then + ASCII case-insensitive match for |url|'s {{URL/scheme}}, then return "`Does Not Match`" unless one of the following conditions is met: 1. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`http`" and |url|'s {{URL/scheme}} + case-insensitive match for "`http`" and |url|'s {{URL/scheme}} is "`https`" 2. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`ws`" and |url|'s {{URL/scheme}} + case-insensitive match for "`ws`" and |url|'s {{URL/scheme}} is "`wss`", "`http`" or "`https`" 3. |expression|'s `scheme-part` is an ASCII - case-insensitive match for "`wss`" and |url|'s {{URL/scheme}} + case-insensitive match for "`wss`" and |url|'s {{URL/scheme}} is "`https`" 2. If |expression| matches the `scheme-source` grammar, @@ -3357,13 +3276,13 @@
|expression|. 2. If |remaining| (including the leading U+002E FULL STOP character - (`.`)) is not an ASCII case-insensitive match for the + (`.`)) is not an ASCII case-insensitive match for the rightmost characters of |url|'s {{URL/host}}, then return "`Does Not Match`". 4. If the first character of |expression|'s `host-part` is not an U+002A ASTERISK character (`*`), and |url|'s {{URL/host}} - is not an ASCII case-insensitive match for |expression|'s + is not an ASCII case-insensitive match for |expression|'s `host-part`, return "`Does Not Match`". 5. If |expression|'s `host-part` matches the @@ -3424,7 +3343,7 @@
9. Return "`Matches`". - 4. If |expression| is an ASCII case-insensitive match for "`'self'`", + 4. If |expression| is an ASCII case-insensitive match for "`'self'`", return "`Matches`" if one or more of the following conditions is met: 1. |origin| is the same as |url|'s {{URL/origin}} @@ -3529,7 +3448,7 @@
in [[#html-integration]] for more detail. 2. If |type| |element| has an attribute whose name is an ASCII - case-insensitive match for the string "`
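Review bot: The `@@ -35,86 +42,16 @@` hunk drops most of the HTML5 anchor block (the `an iframe srcdoc document`, `active document`, `disown its opener`, `opener browsing context`, sandboxing-flag and `unicode serialization` dfns, the whole `type: element`, `type: element-attr`, `Window` interface and `Document.referrer` entries) while renaming the remaining block from `HTML5` to `HTML52`, but the commit does not say where the removed terms now resolve. If the intent is to let Bikeshed autolink them from WHATWG HTML, say so, and check that the four terms kept under `HTML52` (`nested browsing context`, `CSP list`, `global object; for: settings object`, `parser-inserted`) do not also exist in WHATWG HTML, otherwise the build will report ambiguous links. Since the `urlPrefix` changes from `https://www.w3.org/TR/html5/` to `https://www.w3.org/TR/html52/`, the explicit fragments that survive (`concept-document-csp-list`, `concept-settings-object-global`) also need to be confirmed against html52.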
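Review bot: The `@@ -177,9 +114,6 @@` hunk removes the `WORKERS` spec entry for the `Worker` interface without replacing it; if `{{Worker}}` is still referenced anywhere in the document, it now has to come from another source (WHATWG HTML's `workers.html` would be the obvious one). The commit message should state that, or the removal should be paired with the matching anchor.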
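Review bot: In the `@@ -228,23 +162,8 @@` hunk, `run a worker`, `update a style block` and `initialising a new Document object` (the latter with an explicit `url: initialise-the-document-object` override) are removed from the WHATWG HTML anchor list, yet the unchanged context of the `@@ -1098,13 +1017,13 @@` hunk still reads "initialising a new `Document` object and run a worker algorithms" and "update a `style` block algorithms". Please confirm these resolve via autolink after the change; the explicit url override suggests the default anchor name did not match the link text at the time it was added. The same hunk also drops `nonce; for: script` and `ping; for: a`, which should be checked the same way.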
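Review bot: The `@@ -873,8 +792,8 @@` hunk changes the sentence to "HTML's Content Security Policy state `http-equiv` processing instructions [[!HTML]]", which reads awkwardly because "Content Security Policy state" is the new anchor text rather than a noun that fits the sentence. Consider "the `Content-Security-Policy` `http-equiv` processing instructions, which HTML defines under the Content Security Policy state [[!HTML]]" so the link text stays intact and the prose still parses.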
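Review bot: In the remaining hunks (`@@ -577`, `@@ -669`, `@@ -718`, `@@ -924`, `@@ -1098`, `@@ -1199`, `@@ -1213`, `@@ -1238`, `@@ -1358`, `@@ -2750`, `@@ -2767`, `@@ -2952`, `@@ -2995`, `@@ -3095`) the `-` and `+` lines are textually identical in this view, so the change must be to the link markup around "global object". Because the `@@ -35` hunk drops the unqualified `text: global object` anchor and keeps only `global object; for: settings object`, an unqualified `global object` link is now either resolved by autolink or ambiguous; please state in the commit message which, and consider adding the `for` qualifier where the settings-object sense is intended. The same applies to the "ASCII case-insensitive match" hunks (`@@ -864`, `@@ -2452`, `@@ -2510`, `@@ -2523`, `@@ -2857`, `@@ -2888`, `@@ -3261`, `@@ -3304`, `@@ -3357`, `@@ -3424`), whose anchor `ASCII case-insensitive match; url: ascii-case-insensitive` was also removed from the HTML5 block.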