From 5064a629f22bef29839ab4dc6f1ceef17f010bc5 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Thu, 3 Sep 2015 09:57:59 +0200
Subject: [PATCH] Fix #88: add the 'Content-Security-Policy' pragma directive

Content Security Policy defines a new value for the <meta> element's
'http-equiv' content attribute[1]. This patch integrates that
definition into HTML.

[1]: https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element
---
 source | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/source b/source
index 972dacf045c..4a6f1af0a5d 100644
--- a/source
+++ b/source
@@ -3459,6 +3459,27 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
 
    </dd>
 
+
+   <dt>Content Security Policy</dt>
+
+   <dd>
+
+    <p>The following terms are defined in <cite>Content Security Policy</cite>: <ref spec="CSP"></p>
+
+    <ul class="brief">
+     <li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#security-policy">Content Security Policy</dfn></li>
+     <li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#directives">Content Security Policy directive</dfn></li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#policy-syntax">Content Security Policy syntax</dfn></li>
+     <li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#enforce">enforce the policy</dfn></li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors"><code data-x="">frame-ancestors</code> directive</dfn></li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#parse-the-policy">parse the policy</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#directive-reflected-xss"><code data-x="">reflected-xss</code> directive</dfn></li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#directive-report-uri"><code data-x="">report-uri</code> directive</dfn></li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox"><code data-x="">sandbox</code> directive</dfn></li>
+    </ul>
+
+   </dd>
+
   </dl>
 
   <p>This specification does not <em>require</em> support of any particular network protocol, style
@@ -14132,6 +14153,10 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p>
      <td><span data-x="attr-meta-http-equiv-x-ua-compatible">X-UA-Compatible</span>
      <td><code data-x="">x-ua-compatible</code>
      <td>
+    <tr>
+     <td><span data-x="attr-meta-http-equiv-content-security-policy">Content security policy</span>
+     <td><code data-x="">Content-Security-Policy</code>
+     <td>
   </table>
 
 <!--
@@ -14523,6 +14548,57 @@ people expect to have work and what is necessary.
 
    </dd>
 
+
+   <dt><dfn data-x="attr-meta-http-equiv-content-security-policy">Content security policy state</dfn> (<code data-x="">http-equiv="content-security-policy"</code>)
+
+   <dd>
+
+    <div w-nodev>
+
+    <p>This pragma <span data-x="enforce the policy">enforces</span> a <span>Content Security
+    Policy</span> on a <code>Document</code>. <ref spec="CSP"></p>
+
+    <ol>
+     <li><p>If the <code>meta</code> element is not a child of a <code>head</code> element,
+     abort these steps.</p></li>
+
+     <li><p>If the <code>meta</code> element has no <code data-x="attr-meta-content">content</code>
+     attribute, or if that attribute's value is the empty string, then abort these steps.</p></li>
+
+     <li><p>Let <var>policy</var> be the result of executing Content Security Policy's <span>parse
+     the policy</span> algorithm on the <code>meta</code> element's
+     <code data-x="attr-meta-content">content</code> attribute's value.</p></li>
+
+     <li><p>Remove all occurrences of the <code
+     data-x="reflected-xss directive">reflected-xss</code>, <code
+     data-x="report-uri directive">report-uri</code>, <code
+     data-x="frame-ancestors directive">frame-ancestors</code>, and <code
+     data-x="sandbox directive">sandbox</code> <span data-x="Content Security Policy
+     directive">directives</span> from <var>policy</var>.</p></li>
+
+     <li><p><span>Enforce the policy</span> <var>policy</var>.</p></li>
+    </ol>
+
+    </div>
+
+    <p>For <code>meta</code> elements with an <code data-x="attr-meta-http-equiv">http-equiv</code>
+    attribute in the <span data-x="attr-meta-http-equiv-content-security-policy">Content security
+    policy state</span>, the <code data-x="attr-meta-content">content</code> attribute must have a
+    value consisting of a <span data-x="Content Security Policy syntax">valid Content Security
+    Policy</span>, which will be <span data-x="enforce the policy">enforced</span> upon the current
+    document. <ref spec="CSP"></p>
+
+    <div class="example">
+
+     <p>A page might choose to mitigate the risk of cross-site scripting attacks by preventing the
+     execution of inline JavaScript, as well as blocking all plugin content, using a policy such
+     as the following:
+
+     <pre>&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none'"></pre>
+
+    </div>
+   </dd>
+
   </dl>
 
   <p>There must not be more than one <code>meta</code> element with any particular state in the