From ceed787d572ed8acfd1755b9b3d2b1dd9605b94d Mon Sep 17 00:00:00 2001 From: ryandel8834 Date: Tue, 2 Aug 2016 14:40:31 +0200 Subject: [PATCH] Add another navigation hook for 'form-action'. The initial pass at whatwg/html#1230 was too simple. Let's complexify it up a little bit, shall we? --- index.html | 305 +++++++++++++++++++++++++++++++++---------------- index.src.html | 142 ++++++++++++++++++----- 2 files changed, 320 insertions(+), 127 deletions(-) diff --git a/index.html b/index.html index cffde8f..ba84751 100644 --- a/index.html +++ b/index.html @@ -1421,7 +1421,7 @@

Content Security Policy Level 3

-

Editor’s Draft,

+

Editor’s Draft,

This version: @@ -1534,7 +1534,9 @@

Table of Contents

  • 4.2.1 Initialize a Document's CSP list
  • 4.2.2 Initialize a global object’s CSP list
  • 4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? -
  • 4.2.4 Should navigation response in context be blocked by Content Security Policy? +
  • 4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy? +
  • 4.2.5 Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?
  • 4.3 Integration with ECMAScript @@ -1641,7 +1643,7 @@

    Table of Contents

  • 6.2.2 plugin-types
      -
    1. 6.2.2.1 plugin-types Response Check +
    2. 6.2.2.1 plugin-types Post-Request Check
    3. 6.2.2.2 Should plugin element be blocked a priori by Content Security Policy?:
    @@ -1659,11 +1661,15 @@

    Table of Contents

  • 6.3 Navigation Directives
      -
    1. 6.3.1 form-action +
    2. + 6.3.1 form-action +
        +
      1. 6.3.1.1 form-action Pre-Navigation Check +
    3. 6.3.2 frame-ancestors
        -
      1. 6.3.2.1 frame-ancestors Navigation Check +
      2. 6.3.2.1 frame-ancestors Navigation Response Check
  • @@ -1934,13 +1940,19 @@

    §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. This algorithm returns "Allowed" unless otherwise specified.

  • -

    An initialization, which takes a Document or global object, a response, and a policy as +

    An initialization, which takes a Document or global object, a response, and a policy as arguments. This algorithm is executed during §4.2.1 Initialize a Document's CSP list, and has no effect unless otherwise specified.

  • -

    A navigation check, which takes a response and a browsing context as arguments, and is executed - during process a navigate response. It returns "Allowed" unless - otherwise specified.

    +

    A pre-navigation check, which takes a request, type string, and two browsing contexts as arguments, and + is executed during §4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy?. It returns + "Allowed" unless otherwise specified.

    +
  • +

    A navigation response check, which takes a request, a response and two browsing contexts as + arguments, and is executed during §4.2.5 Should navigation response to navigation request of type from source + in target be blocked by Content Security Policy?. + It returns "Allowed" unless otherwise specified.

    2.2.1. Source Lists

    Many directives' values consist of source lists: sets @@ -2009,9 +2021,9 @@

    URL matches a source list if the algorithm in §6.1.13.3 Does url match source list? returns Matches.

    2.3. Violations

    A violation represents an action or resource which goes against the - set of policy objects associated with a global object.

    + set of policy objects associated with a global object.

    Each violation has a global object, which - is the global object whose policy has been violated.

    + is the global object whose policy has been violated.

    Each violation has a url which is its global object’s URL.

    Each violation has a status which is a non-negative integer representing the HTTP status code of the resource for @@ -2031,7 +2043,7 @@

    Each violation has a column number, which is a non-negative integer.

    2.3.1. Create a violation object for global, policy, and directive

    -

    Given a global object (global), a policy (policy), and a +

    Given a global object (global), a policy (policy), and a string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:

    1. @@ -2165,9 +2177,9 @@

      is called as part of step #13 of its Main Fetch algorithm.

    -

    A policy is generally enforced upon a global object, but the +

    A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:

    + delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:

    1. A response has an associated CSP list which @@ -2304,12 +2316,12 @@

      §4.2.2 Initialize a global object’s CSP list algorithm.

      This concept is missing from W3C’s Workers. <https://github.com/w3c/html/issues/187>

    2. -

      A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.

      +

      A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.

    3. §4.2.2 Initialize a global object’s CSP list is called during the initialising a new Document object and run a worker algorithms in order to bind a set of policy objects associated with a response to a - newly created global object.

      + newly created global object.

    4. §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during the prepare a script and update a style block algorithms in order to determine whether or not an inline script or style block is allowed to execute/render.

      @@ -2341,8 +2353,11 @@

      This hook is missing from WHATWG’s HTML. <https://github.com/whatwg/html/issues/1618>

      This hook is missing from W3C’s HTML. <https://github.com/w3c/html/issues/547>

    5. -

      §4.2.4 Should navigation response in context be blocked by Content Security Policy? is called during the process a navigate - response algorithm to apply directive’s navigation check.

      +

      §4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy? is called during the process a + navigate fetch algorithm, and §4.2.5 Should navigation response to navigation request of type from source + in target be blocked by Content Security Policy? is called during the process a navigate response algorithm to + apply directive’s navigation checks.

      Upstream this to HTML. <https://github.com/whatwg/html/issues/1230>

      W3C’s HTML is not based on Fetch, and does not have a process a navigate response algorithm into which to hook. <https://github.com/w3c/html/issues/548>

      @@ -2389,7 +2404,7 @@

      4.2.2. Initialize a global object’s CSP list

      -

      Given a global object (global), and a response (response), the user agent performs the following steps in order +

      Given a global object (global), and a response (response), the user agent performs the following steps in order to initialize global’s CSP list:

      1. @@ -2403,7 +2418,7 @@

        -

        For each policy in document’s global +

        For each policy in document’s global object’s CSP list:

        1. @@ -2425,7 +2440,7 @@

          Let result be "Allowed".

        2. -

          For each policy in element’s Document's global object’s CSP list:

          +

          For each policy in element’s Document's global object’s CSP list:

          1. For each directive in policy:

            @@ -2451,31 +2466,68 @@

            Return result.

          -

          4.2.4. Should navigation response in context be blocked by Content Security Policy?

          -

          Given a response navigation response, and a browsing context (context), this algorithm returns "Blocked" if the active policy blocks +

          4.2.4. Should navigation request of type from source in target be blocked + by Content Security Policy?

          +

          Given a request (navigation request), a string (type, either + "form-submission" or "other"), and two browsing contexts (source and target), this algorithm return "Blocked" if the active policy blocks the navigation, and "Allowed" otherwise:

          1. Let result be "Allowed".

          2. -

            For each policy in navigation response’s CSP list:

            +

            For each policy in source’s active document’s CSP list:

            1. For each directive in policy:

              1. -

                If directive’s navigation check returns - "Allowed" when executed upon navigation response and context, - skip to the next directive.

                +

                If directive’s pre-navigation check returns "Allowed" when executed upon navigation request, type, source, and target, skip to the next directive.

              2. -

                Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on null, policy, and directive’s name.

                +

                Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on source’s relevant global + object, policy, and directive’s name.

              3. Set violation’s resource to navigation - response’s URL.

                + request’s URL.

              4. Execute §5.3 Report a violation on violation.

              5. If policy’s disposition is "enforce", then + set result to "Blocked".

                +
              +
            +
          3. +

            Return result.

            +
          +

          4.2.5. Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?

          +

          Given a request (navigation request),, a string (type, either + "form-submission" or "other"), a response navigation + response, and two browsing contexts (source and target), this algorithm + returns "Blocked" if the active policy blocks the navigation, and "Allowed" + otherwise:

          +
            +
          1. +

            Let result be "Allowed".

            +
          2. +

            For each policy in navigation response’s CSP list:

            +
              +
            1. +

              For each directive in policy:

              +
                +
              1. +

                If directive’s navigation response check returns "Allowed" when executed upon navigation request, type, navigation response, source, and target, skip to the next directive.

                +
              2. +

                Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on null, policy, and directive’s name.

                +

                Note: We use null for the global object, as no global exists: + we haven’t processed the navigation to create a Document yet.

                +
              3. +

                Set violation’s resource to navigation + response’s URL.

                +
              4. +

                Execute §5.3 Report a violation on violation.

                +
              5. +

                If policy’s disposition is "enforce", then set result to "Blocked".

            @@ -2503,8 +2555,8 @@

            Let source-list be null.

          3. -

            If policy contains a directive whose name is "script-src", then set source-list to that directive’s value.

            -

            Otherwise if policy contains a directive whose name is "default-src", then set source-list to that directive’s value.

            +

            If policy contains a directive whose name is "script-src", then set source-list to that directive’s value.

            +

            Otherwise if policy contains a directive whose name is "default-src", then set source-list to that directive’s value.

          4. If source-list is non-null, and does not contain a source expression which is an ASCII case-insensitive match for the @@ -2566,7 +2618,7 @@

            "blocked-uri"

            -

            The result of executing the URL serializer on violation’s resource, with the exclude fragment flag set.

            +

            The result of executing the URL serializer on violation’s resource, with the exclude fragment flag set.

            "effective-directive"

            @@ -2619,7 +2671,7 @@

            blockedURI

            -

            violation’s resource

            +

            violation’s resource

            effectiveDirective

            @@ -2832,10 +2884,10 @@

            If name is not frame-src or worker-src, return "Allowed".

          5. -

            If policy contains a directive whose name is name, return "Allowed"

            +

            If policy contains a directive whose name is name, return "Allowed"

          6. Return the result of executing the pre-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

            + check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

          This directive’s post-request check is as follows:

          Given a request (request), a response (response), and a policy (policy):

          @@ -2845,10 +2897,10 @@

          If name is not frame-src or worker-src, return "Allowed".

        3. -

          If policy contains a directive whose name is name, return "Allowed"

          +

          If policy contains a directive whose name is name, return "Allowed"

        4. Return the result of executing the post-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

          + check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

        6.1.2. connect-src

        The connect-src directive restricts the URLs which can be loaded @@ -2981,15 +3033,15 @@

        If name is null, return "Allowed".

      2. -

        If policy contains a directive whose name is name, return "Allowed".

        +

        If policy contains a directive whose name is name, return "Allowed".

      3. -

        If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", +

        If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", return "Allowed".

        Note: It would be lovely to remove this special case. Perhaps "effective directive" could return "child-src" and that could delegate out in the same way this algorithm does?

      4. -

        Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using +

        Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

      This directive’s post-request check is as follows:

      @@ -3000,15 +3052,15 @@

      If name is null, return "Allowed".

    6. -

      If policy contains a directive whose name is name, return "Allowed".

      +

      If policy contains a directive whose name is name, return "Allowed".

    7. -

      If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", +

      If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", return "Allowed".

      Note: It would be lovely to remove this special case. Perhaps "effective directive" could return "child-src" and that could delegate out in the same way this algorithm does?

    8. -

      Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using +

      Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

    6.1.4. font-src

    @@ -3795,7 +3847,7 @@
    6.1.13.5. Get the effective directive for request

    Each fetch directive controls a specific type of request. Given - a request (request), the following algorithm returns either null or the name of the request’s effective directive:

    + a request (request), the following algorithm returns either null or the name of the request’s effective directive:

    1. Switch on request’s type, and execute @@ -3984,12 +4036,12 @@

      Allowed" if base may be used as the value of a base element’s href attribute, and "Blocked" otherwise:

      1. -

        For each policy in document’s global object’s csp list:

        +

        For each policy in document’s global object’s csp list:

        1. Let source list be null.

        2. -

          If a directive whose name is +

          If a directive whose name is "base-uri" is present in policy’s directive set, set source list to that directive’s value.

        3. @@ -3998,14 +4050,14 @@
          §6.1.13.3 Does url match source list? on base and source list is "Does Not Match":

          1. -

            Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global +

            Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global object, policy, and "base-uri".

          2. -

            Set violation’s resource to "inline".

            +

            Set violation’s resource to "inline".

          3. Execute §5.3 Report a violation on violation.

          4. -

            If policy’s disposition is "enforce", +

            If policy’s disposition is "enforce", return "Blocked".

        @@ -4055,8 +4107,8 @@

        </object>

    • -
    6.2.2.1. plugin-types Response Check
    -

    This directive’s response check algorithm is as +

    6.2.2.1. plugin-types Post-Request Check
    +

    This directive’s post-request check algorithm is as follows:

    Given a request (request), a response (response), and a policy (policy):

      @@ -4119,7 +4171,7 @@

      Content-Security-Policy-Report-Only header, or within a meta element.

      6.2.3.1. Algorithms
      -

      This directive’s response check algorithm is as +

      This directive’s response check algorithm is as follows:

      Given a request (request), a response (response), and a policy (policy):

        @@ -4142,10 +4194,10 @@
        This directive’s initialization algorithm is responsible for adjusting a Document's forced sandboxing flag set according to the sandbox values present in its policies, as follows:

        -

        Given a Document or global object (context), a response (response), and a policy (policy):

        +

        Given a Document or global object (context), a response (response), and a policy (policy):

        1. -

          If policy’s disposition is not "Enforce", or context is not a Document, then abort this algorithm.

          +

          If policy’s disposition is not "Enforce", or context is not a Document, then abort this algorithm.

          Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do.

        2. @@ -4170,7 +4222,7 @@

          6.2.4.1. Algorithms

          This directive’s initialization algorithm is as follows:

          -

          Given a Document or global object (context), a response (response), and a policy (policy):

          +

          Given a Document or global object (context), a response (response), and a policy (policy):

          1. If context’s responsible browsing context has an opener browsing @@ -4180,8 +4232,29 @@

            <

            6.3. Navigation Directives

            6.3.1. form-action

            The form-action directive restricts the URLs which can be used - as the target of a form submissions.

            -

            Define the hooks into HTML’s navigation and form submission algorithms.

            + as the target of a form submissions from a given context. The directive’s syntax is + described by the following ABNF grammar:

            +
            directive-name  = "form-action"
+directive-value = serialized-source-list
+
            +
            6.3.1.1. form-action Pre-Navigation Check
            +

            Given a request (request), a string (type, "form-submission or + "other") and two browsing contexts (source and target), this + algorithm returns "Blocked" if one or more of the ancestors of target violate the frame-ancestors directive delivered with the response, and + "Allowed" otherwise. This constitutes the form-action' directive’s pre-navigation check:

            +
              +
            1. +

              Assert: source and target are unused in this algorithm, as form-action is concerned only with details of the outgoing request.

              +
            2. +

              If type is "form-submission":

              +
                +
              1. +

                If the result of executing §6.1.13.3 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return + "Blocked".

                +
              +
            3. +

              Return "Allowed".

              +

            6.3.2. frame-ancestors

            The frame-ancestors directive restricts the URLs which can embed the resource using frame, iframe, object, embed, or applet element. Resources can use this directive to avoid many UI @@ -4198,15 +4271,21 @@

            meta element.

            Note: The frame-ancestors directive’s syntax is similar to a source list, but frame-ancestors will not fall back to the default-src directive’s value if one is specified. That is, a policy that declares default-src 'none' will still allow the resource to be embedded by anyone.

            -
            6.3.2.1. frame-ancestors Navigation Check
            -

            Given a response (navigation response) and a browsing context (context), this algorithm returns "Blocked" if the navigation violates - the frame-ancestors directive, and "Allowed" otherwise. This constitutes - the frame-ancestors' directive’s navigation check:

            +
            6.3.2.1. frame-ancestors Navigation Response Check
            +

            Given a request (request), a response (navigation response) + and two browsing contexts (source and target), this algorithm + returns "Blocked" if one or more of the ancestors of target violate the frame-ancestors directive delivered with the response, and "Allowed" + otherwise. This constitutes the frame-ancestors' directive’s navigation + response check:

            1. -

              If context is not a nested browsing context, return "Allowed".

              +

              Assert: request, navigation response, and source are unused in + this algorithm, as frame-ancestors is concerned only with target’s + ancestors.

              +
            2. +

              If target is not a nested browsing context, return "Allowed".

            3. -

              Let current be context.

              +

              Let current be target.

            4. While current has a parent browsing context (parent):

                @@ -4216,7 +4295,7 @@
                URL parser on the unicode serialization of parent’s active document’s origin.

              1. If §6.1.13.3 Does url match source list? returns Does Not Match when - executed upon origin and this directive’s value, return "Blocked".

                + executed upon origin and this directive’s value, return "Blocked".

            5. Return "Allowed".

              @@ -4265,7 +4344,7 @@

              Extensions to CSP MUST register themselves via the process outlined in [RFC7762]. In particular, note the criteria discussed in Section 4.2 of that document.

              -

              New directives SHOULD use the pre-request check, post-request check, response +

              New directives SHOULD use the pre-request check, post-request check, response check, and initialization hooks in order to integrate themselves into Fetch and HTML.

              @@ -4640,14 +4719,14 @@

              media-type-list, in §6.2.2
            6. monitored, in §4.2
            7. name, in §2.2 -
            8. navigation check, in §2.2 +
            9. navigation response check, in §2.2
            10. nonce-source, in §2.2.1
            11. 'none', in §2.2.1
            12. object-src, in §6.1.9
            13. parse a serialized CSP, in §2.1
            14. path-part, in §2.2.1
            15. plugin-types, in §6.2.2 -
            16. plugin-types Response Check, in §6.2.2 +
            17. plugin-types Post-Request Check, in §6.2.2
            18. policy

    What should this do in an iframe? Anything?
    -
    Define the hooks into HTML’s navigation and form submission algorithms.
    @@ -5281,13 +5370,15 @@

    6.2.1.1. Is base allowed for document?
  • 6.2.2.1. - plugin-types Response Check + plugin-types Post-Request Check
  • 6.2.2.2. Should plugin element be blocked a priori by Content Security Policy?:
  • 6.2.3.1. Algorithms (2) -
  • 6.3.2.1. - frame-ancestors Navigation Check +
  • 6.3.1.1. + form-action Pre-Navigation Check +
  • 6.3.2.1. + frame-ancestors Navigation Response Check @@ -5363,10 +5456,8 @@

    4.1.4. Should response to request be blocked by Content Security Policy? -
  • 6.2.2.1. - plugin-types Response Check -
  • 6.2.3.1. Algorithms -
  • 6.5. +
  • 6.2.3.1. Algorithms +
  • 6.5. Directives Defined in Other Documents @@ -5391,15 +5482,24 @@

    - #directive-navigation-checkReferenced in: + + diff --git a/index.src.html b/index.src.html index e21f980..10c7b39 100644 --- a/index.src.html +++ b/index.src.html @@ -62,6 +62,7 @@

    Content Security Policy Level 3

    urlPrefix: webappapis.html text: environment settings object; url: settings-object text: global object + text: relevant global object text: global object; for: settings object; url: concept-settings-object-global text: incumbent settings object text: current settings object @@ -244,6 +245,7 @@

    Content Security Policy Level 3

    text: Content-Security-Policy http-equiv processing instructions; url: attr-meta-http-equiv-content-security-policy text: realm's global object; url: concept-realm-global-object text: process a navigate response + text: process a navigate fetch type: element-attr text: ping; for: a text: nonce; for: script; url: attr-script-nonce @@ -576,10 +578,15 @@

    Directives

    arguments. This algorithm is executed during [[#initialize-document-csp]], and has no effect unless otherwise specified. - 6. A navigation check, which takes a - response and a browsing context as arguments, and is executed - during process a navigate response. It returns "`Allowed`" unless - otherwise specified. + 6. A pre-navigation check, which takes a + request, type string, and two browsing contexts as arguments, and + is executed during [[#should-block-navigation-request]]. It returns + "`Allowed`" unless otherwise specified. + + 7. A navigation response check, which takes a + request, a response and two browsing contexts as + arguments, and is executed during [[#should-block-navigation-response]]. + It returns "`Allowed`" unless otherwise specified.

    Source Lists

    @@ -1138,8 +1145,10 @@

    ISSUE(w3c/html#547): This hook is missing from W3C's HTML. - 10. [[#should-block-navigation]] is called during the process a navigate - response algorithm to apply directive's navigation check. + 10. [[#should-block-navigation-request]] is called during the process a + navigate fetch algorithm, and [[#should-block-navigation-response]] + is called during the process a navigate response algorithm to + apply directive's navigation checks. ISSUE(whatwg/html#1230): Upstream this to HTML. @@ -1257,14 +1266,54 @@

    3. Return |result|. -

    - Should |navigation response| in |context| be blocked by Content Security Policy? +

    + Should |navigation request| of |type| from |source| in |target| be blocked + by Content Security Policy?

    - Given a response |navigation response|, and a browsing context - (|context|), this algorithm returns "`Blocked`" if the active policy blocks + Given a request (|navigation request|), a string (|type|, either + "`form-submission`" or "`other`"), and two browsing contexts (|source| + and |target|), this algorithm return "`Blocked`" if the active policy blocks the navigation, and "`Allowed`" otherwise: +
      + 1. Let |result| be "`Allowed`". + + 2. For each |policy| in |source|'s active document's + CSP list: + + 1. For each |directive| in |policy|: + + 1. If |directive|'s pre-navigation check + returns "`Allowed`" when executed upon |navigation request|, + |type|, |source|, and |target|, skip to the next |directive|. + + 2. Otherwise, let |violation| be the result of executing + [[#create-violation-for-global]] on |source|'s relevant global + object, |policy|, and |directive|'s name. + + 3. Set |violation|'s resource to |navigation + request|'s URL. + + 4. Execute [[#report-violation]] on |violation|. + + 5. If |policy|'s disposition is "`enforce`", then + set |result| to "`Blocked`". + + 3. Return |result|. +
    + +

    + Should |navigation response| to |navigation request| of |type| from |source| + in |target| be blocked by Content Security Policy? +

    + + Given a request (|navigation request|),, a string (|type|, either + "`form-submission`" or "`other`"), a response |navigation + response|, and two browsing contexts (|source| and |target|), this algorithm + returns "`Blocked`" if the active policy blocks the navigation, and "`Allowed`" + otherwise: +
      1. Let |result| be "`Allowed`". @@ -1273,14 +1322,18 @@

      1. For each |directive| in |policy|: - 1. If |directive|'s navigation check returns - "`Allowed`" when executed upon |navigation response| and |context|, - skip to the next |directive|. + 1. If |directive|'s navigation response check + returns "`Allowed`" when executed upon |navigation request|, |type|, + |navigation response|, |source|, and |target|, skip to the next + |directive|. 2. Otherwise, let |violation| be the result of executing [[#create-violation-for-global]] on `null`, |policy|, and |directive|'s name. + Note: We use `null` for the global object, as no global exists: + we haven't processed the navigation to create a Document yet. + 3. Set |violation|'s resource to |navigation response|'s URL. @@ -3067,10 +3120,10 @@

      `plugin-types`

      - `plugin-types` Response Check + `plugin-types` Post-Request Check
      - This directive's response check algorithm is as + This directive's post-request check algorithm is as follows: Given a request (|request|), a response (|response|), and a @@ -3220,9 +3273,38 @@

      `form-action`

      The form-action directive restricts the {{URL}}s which can be used - as the target of a form submissions. + as the target of a form submissions from a given context. The directive's syntax is + described by the following ABNF grammar: + + 
      +    directive-name  = "form-action"
+    directive-value = serialized-source-list
+
      + +
      + `form-action` Pre-Navigation Check +
      + + Given a request (|request|), a string (|type|, "`form-submission` or + "`other`") and two browsing contexts (|source| and |target|), this + algorithm returns "`Blocked`" if one or more of the ancestors of |target| + violate the `frame-ancestors` directive delivered with the response, and + "`Allowed`" otherwise. This constitutes the `form-action`' directive's + pre-navigation check: + +
        + 1. Assert: |source| and |target| are unused in this algorithm, as + `form-action` is concerned only with details of the outgoing request. + + 2. If |type| is "`form-submission`": - ISSUE: Define the hooks into HTML's navigation and form submission algorithms. + 1. If the result of executing [[#match-url-to-source-list]] on + |request|'s url and this directive's + value is "`Does Not Match`", return + "`Blocked`". + + 3. Return "`Allowed`". +

      `frame-ancestors`

      @@ -3250,21 +3332,27 @@

      `frame-ancestors`

      directive's value if one is specified. That is, a policy that declares `default-src 'none'` will still allow the resource to be embedded by anyone. -
      - `frame-ancestors` Navigation Check +
      + `frame-ancestors` Navigation Response Check
      - Given a response (|navigation response|) and a browsing context - (|context|), this algorithm returns "`Blocked`" if the navigation violates - the `frame-ancestors` directive, and "`Allowed`" otherwise. This constitutes - the `frame-ancestors`' directive's navigation check: + Given a request (|request|), a response (|navigation response|) + and two browsing contexts (|source| and |target|), this algorithm + returns "`Blocked`" if one or more of the ancestors of |target| violate the + `frame-ancestors` directive delivered with the response, and "`Allowed`" + otherwise. This constitutes the `frame-ancestors`' directive's navigation + response check:
        - 1. If |context| is not a nested browsing context, return "`Allowed`". + 1. Assert: |request|, |navigation response|, and |source| are unused in + this algorithm, as `frame-ancestors` is concerned only with |target|'s + ancestors. + + 2. If |target| is not a nested browsing context, return "`Allowed`". - 2. Let |current| be |context|. + 3. Let |current| be |target|. - 3. While |current| has a parent browsing context (|parent|): + 4. While |current| has a parent browsing context (|parent|): 1. Set |current| to |parent|. @@ -3276,7 +3364,7 @@
        executed upon |origin| and this directive's value, return "`Blocked`". - 4. Return "`Allowed`". + 5. Return "`Allowed`".