diff --git a/index.html b/index.html index 5e11f9b..cffde8f 100644 --- a/index.html +++ b/index.html @@ -1534,6 +1534,7 @@
Document
's CSP list
CSP list
frame-ancestors
Directives have five associated algorithms:
+Directives have six associated algorithms:
A pre-request check, which takes a request and a policy as an argument, and is executed during §4.1.3 Should request be blocked by Content Security Policy?. This algorithm returns "Allowed
" unless
@@ -1933,9 +1934,13 @@
Allowed
" unless
otherwise specified.
An initialization, which takes a Document
or global object, a response, and a policy as
+
An initialization, which takes a Document
or global object, a response, and a policy as
arguments. This algorithm is executed during §4.2.1 Initialize a Document's CSP list,
and has no effect unless otherwise specified.
A navigation check, which takes a response and a browsing context as arguments, and is executed
+ during process a navigate response. It returns "Allowed
" unless
+ otherwise specified.
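Review bot: the added navigation check entry (`A navigation check, which takes a response and a browsing context as arguments, and is executed during process a navigate response`) should cite the CSP-side algorithm that invokes it, the way the pre-request check cites §4.1.3 and the initialization cites §4.2.1; the patch introduces §4.2.4 Should navigation response in context be blocked by Content Security Policy? for exactly that purpose, so link it here. The bare `+` line inserted before the initialization entry looks like an accidental whitespace change and can be dropped.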
Many directives' values consist of source lists: sets @@ -2004,9 +2009,9 @@
Matches
.
A violation represents an action or resource which goes against the - set of policy objects associated with a global object.
+ set of policy objects associated with a global object.Each violation has a global object, which - is the global object whose policy has been violated.
+ is the global object whose policy has been violated.Each violation has a url which is its global object’s URL
.
Each violation has a status which is a non-negative integer representing the HTTP status code of the resource for @@ -2026,7 +2031,7 @@
Given a global object (global), a policy (policy), and a +
Given a global object (global), a policy (policy), and a string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:
A policy is generally enforced upon a global object, but the +
A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:
+ delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:A response has an associated CSP list which @@ -2299,12 +2304,12 @@
This concept is missing from W3C’s Workers. <https://github.com/w3c/html/issues/187>
A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
+A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
§4.2.2 Initialize a global object’s CSP list is called during the initialising a
new Document
object and run a worker algorithms in order to
bind a set of policy objects associated with a response to a
- newly created global object.
§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during the prepare a script and update a style
block algorithms in order to determine whether or
not an inline script or style block is allowed to execute/render.
This hook is missing from W3C’s HTML. <https://github.com/w3c/html/issues/547>
+§4.2.4 Should navigation response in context be blocked by Content Security Policy? is called during the process a navigate + response algorithm to apply directive’s navigation check.
+Upstream this to HTML. <https://github.com/whatwg/html/issues/1230>
+W3C’s HTML is not based on Fetch, and does not + have a process a navigate response algorithm into which to hook. <https://github.com/w3c/html/issues/548>
Document
's CSP list
Given a Document
(document), and a response (response), the
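Review bot: the removed line `- newly created global object.` at the end of the §4.2.2 paragraph has no visible `+` replacement in this hunk, so the sentence "bind a set of policy objects associated with a response to a" is left dangling; either the text was folded into a rewrapped line the diff does not show, or it needs restoring. The new §4.2.4 paragraph hooks into "process a navigate response", and the added notes (whatwg/html#1230, w3c/html#548) rightly record that W3C HTML has no such algorithm; since this is now a normative hook, consider stating in the §4.2.4 text itself that the hook is pending upstream in HTML rather than leaving that only in the issue markers.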
@@ -2378,7 +2389,7 @@
CSP list
Given a global object (global), and a response (response), the user agent performs the following steps in order +
Given a global object (global), and a response (response), the user agent performs the following steps in order to initialize global’s CSP list:
For each policy in document’s global
+ For each policy in document’s global
object’s CSP list: Let result be " For each policy in element’s For each policy in element’s For each directive in policy:
Allowed
".Document
's global object’s CSP list:Document
's global object’s CSP list:
Allowed" when executed upon element, type, and source,
skip to the next directive.
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on the incumbent settings
- object, policy, and "style-src
" if type is "style
" or
- "style-attribute
", or "script-src
" otherwise.
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on the current settings
+ object’s global object, policy,
+ and "style-src
" if type is "style
" or "style-attribute
",
+ or "script-src
" otherwise.
Set violation’s resource to "inline
".
Execute §5.3 Report a violation on violation.
If policy’s disposition is "enforce
", then
+ set result to "Blocked
".
Return result.
+ +Given a response navigation response, and a browsing context (context), this algorithm returns "Blocked
" if the active policy blocks
+ the navigation, and "Allowed
" otherwise:
Let result be "Allowed
".
For each policy in navigation response’s CSP list:
+For each directive in policy:
+If directive’s navigation check returns
+ "Allowed
" when executed upon navigation response and context,
+ skip to the next directive.
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on null
, policy, and directive’s name.
Execute §5.3 Report a violation on violation.
+If policy’s disposition is "enforce
", then
set result to "Blocked
".
Let source-list be null.
If policy contains a directive whose name is "script-src
", then set source-list to that directive’s value.
Otherwise if policy contains a directive whose name is "default-src
", then set source-list to that directive’s value.
If policy contains a directive whose name is "script-src
", then set source-list to that directive’s value.
Otherwise if policy contains a directive whose name is "default-src
", then set source-list to that directive’s value.
If source-list is non-null, and does not contain a source expression which is an ASCII case-insensitive match for the @@ -2523,7 +2566,7 @@
"blocked-uri
"
The result of executing the URL serializer on violation’s resource, with the exclude fragment
flag set.
The result of executing the URL serializer on violation’s resource, with the exclude fragment
flag set.
"effective-directive
"
violation’s resource
+violation’s resource
If name is not frame-src
or worker-src
, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
"
If policy contains a directive whose name is name, return "Allowed
"
Return the result of executing the pre-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
+ check for the directive whose name is name on request and policy, using this directive’s value for the comparison.This directive’s post-request check is as follows:
Given a request (request), a response (response), and a policy (policy):
@@ -2802,10 +2845,10 @@If name is not frame-src
or worker-src
, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
"
If policy contains a directive whose name is name, return "Allowed
"
Return the result of executing the post-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
+ check for the directive whose name is name on request and policy, using this directive’s value for the comparison.connect-src
The connect-src directive restricts the URLs which can be loaded @@ -2938,15 +2981,15 @@
If name is null
, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
".
If name is "frame-src
" or "worker-src
", and policy contains a directive whose name is "child-src
",
+
If name is "frame-src
" or "worker-src
", and policy contains a directive whose name is "child-src
",
return "Allowed
".
Note: It would be lovely to remove this special case. Perhaps "effective
directive" could return "child-src
" and that could delegate out in the
same way this algorithm does?
Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using +
Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
This directive’s post-request check is as follows:
@@ -2957,15 +3000,15 @@If name is null
, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
".
If policy contains a directive whose name is name, return "Allowed
".
If name is "frame-src
" or "worker-src
", and policy contains a directive whose name is "child-src
",
+
If name is "frame-src
" or "worker-src
", and policy contains a directive whose name is "child-src
",
return "Allowed
".
Note: It would be lovely to remove this special case. Perhaps "effective
directive" could return "child-src
" and that could delegate out in the
same way this algorithm does?
Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using +
Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
font-src
Each fetch directive controls a specific type of request. Given
- a request (request), the following algorithm returns either null
or the name of the request’s effective directive:
null
or the name of the request’s effective directive:
Switch on request’s type, and execute @@ -3941,12 +3984,12 @@
base
element’s href
attribute, and "Blocked
" otherwise:
For each policy in document’s global object’s csp list:
+For each policy in document’s global object’s csp list:
Let source list be null
.
If a directive whose name is +
If a directive whose name is
"base-uri
" is present in policy’s directive
set, set source list to that directive’s value.
Does Not Match
":
Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global
+ Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global
object, policy, and " Set violation’s resource to " Set violation’s resource to " Execute §5.3 Report a violation on violation. If policy’s disposition is " If policy’s disposition is "base-uri
".inline
".inline
".enforce
",
+ enforce
",
return "Blocked
".
Document
's forced sandboxing flag set according to the sandbox
values present in its policies, as
follows:
- Given a Document
or global object (context), a response (response), and a policy (policy):
Given a Document
or global object (context), a response (response), and a policy (policy):
If policy’s disposition is not "Enforce
", or context is not a Document
, then abort this algorithm.
If policy’s disposition is not "Enforce
", or context is not a Document
, then abort this algorithm.
Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do.
This directive’s initialization algorithm is as follows:
-Given a Document
or global object (context), a response (response), and a policy (policy):
Given a Document
or global object (context), a response (response), and a policy (policy):
If context’s responsible browsing context has an opener browsing
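Review bot: the sandbox directive's initialization keeps the comparison `If policy's disposition is not "Enforce"` with a capitalised literal, while the navigation and inline checks elsewhere in this patch test `If policy's disposition is "enforce"`; since these lines are touched here (they appear as rewrapped duplicates), normalise the literal to one spelling so the disposition comparison is unambiguous.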
@@ -4155,31 +4198,29 @@ meta element.
Note: The frame-ancestors
directive’s syntax is similar to a source
list, but frame-ancestors
will not fall back to the default-src
directive’s value if one is specified. That is, a policy that declares default-src 'none'
will still allow the resource to be embedded by anyone.
This directive’s response check is as follows:
-Given a request (request), a response (response), and a policy (policy):
-frame-ancestors
Navigation Check Given a response (navigation response) and a browsing context (context), this algorithm returns "Blocked
" if the navigation violates
+ the frame-ancestors
directive, and "Allowed
" otherwise. This constitutes
+ the frame-ancestors
' directive’s navigation check:
If context is not a nested browsing context, return "Allowed
".
If request’s destination is "document
" and the request’s target browsing
- context is a nested browsing context:
Let current be context.
+While current has a parent browsing context (parent):
For each ancestor of the request’s target browsing context’s ancestor - browsing contexts:
-Let origin-as-url be the result of executing the URL - parser on the unicode serialization of ancestor’s active document’s origin.
-If §6.1.13.3 Does url match source list? returns Does Not Match
when
- executed upon origin-as-url and this directive’s value, return "Blocked
".
Set current to parent.
+Let origin be the result of executing the URL parser on the unicode serialization of parent’s active document’s origin.
+If §6.1.13.3 Does url match source list? returns Does Not Match
when
+ executed upon origin and this directive’s value, return "Blocked
".
Return "Allowed
".
Rewrite this in terms of HTML’s navigation algorithm.
Various algorithms in this document hook into the reporting process by constructing a violation object via §2.3.2 Create a violation object for request, policy, and directive or §2.3.1 Create a violation object for global, policy, and directive, and passing that object to §5.3 Report a violation to deliver the report.
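Review bot: the unchanged lead-in `This directive's response check is as follows:` still introduces the frame-ancestors algorithm, but the hunk replaces the response check (`-Given a request (request), a response (response), and a policy (policy):`) with a navigation check that takes a response and a browsing context, so the lead-in should now say navigation check, as the new `frame-ancestors Navigation Check` heading does. The sentence "This constitutes the frame-ancestors ' directive's navigation check" has a stray apostrophe after frame-ancestors. The loop itself reads correctly: it walks from context up through each parent, parses the parent's active document's origin, and returns "Blocked" on the first Does Not Match, which makes the leading `If context is not a nested browsing context, return "Allowed"` redundant with the while condition but harmless. Finally, the unchanged issue line "Rewrite this in terms of HTML's navigation algorithm." appears to be addressed by this very change and should be updated or removed.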
@@ -4224,7 +4265,7 @@Extensions to CSP MUST register themselves via the process outlined in [RFC7762]. In particular, note the criteria discussed in Section 4.2 of that document.
-New directives SHOULD use the pre-request check, post-request check, response
+ New directives SHOULD use the pre-request check, post-request check, response
check, and initialization hooks in order to
integrate themselves into Fetch and HTML.nonce-source
expression as part of a policy, the server MUST generate a unique value each time it
+
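Review bot: the rewrapped extensibility sentence (`+ New directives SHOULD use the pre-request check, post-request check, response check, and initialization hooks`) still lists four hooks, but this patch adds a fifth, the navigation check, and raises the directive algorithm count to six; add the navigation check here so extension authors know it exists. The nonce-source paragraph that follows is an unrelated whitespace rewrap and could be split from the functional change.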
If a server delivers a nonce-source expression as part of a policy, the server MUST generate a unique value each time it transmits a policy. The generated value SHOULD be at least 128 bits long (before encoding), and SHOULD be generated via a cryptographically secure random number generator in order to ensure that the value is difficult for @@ -4374,7 +4415,7 @@
Policy enforced on a resource SHOULD NOT interfere with the operation +
Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].
@@ -4599,6 +4640,7 @@