Content Security Policy Level 3
-Editor’s Draft,
+Editor’s Draft,
- This version:
@@ -1534,7 +1534,9 @@
Table of Contents
- 4.2.1 Initialize a
Document'sCSP list- 4.2.2 Initialize a global object’s
CSP list- 4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? -
- 4.2.4 Should navigation response in context be blocked by Content Security Policy? +
- 4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy? +
- 4.2.5 Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?
- 4.3 Integration with ECMAScript @@ -1641,7 +1643,7 @@
Table of Contents
- 6.2.2
plugin-types-
-
- 6.2.2.1
plugin-typesResponse Check + - 6.2.2.1
plugin-typesPost-Request Check - 6.2.2.2 Should plugin element be blocked a priori by Content Security Policy?:
Table of Contents
- 6.3 Navigation Directives
- @@ -1934,13 +1940,19 @@
§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. This algorithm returns "
Allowed" unless otherwise specified.- -
An initialization, which takes a
Documentor global object, a response, and a policy as +An initialization, which takes a
Documentor global object, a response, and a policy as arguments. This algorithm is executed during §4.2.1 Initialize a Document's CSP list, and has no effect unless otherwise specified.- -
A navigation check, which takes a response and a browsing context as arguments, and is executed - during process a navigate response. It returns "
+Allowed" unless - otherwise specified.A pre-navigation check, which takes a request, type string, and two browsing contexts as arguments, and + is executed during §4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy?. It returns + "
+Allowed" unless otherwise specified.- +
A navigation response check, which takes a request, a response and two browsing contexts as + arguments, and is executed during §4.2.5 Should navigation response to navigation request of type from source + in target be blocked by Content Security Policy?. + It returns "
Allowed" unless otherwise specified.2.2.1. Source Lists
Many directives' values consist of source lists: sets @@ -2009,9 +2021,9 @@
URL matches a source list if the algorithm in §6.1.13.3 Does url match source list? returns
Matches.2.3. Violations
A violation represents an action or resource which goes against the - set of policy objects associated with a global object.
+ set of policy objects associated with a global object.Each violation has a global object, which - is the global object whose policy has been violated.
+ is the global object whose policy has been violated.Each violation has a url which is its global object’s
URL.Each violation has a status which is a non-negative integer representing the HTTP status code of the resource for @@ -2031,7 +2043,7 @@
Each violation has a column number, which is a non-negative integer.
2.3.1. Create a violation object for global, policy, and directive
-Given a global object (global), a policy (policy), and a +
Given a global object (global), a policy (policy), and a string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:
-
@@ -2165,9 +2177,9 @@
is called as part of step #13 of its Main Fetch algorithm.
A policy is generally enforced upon a global object, but the +
A policy is generally enforced upon a global object, but the user agent needs to parse any policy - delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:
+ delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:-
A response has an associated CSP list which @@ -2304,12 +2316,12 @@
§4.2.2 Initialize a global object’s CSP list algorithm.
This concept is missing from W3C’s Workers. <https://github.com/w3c/html/issues/187>
- -
A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
+A policy is enforced or monitored for a global object by inserting it into the global object’s CSP list.
§4.2.2 Initialize a global object’s CSP list is called during the initialising a new
+ newly created global object.Documentobject and run a worker algorithms in order to bind a set of policy objects associated with a response to a - newly created global object.§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy? is called during the prepare a script and update a
@@ -2341,8 +2353,11 @@styleblock algorithms in order to determine whether or not an inline script or style block is allowed to execute/render.This hook is missing from WHATWG’s HTML. <https://github.com/whatwg/html/issues/1618>
This hook is missing from W3C’s HTML. <https://github.com/w3c/html/issues/547>
- -
§4.2.4 Should navigation response in context be blocked by Content Security Policy? is called during the process a navigate - response algorithm to apply directive’s navigation check.
+§4.2.4 Should navigation request of type from source in target be blocked + by Content Security Policy? is called during the process a + navigate fetch algorithm, and §4.2.5 Should navigation response to navigation request of type from source + in target be blocked by Content Security Policy? is called during the process a navigate response algorithm to + apply directive’s navigation checks.
Upstream this to HTML. <https://github.com/whatwg/html/issues/1230>
W3C’s HTML is not based on Fetch, and does not have a process a navigate response algorithm into which to hook. <https://github.com/w3c/html/issues/548>
@@ -2389,7 +2404,7 @@4.2.2. Initialize a global object’s
-CSP listGiven a global object (global), and a response (response), the user agent performs the following steps in order +
Given a global object (global), and a response (response), the user agent performs the following steps in order to initialize global’s CSP list:
-
@@ -2403,7 +2418,7 @@
-
For each policy in document’s global +
For each policy in document’s global object’s CSP list:
-
@@ -2425,7 +2440,7 @@
Let result be "
Allowed". -
-
For each policy in element’s
+Document's global object’s CSP list:For each policy in element’s
Document's global object’s CSP list:-
For each directive in policy:
@@ -2451,31 +2466,68 @@Return result.
4.2.4. Should navigation response in context be blocked by Content Security Policy?
-Given a response navigation response, and a browsing context (context), this algorithm returns "
Blocked" if the active policy blocks +4.2.4. Should navigation request of type from source in target be blocked + by Content Security Policy?
+Given a request (navigation request), a string (type, either + "
form-submission" or "other"), and two browsing contexts (source and target), this algorithm return "Blocked" if the active policy blocks the navigation, and "Allowed" otherwise:-
Let result be "
Allowed". -
-
For each policy in navigation response’s CSP list:
+For each policy in source’s active document’s CSP list:
-
For each directive in policy:
-
-
If directive’s navigation check returns - "
+Allowed" when executed upon navigation response and context, - skip to the next directive.If directive’s pre-navigation check returns "
Allowed" when executed upon navigation request, type, source, and target, skip to the next directive. -
-
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on
+null, policy, and directive’s name.Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on source’s relevant global + object, policy, and directive’s name.
-
Set violation’s resource to navigation - response’s URL.
+ request’s URL.
-
-
-
-
-
@@ -2425,7 +2440,7 @@
-
Execute §5.3 Report a violation on violation.
-
If policy’s disposition is "
+enforce", then + set result to "Blocked".
- -
- +
Return result.
+ +4.2.5. Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?
+Given a request (navigation request),, a string (type, either + "
+form-submission" or "other"), a response navigation + response, and two browsing contexts (source and target), this algorithm + returns "Blocked" if the active policy blocks the navigation, and "Allowed" + otherwise:-
+
-
+
Let result be "
+Allowed". -
+
For each policy in navigation response’s CSP list:
+-
+
-
+
For each directive in policy:
+-
+
-
+
If directive’s navigation response check returns "
+Allowed" when executed upon navigation request, type, navigation response, source, and target, skip to the next directive. -
+
Otherwise, let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on
+null, policy, and directive’s name.Note: We use
+nullfor the global object, as no global exists: + we haven’t processed the navigation to create a Document yet. - + +
-
+
Execute §5.3 Report a violation on violation.
+ -
+
If policy’s disposition is "
enforce", then set result to "Blocked".
-
+
Let source-list be null.
-
+
-
-
If policy contains a directive whose name is "
-script-src", then set source-list to that directive’s value.Otherwise if policy contains a directive whose name is "
+default-src", then set source-list to that directive’s value.If policy contains a directive whose name is "
+script-src", then set source-list to that directive’s value.Otherwise if policy contains a directive whose name is "
default-src", then set source-list to that directive’s value. -
If source-list is non-null, and does not contain a source expression which is an ASCII case-insensitive match for the @@ -2566,7 +2618,7 @@
"
blocked-uri"- -
The result of executing the URL serializer on violation’s resource, with the
+exclude fragmentflag set.The result of executing the URL serializer on violation’s resource, with the
exclude fragmentflag set."
effective-directive"- @@ -2619,7 +2671,7 @@
- -
violation’s resource
+violation’s resource
- @@ -2832,10 +2884,10 @@
If name is not
frame-srcorworker-src, return "Allowed".- -
If policy contains a directive whose name is name, return "
+Allowed"If policy contains a directive whose name is name, return "
Allowed"Return the result of executing the pre-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
+ check for the directive whose name is name on request and policy, using this directive’s value for the comparison. - -
This directive’s post-request check is as follows:
Given a request (request), a response (response), and a policy (policy):
@@ -2845,10 +2897,10 @@If name is not
frame-srcorworker-src, return "Allowed".- -
If policy contains a directive whose name is name, return "
+Allowed"If policy contains a directive whose name is name, return "
Allowed"Return the result of executing the post-request - check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
+ check for the directive whose name is name on request and policy, using this directive’s value for the comparison.6.1.2.
connect-srcThe connect-src directive restricts the URLs which can be loaded @@ -2981,15 +3033,15 @@
If name is
null, return "Allowed".- -
If policy contains a directive whose name is name, return "
+Allowed".If policy contains a directive whose name is name, return "
Allowed".- -
If name is "
frame-src" or "worker-src", and policy contains a directive whose name is "child-src", +If name is "
frame-src" or "worker-src", and policy contains a directive whose name is "child-src", return "Allowed".Note: It would be lovely to remove this special case. Perhaps "effective directive" could return "
child-src" and that could delegate out in the same way this algorithm does?- -
Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using +
Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
This directive’s post-request check is as follows:
@@ -3000,15 +3052,15 @@If name is
null, return "Allowed".- -
If policy contains a directive whose name is name, return "
+Allowed".If policy contains a directive whose name is name, return "
Allowed".- -
If name is "
frame-src" or "worker-src", and policy contains a directive whose name is "child-src", +If name is "
frame-src" or "worker-src", and policy contains a directive whose name is "child-src", return "Allowed".Note: It would be lovely to remove this special case. Perhaps "effective directive" could return "
child-src" and that could delegate out in the same way this algorithm does?- -
Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using +
Otherwise, return the result of executing the post-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.
6.1.4.
@@ -3795,7 +3847,7 @@font-src6.1.13.5. Get the effective directive for request
Each fetch directive controls a specific type of request. Given - a request (request), the following algorithm returns either
+ a request (request), the following algorithm returns eithernullor the name of the request’s effective directive:nullor the name of the request’s effective directive:-
Switch on request’s type, and execute @@ -3984,12 +4036,12 @@
Allowed" if base may be used as the value of a
baseelement’shrefattribute, and "Blocked" otherwise:-
-
For each policy in document’s global object’s csp list:
+For each policy in document’s global object’s csp list:
-
Let source list be
null. -
-
If a directive whose name is +
If a directive whose name is "
base-uri" is present in policy’s directive set, set source list to that directive’s value. -
@@ -3998,14 +4050,14 @@
§6.1.13.3 Does url match source list? on base and source list is "
Does Not Match":-
-
Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global +
Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on document’s global object, policy, and "
base-uri".- -
Set violation’s resource to "
+inline".Set violation’s resource to "
inline".Execute §5.3 Report a violation on violation.
- -
If policy’s disposition is "
enforce", +If policy’s disposition is "
enforce", return "Blocked". - -
-
-
</object>
-
-
-
- 4.2.1 Initialize a
6.2.2.1. plugin-types Response Check
- This directive’s response check algorithm is as +
6.2.2.1. plugin-types Post-Request Check
+ This directive’s post-request check algorithm is as follows:
Given a request (request), a response (response), and a policy (policy):
-
@@ -4119,7 +4171,7 @@
-
-
If policy’s disposition is not "
+Enforce", or context is not aDocument, then abort this algorithm.If policy’s disposition is not "
Enforce", or context is not aDocument, then abort this algorithm.Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do.
-
@@ -4170,7 +4222,7 @@
6.2.4.1. Algorithms -
If context’s responsible browsing context has an opener browsing @@ -4180,8 +4232,29 @@
+<
6.3. Navigation Directives
6.3.1.
form-actionThe form-action directive restricts the
-URLs which can be used - as the target of a form submissions.Define the hooks into HTML’s navigation and form submission algorithms.
+ as the target of a form submissions from a given context. The directive’s syntax is + described by the following ABNF grammar:directive-name = "form-action" +directive-value = serialized-source-list +
+6.3.1.1.
+form-actionPre-Navigation CheckGiven a request (request), a string (type, "
+form-submissionor + "other") and two browsing contexts (source and target), this + algorithm returns "Blocked" if one or more of the ancestors of target violate theframe-ancestorsdirective delivered with the response, and + "Allowed" otherwise. This constitutes theform-action' directive’s pre-navigation check:-
+
-
+
Assert: source and target are unused in this algorithm, as
+form-actionis concerned only with details of the outgoing request. -
+
If type is "
+form-submission":-
+
-
+
If the result of executing §6.1.13.3 Does url match source list? on request’s url and this directive’s value is "
+Does Not Match", return + "Blocked".
-
+
-
+
Return "
+Allowed".
6.3.2.
frame-ancestorsThe frame-ancestors directive restricts the
URLs which can embed the resource usingframe,iframe,object,embed, orappletelement. Resources can use this directive to avoid many UI @@ -4198,15 +4271,21 @@meta element.Note: The
-frame-ancestorsdirective’s syntax is similar to a source list, butframe-ancestorswill not fall back to thedefault-srcdirective’s value if one is specified. That is, a policy that declaresdefault-src 'none'will still allow the resource to be embedded by anyone.6.3.2.1.
-frame-ancestorsNavigation CheckGiven a response (navigation response) and a browsing context (context), this algorithm returns "
+Blocked" if the navigation violates - theframe-ancestorsdirective, and "Allowed" otherwise. This constitutes - theframe-ancestors' directive’s navigation check:6.3.2.1.
+frame-ancestorsNavigation Response CheckGiven a request (request), a response (navigation response) + and two browsing contexts (source and target), this algorithm + returns "
Blocked" if one or more of the ancestors of target violate theframe-ancestorsdirective delivered with the response, and "Allowed" + otherwise. This constitutes theframe-ancestors' directive’s navigation + response check:-
-
If context is not a nested browsing context, return "
+Allowed".Assert: request, navigation response, and source are unused in + this algorithm, as
+frame-ancestorsis concerned only with target’s + ancestors. -
+
If target is not a nested browsing context, return "
Allowed". -
-
Let current be context.
+Let current be target.
-
While current has a parent browsing context (parent):
-
@@ -4216,7 +4295,7 @@
-
If §6.1.13.3 Does url match source list? returns
+ executed upon origin and this directive’s value, return "Does Not Matchwhen - executed upon origin and this directive’s value, return "Blocked".Blocked".
URL parser on the unicode serialization of parent’s active document’s origin.
-
-
Return "
@@ -4265,7 +4344,7 @@Allowed".Extensions to CSP MUST register themselves via the process outlined in [RFC7762]. In particular, note the criteria discussed in Section 4.2 of that document.
-New directives SHOULD use the pre-request check, post-request check, response +
New directives SHOULD use the pre-request check, post-request check, response check, and initialization hooks in order to integrate themselves into Fetch and HTML.
@@ -4640,14 +4719,14 @@media-type-list
, in §6.2.2- monitored, in §4.2
- name, in §2.2 -
- navigation check, in §2.2 +
- navigation response check, in §2.2
- nonce-source, in §2.2.1
- 'none', in §2.2.1
- object-src, in §6.1.9
- parse a serialized CSP, in §2.1
- path-part, in §2.2.1
- plugin-types, in §6.2.2 -
- plugin-types Response Check, in §6.2.2 +
- plugin-types Post-Request Check, in §6.2.2
- policy
-
@@ -4656,6 +4735,7 @@
- post-request check, in §2.2 +
- pre-navigation check, in §2.2
- pre-request check, in §2.2
- referrer, in §2.3
- report-to, in §6.4.2
@@ -4755,6 +4835,7 @@
initialising a new document object
- nonce
- ping +
- process a navigate fetch
- process a navigate response
- realm's global object
- run a worker @@ -4785,7 +4866,7 @@
fire
- forced sandboxing flag set
- frame -
- global object +
- global object
- http-equiv
- iframe
- link @@ -4799,6 +4880,7 @@
parser-inserted
- prepare a script
- referrer +
- relevant global object
- relevant settings object
- responsible browsing context
- sandboxed origin browsing context flag @@ -5084,7 +5166,6 @@
↵
port-part, in §2.2.1
-
+
Content-Security-Policy-Report-Only header, or within
a meta element.
6.2.3.1. Algorithms
- This directive’s response check algorithm is as
+
This directive’s response check algorithm is as
follows:
Given a request (request), a response (response), and a policy (policy):
@@ -4142,10 +4194,10 @@ This directive’s initialization algorithm is
responsible for adjusting a Document's forced sandboxing flag set according to the sandbox values present in its policies, as
follows:
- Given a Document or global object (context), a response (response), and a policy (policy):
+ Given a Document or global object (context), a response (response), and a policy (policy):
This directive’s initialization algorithm is as
follows:
- Given a Document or global object (context), a response (response), and a policy (policy):
+ Given a Document or global object (context), a response (response), and a policy (policy):
This directive’s initialization algorithm is
responsible for adjusting a Document's forced sandboxing flag set according to the sandbox values present in its policies, as
follows:
- Given a Document or global object (context), a response (response), and a policy (policy):
+ Given a Document or global object (context), a response (response), and a policy (policy):
Document or global object (context), a response (response), and a policy (policy):Document or global object (context), a response (response), and a policy (policy):This directive’s initialization algorithm is as follows:
-Given a Document or global object (context), a response (response), and a policy (policy):
Given a Document or global object (context), a response (response), and a policy (policy):