diff --git a/index.bs b/index.bs index c87b4f39a2..f5013441a2 100644 --- a/index.bs +++ b/index.bs @@ -19,7 +19,7 @@ Boilerplate: feedback-header off !Participate: File an issue (open issues) !Tests: web-platform-tests content-security-policy/ (ongoing work) Markup Shorthands: css off, markdown on -At Risk: The [[#is-element-nonceable]] algorithm. +At Risk: The [=determine whether an element is nonceable=] algorithm.
spec:dom; type:interface; text:Document @@ -471,7 +471,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Parse a serialized CSP - To parse a serialized CSP, given a [=string=] |serialized|, a + To parse a serialized CSP, given a [=string=] |serialized|, a [=policy/source=] |source|, and a [=policy/disposition=] |disposition|, execute the following steps. @@ -520,7 +520,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Parse a serialized CSP list - To parse a serialized CSP list, given a [=byte sequence=] or [=string=] + To parse a serialized CSP list, given a [=byte sequence=] or [=string=] |list|, a [=policy/source=] |source|, and a [=policy/disposition=] |disposition|, execute the following steps. @@ -535,9 +535,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 3. [=list/For each=] |token| returned by splitting |list| on commas: - 1. Let |policy| be the result of parsing - |token|, with a [=policy/source=] of |source|, and [=policy/disposition=] of - |disposition|. + 1. Let |policy| be the result of [=parsing a serialized CSP=] given + |token|, |source|, and |disposition|. 2. If |policy|'s [=policy/directive set=] is empty, [=iteration/continue=]. @@ -546,26 +545,27 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 4. Return |policies|. -+
- Given a global object |global|, a policy |policy|, and a - string |directive|, the following algorithm creates a new violation - object, and populates it with an initial set of data: + To create a violation object for a global, given a global object |global|, a policy |policy|, and a + string |directive|, execute the following steps, which create a new + violation object, and populate it with an initial set of data. 1. Let |violation| be a new violation whose global object is |global|, policy is |policy|, @@ -845,17 +852,18 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Create a violation object for |request|, and |policy|. - Given a request |request|, a policy |policy|, - the following algorithm creates a new violation object, - and populates it with an initial set of data: + To create a violation object for a request, given a request |request|, a policy |policy|, execute the + following steps, which create a new violation object, and populate it + with an initial set of data. - 1. Let |directive| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |directive| be the result of [=getting the effective directive for + request=] given |request|. - 2. Let |violation| be the result of executing - [[#create-violation-for-global]] on |request|'s - client's global object, - |policy|, and |directive|. + 2. Let |violation| be the result of [=creating a violation object for a + global=], given |request|'s client's global object, |policy|, and + |directive|. 3. Set |violation|'s resource to |request|'s url. @@ -913,7 +921,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ representation. When the user agent receives a `Content-Security-Policy` header field, it - MUST parse and enforce each + MUST parse and enforce each serialized CSP it contains as described in [[#fetch-integration]], [[#html-integration]]. 
@@ -954,7 +962,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ representation. When the user agent receives a `Content-Security-Policy-Report-Only` header - field, it MUST parse and monitor + field, it MUST parse and monitor each serialized CSP it contains as described in [[#fetch-integration]] and [[#html-integration]]. @@ -1016,27 +1024,31 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ A number of directives control resource loading in one way or another. This specification provides algorithms which allow Fetch to make - decisions about whether or not a particular request should be blocked - or allowed, and about whether a particular response should be replaced + decisions about whether or not a particular request is blocked + or allowed, and about whether a particular response is replaced with a network error. - 1. [[#should-block-request]] is called as part of step 2.4 of the Main + 1. [=Determine whether a request is blocked by Content Security Policy=] + is called as part of step 2.4 of the Main Fetch algorithm. This allows directives' pre-request checks to be executed against each request before it hits the network, and against each redirect that a request might go through on its way to reaching a resource. - 2. [[#should-block-response]] is called as part of step 11 of the Main + 2. [=Determine whether a response is blocked by Content Security Policy=] + is called as part of step 11 of the Main Fetch algorithm. This allows directives' post-request checks to be executed on the response delivered from the network or from a Service Worker. -Parse |response|'s Content Security Policies
- To parse a response's Content Security Policies given a response - |response|: + To parse response's Content Security Policies given a + response |response|:- 1. Let |policies| be the result of parsing - the result of [=extracting header list values=] given `Content-Security-Policy` and - |response|'s [=response/header list=], with a [=policy/source=] of "`header`", and a - [=policy/disposition=] of "`enforce`". + 1. Let |headers| be the result of [=extracting header list values=], given + `Content-Security-Policy` and |response|'s [=response/header list=]. - 2. Append to |policies| the result of - parsing the result of - [=extracting header list values=] given `Content-Security-Policy-Report-Only` and - |response|'s [=response/header list=], with a [=policy/source=] of "`header`", and a - [=policy/disposition=] of "`report`". + 2. Let |policies| be the result of [=parsing a serialized CSP list=], given + |headers|, "`header`", and "`enforce`". - 3. For each |policy| of |policies|: + 3. Let |report only headers| be the result of [=extracting header list values=], given + `Content-Security-Policy-Report-Only` and |response|'s [=response/header list=]. + + 4. Append to |policies| the result of [=parsing a serialized CSP list=], given + |report only headers|, "`header`", and "`report`". + + 4. For each |policy| of |policies|: 1. Set |policy|'s [=policy/self-origin=] to |response|'s [=response/url=]'s [=url/origin=]. @@ -573,10 +573,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 4. Return |policies|.
- Note: When parsing a response's - Content Security Policies, if the resulting |policies| end up containing at least one item, - user agents can hold a flag on |policies| and use it to optimize away the [=/contains a - header-delivered Content Security Policy=] algorithm. + Note: When [=parsing response's Content Security Policies=], if the resulting + |policies| end up containing at least one item, user agents can hold a flag on + |policies| and use it to optimize away the [=/contains a header-delivered + Content Security Policy=] algorithm.Directives
@@ -608,42 +608,49 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. A pre-request check, which takes a request and a policy as an argument, and is executed - during [[#should-block-request]]. This algorithm returns "`Allowed`" unless + to [=determine whether a request is blocked by Content Security + Policy=]. This algorithm returns "`Allowed`" unless otherwise specified. 2. A post-request check, which takes a request, a response, and a policy as arguments, - and is executed during [[#should-block-response]]. This algorithm returns + and is executed to [=determine whether a response is blocked by Content Security + Policy=]. This algorithm returns "`Allowed`" unless otherwise specified. + + 3. An inline check, which takes an + {{Element}}, a type string, a policy, and a source string + as arguments, and is executed when [=determining whether element's inline + type behavior is blocked by Content Security Policy=] and when + [=determining whether a navigation request is blocked by Content + Security Policy=] for `javascript:` requests. This algorithm returns "`Allowed`" unless otherwise specified. - 3. An inline check, which takes an {{Element}}, a - type string, a policy, and a source string as arguments, - and is executed during [[#should-block-inline]] and during - [[#should-block-navigation-request]] for `javascript:` requests. This - algorithm returns "`Allowed`" unless otherwise specified. - - 4. An initialization, which takes a {{Document}} - or global object and a policy as arguments. This - algorithm is executed during [[#run-document-csp-initialization]] and - [[#run-global-object-csp-initialization]]. Unless otherwise specified, it has no - effect and it returns "`Allowed`". - - 5. A pre-navigation check, which takes a - request, a navigation type string ("`form-submission`" - or "`other`"), and a policy as arguments, and - is executed during [[#should-block-navigation-request]]. It returns - "`Allowed`" unless otherwise specified. - - 6. 
A navigation response check, which takes a - request, a navigation type string ("`form-submission`" or "`other`"), - a response, a navigable, a check type string ("`source`" - or "`response`"), and a policy as arguments, and is executed during - [[#should-block-navigation-response]]. It returns "`Allowed`" unless otherwise specified. + 4. An initialization, which takes a + {{Document}} or global object and a policy + as arguments. This algorithm is executed when [=running CSP initialization + for a Document=] and when [=running CSP initialization for a global + object=]. Unless otherwise specified, it has no effect and it returns + "`Allowed`". - 8. A webrtc pre-connect check, which takes a [=/policy=], and - is executed during [[#should-block-rtc-connection]]. It returns "`Allowed`" unless + 5. A pre-navigation check, which takes a request, a navigation type string ("`form-submission`" or + "`other`"), and a policy as arguments, and is executed when + [=determining whether a navigation request is blocked by Content + Security Policy=]. It returns "`Allowed`" unless otherwise specified. + + 6. A navigation response check, which takes + a request, a navigation type string ("`form-submission`" or + "`other`"), a response, a navigable, a check type string + ("`source`" or "`response`"), and a policy as arguments, + and is executed when [=determining whether a navigation response is + blocked by Content Security Policy=]. It returns "`Allowed`" unless otherwise specified. + 8. A webrtc pre-connect check, which takes + a [=/policy=], and is executed when [=determining whether RTC connections + are blocked by Content Security policy=]. It returns "`Allowed`" + unless otherwise specified. +Source Lists
Many directives' [=directive/value=] consist of source lists: sets @@ -754,11 +761,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ either null, "`inline`", "`eval`", "`wasm-eval`", or a {{URL}}. It represents the resource which violated the policy. - Note: The value null for a violation's resource is only allowed while the violation is - being populated. By the time the violation is reported and its resource is used for - [[#obtain-violation-blocked-uri|obtaining the blocked URI]], the + Note: The value null for a violation's resource + is only allowed while the violation is being populated. By the time the + violation is reported and its resource is used + for [=obtaining the blocked URI of a violation's resource=], the violation's resource should be populated with a {{URL}} or one of the allowed strings. @@ -807,9 +813,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Create a violation object for |global|, |policy|, and |directive|+
Report Content Security Policy violations for |request|
- Given a request |request|, this algorithm reports violations based - on [=request/policy container=]'s [=policy container/CSP list=] "report only" policies. + To report Content Security Policy violations, given a request |request|, execute the following steps, which report + violations based on [=request/policy container=]'s [=policy container/CSP + list=] "report only" policies. 1. Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=]. @@ -1045,53 +1057,59 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. If |policy|'s disposition is "`enforce`", then skip to the next |policy|. - 2. Let |violates| be the result of executing - [[#does-request-violate-policy]] on |request| and |policy|. + 2. Let |violates| be the result of [=determining whether a request violates + a policy=], given |request| and |policy|. - 3. If |violates| is not "`Does Not Violate`", then execute - [[#report-violation]] on the result of executing - [[#create-violation-for-request]] on |request|, and |policy|. + 3. If |violates| is not "`Does Not Violate`", then [=report a + violation=], given the result of [=creating a violation object for a + request=] given |request|, and |policy|. -- Should |request| be blocked by Content Security Policy? +
+ Is |request| blocked by Content Security Policy?
- Given a request |request|, this algorithm returns `Blocked` or `Allowed` and - reports violations based on |request|'s [=request/policy container=]'s - [=policy container/CSP list=]. + To determine whether a request is blocked by Content + Security Policy, given a request |request|, execute the + following steps, which return a [=boolean=] and report violations + based on |request|'s [=request/policy container=]'s [=policy container/CSP + list=]. 1. Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=]. - 2. Let |result| be "`Allowed`". + 2. Let |blocked| be false. 3. For each |policy| of |CSP list|: 1. If |policy|'s disposition is "`report`", then skip to the next |policy|. - 2. Let |violates| be the result of executing - [[#does-request-violate-policy]] on |request| and |policy|. + 2. Let |violates| be the result of [=determining whether a request violates + a policy=], given |request| and |policy|. 3. If |violates| is not "`Does Not Violate`", then: - 1. Execute [[#report-violation]] on the result of executing - [[#create-violation-for-request]] on |request|, and |policy|. + 1. Let |violation| be the result of [=creating a violation + object for a request=], given |request|, and |policy|. + + 2. [=Report a violation=], given |violation|. - 2. Set |result| to "`Blocked`". + 3. Set |blocked| to true. - 4. Return |result|. + 4. Return |blocked|. -- Should |response| to |request| be blocked by Content Security Policy? +
+ Is |response| to |request| blocked by Content Security Policy?
- Given a response |response| and a request |request|, this algorithm - returns `Blocked` or `Allowed`, and reports violations based on |request|'s + To determine whether a response is blocked by Content + Security Policy, given a response |response| and a request |request|, execute the following steps, which return + a [=boolean=] and report violations based on |request|'s [=request/policy container=]'s [=policy container/CSP list=]. 1. Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=]. - 2. Let |result| be "`Allowed`". + 2. Let |blocked| be false. 3. For each |policy| of |CSP list|: @@ -1100,17 +1118,19 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. If the result of executing |directive|'s post-request check is "`Blocked`", then: - 1. Execute [[#report-violation]] on the result of executing - [[#create-violation-for-request]] on |request|, and |policy|. + 1. Let |violation| be the result of [=creating a violation + object for a request=], given |request|, and |policy|. - 2. If |policy|'s disposition is "`enforce`", - then set |result| to "`Blocked`". + 2. [=Report a violation=], given |violation|. + + 3. If |policy|'s disposition is "`enforce`", + then set |blocked| to true. Note: This portion of the check verifies that the page can load the response. That is, that a Service Worker hasn't substituted a file which would violate the page's CSP. - 4. Return |result|. + 4. Return |blocked|.@@ -1118,27 +1138,29 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
1. The [=/policy container=] has a [=policy container/CSP list=], which holds - all the policy objects which are active for a given context. This - list is empty unless otherwise specified, and is populated from the response by parsing response's - Content Security Policies or inherited following the rules of the [=/policy container=]. + all the policy objects which are active for a given + context. This list is empty unless otherwise specified, and is populated + from the response by [=parsing response's Content Security + Policies=] or inherited following the rules of the [=/policy container=]. 2. A global object's CSP list - is the result of executing [[#get-csp-of-object]] with the global object - as the `object`. + is the result of [=retrieving object's CSP list=] given global object. 3. A policy is enforced or monitored for a global object by inserting it into the global object's CSP list. - 4. [[#run-document-csp-initialization]] is called during the create and initialize a - new `Document` object algorithm. + 4. Run `CSP` initialization for a document is called during the + create and initialize a new `Document` object algorithm. - 5. [[#should-block-inline]] is called during the prepare the script element and - update a `style` block algorithms in order to determine whether or - not an inline script or style block is allowed to execute/render. + 5. [=Determine whether element's inline type behavior is blocked by + Content Security Policy=] is called during the prepare the script + element and update a `style` block algorithms in order to + determine whether or not an inline script or style block is allowed to + execute/render. - 6. [[#should-block-inline]] is called during handling of inline event + 6. 
[=Determine whether element's inline type behavior is blocked by + Content Security Policy=] is called during handling of inline event handlers (like `onclick`) and inline `style` attributes in order to determine whether or not they ought to be allowed to execute/render. @@ -1152,28 +1174,30 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ ISSUE(whatwg/html#968): Stylesheet loading is not yet integrated with Fetch in WHATWG's HTML. - 9. [[#allow-base-for-document]] is called during <{base}>'s set the frozen - base URL algorithm to ensure that the <{base/href}> attribute's value - is valid. + 9. [=Determine whether base is allowed for document=] is called during + <{base}>'s set the frozen base URL algorithm to ensure that the + <{base/href}> attribute's value is valid. - 10. [[#should-block-navigation-request]] is called during the create - navigation params by fetching algorithm, and [[#should-block-navigation-response]] - is called during the attempt to populate the history entry's document - algorithm to apply directive's navigation checks, as well as inline checks for - navigations to `javascript:` URLs. + 10. [=Determine whether a navigation request is blocked by Content + Security Policy=] is called during the create navigation + params by fetching algorithm, and [=determine whether a navigation + response is blocked by Content Security Policy=] is called during + the attempt to populate the history entry's document + algorithm to apply directive's navigation checks, as well as inline checks + for navigations to `javascript:` URLs. - 11. [[#run-global-object-csp-initialization]] is called during the run a worker - algorithm. + 11. Run `CSP` initialization for a global object is called during the + run a worker algorithm. 12. The sandbox directive is used to populate the CSP-derived sandboxing flags. -+
- To obtain |object|'s CSP list: + To retrieve object's CSP list, + given a {{Document}} or [=/global object=] |object|, execute the following steps. 1. If |object| is a {{Document}} return |object|'s [=Document/policy container=]'s [=policy container/CSP list=]. @@ -1199,14 +1224,16 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 3. Return null. -Run `CSP` initialization for a `Document`
- Given a {{Document}} |document|, the user agent performs the following - steps in order to initialize CSP for |document|: + To run `CSP` initialization for a document, given a + {{Document}} |document|, execute the following steps. 1. For each |policy| of |document|'s [=Document/policy container=]'s [=policy container/CSP list=]: @@ -1188,7 +1212,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ Retrieve the CSP list of an |object|- Should |element|'s inline |type| behavior be blocked by Content Security Policy? +
+ Is |element|'s inline |type| behavior blocked by Content Security Policy?
- Given an {{Element}} |element|, a string |type|, and a string |source| - this algorithm returns "`Allowed`" if the element is allowed to have inline - definition of a particular type of behavior (script execution, style - application, event handlers, etc.), and "`Blocked`" otherwise: + To determine whether element's inline type behavior is + blocked by Content Security Policy, given an {{Element}} |element|, a + string |type|, and a string |source|, execute the following steps, which + return false if the element is allowed to have inline definition of a + particular type of behavior (script execution, style application, event + handlers, etc.), and true otherwise. Note: The valid values for |type| are "`script`", "`script attribute`", "`style`", and "`style attribute`". @@ -1214,7 +1241,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/1. Assert: |element| is not null. - 2. Let |result| be "`Allowed`". + 2. Let |blocked| be false. 3. For each |policy| of |element|'s {{Document}}'s global object's CSP list: @@ -1225,11 +1252,11 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ "`Allowed`" when executed upon |element|, |type|, |policy| and |source|, skip to the next |directive|. - 2. Let |directive-name| be the result of executing - [[#effective-directive-for-inline-check]] on |type|. + 2. Let |directive-name| be the result of [=getting the effective directive + for inline checks=], given |type|. - 3. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on the current settings + 3. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given the current settings object's global object, |policy|, and |directive-name|. 
@@ -1242,25 +1269,26 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ sample to the substring of |source| containing its first 40 characters. - 7. Execute [[#report-violation]] on |violation|. + 7. [=Report a violation=], given |violation|. 8. If |policy|'s disposition is "`enforce`", then - set |result| to "`Blocked`". + set |blocked| to true. - 4. Return |result|. + 4. Return |blocked|.
-- Should |navigation request| of |type| be blocked - by Content Security Policy? +
+ Is |navigation request| of |type| blocked by Content Security Policy?
- Given a request |navigation request| and a string |type| (either - "`form-submission`" or "`other`"), this algorithm return "`Blocked`" if the active policy blocks - the navigation, and "`Allowed`" otherwise: + To determine whether a navigation request is blocked by + Content Security Policy, given a request |navigation + request| and a string |type| (either "`form-submission`" or "`other`"), + execute the following steps, which return true if the active policy + blocks the navigation, and false otherwise.- 1. Let |result| be "`Allowed`". + 1. Let |blocked| be false. 2. For each |policy| of |navigation request|'s policy container's CSP list: @@ -1271,20 +1299,20 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ returns "`Allowed`" when executed upon |navigation request|, |type|, and |policy| skip to the next |directive|. - 2. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on |navigation request|'s + 2. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given |navigation request|'s client's global object, |policy|, and |directive|'s name. 3. Set |violation|'s resource to |navigation request|'s URL. - 4. Execute [[#report-violation]] on |violation|. + 4. [=Report a violation=], given |violation|. 5. If |policy|'s disposition is "`enforce`", then - set |result| to "`Blocked`". + set |blocked| to true. - 3. If |result| is "`Allowed`", and if |navigation request|'s + 3. If |blocked| is false, and if |navigation request|'s current URL's scheme is `javascript`: 1. For each |policy| of |navigation request|'s client's 
@@ -1293,43 +1321,45 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. For each |directive| of |policy|: - 1. Let |directive-name| be the result of executing - [[#effective-directive-for-inline-check]] on |type|. + 1. Let |directive-name| be the result of [=getting the effective + directive for inline checks=], given |type|. 2. If |directive|'s inline check returns "`Allowed`" when executed upon null, "`navigation`" and |navigation request|'s current URL, skip to the next |directive|. - 3. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on |navigation request|'s + 3. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given |navigation request|'s client's global object, |policy|, and |directive-name|. 4. Set |violation|'s resource to |navigation request|'s URL. - 5. Execute [[#report-violation]] on |violation|. + 5. [=Report a violation=], given |violation|. 6. If |policy|'s disposition is "`enforce`", then - set |result| to "`Blocked`". + set |blocked| to true. - 4. Return |result|. + 4. Return |blocked|.
-- Should |navigation response| to |navigation request| of |type| - in |target| be blocked by Content Security Policy? +
+ Is |navigation response| to |navigation request| of |type| + in |target| blocked by Content Security Policy?
- Given a request |navigation request|, a response |navigation - response|, a [=/CSP list=] |response CSP list|, a string |type| (either - "`form-submission`" or "`other`"), and a navigable |target|, this algorithm - returns "`Blocked`" if the active policy blocks the navigation, and "`Allowed`" - otherwise: + To determine whether a navigation response is blocked by + Content Security Policy, given a request |navigation + request|, a response |navigation response|, a [=/CSP list=] |response + CSP list|, a string |type| (either "`form-submission`" or "`other`"), and a + navigable |target|, execute the following steps, which return + true if the active policy blocks the navigation, and false + otherwise.- 1. Let |result| be "`Allowed`". + 1. Let |blocked| be false. 2. For each |policy| of |response CSP list|: @@ -1343,8 +1373,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ |navigation response|, |target|, "`response`", and |policy| skip to the next |directive|. - 2. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on null, |policy|, and + 2. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given null, |policy|, and |directive|'s name. Note: We use null for the global object, as no global exists: @@ -1353,10 +1383,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 3. Set |violation|'s resource to |navigation response|'s URL. - 4. Execute [[#report-violation]] on |violation|. + 4. [=Report a violation=], given |violation|. 5. If |policy|'s disposition is "`enforce`", then - set |result| to "`Blocked`". + set |blocked| to true. 3. For each |policy| of |navigation request|'s policy container's CSP list: 
@@ -1371,29 +1401,29 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ |navigation response|, |target|, "`source`", and |policy| skip to the next |directive|. - 2. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on |navigation request|'s + 2. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given |navigation request|'s client's global object, |policy|, and |directive|'s name. 3. Set |violation|'s resource to |navigation request|'s URL. - 4. Execute [[#report-violation]] on |violation|. + 4. [=Report a violation=], given |violation|. 5. If |policy|'s disposition is "`enforce`", then - set |result| to "`Blocked`". + set |blocked| to true. - 4. Return |result|. + 4. Return |blocked|.
-+
Run `CSP` initialization for a global object
- Given a global object |global|, the user agent performs the - following steps in order to initialize CSP for |global|. This algorithm - returns "`Allowed`" if |global| is allowed, and "`Blocked`" otherwise: + To run `CSP` initialization for a global object, given a global object |global|, execute the following steps, which return + "`Allowed`" if |global| is allowed, and "`Blocked`" otherwise.1. Let |result| be "`Allowed`". @@ -1411,15 +1441,18 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/
Integration with WebRTC
-The [=administratively-prohibited=] algorithm calls [[#should-block-rtc-connection]] - when invoked, and prohibits all candidates if it returns "`Blocked`".
+The [=administratively-prohibited=] algorithm calls [=determine whether RTC + connections are blocked by Content Security Policy=] when invoked, and + prohibits all candidates if it returns "`Blocked`".
-- Should RTC connections be blocked for |global|? +
- Given a realm |realm| and a string |source|, this algorithm - returns normally if string compilation is allowed, and throws an "`EvalError`" - if not: + To determine whether string compilation is allowed by CSP, + given a realm |realm| and a string |source|, execute the following + steps, which return normally if string compilation is allowed, and throw an + "`EvalError`" if not. 1. Let |result| be "`Allowed`". @@ -1477,8 +1511,8 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ an [=ASCII case-insensitive=] match for the string "`'unsafe-eval'`", then: - 1. Let |violation| be the result of executing [[#create-violation-for-global]] on - |global|, |policy|, and "`script-src`". + 1. Let |violation| be the result of [=creating a violation object for + a global=] given |global|, |policy|, and "`script-src`". 2. Set |violation|'s [=violation/resource=] to "`eval`". @@ -1486,7 +1520,7 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ "`'report-sample'`", then set |violation|'s [=violation/sample=] to the substring of |source| containing its first 40 characters. - 4. Execute [[#report-violation]] on |violation|. + 4. [=Report a violation=], given |violation|. 5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to "`Blocked`". @@ -1505,13 +1539,14 @@ sources into executable code. This document defines an implementation of this abstract operation which examines the relevant CSP list to determine whether such compilation ought to be blocked. -+ Are RTC connections blocked for |global|?
- Given a [=/global object=] |global|, this algorithm returns "`Blocked`" - if the active policy for |global| blocks RTC connections, and "`Allowed`" otherwise: + To determine whether RTC connections are blocked by Content + Security Policy, given a [=/global object=] |global|, execute the + following steps, which return "`Blocked`" if the active policy for |global| + blocks RTC connections, and "`Allowed`" otherwise.1. Let |result| be "`Allowed`". @@ -1429,13 +1462,13 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ 1. If |directive|'s webrtc pre-connect check returns "`Allowed`", [=iteration/continue=]. - 2. Otherwise, let |violation| be the result of executing - [[#create-violation-for-global]] on |global|, |policy|, and + 2. Otherwise, let |violation| be the result of [=creating a violation + object for a global=] given |global|, |policy|, and |directive|'s name. 3. Set |violation|'s resource to null. - 4. Execute [[#report-violation]] on |violation|. + 4. [=Report a violation=], given |violation|. 5. If |policy|'s disposition is "`enforce`", then set |result| to "`Blocked`". @@ -1455,9 +1488,10 @@ spec: WebRTC; urlPrefix: https://www.w3.org/TR/webrtc/ EnsureCSPDoesNotBlockStringCompilation(|realm|, |source|)
+
EnsureCSPDoesNotBlockWasmByteCompilation|realm|
-Given a realm |realm|, -this algorithm returns normally if compilation is allowed, and throws a -{{WebAssembly.CompileError}} if not: +To determine whether WebAssembly byte compilation is allowed by +CSP, given a realm |realm|, execute the following steps, which +return normally if compilation is allowed, and throws a +{{WebAssembly.CompileError}} if not. 1. Let |global| be |realm|'s [=realm/global object=]. @@ -1533,12 +1568,12 @@ this algorithm returns normally if compilation is allowed, and throws a [=source expression=] which is an [=ASCII case-insensitive=] match for the string "`'wasm-unsafe-eval'`", then: - 1. Let |violation| be the result of executing [[#create-violation-for-global]] on - |global|, |policy|, and "`script-src`". + 1. Let |violation| be the result of [=creating a violation object for a global=] + given |global|, |policy|, and "`script-src`". 2. Set |violation|'s [=violation/resource=] to "`wasm-eval`". - 3. Execute [[#report-violation]] on |violation|. + 3. [=Report a violation=], given |violation|. 4. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to "`Blocked`". @@ -1627,13 +1662,15 @@ this algorithm returns normally if compilation is allowed, and throws a Obtain the {{SecurityPolicyViolationEvent/blockedURI}} of a violation's |resource| - Given a violation's resource |resource|, this algorithm returns a - [=string=], to be used as the blocked URI field for violation reports. + To obtain the blocked URI of a violation's resource, given a + violation's resource |resource|, execute the following + steps, which return a [=string=] to be used as the blocked URI field for + violation reports. 1. Assert: |resource| is a [=/URL=] or a [=string=]. - 2. If |resource| is a [=/URL=], return the result of executing [[#strip-url-for-use-in-reports]] on - |resource|. + 2. If |resource| is a [=/URL=], return the result of [=stripping URL for use + in reports=] given |resource|. 3. Return |resource|. 
@@ -1641,21 +1678,23 @@ this algorithm returns normally if compilation is allowed, and throws a Obtain the deprecated serialization of |violation| - Given a violation |violation|, this algorithm returns a JSON text - string representation of the violation, suitable for submission to a reporting - endpoint associated with the deprecated `report-uri` directive. + To obtain the deprecated serialization of a violation, given a + violation |violation|, execute the following steps, which return a JSON + text string representation of the violation, suitable for submission to a + reporting endpoint associated with the deprecated `report-uri` + directive. 1. Let |body| be a map with its keys initialized as follows: : "`document-uri`" - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s url. : "`referrer`" - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s referrer. : "`blocked-uri`" - :: The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s resource. : "`effective-directive`" :: |violation|'s effective directive @@ -1681,8 +1720,8 @@ this algorithm returns normally if compilation is allowed, and throws a 2. If |violation|'s source file is not null: - 1. Set |body|["`source-file`'] to the result of executing [[#strip-url-for-use-in-reports]] - on |violation|'s source file. + 1. Set |body|["`source-file`'] to the result of [=stripping URL for use + in reports=], given |violation|'s source file. 2. Set |body|["`line-number`"] to |violation|'s line number. @@ -1696,9 +1735,10 @@ this algorithm returns normally if compilation is allowed, and throws a 4. Return the result of serialize an infra value to JSON bytes given «[ "csp-report" → body ]». -Strip URL for use in reports
- Given a [=/URL=] |url|, this algorithm returns a string representing the URL for use in violation - reports: +Strip URL for use in reports
+ + To strip URL for use in reports, given a [=/URL=] |url|, execute + the following steps. 1. If |url|'s scheme is not an HTTP(S) scheme, then return |url|'s scheme. @@ -1715,10 +1755,11 @@ this algorithm returns normally if compilation is allowed, and throws a Report a |violation| - Given a violation |violation|, this algorithm reports it to the endpoint specified in - |violation|'s policy, and fires a {{SecurityPolicyViolationEvent}} at - |violation|'s [=violation/element=], or at |violation|'s global object - as described below: + To report a violation, given a violation |violation|, + execute the following steps, which report it to the endpoint specified in + |violation|'s policy, and fire a + {{SecurityPolicyViolationEvent}} at |violation|'s [=violation/element=], or at + |violation|'s global object. 1. Let |global| be |violation|'s global object. @@ -1753,13 +1794,13 @@ this algorithm returns normally if compilation is allowed, and throws a interface at |target| with its attributes initialized as follows: : {{SecurityPolicyViolationEvent/documentURI}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s url. : {{SecurityPolicyViolationEvent/referrer}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s referrer. : {{SecurityPolicyViolationEvent/blockedURI}} - :: The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s resource. : {{SecurityPolicyViolationEvent/effectiveDirective}} :: |violation|'s effective directive 
@@ -1771,7 +1812,7 @@ this algorithm returns normally if compilation is allowed, and throws a : {{SecurityPolicyViolationEvent/disposition}} :: |violation|'s disposition : {{SecurityPolicyViolationEvent/sourceFile}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=], given |violation|'s source file, if |violation|'s source file is not null, or null otherwise. : {{SecurityPolicyViolationEvent/statusCode}} @@ -1838,9 +1879,8 @@ this algorithm returns normally if compilation is allowed, and throws a : header list :: A header list containing a single header whose name is "`Content-Type`", and value is "`application/csp-report`" - : body - :: The result of executing [[#deprecated-serialize-violation]] on - |violation| + : body :: The result of [=obtaining the + deprecated serialization of a violation=], given |violation| : redirect mode :: "`error`" @@ -1864,15 +1904,15 @@ this algorithm returns normally if compilation is allowed, and throws a follows: : {{CSPViolationReportBody/documentURL}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=}, given |violation|'s url. : {{CSPViolationReportBody/referrer}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=}, given |violation|'s referrer. : {{CSPViolationReportBody/blockedURL}} - :: The result of executing [[#obtain-violation-blocked-uri]] on |violation|'s + :: The result of [=stripping URL for use in reports=}, given |violation|'s resource. : {{CSPViolationReportBody/effectiveDirective}} 
@@ -1883,7 +1923,7 @@ this algorithm returns normally if compilation is allowed, and throws a policy. : {{CSPViolationReportBody/sourceFile}} - :: The result of executing [[#strip-url-for-use-in-reports]] on |violation|'s + :: The result of [=stripping URL for use in reports=}, given |violation|'s source file, if |violation|'s source file is not null, or null otherwise. @@ -2007,11 +2047,11 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `child-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `child-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the pre-request check for the directive whose name @@ -2027,11 +2067,11 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `child-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `child-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the post-request check for the directive whose name 
@@ -2102,14 +2142,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `connect-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2123,15 +2163,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `connect-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2150,8 +2191,10 @@ this algorithm returns normally if compilation is allowed, and throws a used as the policy's default source list. That is, given `default-src 'none'; script-src 'self'`, script requests will use `'self'` as the source list to match against. Other requests will use `'none'`. This is spelled - out in more detail in the [[#should-block-request]] and - [[#should-block-response]] algorithms. + out in more detail in the algorithms to determine whether a request or + a response is blocked by Content Security Policy.Resource hints such as <{link/rel/prefetch}> and <{link/rel/preconnect}> generate requests that @@ -2228,11 +2271,11 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `default-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `default-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the pre-request check for the directive whose 
@@ -2248,11 +2291,11 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing - [[#effective-directive-for-a-request]] on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `default-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `default-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the post-request check for the directive whose @@ -2269,11 +2312,11 @@ this algorithm returns normally if compilation is allowed, and throws a Given an {{Element}} |element|, a string |type|, a policy |policy| and a string |source|: - 1. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 1. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `default-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `default-src` and |policy| is "`No`", return "`Allowed`". 3. Otherwise, return the result of executing the inline check for the directive whose 
@@ -2322,14 +2365,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `font-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `font-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2343,15 +2386,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `font-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `font-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2390,14 +2434,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `frame-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `frame-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2411,15 +2455,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `frame-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `frame-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2461,15 +2506,15 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `img-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `img-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -2482,15 +2527,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `img-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `img-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2528,15 +2574,15 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `manifest-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `manifest-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -2549,15 +2595,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `manifest-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `manifest-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2598,15 +2645,15 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `media-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `media-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -2619,15 +2666,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `media-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `media-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2689,15 +2737,15 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `object-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `object-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -2710,15 +2758,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `object-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `object-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". 
@@ -2744,15 +2793,18 @@ this algorithm returns normally if compilation is allowed, and throws a The `script-src` directive governs six things: - 1. Script requests MUST pass through [[#should-block-request]]. + 1. Script requests MUST be allowed when [=determining whether + a request is blocked by Content Security Policy=]. - 2. Script responses MUST pass through [[#should-block-response]]. + 2. Script responses MUST be allowed when [=determining whether a response + is blocked by Content Security Policy=]. - 3. Inline <{script}> blocks MUST pass through [[#should-block-inline]]. Their - behavior will be blocked unless every policy allows inline script, either - implicitly by not specifying a `script-src` (or `default-src`) directive, - or explicitly, by specifying "`unsafe-inline`", a - nonce-source or a hash-source that matches + 3. Inline <{script}> blocks MUST be allowed when [=determining whether + element's inline type behavior is blocked by Content Security + Policy=]. Their behavior will be blocked unless every policy allows inline + script, either implicitly by not specifying a `script-src` (or + `default-src`) directive, or explicitly, by specifying "`unsafe-inline`", + a nonce-source or a hash-source that matches the inline block. 4. The following JavaScript execution sinks are gated on the "`unsafe-eval`" 
@@ -2784,8 +2836,10 @@ this algorithm returns normally if compilation is allowed, and throws a JavaScript. The "`wasm-unsafe-eval`" source expression only permits WebAssembly and does not affect JavaScript. - 6. Navigation to `javascript:` URLs MUST pass through [[#should-block-inline]]. Such navigations - will only execute script if every policy allows inline script, as per #3 above. + 6. Navigation to `javascript:` URLs MUST be allowed when [=determining + whether element's inline type behavior is blocked by Content + Security Policy=]. Such navigations will only execute script if every + policy allows inline script, as per #3 above.`script-src` Pre-request check @@ -2795,14 +2849,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `script-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `script-src` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing [[#script-pre-request]] on |request|, - this directive, and |policy|. + 3. Return the result of [=running script directives pre-request check=], + given |request|, this directive, and |policy|.
- Given a request |request|, a source list |source list|, - and a policy |policy|, this algorithm returns the result of executing - [[#match-url-to-source-list]] on |request|'s current url, - |source list|, |policy|'s [=policy/self-origin=], and |request|'s - redirect count. + To determine whether a request matches a source list, given a request |request|, a source list |source list|, and a policy |policy|, return the result of [=determining whether a url + matches a source list=] given |request|'s current url, + |source list|, |policy|'s [=policy/self-origin=], and |request|'s redirect count. Note: This is generally used in directives' pre-request check algorithms to verify that a given request is reasonable. @@ -3819,11 +3888,12 @@ this algorithm returns normally if compilation is allowed, and throws a Does |response| to |request| match |source list|? - Given a request |request|, and a source list |source list|, - and a policy |policy|, this algorithm returns the result of executing - [[#match-url-to-source-list]] on |response|'s url, - |source list|, |policy|'s [=policy/self-origin=], and |request|'s - redirect count. + To determine whether a response matches a source list, given a + [=/response=] |response|, a request |request|, a source + list |source list|, and a policy |policy|, return the + result of [=determining whether a url matches a source list=], given |response|'s + url, |source list|, |policy|'s [=policy/self-origin=], + and |request|'s redirect count. Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable. 
@@ -3832,10 +3902,11 @@ this algorithm returns normally if compilation is allowed, and throws a Does |url| match |source list| in |origin| with |redirect count|? - Given a {{URL}} |url|, a source list |source list|, an - origin |origin|, and a number |redirect count|, this - algorithm returns "`Matches`" if the URL matches one or more source - expressions in |source list|, or "`Does Not Match`" otherwise: + To determine whether a url matches a source list, given a {{URL}} + |url|, a source list |source list|, an origin |origin|, + and a number |redirect count|, execute the following steps, which return + "`Matches`" if the URL matches one or more source expressions in |source + list|, or "`Does Not Match`" otherwise. 1. Assert: |source list| is not null. @@ -3848,7 +3919,7 @@ this algorithm returns normally if compilation is allowed, and throws a Note: An empty source list (that is, a directive without a value: `script-src`, as opposed to `script-src host1`) is equivalent to a source list containing `'none'`, and will not match any URL. - + Note: The `'none'` keyword has no effect when other source expressions are present. That is, the list « `'none'` » does not match any URL. A list consisting of « `'none'`, `https://example.com` », on the other hand, would match @@ -3856,20 +3927,21 @@ this algorithm returns normally if compilation is allowed, and throws a 4. For each |expression| of |source list|: - 1. If [[#match-url-to-source-expression]] returns "`Matches`" when - executed upon |url|, |expression|, |origin|, and |redirect count|, return - "`Matches`". + 1. If the result of [=determining whether a url matches a source + expression=], given |url|, |expression|, |origin|, and |redirect + count|, is returns "`Matches`", return "`Matches`". 5. Return "`Does Not Match`". -`script-src` Post-request check 
@@ -2813,14 +2867,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `script-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `script-src` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing [[#script-post-request]] on |request|, - |response|, this directive, and |policy|. + 3. Return the result of [=running script directives post-request check=], + given |request|, |response|, this directive, and |policy|.
- Given a request's cryptographic nonce metadata - |nonce| and a source list |source list|, this algorithm returns - "`Matches`" if the nonce matches one or more source expressions in the list, - and "`Does Not Match`" otherwise: + To determine whether a nonce matches a source list, given a request's cryptographic nonce metadata + |nonce| and a source list |source list|, execute the following steps, + which return "`Matches`" if the nonce matches one or more source expressions + in the list, and "`Does Not Match`" otherwise. 1. Assert: |source list| is not null. @@ -3806,11 +3874,12 @@ this algorithm returns normally if compilation is allowed, and throws a Does |request| match |source list|?`script-src` Inline Check @@ -2833,14 +2887,14 @@ this algorithm returns normally if compilation is allowed, and throws a 1. Assert: |element| is not null or |type| is "`navigation`". - 2. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 2. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 3. If the result of executing [[#should-directive-execute]] on |name|, - `script-src` and |policy| is "`No`", return "`Allowed`". + 3. If the result of [=determining whether a directive executes=], given + |name|, `script-src` and |policy| is "`No`", return "`Allowed`". - 4. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 4. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". 
@@ -2874,14 +2928,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `script-src-elem` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `script-src-elem` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing [[#script-pre-request]] on |request|, - this directive, and |policy|. + 3. Return the result of [=running script directives pre-request check=], + given |request|, this directive, and |policy|.
- Given a request |request| and a policy |policy|, this - algorithm returns the default directive if the resource-hint request violates all the - policies, and "`Does Not Violate`" otherwise. + To determine whether a resource hint request violates a policy, given a + request |request| and a policy |policy|, execute + the following steps, which return the default directive if the + resource-hint request violates all the policies, and "`Does Not Violate`" + otherwise. 1. Let |defaultDirective| be |policy|'s first [=directive=] whose [=directive/name=] is "`default-src`". @@ -3785,10 +3852,11 @@ this algorithm returns normally if compilation is allowed, and throws a Does |nonce| match |source list|?`script-src-elem` Post-request check @@ -2892,14 +2946,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `script-src-elem` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `script-src-elem` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing [[#script-post-request]] on |request|, - |response|, this directive, and |policy|. + 3. Return the result of [=running script directives post-request check=], + given |request|, |response|, this directive, and |policy|.
- Given a request |request| and a policy |policy|, this - algorithm returns the violated directive if the request violates the - policy, and "`Does Not Violate`" otherwise. + To determine whether a request violates a policy, given a request |request| and a policy |policy|, execute + the following steps, which return the violated directive if the request + violates the policy, and "`Does Not Violate`" otherwise. - 1. If |request|'s [=request/initiator=] is "`prefetch`", then return the result of executing - [[#does-resource-hint-violate-policy]] on |request| and |policy|. + 1. If |request|'s [=request/initiator=] is "`prefetch`", then return the + result of [=determining whether a resource hint request violates a policy=], + given |request| and |policy|. 2. Let |violates| be "`Does Not Violate`". @@ -3763,9 +3828,11 @@ this algorithm returns normally if compilation is allowed, and throws a Does resource hint |request| violate |policy|?`script-src-elem` Inline Check @@ -2912,14 +2966,14 @@ this algorithm returns normally if compilation is allowed, and throws a 1. Assert: |element| is not null or |type| is "`navigation`". - 2. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 2. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 3. If the result of executing [[#should-directive-execute]] on |name|, - `script-src-elem`, and |policy| is "`No`", return "`Allowed`". + 3. If the result of [=determining whether a directive executes=], given + |name|, `script-src-elem`, and |policy| is "`No`", return "`Allowed`". - 4. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 4. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source| is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". 
@@ -2947,14 +3001,14 @@ this algorithm returns normally if compilation is allowed, and throws a 1. Assert: |element| is not null or |type| is "`navigation`". - 2. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 2. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 3. If the result of executing [[#should-directive-execute]] on |name|, - `script-src-attr` and |policy| is "`No`", return "`Allowed`". + 3. If the result of [=determining whether a directive executes=], given + |name|, `script-src-attr` and |policy| is "`No`", return "`Allowed`". - 4. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 4. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". @@ -2972,7 +3026,8 @@ this algorithm returns normally if compilation is allowed, and throws a The `style-src` directive governs several things: - 1. Style requests MUST pass through [[#should-block-request]]. This + 1. Style requests MUST be allowed when [=determining + whether a request is blocked by Content Security Policy=]. This includes: 1. Stylesheet requests originating from a <{link}> element. 
@@ -2981,14 +3036,15 @@ this algorithm returns normally if compilation is allowed, and throws a 3. Stylesheet requests originating from a `Link` HTTP response header field [[!RFC8288]]. - 2. Responses to style requests MUST pass through - [[#should-block-response]]. + 2. Responses to style requests MUST be allowed when [=determining + whether a response is blocked by Content Security Policy=]. - 3. Inline <{style}> blocks MUST pass through [[#should-block-inline]]. The - styles will be blocked unless every policy allows inline style, either - implicitly by not specifying a `style-src` (or `default-src`) directive, - or explicitly, by specifying "`unsafe-inline`", a - nonce-source or a hash-source that matches + 3. Inline <{style}> blocks MUST be allowed when [=determining whether + element's inline type behavior is blocked by Content Security + Policy=]. The styles will be blocked unless every policy allows inline + style, either implicitly by not specifying a `style-src` (or + `default-src`) directive, or explicitly, by specifying "`unsafe-inline`", + a nonce-source or a hash-source that matches the inline block. 4. The following CSS algorithms are gated on the `unsafe-eval` source 
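Review bot: Items 2 and 3 of the `style-src` list change normative meaning, not just link style. "MUST pass through [[#should-block-response]]" required that the check be run. "MUST be allowed when [=determining whether a response is blocked by Content Security Policy=]" reads as a requirement that the response (or inline block) be allowed. Item 1 in the preceding hunk has the same problem. Suggest wording that keeps the original sense, for example "Responses to style requests MUST be subject to [=determining whether a response is blocked by Content Security Policy=]", and the equivalent for requests and inline <{style}> blocks.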
@@ -3013,20 +3069,20 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-nonce-to-source-list]] on + 3. If the result of [=determining whether a nonce matches a source list=], given |request|'s cryptographic nonce metadata and this directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 4. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". 
@@ -3039,20 +3095,21 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-nonce-to-source-list]] on + 3. If the result of [=determining whether a nonce matches a source list=], given |request|'s cryptographic nonce metadata and this directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 4. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 5. Return "`Allowed`". 
@@ -3065,14 +3122,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given an {{Element}} |element|, a string |type|, a policy |policy| and a string |source|: - 1. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |type|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 3. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
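Review bot: Step 1 of the `style-src` inline check now links the wrong algorithm: it calls "[=getting the effective directive for request=], given |type|", but |type| is a string, not a request, and the removed line pointed at [[#effective-directive-for-inline-check]]. The `style-src-elem` and `style-src-attr` inline checks converted in this patch use "[=getting the effective directive for inline checks=], given |type|"; this step should match them. As written, the inline check would resolve |name| through the request-based algorithm, which changes which directive is deemed to execute.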
@@ -3103,20 +3160,20 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src-elem` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src-elem` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-nonce-to-source-list]] on + 3. If the result of [=determining whether a nonce matches a source list=], given |request|'s cryptographic nonce metadata and this directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 4. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". 
@@ -3129,20 +3186,21 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src-elem` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src-elem` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-nonce-to-source-list]] on + 3. If the result of [=determining whether a nonce matches a source list=], given |request|'s cryptographic nonce metadata and this directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 4. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 5. Return "`Allowed`". 
@@ -3155,14 +3213,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given an {{Element}} |element|, a string |type|, a policy |policy| and a string |source|: - 1. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 1. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src-elem` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src-elem` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 3. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -3187,14 +3245,14 @@ this algorithm returns normally if compilation is allowed, and throws a Given an {{Element}} |element|, a string |type|, a policy |policy| and a string |source|: - 1. Let |name| be the result of executing [[#effective-directive-for-inline-check]] - on |type|. + 1. Let |name| be the result of [=getting the effective directive for + inline checks=], given |type|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `style-src-attr` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `style-src-attr` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-element-to-source-list]] on - |element|, this directive's value, |type|, + 3. If the result of [=determining whether an element matches a source list=], + given |element|, this directive's value, |type|, and |source|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -3300,15 +3358,15 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request| and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `worker-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `worker-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a request matches a source list=], + given |request|, this directive's value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". 
@@ -3321,15 +3379,16 @@ this algorithm returns normally if compilation is allowed, and throws a Given a request |request|, a response |response|, and a policy |policy|: - 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] - on |request|. + 1. Let |name| be the result of [=getting the effective directive for + request=], given |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, - `worker-src` and |policy| is "`No`", return "`Allowed`". + 2. If the result of [=determining whether a directive executes=], given + |name|, `worker-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, this directive's value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 4. Return "`Allowed`". @@ -3354,13 +3413,14 @@ this algorithm returns normally if compilation is allowed, and throws a The following algorithm is called during HTML's set the frozen base url algorithm in order to monitor and enforce this directive: -
- This directive's post-request check is as follows: - - Given a request |request|, a response |response|, - a directive |directive|, and a policy |policy|: + To run script directives post-request check, given a request |request|, a response |response|, a + directive |directive|, and a policy |policy|: 1. If |request|'s destination is script-like: - 1. If the result of executing [[#match-nonce-to-source-list]] on - |request|'s cryptographic nonce metadata and this - directive's value is "`Matches`", return - "`Allowed`". + 1. If the result of [=determining whether a nonce matches a source list=], + given |request|'s cryptographic nonce metadata + and this directive's value is "`Matches`", + return "`Allowed`". 2. If |directive|'s value contains "`'strict-dynamic'`", and |request|'s parser metadata is not "parser-inserted", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, |directive|'s value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of [=determining whether a response matches a source list=], + given |response|, |request|, |directive|'s value, and |policy|, is "`Does Not Match`", return + "`Blocked`". 2. Return "`Allowed`". @@ -3741,12 +3804,14 @@ this algorithm returns normally if compilation is allowed, and throws a Does |request| violate |policy|?+
- Given a request |request|, a directive |directive|, - and a policy |policy|: + To run script directives pre-request check, + given a request |request|, a directive |directive|, and + a policy |policy|, execute the following steps. 1. If |request|'s destination is script-like: - 1. If the result of executing [[#match-nonce-to-source-list]] on - |request|'s cryptographic nonce metadata and this - directive's value is "`Matches`", return - "`Allowed`". + 1. If the result of [=determining whether a nonce matches a source list=], + given |request|'s cryptographic nonce metadata + and this directive's value is "`Matches`", + return "`Allowed`". 2. Let |integrity expressions| be the set of source expressions in |directive|'s value that match the @@ -3702,9 +3765,9 @@ this algorithm returns normally if compilation is allowed, and throws a Note: "`'strict-dynamic'`" is explained in more detail in [[#strict-dynamic-usage]]. - 4. If the result of executing [[#match-request-to-source-list]] on - |request|, |directive|'s value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 4. If the result of [=determining whether a request matches a source list=], + given |request|, |directive|'s value, and + |policy|, is "`Does Not Match`", return "`Blocked`". 2. Return "`Allowed`". @@ -3712,26 +3775,26 @@ this algorithm returns normally if compilation is allowed, and throws a Script directives post-request checkIs |base| allowed for |document|?
- Given a {{URL}} |base|, and a {{Document}} |document|, this algorithm - returns "`Allowed`" if |base| may be used as the value of a <{base}> - element's <{base/href}> attribute, and "`Blocked`" otherwise: + To determine whether base is allowed for document, given a + {{URL}} |base|, and a {{Document}} |document|, execute the following steps, + which return false if |base| may be used as the value of a <{base}> + element's <{base/href}> attribute, and true otherwise. 1. For each |policy| of |document|'s global object's csp list: @@ -3374,24 +3434,25 @@ this algorithm returns normally if compilation is allowed, and throws a 3. If |source list| is null, skip to the next |policy|. - 4. If the result of executing [[#match-url-to-source-list]] on |base|, |source list|, - |policy|'s [=policy/self-origin=], and `0` is "`Does Not Match`": + 4. If the result of [=determining whether a url matches a source + expression=], given |base|, |source list|, |policy|'s + [=policy/self-origin=], and `0` is "`Does Not Match`": - 1. Let |violation| be the result of executing - [[#create-violation-for-global]] on |document|'s global + 1. Let |violation| be the result of [=creating a violation object for a global=] + given |document|'s global object, |policy|, and "`base-uri`". 2. Set |violation|'s resource to "`inline`". - 3. Execute [[#report-violation]] on |violation|. + 3. [=Report a violation=], given |violation|. 4. If |policy|'s disposition is "`enforce`", - return "`Blocked`". + return true. Note: We compare against the fallback base URL in order to deal correctly with things like an iframe `srcdoc` `Document` which has been sandboxed into an opaque origin. - 2. Return "`Allowed`". + 2. Return false.`sandbox`
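Review bot: Step 4 of the `base-uri` algorithm now calls "[=determining whether a url matches a source expression=]" while still passing |source list| as the second argument; the removed line referenced [[#match-url-to-source-list]], so the link should be "[=determining whether a url matches a source list=]". Separately, the return values were changed from "`Allowed`"/"`Blocked`" to false/true with the sense inverted relative to the name: "determine whether base is allowed for document" returns false when |base| may be used and true when it is blocked. Either keep the "`Allowed`"/"`Blocked`" strings that the other checks in this patch still return, or flip the booleans (or rename the algorithm) so a true result means what the name says. No caller update is visible in this patch, so the HTML-side hook that consumes this result needs checking too.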
@@ -3474,7 +3535,7 @@ this algorithm returns normally if compilation is allowed, and throws a 2. If |navigation type| is "`form-submission`": - 1. If the result of executing [[#match-request-to-source-list]] on + 1. If the result of [=determining whether a request matches a source list=], given |request|, this directive's value, and a |policy|, is "`Does Not Match`", return "`Blocked`". @@ -3544,9 +3605,10 @@ this algorithm returns normally if compilation is allowed, and throws a ASCII serialization of |document|'s [=Document/origin=]. - 3. If [[#match-url-to-source-list]] returns `Does Not Match` when - executed upon |origin|, this directive's value, - |policy|'s [=policy/self-origin=], and `0`, return "`Blocked`". + 3. If the result of [=determining whether a url matches a source list=], + given |origin|, this directive's value, + |policy|'s [=policy/self-origin=], and `0` is `Does Not Match`, + return "`Blocked`". 4. Set |current| to |document|'s node navigable. @@ -3574,9 +3636,9 @@ this algorithm returns normally if compilation is allowed, and throws a Various algorithms in this document hook into the reporting process by - constructing a violation object via [[#create-violation-for-request]] - or [[#create-violation-for-global]], and passing that object to - [[#report-violation]] to deliver the report. + [=creating a violation object for a request=] or [=creating a violation object + for a global=], and reporting the obtained + [=violation=].`report-uri`
@@ -3646,15 +3708,16 @@ this algorithm returns normally if compilation is allowed, and throws a Script directives pre-request check+
- Given an {{Element}} |element|, this algorithm returns "`Nonceable`" if - a `nonce-source` expression can match the element (as discussed - in [[#security-nonce-hijacking]]), and "`Not Nonceable`" if such expressions + To determine whether an element is nonceable, given an {{Element}} + |element|, execute the following steps, which return "`Nonceable`" if a `nonce-source` expression can match |element| (as discussed in + [[#security-nonce-hijacking]]), and "`Not Nonceable`" if such expressions should not be applied. 1. If |element| does not have an attribute named "`nonce`", return "`Not @@ -4146,15 +4219,12 @@ this algorithm returns normally if compilation is allowed, and throws a Does a source list allow all inline behavior for |type|? - A source list - allows all inline behavior - of a given |type| if it contains the `keyword-source` - expression `'unsafe-inline'`, and does not override that - expression as described in the following algorithm: - - Given a source list |list| and a string |type|, the following - algorithm returns "`Allows`" if all inline content of a given |type| is - allowed and "`Does Not Allow`" otherwise. + To determine whether a source list allows all inline behavior given + a [=source list=] |list| and a [=string=] |type|, execute the following steps, + which return "`Allows`" if |list| contains the `keyword-source` + expression `'unsafe-inline'` and does not override that + expression as described in the following algorithm, and "`Does Not Allow`" + otherwise. 1. Let |allow all inline| be `false`. 
@@ -4211,18 +4281,19 @@ this algorithm returns normally if compilation is allowed, and throws a Does |element| match source list for |type| and |source|? - Given an {{Element}} |element|, a source list |list|, a string - |type|, and a string |source|, this algorithm returns "`Matches`" or + To determine whether an element matches a source list, given an + {{Element}} |element|, a source list |list|, a string |type|, and a + string |source|, execute the following steps, which return "`Matches`" or "`Does Not Match`". Note: Regardless of the encoding of the document, |source| will be converted to `UTF-8` before applying any hashing algorithms. - 1. If [[#allow-all-inline]] returns "`Allows`" given |list| and |type|, - return "`Matches`". + 1. If the result of [=determining whether a source list allows all inline + behavior=] given |list| and |type| is "`Allows`", then return "`Matches`". - 2. If |type| is "`script`" or "`style`", and [[#is-element-nonceable]] - returns "`Nonceable`" when executed upon |element|: + 2. If |type| is "`script`" or "`style`", and the result of [=determining + whether an element is nonceable=] given |element| is "`Nonceable`": 1. For each |expression| of |list|: @@ -4298,10 +4369,11 @@ this algorithm returns normally if compilation is allowed, and throws a Get the effective directive for |request| - Each fetch directive controls a specific destination of request. Given - a request |request|, the following algorithm returns either - null or the name of the request's - effective directive: + Each fetch directive controls a specific destination of request. To get the effective directive for request, + given a request |request|, execute the following steps, which + return either null or the name of the request's effective directive. 1. If |request|'s [=request/initiator=] is "`prefetch`" or "`prerender`", return `default-src`. 
@@ -4374,8 +4446,9 @@ this algorithm returns normally if compilation is allowed, and throws a Get the effective directive for inline checks - Given a string |type|, this algorithm returns the name - of the effective directive. + To get the effective directive for inline checks, given a string + |type|, execute the following steps, which return the name of the effective directive. Note: While the effective directive is only defined for requests, in this algorithm it is used similarly to mean @@ -4402,11 +4475,11 @@ this algorithm returns normally if compilation is allowed, and throws a Get fetch directive fallback list - Will return an ordered set of the fallback directives for a specific directive. - The returned ordered set is sorted from most relevant to least relevant - and it includes the effective directive itself. - - Given a string |directive name|: + To get the directive fallback list given a string |directive + name|, execute the following steps, which return an ordered set of the + fallback directives for a specific directive. The returned + ordered set is sorted from most relevant to least relevant and it + includes the effective directive itself. 1. Switch on |directive name|: @@ -4461,20 +4534,21 @@ this algorithm returns normally if compilation is allowed, and throws a 2. Return `<< >>`.Does |url| match |expression| in |origin| with |redirect count|?
- Given a {{URL}} |url|, a source expression |expression|, an - origin |origin|, and a number |redirect count|, this algorithm - returns "`Matches`" if |url| matches |expression|, and "`Does Not Match`" - otherwise. + To determine whether a url matches a source expression, given a + {{URL}} |url|, a source expression |expression|, an origin |origin|, and a number |redirect count|, execute the + following steps, which return "`Matches`" if |url| matches |expression|, and + "`Does Not Match`" otherwise. Note: |origin| is the origin of the resource relative to which the |expression| should be resolved. "`'self'`", for instance, will have distinct @@ -4000,7 +4072,7 @@ this algorithm returns normally if compilation is allowed, and throws a Note: The matching relation is asymmetric. That is, |pattern| matching |host| does not mean that |host| will match |pattern|. For example, `*.example.com` `host-part` matches `www.example.com`, but `www.example.com` does not `host-part` match `*.example.com`. - + Note: A future version of this specification may allow literal IPv6 and IPv4 addresses, depending on usage and demand. Given the weak security properties of IP addresses in relation to named hosts, however, authors are encouraged to prefer the latter whenever possible. @@ -4036,7 +4108,7 @@ this algorithm returns normally if compilation is allowed, and throws a 2. If |input| is equal to "*", return "`Matches`". 3. Let |normalizedInput| be null if |input| is the empty string; otherwise |input| interpreted as decimal number. - + 4. If |normalizedInput| equals |url|'s [=url/port=], return "`Matches`". 5. If |url|'s [=url/port=] is null: @@ -4106,9 +4178,10 @@ this algorithm returns normally if compilation is allowed, and throws a Is |element| nonceable?- Should fetch directive execute + Does fetch directive execute
This algorithm is used for fetch directives to decide whether a directive - should execute or defer to a different directive that is better suited. + executes or defer to a different directive that is better suited. For example: if the |effective directive name| is `worker-src` (meaning that we are currently checking a worker request), a `default-src` directive - should not execute if a `worker-src` or `script-src` directive exists. + does not execute if a `worker-src` or `script-src` directive exists. - Given a string |effective directive name|, a string |directive name| and - a policy |policy|: + To determine whether a directive executes, given a string + |effective directive name|, a string |directive name| and a policy |policy|, execute the following steps. - 1. Let |directive fallback list| be the result of executing [[#directive-fallback-list]] - on |effective directive name|. + 1. Let |directive fallback list| be the result of [=getting the directive + fallback list=] given |effective directive name|. 2. For each |fallback directive| of |directive fallback list|: @@ -4539,19 +4613,21 @@ this algorithm returns normally if compilation is allowed, and throws a an attribute named "<script
", a `nonce` attribute, and a second `src` attribute which is helpfully discarded as duplicate by the parser. - The [[#is-element-nonceable]] algorithm attempts to mitigate this specific - attack by walking through <{script}> or <{style}> element attributes, looking for the - string "<script
" or "<style
" in their names or values. + The [=determine whether an element is nonceable=] algorithm attempts to mitigate + this specific attack by walking through <{script}> or <{style}> element + attributes, looking for the string "<script
" or + "<style
" in their names or values. User-agents must pay particular attention when implementing this algorithm to not ignore duplicate attributes. If an element has a duplicate attribute any instance of the attribute after the first one is ignored but in the - [[#is-element-nonceable]] algorithm, all attributes including the - duplicate ones need to be checked. + [=determine whether an element is nonceable=] algorithm, all attributes including + the duplicate ones need to be checked. - ISSUE(whatwg/html#3257): Currently the HTML spec's parsing algorithm removes this information - before the [[#is-element-nonceable]] algorithm can be run which makes it - impossible to actually detect duplicate attributes. + ISSUE(whatwg/html#3257): Currently the HTML spec's parsing algorithm removes + this information before the [=determine whether an element is nonceable=] + algorithm can be run which makes it impossible to actually detect duplicate + attributes. For the following example page: @@ -4561,7 +4637,7 @@ this algorithm returns normally if compilation is allowed, and throws a The following injected string will use a duplicate attribute to attempt to - bypass the [[#is-element-nonceable]] algorithm check: + bypass the [=determine whether an element is nonceable=] algorithm check:Hello, <script src='https://evil.com/evil.js' x="" x= @@ -5010,7 +5086,7 @@ this algorithm returns normally if compilation is allowed, and throws aContent-Security-Policy: img-src 'none'; script-src 'none'; font-src 'none'- + Supplementing this policy with `default-src 'none'` would improve the page's robustness against this kind of attack.