Correct headers syntax descriptions

wbamberg · Sep 30, 2024 · 271b933 · 271b933
1 parent 6935404
commit 271b933
Show file tree

Hide file tree

Showing 20 changed files with 25 additions and 87 deletions.
diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
@@ -28,16 +28,21 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest
 
 ## Syntax
 
-One or more _sources_ can be allowed for the base-uri policy:
-
 ```http
-Content-Security-Policy: base-uri <source>;
-Content-Security-Policy: base-uri <source> <source>;
+Content-Security-Policy: base-uri 'none';
+Content-Security-Policy: base-uri <source-expression-list>;
 ```
 
-### Sources
+This directive may have either:
+
+- the single keyword value `'none'`, meaning that no base URI may be set using a `<base>` element
+- a list of _source expression_ values, meaning that a `<base>` element may set a base URI if it matches any of the given source expressions.
+
+The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources). However, only the following subset of those values apply to `base-uri`:
 
-This directive uses the same [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources) syntax for arguments as other CSP directives. However, only values that match URLs make sense for `base-uri`, including `<host-source>`, `<scheme-source>`, `'self'`, and `'none'`.
+- `<host-source>`
+- `<scheme-source>`
+- the keyword value `'self'`.
 
 ## Examples
 

diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.md b/files/en-us/web/http/headers/content-security-policy/child-src/index.md
@@ -35,18 +35,17 @@ network errors by the user agent.
 
 ## Syntax
 
-One or more sources can be allowed for the `child-src` policy:
-
 ```http
-Content-Security-Policy: child-src <source>;
-Content-Security-Policy: child-src <source> <source>;
+Content-Security-Policy: child-src 'none';
+Content-Security-Policy: child-src <source-expression-list>;
 ```
 
-### Sources
+This directive may have either:
 
-`<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
+- the single keyword value `'none'`, meaning that no resources of this type may be loaded
+- a list of _source expression_ values, meaning that resources of this type may be loaded if they match any of the given source expressions.
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
+The syntax for each source expression is given in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources).
 
 ## Examples
 

diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
@@ -54,8 +54,6 @@ Content-Security-Policy: connect-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md
@@ -52,8 +52,6 @@ Content-Security-Policy: default-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### No inheritance with default-src

diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.md b/files/en-us/web/http/headers/content-security-policy/font-src/index.md
@@ -44,8 +44,6 @@ Content-Security-Policy: font-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md
@@ -42,8 +42,6 @@ Content-Security-Policy: form-action <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Meta tag configuration

diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md
@@ -49,8 +49,6 @@ Content-Security-Policy: frame-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.md b/files/en-us/web/http/headers/content-security-policy/img-src/index.md
@@ -42,8 +42,6 @@ Content-Security-Policy: img-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md
@@ -45,8 +45,6 @@ Content-Security-Policy: manifest-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.md b/files/en-us/web/http/headers/content-security-policy/media-src/index.md
@@ -44,8 +44,6 @@ Content-Security-Policy: media-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.md b/files/en-us/web/http/headers/content-security-policy/object-src/index.md
@@ -51,8 +51,6 @@ Content-Security-Policy: object-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md
@@ -47,8 +47,6 @@ Content-Security-Policy: prefetch-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Example
 
 ### Prefetch resources do not match header

diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
@@ -53,8 +53,6 @@ Content-Security-Policy: script-src-attr <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation case

diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md
@@ -53,8 +53,6 @@ Content-Security-Policy: script-src-elem <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation case

diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.md b/files/en-us/web/http/headers/content-security-policy/script-src/index.md
@@ -42,8 +42,6 @@ Content-Security-Policy: script-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Allowlisting resources from trusted domains

diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md
@@ -7,8 +7,13 @@ spec-urls: https://w3c.github.io/webappsec-csp/#framework-directive-source-list
 
 {{HTTPSidebar}}
 
-HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) header directives that specify a `<source>` from which resources may be loaded can use any one of the values listed below.
-Relevant directives include the {{Glossary("fetch directive", "fetch directives")}}, along with others [listed below](#relevant_directives).
+HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) [fetch directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives) may take as a value a space-separated list of _source expressions_. Each source expression can be any of the values listed below.
+
+As well as fetch directives, some other CSP directives may take as a value a space-separated list of source expressions, each of which may be a subset of the values listed below, namely: one of `<host-source>`, `<scheme-source>`, or the keyword `'self'`. These other directives are:
+
+- {{CSP("base-uri")}}
+- {{CSP("form-action")}}
+- {{CSP("frame-ancestors")}}
 
 ## Sources
 
@@ -64,12 +69,9 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives"
 - `'unsafe-inline'`
   - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, [`javascript:` URLs](/en-US/docs/Web/URI/Schemes/javascript), inline event handlers, and inline {{HTMLElement("style")}} elements.
     The single quotes are required.
-- `'none'`
-  - : Refers to the empty set; that is, no URLs match.
-    The single quotes are required.
 - `'nonce-<base64-value>'`
 
-  - : An allowlist for specific inline scripts using a cryptographic nonce (number used once).
+  - : An allowlist for specific scripts using a cryptographic nonce (number used once).
     The server must generate a unique nonce value each time it transmits a policy.
     It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial.
     See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example.
@@ -96,37 +98,3 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives"
 ## Specifications
 
 {{Specifications}}
-
-## Relevant directives
-
-Directives for which the above sources apply include:
-
-- {{Glossary("fetch directive", "Fetch directives")}}:
-
-  - {{CSP("default-src")}}
-  - {{CSP("child-src")}}
-  - {{CSP("connect-src")}}
-  - {{CSP("font-src")}}
-  - {{CSP("frame-src")}}
-  - {{CSP("img-src")}}
-  - {{CSP("manifest-src")}}
-  - {{CSP("media-src")}}
-  - {{CSP("object-src")}}
-  - {{CSP("prefetch-src")}}
-  - {{CSP("script-src")}}
-  - {{CSP("script-src-elem")}}
-  - {{CSP("script-src-attr")}}
-  - {{CSP("style-src")}}
-  - {{CSP("style-src-elem")}}
-  - {{CSP("style-src-attr")}}
-  - {{CSP("worker-src")}}
-
-- {{Glossary("Document directive", "Document directives")}}:
-
-  - {{CSP("base-uri")}}
-  - {{CSP("sandbox")}}
-
-- {{Glossary("Navigation directive", "Navigation directives")}}:
-
-  - {{CSP("form-action")}}
-  - {{CSP("frame-ancestors")}}
diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md
@@ -54,8 +54,6 @@ Content-Security-Policy: style-src-attr <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md
@@ -53,8 +53,6 @@ Content-Security-Policy: style-src-elem <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/style-src/index.md b/files/en-us/web/http/headers/content-security-policy/style-src/index.md
@@ -42,8 +42,6 @@ Content-Security-Policy: style-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases

diff --git a/files/en-us/web/http/headers/content-security-policy/worker-src/index.md b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md
@@ -50,8 +50,6 @@ Content-Security-Policy: worker-src <source> <source>;
 
 `<source>` can be any one of the values listed in [CSP Source Values](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#sources).
 
-Note that this same set of values can be used in all {{Glossary("fetch directive", "fetch directives")}} (and a [number of other directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#relevant_directives)).
-
 ## Examples
 
 ### Violation cases