From b6cb903f5bb306a5d588872f708533173ee1da28 Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Fri, 22 Nov 2024 16:19:02 +0000 Subject: [PATCH] Fix wrong references to parse a serialized CSP list (#691) SHA: a2c014140accafaac1abf8dd7076203556a3c3d8 Reason: push, by antosart Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- index.html | 2498 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 1595 insertions(+), 903 deletions(-) diff --git a/index.html b/index.html index 747d3242c1..ac87c9dfd7 100644 --- a/index.html +++ b/index.html @@ -5,9 +5,11 @@ Content Security Policy Level 3 - + - + + + - + - + -

Content Security Policy Level 3

-

W3C Working Draft,

+

W3C Working Draft,

More details about this document
This version: -
https://www.w3.org/TR/2024/WD-CSP3-20241014/ +
https://www.w3.org/TR/2024/WD-CSP3-20241122/
Latest published version:
https://www.w3.org/TR/CSP3/
Editor's Draft: @@ -735,9 +804,8 @@

Content Security Policy Level 3

Abstract

This document defines a mechanism by which web developers can control the - - resources which a particular page can fetch or execute, as well as a number - of security-relevant policy decisions.

+resources which a particular page can fetch or execute, as well as a number +of security-relevant policy decisions.

Status of this document

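Review bot: this hunk only re-wraps the Abstract paragraph (the removed and added lines carry the same words with different line breaks), so it is generator churn rather than part of the reference fix named in the subject; since index.html is Bikeshed output co-authored by github-actions[bot], readers of a 1595-insertion/903-deletion diff would be helped by a sentence in the PR saying which hunks actually carry the corrected references.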
@@ -1267,9 +1335,9 @@

serialized-policy = serialized-directive *( optional-ascii-whitespace ";" [ optional-ascii-whitespace serialized-directive ] ) -

A serialized CSP list is an ASCII string consisting of a comma-delimited +

A serialized CSP list is an ASCII string consisting of a comma-delimited series of serialized CSPs, adhering to the following ABNF grammar [RFC5234]:

-
serialized-policy-list = 1#serialized-policy
+
serialized-policy-list = 1#serialized-policy
                     ; The '#' rule is the one defined in section 5.6.1 of RFC 9110
                     ; but it incorporates the modifications specified
                     ; in section 2.1 of this document.
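Review bot: the removed and added lines of the serialized-policy-list grammar read identically in the rendered text, so the change must be in the markup (the dfn or link target for "serialized CSP list"), which this view cannot show; since the subject says references to "parse a serialized CSP list" were wrong, the PR should state whether this hunk changes the term's anchor id, because every cross-reference to the term depends on it. The grammar itself is sound: `serialized-policy-list = 1#serialized-policy`, with the `#` list rule from RFC 9110 section 5.6.1, is what makes the comma split performed by the header-parsing steps well-defined.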
@@ -1322,7 +1390,7 @@ 

For each token returned by extracting header list values given Content-Security-Policy and response’s header list:

  1. -

    Let policy be the result of parsing token, with a source of "header", and a disposition of "enforce".

    +

    Let policy be the result of parsing token, with a source of "header", and a disposition of "enforce".

  2. If policy’s directive set is not empty, append policy to policies.

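Review bot: the rendered text of the changed step is unchanged, so the fix is in where "parsing" links; the correct target is the single-policy parse algorithm (parse a serialized CSP), not parse a serialized CSP list, because "extracting header list values" has already split the comma-delimited Content-Security-Policy value into one token per serialized-policy, so each token is exactly one serialized CSP with source "header" and disposition "enforce". Worth recording in the PR that the anchor now resolves to that algorithm, since a link that resolves to the wrong algorithm produces no build warning.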
@@ -1330,7 +1398,7 @@

For each token returned by extracting header list values given Content-Security-Policy-Report-Only and response’s header list:

  1. -

    Let policy be the result of parsing token, with a source of "header", and a disposition of "report".

    +

    Let policy be the result of parsing token, with a source of "header", and a disposition of "report".

  2. If policy’s directive set is not empty, append policy to policies.

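Review bot: this block duplicates the Content-Security-Policy loop above line for line except for the header name and the disposition "report", and the duplicated "parsing" reference is exactly where the two copies drifted; consider folding both into one loop parameterised by header name and disposition so a future anchor change cannot be applied to one copy and missed in the other.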
@@ -1425,7 +1493,7 @@

serialized source list is an ASCII string, consisting of a +

A serialized source list is an ASCII string, consisting of a whitespace-delimited series of source expressions, adhering to the following ABNF grammar [RFC5234]:

serialized-source-list = ( source-expression *( required-ascii-whitespace source-expression ) ) / "'none'"
 source-expression      = scheme-source / host-source / keyword-source
@@ -1447,7 +1515,7 @@ 

keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" / "'strict-dynamic'" / "'unsafe-hashes'" / - / "'report-sample'" / "'unsafe-allow-redirects'" + / "'report-sample'" / "'unsafe-allow-redirects'" / "'wasm-unsafe-eval'" ISSUE: Bikeshed unsafe-allow-redirects. @@ -1572,7 +1640,7 @@

A server MAY send different Content-Security-Policy header field values with different representations of the same resource.

When the user agent receives a Content-Security-Policy header field, it - MUST parse and enforce each serialized CSP it contains as described in § 4.1 Integration with Fetch, § 4.2 Integration with HTML.

+ MUST parse and enforce each serialized CSP it contains as described in § 4.1 Integration with Fetch, § 4.2 Integration with HTML.

3.2. The Content-Security-Policy-Report-Only HTTP Response Header Field

The Content-Security-Policy-Report-Only HTTP response header field allows web developers to experiment with policies by monitoring (but not enforcing) their effects. The header’s value is represented by the following ABNF [RFC5234]:

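Review bot: the added line still reads "§ 4.1 Integration with Fetch, § 4.2 Integration with HTML" without an "and", while the Report-Only counterpart in the next hunk says "§ 4.1 Integration with Fetch and § 4.2 Integration with HTML"; since the line is being touched anyway, align the wording. Beyond that the removed and added text is identical, so the change is in the link target; "each serialized CSP it contains" correctly treats the header value as a list, so the target should be the per-policy parse algorithm here as well.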
@@ -1594,7 +1662,7 @@

representations of the same resource.

When the user agent receives a Content-Security-Policy-Report-Only header - field, it MUST parse and monitor each serialized CSP it contains as described in § 4.1 Integration with Fetch and § 4.2 Integration with HTML.

+ field, it MUST parse and monitor each serialized CSP it contains as described in § 4.1 Integration with Fetch and § 4.2 Integration with HTML.

Note: The Content-Security-Policy-Report-Only header is not supported inside a meta element.

3.3. The <meta> element

A Document may deliver a policy via one or more HTML meta elements @@ -2158,7 +2226,7 @@

5.

csp violation reports are visible to ReportingObservers.

[Exposed=Window]
 interface CSPViolationReportBody : ReportBody {
-  [Default] object toJSON();
+  [Default] object toJSON();
   readonly attribute USVString documentURL;
   readonly attribute USVString? referrer;
   readonly attribute USVString? blockedURL;
@@ -2174,12 +2242,12 @@ 

5.

5.1. Violation DOM Events

enum SecurityPolicyViolationEventDisposition {
-  "enforce", "report"
+  "enforce", "report"
 };
 
 [Exposed=(Window,Worker)]
 interface SecurityPolicyViolationEvent : Event {
-    constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict = {});
+    constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict = {});
     readonly    attribute USVString      documentURI;
     readonly    attribute USVString      referrer;
     readonly    attribute USVString      blockedURI;
@@ -2195,18 +2263,18 @@ 

SecurityPolicyViolationEventInit : EventInit { - USVString documentURI = ""; - USVString referrer = ""; - USVString blockedURI = ""; - DOMString violatedDirective = ""; - DOMString effectiveDirective = ""; - DOMString originalPolicy = ""; - USVString sourceFile = ""; - DOMString sample = ""; - SecurityPolicyViolationEventDisposition disposition = "enforce"; - unsigned short statusCode = 0; - unsigned long lineNumber = 0; - unsigned long columnNumber = 0; + USVString documentURI = ""; + USVString referrer = ""; + USVString blockedURI = ""; + DOMString violatedDirective = ""; + DOMString effectiveDirective = ""; + DOMString originalPolicy = ""; + USVString sourceFile = ""; + DOMString sample = ""; + SecurityPolicyViolationEventDisposition disposition = "enforce"; + unsigned short statusCode = 0; + unsigned long lineNumber = 0; + unsigned long columnNumber = 0; };

5.2. Obtain the blockedURI of a violation’s resource

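Review bot: every removed member of SecurityPolicyViolationEventInit reappears unchanged (same types, names and defaults, including disposition = "enforce" and the zero-valued statusCode, lineNumber and columnNumber), so this 18-line hunk is indentation or markup churn only; fine to keep, but it inflates the diff stats and is worth flagging as non-normative in the PR so the IDL is not re-reviewed.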
@@ -2323,7 +2391,7 @@

If target is a Window, set target to target’s associated Document.

  • -

    If target implements EventTarget, fire an event named securitypolicyviolation that uses the SecurityPolicyViolationEvent interface at target with its attributes initialized as follows:

    +

    If target implements EventTarget, fire an event named securitypolicyviolation that uses the SecurityPolicyViolationEvent interface at target with its attributes initialized as follows:

    documentURI
    @@ -3411,7 +3479,7 @@

    directive-name  = "webrtc"
    -directive-value = "'allow'" / "'block'"
    +directive-value = "'allow'" / "'block'"
     
    Given a page with the following Content Security Policy: @@ -5048,7 +5116,7 @@

    - +

    Index

    Terms defined by this specification

  • @@ -5772,675 +5833,8 @@

    § 6.7.3.1 Is element nonceable? algorithm can be run which makes it impossible to actually detect duplicate attributes. [Issue #whatwg/html#3257]

    - - - + - + + \ No newline at end of file
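Review bot: the header "@@ -5772,675 +5833,8 @@" says 675 lines were removed and 8 added at the tail of the file, but the rendered diff shows only the preceding Issue #whatwg/html#3257 context and collapsed markup, so it cannot be confirmed from here that the deleted block is generated index or script material rather than normative text; please confirm in the PR, and note that the new file now ends without a trailing newline ("\ No newline at end of file"), which the next generator run or a linter will likely flip back.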