From 9dd7cf143bf948b85ff0855214538cc89fece1ed Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Fri, 11 Jul 2025 08:16:38 +0200 Subject: [PATCH 01/12] [Editorial] Reference the algorithm instead of the section for parse-metadata in SRI (#778) --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index c0b3bfe5fd..aca382d6f7 100644 --- a/index.bs +++ b/index.bs @@ -3938,8 +3938,8 @@ Content-Type: application/reports+json 3. If |integrity expressions| is empty, return "`Does Not Match`". - 4. Let |integrity sources| be the result of executing the algorithm defined - in [[SRI#parse-metadata-section]] on |integrity metadata|. [[!SRI]] + 4. Let |integrity sources| be the result of parsing metadata given + |integrity metadata|. [[!SRI]] 5. If |integrity sources| is "`no metadata`" or an empty set, return "`Does Not Match`". From 13c7d8eba9caa5cd2e755ad4e4d69182bffd6f4b Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 29 Oct 2025 13:23:37 +0100 Subject: [PATCH 02/12] Apply `strict-dynamic` to inline scripts. (#787) As noted in #426, the current "Does element match source list for type and source?" algorithm does not properly handle `strict-dynamic` checks for non-parser-inserted inline scripts. This patch adds a relevant step to the algorithm to match both browser behavior and our existing tests: https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html?label=experimental&label=master&aligned Fixes #426. --- index.bs | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index aca382d6f7..fdbb89ad71 100644 --- a/index.bs +++ b/index.bs 
@@ -4412,6 +4412,10 @@ Content-Type: application/reports+json 2. For each |expression| of |list|: + 1. If |expression| is the "`'strict-dynamic'`" keyword-source: + + 1. If |type| is "`script`", and |element| is not [=parser-inserted=], return "`Matches`". + 1. If |expression| matches the `hash-source` grammar: 1. Let |algorithm| be null. @@ -4448,8 +4452,6 @@ Content-Type: application/reports+json they will also apply to event handlers, style attributes and `javascript:` navigations. - ISSUE(w3c/webappsec-csp#426): This should handle `'strict-dynamic'` for dynamically inserted inline scripts. - 6. Return "`Does Not Match`".

Directive Algorithms
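Review bot: the new `'strict-dynamic'` step in the @@ -4412 hunk reads |element|'s [=parser-inserted=] state without saying what happens when |element| is null; the note kept in the @@ -4448 hunk says this algorithm also applies to event handlers, style attributes and `javascript:` navigations, so either add "and |element| is not null" to the condition or state that |type| being "`script`" guarantees an element is present. Placing the keyword check before the `hash-source` branch is fine, but the note in the second hunk now describes only hashes and could add that `'strict-dynamic'` matches only non-parser-inserted script elements, since a reader otherwise has to infer that scope from the new step.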

From a131bcbbf6b99a819214a4f40f33d04dc89eb091 Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Thu, 6 Nov 2025 14:56:48 +0100 Subject: [PATCH 03/12] [Editorial] Fix broken references to Trusted Types spec (#790) --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index fdbb89ad71..748280acce 100644 --- a/index.bs +++ b/index.bs @@ -1516,7 +1516,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity whose [=TrustedScript/data=] is set to |codeString| if |isTrusted| is `true`, and |codeString| otherwise. - 1. Let |sourceString| be the result of executing the [$Get Trusted Type compliant string$] algorithm, with + 1. Let |sourceString| be the result of executing the [=get trusted type compliant string=] algorithm, with {{TrustedScript}}, |realm|, |sourceToValidate|, |compilationSink|, and `'script'`. 1. If the algorithm throws an error, throw an {{EvalError}}. @@ -1539,7 +1539,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. If |source-list| is not null: - 1. Let |trustedTypesRequired| be the result of executing [$Does sink type require trusted types?$], with + 1. Let |trustedTypesRequired| be the result of executing [=does sink type require trusted types?=], with |realm|, `'script'`, and `false`. 1. If |trustedTypesRequired| is `true` and |source-list| contains a [=source expression=] which is an From 5bc6639a3056fe3e6a9c02156bbb0ae6aa1560af Mon Sep 17 00:00:00 2001 From: Julian Descottes Date: Fri, 6 Feb 2026 12:06:23 +0100 Subject: [PATCH 04/12] Add missing closing tag for section (#800) --- index.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/index.bs b/index.bs index 748280acce..bbb689f464 100644 --- a/index.bs +++ b/index.bs @@ -5196,6 +5196,7 @@ Content-Type: application/reports+json Content-Security-Policy: default-src 'none'; img-src * + From 1b8a543dd9cfab15088f52d7bc73a9b891efc34f Mon Sep 17 00:00:00 2001 
From: Jan-Ivar Bruaroey Date: Wed, 11 Feb 2026 08:15:32 -0500 Subject: [PATCH 05/12] Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) --- index.bs | 46 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index bbb689f464..3a902dcff1 100644 --- a/index.bs +++ b/index.bs @@ -696,7 +696,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity / "'report-sample'" / "'unsafe-allow-redirects'" / "'wasm-unsafe-eval'" / "'trusted-types-eval'" / "'report-sha256'" / "'report-sha384'" - / "'report-sha512'" + / "'report-sha512'" / "'unsafe-webtransport-hashes'" ISSUE: Bikeshed `unsafe-allow-redirects`. @@ -2215,14 +2215,26 @@ Content-Type: application/reports+json 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, + 1. If the result of executing [[#should-directive-execute]] on |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and - |policy|, is "`Does Not Match`", return "`Blocked`". + 1. Let |source list| be directive's value. - 4. Return "`Allowed`". + 1. If |request|'s [=request/mode=] is "`webtransport`" and |request|'s + WebTransport-hash list [=list/is not empty=]: + + 1. If |source list| [=list/contains=] a source expression + which is an ASCII case-insensitive match for the + `keyword-source` + "`'unsafe-webtransport-hashes'`", return "`Allowed`". + + 1. Return "`Blocked`". + + 1. If the result of executing [[#match-request-to-source-list]] on + |request|, |source list|, and |policy|, is "`Matches`", return + "`Allowed`". + + 1. Return "`Blocked`".
`connect-src` Post-request check @@ -2236,14 +2248,26 @@ Content-Type: application/reports+json 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If the result of executing [[#should-directive-execute]] on |name|, + 1. If the result of executing [[#should-directive-execute]] on |name|, `connect-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + 1. Let |source list| be directive's value. - 4. Return "`Allowed`". + 1. If |request|'s [=request/mode=] is "`webtransport`" and |request|'s + WebTransport-hash list [=list/is not empty=]: + + 1. If |source list| [=list/contains=] a source expression + which is an ASCII case-insensitive match for the + `keyword-source` + "`'unsafe-webtransport-hashes'`", return "`Allowed`". + + 1. Return "`Blocked`". + + 1. If the result of executing [[#match-response-to-source-list]] on + |response|, |request|, |source list|, and |policy|, is "`Matches`", + return "`Allowed`". + + 1. Return "`Blocked`".

`default-src`
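Review bot: in the @@ -2215 hunk, "|request|'s WebTransport-hash list" is used without a cross-reference while the neighbouring terms ([=request/mode=], [=list/is not empty=]) are linked; point it at the definition that introduces it so Bikeshed can resolve it. In the same hunk, "Let |source list| be directive's value." should read "this directive's value" to match the wording of the other pre-request checks. A Note after the new branch would also help: for a WebTransport request with a non-empty hash list the directive returns "`Blocked`" without consulting |source list| unless `'unsafe-webtransport-hashes'` is present, so an origin explicitly listed in `connect-src` is still blocked; the `unsafe-` prefix signals that the keyword relaxes something, and the text should say what, so implementers and authors do not read the early "`Blocked`" as an oversight.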
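Review bot: the @@ -2236 hunk repeats the entire mode/hash-list/keyword branch from the pre-request check verbatim; consider factoring that test into a small shared algorithm so the two checks cannot drift apart, since the pre- and post-request checks now differ only in which matching algorithm they call at the end. The "directive's value" vs "this directive's value" wording comment applies to this hunk as well.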

From 8df1f5d3f8bca3fa29f573e07819a732c37ed6c9 Mon Sep 17 00:00:00 2001 From: Timo Tijhof Date: Fri, 6 Mar 2026 07:03:08 +0000 Subject: [PATCH 06/12] [Editorial] Avoid nested parenthetical (#804) --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 3a902dcff1..f019676895 100644 --- a/index.bs +++ b/index.bs @@ -659,8 +659,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 4. Hosts such as `example.com` (which matches any resource on the host, regardless of scheme) or `*.example.com` (which - matches any resource on the host's subdomains (and any of - its subdomains' subdomains, and so on)) + matches any resource on the host's subdomains, and any of + its subdomains' subdomains, and so on) 5. Nonces such as `'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA'` (which can match specific elements on a page) From a20d8fb31e8ebab24bb1a9ab7fae80736138cefb Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Mon, 9 Mar 2026 16:47:27 +0100 Subject: [PATCH 07/12] Fix algorithms called with missing parameters (#806) --- index.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index f019676895..66a86d17b4 100644 --- a/index.bs +++ b/index.bs @@ -1207,8 +1207,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. For each |directive| of |policy|: 1. Execute |directive|'s initialization - algorithm on |document|, and assert: its returned value is - "`Allowed`". + algorithm on |document| and |policy|, and assert: its returned + value is "`Allowed`".

Retrieve the CSP list of an |object| @@ -1324,7 +1324,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. If |directive|'s inline check returns "`Allowed`" when executed upon null, - "`navigation`" and |navigation request|'s current URL, + "`navigation`", |policy|, and |navigation request|'s current URL, skip to the next |directive|. 3. Otherwise, let |violation| be the result of executing @@ -1428,7 +1428,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. For each |directive| of |policy|: 1. Execute |directive|'s initialization algorithm on - |global|. If its returned value is "`Blocked`", then set |result| to + |global| and |policy|. If its returned value is "`Blocked`", then set |result| to "`Blocked`". 3. Return |result|. @@ -1452,7 +1452,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. For each |policy| of |global|'s [=global object/CSP list=]: 1. For each |directive| of |policy|: 1. If |directive|'s webrtc pre-connect check - returns "`Allowed`", [=iteration/continue=]. + returns "`Allowed`" when executed upon |policy|, [=iteration/continue=]. 2. Otherwise, let |violation| be the result of executing [[#create-violation-for-global]] on |global|, |policy|, and From 3a5e59598ad2853a5f4f2337066481b2cdf24c17 Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Wed, 11 Mar 2026 13:46:06 +0100 Subject: [PATCH 08/12] Attach self-origin to CSP list (#805) --- index.bs | 427 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 233 insertions(+), 194 deletions(-) diff --git a/index.bs b/index.bs index 66a86d17b4..9ddb3603da 100644 --- a/index.bs +++ b/index.bs 
@@ -445,19 +445,20 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity Each policy has an associated source, which is either "`header`" or "`meta`". - Each policy has an associated self-origin, which - is an origin that is used when matching the `'self'` keyword. + Multiple [=/policies=] can be applied to a single resource. A CSP + list is a [=struct=] consisting of policies (a [=list=] of [=/policies=]) and a self-origin (an origin which is used when matching the `'self'` keyword). Note: This is needed to facilitate the `'self'` checks of local scheme documents/workers that have inherited their policy but have an opaque origin. Most of the time this will simply be the environment settings object's [=environment settings object/origin=]. - Multiple [=/policies=] can be applied to a single resource, and are collected into a [=list=] of - [=/policies=] known as a CSP list. - - A [=/CSP list=] contains a header-delivered Content Security Policy if it - [=list/contains=] a [=/policy=] whose [=policy/source=] is "`header`". + A [=/CSP list=] contains a header-delivered Content Security + Policy if its [=CSP list/policies=] [=list/contain=] a [=/policy=] whose + [=policy/source=] is "`header`". A serialized CSP is an ASCII string consisting of a semicolon-delimited series of serialized directives, adhering to the following ABNF grammar [[!RFC5234]]: @@ -536,8 +537,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity To parse a response's Content Security Policies given a response |response|, execute the following steps. - This algorithm returns a [=list=] of [=Content Security Policy objects=]. If the policies cannot - be parsed, the returned list will be empty. + This algorithm returns a [=/CSP list=]. If the policies cannot be parsed, the + returned list will have empty [=CSP list/policies=].
    1. Let |policies| be an empty [=list=]. @@ -560,12 +561,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|. - 4. For each |policy| of |policies|: - - 1. Set |policy|'s [=policy/self-origin=] to |response|'s [=response/url=]'s - [=url/origin=]. - - 5. Return |policies|. + 4. Return a [=/CSP list=] whose [=CSP list/policies=] is |policies| and + [=CSP list/self-origin=] is |response|'s [=response/url=]'s [=url/origin=].
Note: When parsing a response's @@ -601,15 +598,16 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity Directives have a number of associated algorithms: - 1. A pre-request check, which takes a - request and a policy as an argument, and is executed - during [[#should-block-request]]. This algorithm returns "`Allowed`" unless - otherwise specified. + 1. A pre-request check, which takes a request, a policy, and an origin as an + argument, and is executed during [[#should-block-request]]. This algorithm + returns "`Allowed`" unless otherwise specified. - 2. A post-request check, which takes a - request, a response, and a policy as arguments, - and is executed during [[#should-block-response]]. This algorithm returns - "`Allowed`" unless otherwise specified. + 2. A post-request check, which takes a request, a response, a policy and an + origin as arguments, and is executed during + [[#should-block-response]]. This algorithm returns "`Allowed`" unless + otherwise specified. 3. An inline check, which takes an {{Element}}, a type string, a policy, and a source string as arguments, 
@@ -623,17 +621,19 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity [[#run-global-object-csp-initialization]]. Unless otherwise specified, it has no effect and it returns "`Allowed`". - 5. A pre-navigation check, which takes a - request, a navigation type string ("`form-submission`" - or "`other`"), and a policy as arguments, and + 5. A pre-navigation check, which takes a request, a navigation type string ("`form-submission`" or + "`other`"), a policy and an origin as arguments, and is executed during [[#should-block-navigation-request]]. It returns "`Allowed`" unless otherwise specified. - 6. A navigation response check, which takes a - request, a navigation type string ("`form-submission`" or "`other`"), - a response, a navigable, a check type string ("`source`" - or "`response`"), and a policy as arguments, and is executed during - [[#should-block-navigation-response]]. It returns "`Allowed`" unless otherwise specified. + 6. A navigation response check, which takes + a request, a navigation type string ("`form-submission`" or + "`other`"), a response, a navigable, a check type string + ("`source`" or "`response`"), a policy, and an + origin as arguments, and is executed during + [[#should-block-navigation-response]]. It returns "`Allowed`" unless + otherwise specified. 8. A webrtc pre-connect check, which takes a [=/policy=], and is executed during [[#should-block-rtc-connection]]. It returns "`Allowed`" unless 
@@ -1029,13 +1029,14 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=]. - 2. For each |policy| of |CSP list|: + 2. For each |policy| of |CSP list|'s [=CSP list/policies=]: 1. If |policy|'s disposition is "`enforce`", then skip to the next |policy|. 2. Let |violates| be the result of executing - [[#does-request-violate-policy]] on |request| and |policy|. + [[#does-request-violate-policy]] on |request|, |policy|, and |CSP + list|'s [=CSP list/self-origin=]. 3. If |violates| is not "`Does Not Violate`", then execute [[#report-violation]] on the result of executing @@ -1053,13 +1054,14 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. Let |result| be "`Allowed`". - 3. For each |policy| of |CSP list|: + 3. For each |policy| of |CSP list|'s [=CSP list/policies=]: 1. If |policy|'s disposition is "`report`", then skip to the next |policy|. 2. Let |violates| be the result of executing - [[#does-request-violate-policy]] on |request| and |policy|. + [[#does-request-violate-policy]] on |request|, |policy|, and |CSP + list|'s [=CSP list/self-origin=]. 3. If |violates| is not "`Does Not Violate`", then: @@ -1082,12 +1084,14 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. Let |result| be "`Allowed`". - 3. For each |policy| of |CSP list|: + 3. For each |policy| of |CSP list|'s [=CSP list/policies=]: 1. For each |directive| of |policy|: - 1. If the result of executing |directive|'s - post-request check is "`Blocked`", then: + 1. If the result of executing |directive|'s post-request check on |request|, |response|, + |policy|, and |CSP list|'s [=CSP list/self-origin=] is + "`Blocked`", then: 1. Execute [[#report-violation]] on the result of executing [[#create-violation-for-request]] on |request|, and |policy|. 
@@ -1243,7 +1247,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. Let |result| be "`Allowed`". 3. For each |policy| of |element|'s {{Document}}'s global object's - CSP list: + CSP list's [=CSP list/policies=]: 1. For each |directive| of |policy|'s directive set: @@ -1288,14 +1292,18 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
    1. Let |result| be "`Allowed`". - 2. For each |policy| of |navigation request|'s policy container's - CSP list: + 1. Let |CSP list| be |navigation request|'s policy + container's CSP list's [=CSP + list/policies=]. + + 2. For each |policy| of |CSP list|'s [=CSP list/policies=]: 1. For each |directive| of |policy|: 1. If |directive|'s pre-navigation check returns "`Allowed`" when executed upon |navigation request|, - |type|, and |policy| skip to the next |directive|. + |type|, |policy|, and |CSP list|'s [=CSP list/self-origin=] skip + to the next |directive|. 2. Otherwise, let |violation| be the result of executing [[#create-violation-for-global]] on |navigation request|'s @@ -1315,7 +1323,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. For each |policy| of |navigation request|'s policy container's - CSP list: + CSP list's [=CSP list/policies=]: 1. For each |directive| of |policy|: @@ -1356,7 +1364,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
      1. Let |result| be "`Allowed`". - 2. For each |policy| of |response CSP list|: + 2. For each |policy| of |response CSP list|'s [=CSP list/policies=]: Note: Some directives (like frame-ancestors) allow a |response|'s Content Security Policy to act on the navigation. @@ -1365,7 +1373,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. If |directive|'s navigation response check returns "`Allowed`" when executed upon |navigation request|, |type|, - |navigation response|, |target|, "`response`", and |policy| + |navigation response|, |target|, "`response`", |policy|, and + |response CSP list|'s [=CSP list/self-origin=], skip to the next |directive|. 2. Otherwise, let |violation| be the result of executing @@ -1384,7 +1393,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity set |result| to "`Blocked`". 3. For each |policy| of |navigation request|'s policy container's - CSP list: + CSP list's [=CSP list/policies=]: Note: Some directives in the |navigation request|'s context (like frame-ancestors) need the |response| before acting on the navigation. @@ -1393,7 +1402,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 1. If |directive|'s navigation response check returns "`Allowed`" when executed upon |navigation request|, |type|, - |navigation response|, |target|, "`source`", and |policy| + |navigation response|, |target|, "`source`", |policy|, and + |response CSP list|'s [=CSP list/self-origin=], skip to the next |directive|. 2. Otherwise, let |violation| be the result of executing @@ -1423,7 +1433,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
        1. Let |result| be "`Allowed`". - 2. For each |policy| of |global|'s [=global object/CSP list=]: + 2. For each |policy| of |global|'s [=global object/CSP + list=]'s [=CSP list/policies=]: 1. For each |directive| of |policy|: @@ -1449,7 +1460,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
          1. Let |result| be "`Allowed`". - 2. For each |policy| of |global|'s [=global object/CSP list=]: + 2. For each |policy| of |global|'s [=global object/CSP + list=]'s [=CSP list/policies=]: 1. For each |directive| of |policy|: 1. If |directive|'s webrtc pre-connect check returns "`Allowed`" when executed upon |policy|, [=iteration/continue=]. @@ -1527,7 +1539,8 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity 2. Let |global| be |realm|'s [=realm/global object=]. - 3. For each |policy| of |global|'s [=global object/CSP list=]: + 3. For each |policy| of |global|'s [=global object/CSP + list=]'s [=CSP list/policies=]: 1. Let |source-list| be null. @@ -1585,7 +1598,8 @@ this algorithm returns normally if compilation is allowed, and throws a 2. Let |result| be "`Allowed`". -3. For each |policy| of |global|'s [=global object/CSP list=]: +3. For each |policy| of |global|'s [=global object/CSP list=]'s + [=CSP list/policies=]: 1. Let |source-list| be null. @@ -2115,7 +2129,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2124,9 +2139,9 @@ Content-Type: application/reports+json `child-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the pre-request - check for the directive whose name - is |name| on |request| and |policy|, using this directive's - value for the comparison. + check for the directive whose name is + |name| on |request|, |policy|, and |self-origin| using this directive's value for the comparison.
          `child-src` Post-request check @@ -2134,8 +2149,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2144,9 +2159,9 @@ Content-Type: application/reports+json `child-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing the post-request - check for the directive whose name - is |name| on |request|, |response|, and |policy|, using this directive's - value for the comparison. + check for the directive whose name is + |name| on |request|, |response|, |policy|, and |self-origin|, using this + directive's value for the comparison.

          `connect-src`

          @@ -2210,7 +2225,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2230,8 +2246,8 @@ Content-Type: application/reports+json 1. Return "`Blocked`". - 1. If the result of executing [[#match-request-to-source-list]] on - |request|, |source list|, and |policy|, is "`Matches`", return + 1. If the result of executing [[#match-request-to-source-list]] on |request|, + |source list|, and |self-origin|, is "`Matches`", return "`Allowed`". 1. Return "`Blocked`". @@ -2242,8 +2258,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2264,8 +2280,8 @@ Content-Type: application/reports+json 1. Return "`Blocked`". 1. If the result of executing [[#match-response-to-source-list]] on - |response|, |request|, |source list|, and |policy|, is "`Matches`", - return "`Allowed`". + |response|, |request|, |source list|, and |self-origin|, is + "`Matches`", return "`Allowed`". 1. Return "`Blocked`". @@ -2360,7 +2376,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2368,10 +2385,10 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `default-src` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing the - pre-request check for the directive whose - name is |name| on |request| and |policy|, using - this directive's value for the comparison. + 3. Return the result of executing the pre-request + check for the directive whose name is + |name| on |request|, |policy|, and |self-origin|, using this directive's + value for the comparison.
          `default-src` Post-request check @@ -2379,8 +2396,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2388,11 +2405,10 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `default-src` and |policy| is "`No`", return "`Allowed`". - 3. Return the result of executing the - post-request check for the directive whose - name is |name| on |request|, |response|, and - |policy|, using this directive's value for the - comparison. + 3. Return the result of executing the post-request + check for the directive whose name is + |name| on |request|, |response|, |policy|, and |self-origin|, using this + directive's value for the comparison.
          `default-src` Inline Check @@ -2454,7 +2470,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2462,9 +2479,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `font-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and - |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2474,8 +2491,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2485,7 +2502,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2522,7 +2539,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2530,9 +2548,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `frame-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and - |policy|, is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2542,8 +2560,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2553,7 +2571,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2593,7 +2611,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2601,9 +2620,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `img-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2613,8 +2632,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2624,7 +2643,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2660,7 +2679,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2668,9 +2688,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `manifest-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2680,8 +2700,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2691,7 +2711,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2730,7 +2750,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2738,9 +2759,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `media-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2750,8 +2771,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2761,7 +2782,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2821,7 +2842,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -2829,9 +2851,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `object-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2841,8 +2863,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2852,7 +2874,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -2927,7 +2949,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2936,7 +2959,7 @@ Content-Type: application/reports+json `script-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing [[#script-pre-request]] on |request|, - this directive, and |policy|. + this directive, |policy|, and |self-origin|.
          `script-src` Post-request check @@ -2944,8 +2967,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -2954,7 +2977,7 @@ Content-Type: application/reports+json `script-src` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing [[#script-post-request]] on |request|, - |response|, this directive, and |policy|. + |response|, this directive, |policy|, and |self-origin|.
          `script-src` Inline Check @@ -3006,7 +3029,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3015,7 +3039,7 @@ Content-Type: application/reports+json `script-src-elem` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing [[#script-pre-request]] on |request|, - this directive, and |policy|. + this directive, |policy|, and |self-origin|.
          `script-src-elem` Post-request check @@ -3023,8 +3047,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy| and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3033,7 +3057,7 @@ Content-Type: application/reports+json `script-src-elem` and |policy| is "`No`", return "`Allowed`". 3. Return the result of executing [[#script-post-request]] on |request|, - |response|, this directive, and |policy|. + |response|, this directive, |policy|, and |self-origin|.
          `script-src-elem` Inline Check @@ -3145,7 +3169,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3158,9 +3183,9 @@ Content-Type: application/reports+json directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 4. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". @@ -3170,8 +3195,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy|, and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3186,7 +3211,7 @@ Content-Type: application/reports+json 4. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". @@ -3235,7 +3260,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -3248,9 +3274,9 @@ Content-Type: application/reports+json directive's value is "`Matches`", return "`Allowed`". - 4. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 4. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". @@ -3260,8 +3286,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy|, and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3276,7 +3302,7 @@ Content-Type: application/reports+json 4. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 5. Return "`Allowed`". @@ -3432,7 +3458,8 @@ Content-Type: application/reports+json This directive's pre-request check is as follows: - Given a request |request| and a policy |policy|: + Given a request |request|, a policy |policy|, + and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. 
@@ -3440,9 +3467,9 @@ Content-Type: application/reports+json 2. If the result of executing [[#should-directive-execute]] on |name|, `worker-src` and |policy| is "`No`", return "`Allowed`". - 3. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + 3. If the result of executing [[#match-request-to-source-list]] on |request|, + this directive's value, and |self-origin|, is + "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -3452,8 +3479,8 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, and a - policy |policy|: + Given a request |request|, a response |response|, a + policy |policy|, and an origin |self-origin|: 1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. @@ -3463,7 +3490,7 @@ Content-Type: application/reports+json 3. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, this directive's value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 4. Return "`Allowed`". @@ -3496,8 +3523,10 @@ Content-Type: application/reports+json returns "`Allowed`" if |base| may be used as the value of a <{base}> element's <{base/href}> attribute, and "`Blocked`" otherwise: - 1. For each |policy| of |document|'s global object's - csp list: + 1. Let |CSP list| be |document|'s global object's csp list + + 1. For each |policy| of |CSP list|'s [=CSP list/policies=]: 1. Let |source list| be null. 
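Review bot: in the `base-uri` hunk (@@ -3496,8 +3523,10 @@) the new step `Let |CSP list| be |document|'s global object's csp list` is missing its terminating period. More importantly, the `[=CSP list/policies=]` autolink introduced here (and the `[=CSP list/self-origin=]` used in the next hunk) only resolves if the CSP list is defined somewhere in this patch as a struct with `policies` and `self-origin` items; please confirm that definition is part of the change, otherwise Bikeshed will report unresolved links and the old per-policy `[=policy/self-origin=]` has no replacement.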
@@ -3508,8 +3537,9 @@ Content-Type: application/reports+json 3. If |source list| is null, skip to the next |policy|. - 4. If the result of executing [[#match-url-to-source-list]] on |base|, |source list|, - |policy|'s [=policy/self-origin=], and `0` is "`Does Not Match`": + 4. If the result of executing [[#match-url-to-source-list]] on |base|, + |source list|, |CSP list|'s [=CSP list/self-origin=], and `0` is + "`Does Not Match`": 1. Let |violation| be the result of executing [[#create-violation-for-global]] on |document|'s global @@ -3598,10 +3628,12 @@ Content-Type: application/reports+json `form-action` Pre-Navigation Check
          - Given a request |request|, a string |navigation type| ("`form-submission`" or - "`other`"), and a policy |policy| this algorithm returns "`Blocked`" if a form + Given a request |request|, a string |navigation type| + ("`form-submission`" or "`other`"), a policy |policy|, and an + origin |self-origin|, this algorithm returns "`Blocked`" if a form submission violates the `form-action` directive's constraints, and "`Allowed`" - otherwise. This constitutes the `form-action` directive's pre-navigation check: + otherwise. This constitutes the `form-action` directive's pre-navigation + check:
            1. Assert: |policy| is unused in this algorithm. @@ -3609,8 +3641,8 @@ Content-Type: application/reports+json 2. If |navigation type| is "`form-submission`": 1. If the result of executing [[#match-request-to-source-list]] on - |request|, this directive's value, and a - |policy|, is "`Does Not Match`", return "`Blocked`". + |request|, this directive's value, + and |self-origin|, is "`Does Not Match`", return "`Blocked`". 3. Return "`Allowed`".
          @@ -3645,12 +3677,12 @@ Content-Type: application/reports+json

Given a request |request|, a string |navigation type| - ("`form-submission`" or "`other`"), a - response |navigation response|, a navigable |target|, - a string |check type| ("`source`" or "`response`"), and a - policy |policy| this algorithm returns "`Blocked`" if one or - more of the ancestors of |target| violate the `frame-ancestors` directive - delivered with the response, and "`Allowed`" otherwise. This constitutes the + ("`form-submission`" or "`other`"), a response |navigation response|, a + navigable |target|, a string |check type| ("`source`" or "`response`"), + a policy policy, and an [=origin=] + |self-origin|, this algorithm returns "`Blocked`" if one or more of the + ancestors of |target| violate the `frame-ancestors` directive delivered with + the response, and "`Allowed`" otherwise. This constitutes the `frame-ancestors` directive's navigation response check:
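Review bot: `a policy policy` in this hunk (@@ -3645,12 +3677,12 @@) has lost its `|...|` variable delimiters, so Bikeshed will render it as two plain words instead of the `|policy|` variable the algorithm's steps refer to; it should read `a policy |policy|`. The same line writes `an [=origin=] |self-origin|` with an autolink where every other signature in this patch uses plain `an origin |self-origin|`; either is fine, but keep it consistent across the directives.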
    @@ -3680,7 +3712,7 @@ Content-Type: application/reports+json 3. If [[#match-url-to-source-list]] returns `Does Not Match` when executed upon |origin|, this directive's value, - |policy|'s [=policy/self-origin=], and `0`, return "`Blocked`". + |self-origin|, and `0`, return "`Blocked`". 4. Set |current| to |document|'s node navigable. @@ -3780,8 +3812,9 @@ Content-Type: application/reports+json Script directives pre-request check - Given a request |request|, a directive |directive|, - and a policy |policy|: + Given a request |request|, a directive |directive|, a policy policy, and an origin + |self-origin|: 1. If |request|'s destination is script-like: @@ -3808,8 +3841,8 @@ Content-Type: application/reports+json in [[#strict-dynamic-usage]]. 4. If the result of executing [[#match-request-to-source-list]] on - |request|, |directive|'s value, and |policy|, - is "`Does Not Match`", return "`Blocked`". + |request|, |directive|'s value, and + |self-origin|, is "`Does Not Match`", return "`Blocked`". 2. Return "`Allowed`". @@ -3819,8 +3852,9 @@ Content-Type: application/reports+json This directive's post-request check is as follows: - Given a request |request|, a response |response|, - a directive |directive|, and a policy |policy|: + Given a request |request|, a response |response|, a + directive |directive|, a policy |policy|, and an + origin |self-origin|: Note: This check needs both |request| and |response| as input parameters since if |request|'s cryptographic nonce metadata @@ -3855,7 +3889,8 @@ Content-Type: application/reports+json 1. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, |directive|'s value, - and |policy|, is "`Does Not Match`", return "`Blocked`". + and |self-origin|, is "`Does Not Match`", return + "`Blocked`". 2. Return "`Allowed`". 
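Review bot: the `Script directives pre-request check` hunk (@@ -3780,8 +3812,9 @@) has the same markup slip, `a policy policy, and an origin |self-origin|`; `policy` needs its `|...|` delimiters to be the variable that the `script-src` and `script-src-elem` pre-request checks pass in via `this directive, |policy|, and |self-origin|`. The post-request counterpart (@@ -3819,8 +3852,9 @@) gets it right with `a policy |policy|`, so mirror that line.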
@@ -3865,19 +3900,22 @@ Content-Type: application/reports+json Does |request| violate |policy|? - Given a request |request| and a policy |policy|, this - algorithm returns the violated directive if the request violates the - policy, and "`Does Not Violate`" otherwise. + Given a request |request|, a policy |policy|, + and an origin |self-origin|, this algorithm returns the violated + directive if the request violates the policy, and "`Does Not Violate`" + otherwise. - 1. If |request|'s [=request/initiator=] is "`prefetch`", then return the result of executing - [[#does-resource-hint-violate-policy]] on |request| and |policy|. + 1. If |request|'s [=request/initiator=] is "`prefetch`", then return the + result of executing [[#does-resource-hint-violate-policy]] on |request|, + |policy|, and |self-origin|. 2. Let |violates| be "`Does Not Violate`". 3. For each |directive| of |policy|: - 1. Let |result| be the result of executing |directive|'s - pre-request check on |request| and |policy|. + 1. Let |result| be the result of executing |directive|'s pre-request check on |request|, |policy|, and + |self-origin|. 2. If |result| is "`Blocked`", then let |violates| be |directive|. @@ -3887,9 +3925,10 @@ Content-Type: application/reports+json Does resource hint |request| violate |policy|? - Given a request |request| and a policy |policy|, this - algorithm returns the default directive if the resource-hint request violates all the - policies, and "`Does Not Violate`" otherwise. + Given a request |request|,a policy |policy|, and + an origin |self-origin|, this algorithm returns the default + directive if the resource-hint request violates all the policies, and + "`Does Not Violate`" otherwise. 1. Let |defaultDirective| be |policy|'s first [=directive=] whose [=directive/name=] is "`default-src`". 
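Review bot: `Given a request |request|,a policy |policy|` in the resource-hint hunk (@@ -3887,9 +3925,10 @@) is missing the space after the comma. While touching this sentence, `returns the default directive if the resource-hint request violates all the policies` now reads oddly given that the algorithm takes a single |policy| plus a |self-origin|; something like `violates the policy` would match the steps that follow.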
@@ -3917,9 +3956,9 @@ Content-Type: application/reports+json 1. Assert: |directive|'s value is a source list. - 1. Let |result| be the result of executing [[#match-request-to-source-list]] on - |request|, |directive|'s value, and - |policy|. + 1. Let |result| be the result of executing + [[#match-request-to-source-list]] on |request|, |directive|'s value, and |self-origin|. 1. If |result| is "`Allowed`", then return "`Does Not Violate`". @@ -3989,9 +4028,9 @@ Content-Type: application/reports+json Given a request |request|, a source list |source list|, - and a policy |policy|, this algorithm returns the result of executing - [[#match-url-to-source-list]] on |request|'s current url, - |source list|, |policy|'s [=policy/self-origin=], and |request|'s + and an origin |self-origin|, this algorithm returns the result of + executing [[#match-url-to-source-list]] on |request|'s current url, |source list|, |self-origin|, and |request|'s redirect count. Note: This is generally used in directives' pre-request check @@ -4002,10 +4041,10 @@ Content-Type: application/reports+json Given a response |response|, a request |request|, a - source list |source list|, and a policy |policy|, this + source list |source list|, and an origin |self-origin|, this algorithm returns the result of executing [[#match-url-to-source-list]] on - |response|'s url, |source list|, |policy|'s - [=policy/self-origin=], and |request|'s redirect count. + |response|'s url, |source list|, |self-origin|, and + |request|'s redirect count. Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable. From 7845c09ef1e0f3ef149f262f0509e8db0e040f77 Mon Sep 17 00:00:00 2001 From: Eemeli Aro Date: Wed, 1 Apr 2026 16:51:59 +0300 Subject: [PATCH 09/12] Add "text" destination type, for JavaScript text imports See https://github.com/whatwg/html/pull/11933 for context. --- index.bs | 1 + 1 file changed, 1 insertion(+) 
diff --git a/index.bs b/index.bs index 9ddb3603da..8877e9eea5 100644 --- a/index.bs +++ b/index.bs @@ -4582,6 +4582,7 @@ Content-Type: application/reports+json 1. Return `worker-src`. : "`json`" + : "`text`" : "`webidentity`" :: 1. Return `connect-src`. From 6b1e81b8dcefe048b330c213d4577f08749b4c76 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 10 Jul 2025 14:30:17 +0900 Subject: [PATCH 10/12] Integrate with speculation rules This upstreams the monkeypatches from https://wicg.github.io/nav-speculation/speculation-rules.html#content-security-policy. At a high level, the additions are: - A new directive, `inline-speculation-rules`, which can be used if developers want to block inline JavaScript `
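Review bot: grouping `text` with `json` under `connect-src` (@@ -4582,6 +4582,7 @@) mirrors how JSON module imports are already governed, which is the right call for a fetch whose result is data rather than executable script; the hunk itself, however, leaves no pointer to why a `text` destination exists, so consider a short note or a reference to the HTML change named in the commit message, as the spec otherwise gives a reader nothing to explain where this destination comes from.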