diff --git a/index.html b/index.html index bd7c042fa4..e23a2b0e33 100644 --- a/index.html +++ b/index.html @@ -1870,9 +1870,19 @@

  • -

    The frame-src directive, which was deprecated in CSP Level - 2, has been undeprecated, and a worker-src directive has been added. - Both continue to defer to child-src if not present (which defers to default-src in turn), but child-src is now deprecated.

    +

    The child-src model has been substantially altered:

    +
      +
    1. +

      The frame-src directive, which was deprecated in CSP Level + 2, has been undeprecated, but continues to defer to child-src if + not present (which defers to default-src in turn).

      +
    2. +

      A worker-src directive has been added, deferring to script-src if not present (which likewise defers to default-src in turn).

      +
    3. +

      child-src is now deprecated.

      +
    4. +

      Dedicated workers now always inherit their creator’s policy.

      +

    This still might not be the right model. <https://github.com/w3c/webappsec-csp/issues/146>
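    Review bot: item 3 of the new list ("child-src is now deprecated") does not say that child-src stops applying to workers, which is what item 2 implies by moving the worker-src fallback to script-src. Suggest wording it as a behaviour change, for example "child-src is now deprecated, and no longer governs worker requests", so authors who rely on child-src for workers know to add worker-src or script-src.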

  • The URL matching algorithm now treats insecure schemes and ports as @@ -2492,7 +2502,7 @@

    CSP list:

    1. -

      If response’s url’s scheme is a local scheme:

      +

      If response’s url’s scheme is a local scheme, or if global is a DedicatedWorkerGlobalScope:

      1. Let documents be an empty list.
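      Review bot: the added condition "or if global is a DedicatedWorkerGlobalScope" in step 1 sends every dedicated worker through the substeps that start with "Let documents be an empty list", which were written for local-scheme responses. Please confirm those substeps find the right creator when a dedicated worker is started from another worker rather than from a document, and state the handling in the step if they do not.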

        @@ -2513,7 +2523,11 @@

        Note: local scheme includes about:, and this algorithm will therefore alias the embedding document’s policies for an iframe srcdoc Document.

      2. -

        For each policy in response’s CSP list, insert policy into global’s CSP list.

        +

        If global is a SharedWorkerGlobalScope or ServiceWorkerGlobalScope:

        +
          +
        1. +

          For each policy in response’s CSP list, insert policy into global’s CSP list.

          +

      4.2.3. Should element’s inline type behavior be blocked by Content Security Policy?
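      Review bot: step 2 now inserts the response's policies only when global is a SharedWorkerGlobalScope or ServiceWorkerGlobalScope, so policies in a dedicated worker response's CSP list are dropped without comment. The Note above this step still explains only the local-scheme case; suggest extending it to say that a dedicated worker's own response policies are ignored in favour of its creator's.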

      Given an Element (element), a string (type), and a string (source) @@ -3054,7 +3068,7 @@

      Let name be the result of executing §6.6.1.11 Get the effective directive for request on request.

    2. -

      If name is not frame-src or worker-src, return "Allowed".

      +

      If name is not frame-src, return "Allowed".

    3. If policy contains a directive whose name is name, return "Allowed"
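    Review bot: step 2 here writes the directive name bare ("If name is not frame-src") while the default-src checks changed in the same patch quote it ('If name is "frame-src"'). Since name is a string in both algorithms, suggest quoting it here as well so the comparisons read the same way across the directive checks.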

    4. @@ -3068,7 +3082,7 @@

      Let name be the result of executing §6.6.1.11 Get the effective directive for request on request.

    5. -

      If name is not frame-src or worker-src, return "Allowed".

      +

      If name is not frame-src, return "Allowed".

    6. If policy contains a directive whose name is name, return "Allowed"

    7. @@ -3213,13 +3227,11 @@

      If policy contains a directive whose name is name, return "Allowed".

    8. -

      If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", - return "Allowed".

      -

      Note: It would be lovely to remove this special case. Perhaps "effective - directive" could return "child-src" and that could delegate out in the - same way this algorithm does?

      +

      If name is "frame-src", and policy contains a directive whose name is "child-src", return "Allowed".

      +
    9. +

      If name is "worker-src", and policy contains a directive whose name is "script-src", return "Allowed".

    10. -

      Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using +

      Otherwise, return the result of executing the pre-request check for the directive whose name is name on request and policy, using this directive’s value for the comparison.

    6.1.3.2. default-src Post-request check
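    Review bot: the removed Note flagged the child-src special case as something to get rid of, and this hunk instead adds a second one (worker-src deferring to script-src) with no note or issue reference left behind. Suggest keeping a short Note on the two special-case steps, or pointing them at issue #146, so the open design question stays visible next to the algorithm.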
    @@ -3231,15 +3243,13 @@

    If name is null, return "Allowed".

  • -

    If policy contains a directive whose name is name, return "Allowed".

    +

    If policy contains a directive whose name is name, return "Allowed".

  • -

    If name is "frame-src" or "worker-src", and policy contains a directive whose name is "child-src", - return "Allowed".

    -

    Note: It would be lovely to remove this special case. Perhaps "effective - directive" could return "child-src" and that could delegate out in the - same way this algorithm does?

    +

    If name is "frame-src", and policy contains a directive whose name is "child-src", return "Allowed".

  • -

    Otherwise, return the result of executing the post-request check for the directive whose name is name on request, response, and policy, using this directive’s value for the +

    If name is "worker-src", and policy contains a directive whose name is "script-src", return "Allowed".

    +
  • +

    Otherwise, return the result of executing the post-request check for the directive whose name is name on request, response, and policy, using this directive’s value for the comparison.

    6.1.4. font-src

    @@ -3598,7 +3608,8 @@
    request (request) and a policy (policy):

    1. -

      Assert: policy is unused.

      +

      If the result of executing §6.6.1.11 Get the effective directive for request on request is "worker-src", and policy contains a directive whose name is "worker-src", return "Allowed".

      +

      Note: If worker-src is present, we’ll defer to it when handling worker requests.

    2. If request’s type is "script", and its destination is "subresource":
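    Review bot: the new step 1 handles only the case where worker-src is present, and the next step visible here matches only requests whose type is "script" and destination is "subresource". With worker-src absent and script-src present, the default-src check now returns "Allowed" and leaves the worker request to this algorithm, so please confirm that a later step matches worker requests against script-src's source list; otherwise the fallback described in the changes list is not enforced.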

        @@ -3660,7 +3671,8 @@
        request (request), a response (response), and a policy (policy):

        1. -

          Assert: policy is unused.

          +

          If the result of executing §6.6.1.11 Get the effective directive for request on request is "worker-src", and policy contains a directive whose name is "worker-src", return "Allowed".

          +

          Note: If worker-src is present, we’ll defer to it when handling worker requests.

        2. If request’s type is "script", and its destination is "subresource":

            @@ -3895,9 +3907,9 @@

            Let source list be null.

          1. -

            If a directive whose name is +

            If a directive whose name is "base-uri" is present in policy’s directive - set, set source list to that directive’s value.

            + set, set source list to that directive’s value.

          2. If source list is null, skip to the next policy.
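          Review bot: the removed and added lines in this base-uri hunk read identically, as do those in the plugin-types and URL Matching note hunks further down, so they look like whitespace churn from regenerating index.html. Suggest dropping them from this change or landing the regeneration separately, so the diff of the generated file shows only the worker-src and child-src changes.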

          3. @@ -3994,7 +4006,7 @@
            node document’s CSP list:

            1. -

              If policy contains a directive (directive) whose name is plugin-types:

              +

              If policy contains a directive (directive) whose name is plugin-types:

              1. Let type be "application/x-java-applet" if plugin element is an applet element, or plugin element’s type attribute’s @@ -4247,7 +4259,7 @@

                6.6.1. URL Matching

                6.6.1.1. Does request violate policy?

                Given a request (request) and a policy (policy), this - algorithm returns the violated directive if the request violates the + algorithm returns the violated directive if the request violates the policy, and "Does Not Violate" otherwise.

                1. @@ -4286,12 +4298,12 @@
                  request (request), and a source list (source list), this algorithm returns the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on request’s current url, source list, request’s origin, and request’s redirect count.

                  -

                  Note: This is generally used in directives' pre-request check algorithms to verify that a given request is reasonable.

                  +

                  Note: This is generally used in directives' pre-request check algorithms to verify that a given request is reasonable.

                  6.6.1.4. Does response to request match source list?

                  Given a request (request), and a source list (source list), this algorithm returns the result of executing §6.6.1.5 Does url match source list in origin with redirect count? on response’s url, source list, request’s origin, and request’s redirect count.

                  -

                  Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable.

                  +

                  Note: This is generally used in directives' post-request check algorithms to verify that a given response is reasonable.

                  6.6.1.5. Does url match source list in origin with redirect count?

                  Given a URL (url), a source list (source list), an origin (origin), and a number (redirect count), this algorithm returns "Matches" if the URL matches one or more source @@ -4524,7 +4536,7 @@

                  6.6.1.11. Get the effective directive for request

                  Each fetch directive controls a specific type of request. Given - a request (request), the following algorithm returns either null or the name of the request’s effective directive:

                  + a request (request), the following algorithm returns either null or the name of the request’s effective directive:

                  1. Switch on request’s type, and execute @@ -5400,7 +5412,9 @@

                    [HTML] defines the following terms: @@ -5951,12 +5970,16 @@

                    6.1.1.2. child-src Post-request check (2)
                  2. 6.1.3.1. - default-src Pre-request check (2) (3) -
                  3. 6.1.3.2. - default-src Post-request check (2) (3) -
                  4. 6.2.1.1. + default-src Pre-request check (2) (3) (4) +
                  5. 6.1.3.2. + default-src Post-request check (2) (3) (4) +
                  6. 6.1.10.1. + script-src Pre-request check +
                  7. 6.1.10.2. + script-src Post-request check +
                  8. 6.2.1.1. Is base allowed for document? -
                  9. 6.6.1.11. +
                  10. 6.6.1.11. Get the effective directive for request diff --git a/index.src.html b/index.src.html index 99f14016bf..1824dcd3d7 100644 --- a/index.src.html +++ b/index.src.html @@ -281,10 +281,18 @@

                    Changes from Level 2

                    requirements and restrictions with other specifications (and with Service Workers in particular). - 2. The `frame-src` directive, which was deprecated in CSP Level - 2, has been undeprecated, and a `worker-src` directive has been added. - Both continue to defer to `child-src` if not present (which defers to - `default-src` in turn), but `child-src` is now deprecated. + 2. The `child-src` model has been substantially altered: + + 1. The `frame-src` directive, which was deprecated in CSP Level + 2, has been undeprecated, but continues to defer to `child-src` if + not present (which defers to `default-src` in turn). + + 2. A `worker-src` directive has been added, deferring to `script-src` + if not present (which likewise defers to `default-src` in turn). + + 3. `child-src` is now deprecated. + + 4. Dedicated workers now always inherit their creator's policy. ISSUE(w3c/webappsec-csp#146): This still might not be the right model. @@ -1120,7 +1128,7 @@

                    to initialize |global|'s CSP list: 1. If |response|'s url's scheme is a - local scheme: + local scheme, or if |global| is a {{DedicatedWorkerGlobalScope}}: 1. Let |documents| be an empty list. @@ -1139,9 +1147,11 @@

                    therefore alias the embedding document's policies for an iframe `srcdoc` `Document`. - 2. For each |policy| in |response|'s - CSP list, insert |policy| into - |global|'s CSP list. + 2. If |global| is a {{SharedWorkerGlobalScope}} or {{ServiceWorkerGlobalScope}}: + + 1. For each |policy| in |response|'s + CSP list, insert |policy| into + |global|'s CSP list.

                    Should |element|'s inline |type| behavior be blocked by Content Security Policy? @@ -1678,7 +1688,7 @@

                    1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If |name| is not `frame-src` or `worker-src`, return "`Allowed`". + 2. If |name| is not `frame-src`, return "`Allowed`". 3. If |policy| contains a directive whose name is |name|, return "`Allowed`" @@ -1700,7 +1710,7 @@
                    1. Let |name| be the result of executing [[#effective-directive-for-a-request]] on |request|. - 2. If |name| is not `frame-src` or `worker-src`, return "`Allowed`". + 2. If |name| is not `frame-src`, return "`Allowed`". 3. If |policy| contains a directive whose name is |name|, return "`Allowed`" @@ -1897,15 +1907,13 @@
                    3. If |policy| contains a directive whose name is |name|, return "`Allowed`". - 4. If |name| is "`frame-src`" or "`worker-src`", and |policy| contains a - directive whose name is "`child-src`", - return "`Allowed`". + 4. If |name| is "`frame-src`", and |policy| contains a directive whose + name is "`child-src`", return "`Allowed`". - Note: It would be lovely to remove this special case. Perhaps "effective - directive" could return "`child-src`" and that could delegate out in the - same way this algorithm does? + 5. If |name| is "`worker-src`", and |policy| contains a directive whose + name is "`script-src`", return "`Allowed`". - 5. Otherwise, return the result of executing the + 6. Otherwise, return the result of executing the pre-request check for the directive whose name is |name| on |request| and |policy|, using this directive's value for the comparison. @@ -1927,15 +1935,13 @@
                    3. If |policy| contains a directive whose name is |name|, return "`Allowed`". - 4. If |name| is "`frame-src`" or "`worker-src`", and |policy| contains a - directive whose name is "`child-src`", - return "`Allowed`". + 4. If |name| is "`frame-src`", and |policy| contains a directive whose + name is "`child-src`", return "`Allowed`". - Note: It would be lovely to remove this special case. Perhaps "effective - directive" could return "`child-src`" and that could delegate out in the - same way this algorithm does? + 5. If |name| is "`worker-src`", and |policy| contains a directive whose + name is "`script-src`", return "`Allowed`". - 5. Otherwise, return the result of executing the + 6. Otherwise, return the result of executing the post-request check for the directive whose name is |name| on |request|, |response|, and |policy|, using this directive's value for the @@ -2410,7 +2416,11 @@
                    Given a request (|request|) and a policy (|policy|): - 1. Assert: |policy| is unused. + 1. If the result of executing [[#effective-directive-for-a-request]] on |request| + is "`worker-src`", and |policy| contains a directive whose + name is "`worker-src`", return "`Allowed`". + + Note: If `worker-src` is present, we'll defer to it when handling worker requests. 2. If |request|'s type is "`script`", and its destination is "`subresource`": @@ -2481,7 +2491,11 @@
                    Given a request (|request|), a response (|response|), and a policy (|policy|): - 1. Assert: |policy| is unused. + 1. If the result of executing [[#effective-directive-for-a-request]] on |request| + is "`worker-src`", and |policy| contains a directive whose + name is "`worker-src`", return "`Allowed`". + + Note: If `worker-src` is present, we'll defer to it when handling worker requests. 2. If |request|'s type is "`script`", and its destination is "`subresource`":
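                    Review bot: in index.src.html the same worker-src step and Note are pasted into both the script-src pre-request and post-request checks, and the frame-src/child-src and worker-src/script-src fallback steps are likewise duplicated across the two default-src checks. Suggest moving the deferral rule into one shared algorithm that all four checks call, which is the direction the deleted Note ("effective directive" delegating out) was pointing at, so a later change to the fallback order cannot be applied to one check and missed in another.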