From 6638ad4a69933fe824575edf96348c6ec6eb7251 Mon Sep 17 00:00:00 2001
From: Yoav Weiss
Date: Mon, 9 Oct 2017 10:36:46 +0200
Subject: [PATCH] Replace Request.type based logic with Request.destination (#231)
* Replace Request.type based logic to Request.destination
* Fixed based on comments by annevk
* Added "a "
---
 index.html | 371 ++++++++++++++++++++++++-------------------------
 index.src.html | 99 ++++++-------
 2 files changed, 224 insertions(+), 246 deletions(-)
diff --git a/index.html b/index.html
index c0c1e89b28..4fcab4db21 100644
--- a/index.html
+++ b/index.html
@@ -470,7 +470,7 @@
 font-style: normal;
 }
 dt dfn code, code.idl {
- font-size: medium;
+ font-size: normal;
 }
 dfn var {
 font-style: normal;
@@ -1176,7 +1176,7 @@ } } - + + .highlight:not(.idl) { background: hsl(24, 20%, 95%); } + code.highlight { padding: .1em; border-radius: .3em; } + pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; } + .highlight .c { color: #708090 } /* Comment */ + .highlight .k { color: #990055 } /* Keyword */ + .highlight .l { color: #000000 } /* Literal */ + .highlight .n { color: #0077aa } /* Name */ + .highlight .o { color: #999999 } /* Operator */ + .highlight .p { color: #999999 } /* Punctuation */ + .highlight .cm { color: #708090 } /* Comment.Multiline */ + .highlight .cp { color: #708090 } /* Comment.Preproc */ + .highlight .c1 { color: #708090 } /* Comment.Single */ + .highlight .cs { color: #708090 } /* Comment.Special */ + .highlight .kc { color: #990055 } /* Keyword.Constant */ + .highlight .kd { color: #990055 } /* Keyword.Declaration */ + .highlight .kn { color: #990055 } /* Keyword.Namespace */ + .highlight .kp { color: #990055 } /* Keyword.Pseudo */ + .highlight .kr { color: #990055 } /* Keyword.Reserved */ + .highlight .kt { color: #990055 } /* Keyword.Type */ + .highlight .ld { color: #000000 } /* Literal.Date */ + .highlight .m { color: #000000 } /* Literal.Number */ + .highlight .s { color: #a67f59 } /* Literal.String */ + .highlight .na { color: #0077aa } /* Name.Attribute */ + .highlight .nc { color: #0077aa } /* Name.Class */ + .highlight .no { color: #0077aa } /* Name.Constant */ + .highlight .nd { color: #0077aa } /* Name.Decorator */ + .highlight .ni { color: #0077aa } /* Name.Entity */ + .highlight .ne { color: #0077aa } /* Name.Exception */ + .highlight .nf { color: #0077aa } /* Name.Function */ + .highlight .nl { color: #0077aa } /* Name.Label */ + .highlight .nn { color: #0077aa } /* Name.Namespace */ + .highlight .py { color: #0077aa } /* Name.Property */ + .highlight .nt { color: #669900 } /* Name.Tag */ + .highlight .nv { color: #222222 } /* Name.Variable */ + .highlight .ow { 
color: #999999 } /* Operator.Word */ + .highlight .mb { color: #000000 } /* Literal.Number.Bin */ + .highlight .mf { color: #000000 } /* Literal.Number.Float */ + .highlight .mh { color: #000000 } /* Literal.Number.Hex */ + .highlight .mi { color: #000000 } /* Literal.Number.Integer */ + .highlight .mo { color: #000000 } /* Literal.Number.Oct */ + .highlight .sb { color: #a67f59 } /* Literal.String.Backtick */ + .highlight .sc { color: #a67f59 } /* Literal.String.Char */ + .highlight .sd { color: #a67f59 } /* Literal.String.Doc */ + .highlight .s2 { color: #a67f59 } /* Literal.String.Double */ + .highlight .se { color: #a67f59 } /* Literal.String.Escape */ + .highlight .sh { color: #a67f59 } /* Literal.String.Heredoc */ + .highlight .si { color: #a67f59 } /* Literal.String.Interpol */ + .highlight .sx { color: #a67f59 } /* Literal.String.Other */ + .highlight .sr { color: #a67f59 } /* Literal.String.Regex */ + .highlight .s1 { color: #a67f59 } /* Literal.String.Single */ + .highlight .ss { color: #a67f59 } /* Literal.String.Symbol */ + .highlight .vc { color: #0077aa } /* Name.Variable.Class */ + .highlight .vg { color: #0077aa } /* Name.Variable.Global */ + .highlight .vi { color: #0077aa } /* Name.Variable.Instance */ + .highlight .il { color: #000000 } /* Literal.Number.Integer.Long */ +

Content Security Policy Level 3

-

Editor’s Draft,

+

Editor’s Draft,

This version: @@ -2974,9 +2974,6 @@

"report"

initiator -
-

""

-
type

""

credentials mode @@ -3093,9 +3090,9 @@

Fetches for the following code will all return network errors, as the URLs provided do not match child-src's source list:

-
<iframe src="https://not-example.com"></iframe>
-<script>
-  var blockedWorker = new Worker("data:application/javascript,...");
+
<iframe src="https://not-example.com"></iframe>
+<script>
+  var blockedWorker = new Worker("data:application/javascript,...");
 </script>
 

@@ -3154,16 +3151,16 @@

Fetches for the following code will all return network errors, as the URLs provided do not match connect-src's source list:

<a ping="https://not-example.com">...
-<script>
-  var xhr = new XMLHttpRequest();
-  xhr.open('GET', 'https://not-example.com/');
-  xhr.send();
+<script>
+  var xhr = new XMLHttpRequest();
+  xhr.open('GET', 'https://not-example.com/');
+  xhr.send();
 
-  var ws = new WebSocket("https://not-example.com/");
+  var ws = new WebSocket("https://not-example.com/");
 
-  var es = new EventSource("https://not-example.com/");
+  var es = new EventSource("https://not-example.com/");
 
-  navigator.sendBeacon("https://not-example.com/", { ... });
+  navigator.sendBeacon("https://not-example.com/", { ... });
 </script>
 

@@ -3174,8 +3171,7 @@

Assert: policy is unused.

  • -

    If request’s initiator is "fetch", or its type is "" and destination is - "":

    +

    If request’s initiator is "fetch" or its destination is "":

    1. If the result of executing §6.6.1.3 Does request match source list? on request and this directive’s value is @@ -3191,8 +3187,7 @@

      Assert: policy is unused.

    2. -

      If request’s initiator is "fetch", or its type is "" and destination is - "subresource":

      +

      If request’s initiator is "fetch" or its destination is "":

      1. If the result of executing §6.6.1.4 Does response to request match source list? on response, request, and this directive’s value is "Does Not Match", return @@ -3303,10 +3298,10 @@

        Fetches for the following code will return a network errors, as the URL provided do not match font-src's source list:

        -
        <style>
        +
        <style>
           @font-face {
             font-family: "Example Font";
        -    src: url("https://not-example.com/font");
        +    src: url("https://not-example.com/font");
           }
           body {
             font-family: "Example Font";
        @@ -3321,7 +3316,7 @@ 

        Assert: policy is unused.

      2. -

        If request’s type is "font":

        +

        If request’s destination is "font":

        1. If the result of executing §6.6.1.3 Does request match source list? on request and this directive’s value is @@ -3337,7 +3332,7 @@

          Assert: policy is unused.

        2. -

          If request’s type is "font":

          +

          If request’s destination is "font":

          1. If the result of executing §6.6.1.4 Does response to request match source list? on response, request, and this directive’s value is "Does Not Match", return @@ -3369,7 +3364,7 @@

            Assert: policy is unused.

          2. -

            If request’s type is "document" and target browsing context is a nested browsing +

            If request’s destination is "document" and target browsing context is a nested browsing context:

            1. @@ -3386,7 +3381,7 @@

              Assert: policy is unused.

            2. -

              If request’s type is "document" and target browsing context is a nested browsing +

              If request’s destination is "document" and target browsing context is a nested browsing context:

              1. @@ -3404,7 +3399,7 @@

                serialized-source-list

      3. This directive controls requests which load images. More formally, this - includes requests whose type is "image" [FETCH].

        + includes requests whose destination is "image" [FETCH].

        Given a page with the following Content Security Policy:
        Content-Security-Policy: img-src https://example.com/
        @@ -3421,7 +3416,7 @@ 

        Assert: policy is unused.

      4. -

        If request’s type is "image":

        +

        If request’s destination is "image":

        1. If the result of executing §6.6.1.3 Does request match source list? on request and this directive’s value is @@ -3437,7 +3432,7 @@

          Assert: policy is unused.

        2. -

          If request’s type is "image":

          +

          If request’s destination is "image":

          1. If the result of executing §6.6.1.4 Does response to request match source list? on response, request, and this directive’s value is "Does Not Match", return @@ -3469,7 +3464,7 @@

            Assert: policy is unused.

          2. -

            If request’s type is "", and its initiator is "manifest":

            +

            If request’s destination is "manifest":

            1. If the result of executing §6.6.1.3 Does request match source list? on request and this directive’s value is @@ -3485,7 +3480,7 @@

              Assert: policy is unused.

            2. -

              If request’s type is "", and its initiator is "manifest":

              +

              If request’s destination is "manifest":

              1. If the result of executing §6.6.1.4 Does response to request match source list? on response, request, and this directive’s value is "Does Not Match", return @@ -3507,7 +3502,7 @@

                Fetches for the following code will return a network errors, as the URL provided do not match media-src's source list:

                -
                <audio src="https://not-example.com/audio"></audio>
                +
                <audio src="https://not-example.com/audio"></audio>
                 <video src="https://not-example.com/video">
                     <track kind="subtitles" src="https://not-example.com/subtitles">
                 </video>
                @@ -3520,7 +3515,7 @@ 

                Assert: policy is unused.

              2. -

                If request’s type is one of "audio", "video", +

                If request’s destination is one of "audio", "video", or "track":

                1. @@ -3537,7 +3532,7 @@

                  Assert: policy is unused.

                2. -

                  If request’s type is one of "audio", "video", +

                  If request’s destination is one of "audio", "video", or "track":

                  1. @@ -3560,9 +3555,9 @@

                    Fetches for the following code will return a network errors, as the URL provided do not match object-src's source list:

                    -
                    <embed src="https://not-example.com/flash"></embed>
                    -<object data="https://not-example.com/flash"></object>
                    -<applet archive="https://not-example.com/flash"></applet>
                    +
                    <embed src="https://not-example.com/flash"></embed>
                    +<object data="https://not-example.com/flash"></object>
                    +<applet archive="https://not-example.com/flash"></applet>
                     

      5. If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based @@ -3588,7 +3583,7 @@

        Assert: policy is unused.

      6. -

        If request’s type is "", and its destination is "unknown":

        +

        If request’s destination is "object" or "embed":

        1. If the result of executing §6.6.1.3 Does request match source list? on request and this directive’s value is @@ -3604,7 +3599,7 @@

          Assert: policy is unused.

        2. -

          If request’s type is "", and its destination is "unknown":

          +

          If request’s destination is "object" or "embed":

          1. If the result of executing §6.6.1.4 Does response to request match source list? on response, request, and this directive’s value is "Does Not Match", return @@ -3656,7 +3651,7 @@

            §6.6.1.11 Get the effective directive for request on request is "worker-src", and policy contains a directive whose name is "worker-src", return "Allowed".

            Note: If worker-src is present, we’ll defer to it when handling worker requests.

          2. -

            If request’s type is "script":

            +

            If request’s destination is a script-like destination:

            1. If the result of executing §6.6.1.2 Does nonce match source list? on request’s cryptographic nonce metadata and this @@ -3719,7 +3714,7 @@

              §6.6.1.11 Get the effective directive for request on request is "worker-src", and policy contains a directive whose name is "worker-src", return "Allowed".

              Note: If worker-src is present, we’ll defer to it when handling worker requests.

            2. -

              If request’s type is "script":

              +

              If request’s destination is a script-like destination:

              1. If the result of executing §6.6.1.2 Does nonce match source list? on request’s cryptographic nonce metadata and this @@ -3826,7 +3821,7 @@

                Assert: policy is unused.

              2. -

                If request’s type is "style":

                +

                If request’s destination is "style":

                1. If the result of executing §6.6.1.2 Does nonce match source list? on request’s cryptographic nonce metadata and this @@ -3846,7 +3841,7 @@

                  Assert: policy is unused.

                2. -

                  If request’s type is "style":

                  +

                  If request’s destination is "style":

                  1. If the result of executing §6.6.1.2 Does nonce match source list? on request’s cryptographic nonce metadata and this @@ -3890,10 +3885,10 @@

                    Fetches for the following code will return a network errors, as the URL provided do not match worker-src's source list:

                    -
                    <script>
                    -  var blockedWorker = new Worker("data:application/javascript,...");
                    -  blockedWorker = new SharedWorker("https://not-example.com/");
                    -  navigator.serviceWorker.register('https://not-example.com/sw.js');
                    +
                    <script>
                    +  var blockedWorker = new Worker("data:application/javascript,...");
                    +  blockedWorker = new SharedWorker("https://not-example.com/");
                    +  navigator.serviceWorker.register('https://not-example.com/sw.js');
                     </script>
                     
                    @@ -4002,21 +3997,21 @@

                    Content-Security-Policy: plugin-types application/pdf

                    Fetches for the following code will all return network errors:

                    -
                    <!-- No 'type' declaration -->
                    -<object data="https://example.com/flash"></object>
                    +
                    <!-- No 'type' declaration -->
                    +<object data="https://example.com/flash"></object>
                     
                    -<!-- Non-matching 'type' declaration -->
                    -<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
                    +<!-- Non-matching 'type' declaration -->
                    +<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
                     
                    -<!-- Non-matching resource -->
                    -<object data="https://example.com/flash" type="application/pdf"></object>
                    +<!-- Non-matching resource -->
                    +<object data="https://example.com/flash" type="application/pdf"></object>
                     

                    If the page allowed Flash content by sending the following header:

                    Content-Security-Policy: plugin-types application/x-shockwave-flash
                     

                    Then the second item above would load successfully:

                    -
                    <!-- Matching 'type' declaration and resource -->
                    -<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
                    +
                    <!-- Matching 'type' declaration and resource -->
                    +<object data="https://example.com/flash" type="application/x-shockwave-flash"></object>
                     
                    6.2.2.1. plugin-types Post-Request Check
                    @@ -4600,31 +4595,38 @@
                    Return "Matches".

                  6.6.1.11. Get the effective directive for request
                  -

                  Each fetch directive controls a specific type of request. Given +

                  Each fetch directive controls a specific destination of request. Given a request (request), the following algorithm returns either null or the name of the request’s effective directive:

                  1. -

                    Switch on request’s type, and execute +

                    Switch on request’s destination, and execute the associated steps:

                    ""
                      -
                    1. -

                      If the request’s initiator and destination are both the empty string, return connect-src.

                    2. If the request’s initiator is - "manifest", return manifest-src.

                      + the empty string, return connect-src.

                      +
                    +
                    "manifest" +
                    +
                    1. -

                      If the request’s destination is - "subresource", return connect-src.

                      +

                      Return manifest-src.

                      +
                    +
                    "object" +
                    "embed" +
                    +
                    1. -

                      If the request’s destination is - "unknown", return object-src.

                      +

                      Return object-src.

                      +
                    +
                    "document" +
                    +
                    1. -

                      If the request’s destination is - "document" and the request’s target browsing context is a nested browsing - context, return frame-src.

                      +

                      If the request’s target browsing context is a nested browsing context, return frame-src.

                    "audio"
                    "track" @@ -4653,28 +4655,18 @@
                    "script" +
                    "xslt"
                    1. -

                      Switch on request’s destination, and - execute the associated steps:

                      -
                      -
                      "script" -
                      "subresource" -
                      -
                        -
                      1. -

                        Return script-src.

                        -
                      -
                      "serviceworker" -
                      "sharedworker" -
                      "worker" -
                      -
                        -
                      1. -

                        Return worker-src.

                        -
                      -
                      +

                      Return script-src.

                      +
                    +
                    "sharedworker" +
                    "worker" +
                    +
                      +
                    1. +

                      Return worker-src.

                  2. @@ -4854,12 +4846,12 @@
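Review bot: The rewritten effective-directive switch maps only "sharedworker" and "worker" to worker-src, while the block it replaces also listed "serviceworker"; nothing in this hunk routes a "serviceworker" destination anywhere, so such a request appears to fall through to whatever the switch does after this hunk ends. That conflicts with the worker-src example in the @@ -3890 hunk, which still presents `navigator.serviceWorker.register('https://not-example.com/sw.js')` as blocked by worker-src, and with the script-src pre-request check in the @@ -3656 hunk, which now applies to any script-like destination (a set that, as far as I recall Fetch's definition, includes service workers) but defers to worker-src only when this algorithm returns it. If dropping "serviceworker" is intentional because service-worker script fetches are governed elsewhere, the example and the worker-src deferral note should say so; otherwise restore it by changing the new case list to `"serviceworker"`, `"sharedworker"`, `"worker"` ahead of `Return worker-src`. The switch continues past the end of this hunk.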

                    7.2. Nonce Stealing

                    Dangling markup attacks such as those discussed in [FILEDESCRIPTOR-2015] can be used to repurpose a page’s legitimate nonces for injections. For example, given an injection point before a script element:

                    -
                    <p>Hello, [INJECTION POINT]</p>
                    -<script nonce=abc src=/good.js></script>
                    +
                    <p>Hello, [INJECTION POINT]</p>
                    +<script nonce=abc src=/good.js></script>
                     

                    If an attacker injects the string "<script src='https://evil.com/evil.js' ", then the browser will receive the following:

                    -
                    <p>Hello, <script src='https://evil.com/evil.js' </p>
                    +
                    <p>Hello, <script src='https://evil.com/evil.js' </p>
                     <script nonce=abc src=/good.js></script>
                     

                    It will then parse that code, ending up with a script element with a src attribute pointing to a malicious payload, an attribute named </p>, @@ -4873,11 +4865,11 @@

                    base element, then an otherwise safe page can be subverted when relative URLs are resolved. That is, on https://example.com/ the following code will load https://example.com/good.js:

                    -
                    <script nonce=abc src=/good.js></script>
                    +
                    <script nonce=abc src=/good.js></script>
                     

                    However, the following will load https://evil.com/good.js:

                    <base href="https://evil.com">
                    -<script nonce=abc src=/good.js></script>
                    +<script nonce=abc src=/good.js></script>
                     

                    To mitigate this risk, it is advisable to set an explicit base element on every page, or to limit the ability of an attacker to inject their own base element by setting a base-uri directive in your page’s policy. For example, base-uri 'none'.

                    @@ -4992,17 +4984,17 @@

                    And serves the following HTML with that policy active:

                    ...
                    -<script src="https://cdn.example.com/script.js" nonce="DhcnhD3khTMePgXwdayK9BsMqXjhguVV" ></script>
                    +<script src="https://cdn.example.com/script.js" nonce="DhcnhD3khTMePgXwdayK9BsMqXjhguVV" ></script>
                     ...
                     

                    This will generate a request for https://cdn.example.com/script.js, which will not be blocked because of the matching nonce attribute.

                    If script.js contains the following code:

                    -
                    var s = document.createElement('script');
                    +
                    var s = document.createElement('script');
                     s.src = 'https://othercdn.not-example.net/dependency.js';
                    -document.head.appendChild('s');
                    +document.head.appendChild('s');
                     
                    -document.write('<scr' + 'ipt src='/sadness.js'></scr' + 'ipt>');
                    +document.write('<scr' + 'ipt src='/sadness.js'></scr' + 'ipt>');
                     

                    dependency.js will load, as the script element created by createElement() is not "parser-inserted".

                    sadness.js will not load, however, as document.write() produces script elements which are "parser-inserted".

                    @@ -5052,16 +5044,16 @@

                    script elements would be allowed to execute because they contain only integrity metadata that matches the policy:

                    -
                    <script integrity="sha256-abc123" ...></script>
                    -<script integrity="sha512-321cba" ...></script>
                    -<script integrity="sha256-abc123 sha512-321cba" ...></script>
                    +
                    <script integrity="sha256-abc123" ...></script>
                    +<script integrity="sha512-321cba" ...></script>
                    +<script integrity="sha256-abc123 sha512-321cba" ...></script>
                     

                    While the following script elements would not execute because they contain valid metadata that does not match the policy (even though other metadata does match):

                    -
                    <script integrity="sha384-xyz789" ...></script>
                    -<script integrity="sha384-xyz789 sha512-321cba" ...></script>
                    -<script integrity="sha256-abc123 sha384-xyz789 sha512-321cba" ...></script>
                    +
                    <script integrity="sha384-xyz789" ...></script>
                    +<script integrity="sha384-xyz789 sha512-321cba" ...></script>
                    +<script integrity="sha256-abc123 sha384-xyz789 sha512-321cba" ...></script>
                     

                    Metadata that is not recognized (either because it’s entirely invalid, or because it specifies a not-yet-supported hashing algorithm) does not affect @@ -5069,9 +5061,9 @@