
Clarify navigation behavior for 'script-src'.

mikewest committed Dec 21, 2017
1 parent 98bea96 commit 7a4577c7975c8afdac0c0fc5a5493059b5660742
Showing with 9 additions and 3 deletions.
  1. +5 −2 index.html
  2. +4 −1 index.src.html
@@ -1178,7 +1178,7 @@
</style>
<meta content="Bikeshed version fbf1456a756299b3ff6d248d0857ec87f2e68cd7" name="generator">
<link href="https://www.w3.org/TR/CSP3/" rel="canonical">
<meta content="82aebd3dcd00492ce718e92ada3ebf1e4133cf36" name="document-revision">
<meta content="98bea96e4d55fcd98d8648cef16416a462516cc1" name="document-revision">
<style>
ul.toc ul ul ul {
margin: 0 0 0 2em;
@@ -3647,7 +3647,7 @@ <h4 class="heading settled" data-level="6.1.10" id="directive-script-src"><span
<pre>directive-name = "script-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑨">serialized-source-list</a>
</pre>
<p>The <code>script-src</code> directive governs four things:</p>
<p>The <code>script-src</code> directive governs five things:</p>
<ol>
<li data-md="">
<p>Script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑨">requests</a> MUST pass through <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>.</p>
@@ -3674,6 +3674,9 @@ <h4 class="heading settled" data-level="6.1.10" id="directive-script-src"><span
<p><code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval" id="ref-for-dom-setinterval">setInterval()</a></code> with an initial argument which is not callable.</p>
</ul>
<p class="note" role="note"><span>Note:</span> If a user agent implements non-standard sinks like <code>setImmediate()</code> or <code>execScript()</code>, they SHOULD also be gated on "<code>unsafe-eval</code>".</p>
<li data-md="">
<p>Navigation to <code>javascript:</code> URLs MUST pass through <a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a>. These navigations
will only execute script if every policy allows inline script, as per #3 above.</p>
</ol>
<h5 class="heading settled algorithm" data-algorithm="script-src Pre-request check" data-level="6.1.10.1" id="script-src-pre-request"><span class="secno">6.1.10.1. </span><span class="content"> <code>script-src</code> Pre-request check </span><a class="self-link" href="#script-src-pre-request"></a></h5>
<p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①②">pre-request check</a> is as follows:</p>
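Review bot: the new list item sends `javascript:` navigations through "§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?", but that algorithm (as its title says) takes an element and an inline type, and the inserted paragraph names neither; a navigation has no element, so the text should state what is passed (or define a navigation-specific type) before it can claim that script runs "only if every policy allows inline script". As written, `<p>Navigation to <code>javascript:</code> URLs MUST pass through ...` leaves implementers to guess the inputs.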
@@ -2540,7 +2540,7 @@ <h4 id="directive-script-src">`script-src`</h4>
directive-value = <a grammar>serialized-source-list</a>
</pre>

The `script-src` directive governs four things:
The `script-src` directive governs five things:

1. Script <a for="/">requests</a> MUST pass through [[#should-block-request]].

@@ -2564,6 +2564,9 @@ <h4 id="directive-script-src">`script-src`</h4>
Note: If a user agent implements non-standard sinks like `setImmediate()`
or `execScript()`, they SHOULD also be gated on "`unsafe-eval`".

5. Navigation to `javascript:` URLs MUST pass through [[#should-block-inline]]. These navigations
will only execute script if every policy allows inline script, as per #3 above.

<h5 algorithm id="script-src-pre-request">
`script-src` Pre-request check
</h5>
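Review bot: "as per #3 above" in the new item 5 is a positional reference maintained by hand in index.src.html; this very commit changed the count from "four" to "five", so the next insertion or reordering will leave it stale. Prefer naming the rule it relies on, e.g. "as per the inline-script rule in item 3 ([[#should-block-inline]])", or give item 3 an id and link it.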
