Rename 'sample' to 'script-sample' for 'report-uri'.
This addresses the feedback received in w3c/webappsec#119, aligning the spec
with the naming Firefox chose way back when.
mikewest committed Mar 23, 2017
1 parent 3b44fed commit edd5f29
Showing 2 changed files with 62 additions and 52 deletions.
51 changes: 29 additions & 22 deletions index.html
Expand Up @@ -1453,7 +1453,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1>Content Security Policy Level 3</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-03-17">17 March 2017</time></span></h2>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2017-03-23">23 March 2017</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
Expand Down Expand Up @@ -1923,10 +1923,7 @@ <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span cla
<p>The <a data-link-type="dfn" href="#navigation-to" id="ref-for-navigation-to-1"><code>navigation-to</code></a> directive gives a resource control over the endpoints
to which it can initiate navigation.</p>
<li data-md="">
<div class="wip">
Reports generated for inline violations will contain a <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample-1">sample</a> attribute if the relevant directive contains the <a data-link-type="grammar" href="#grammardef-report-sample" id="ref-for-grammardef-report-sample-1"><code>'report-sample'</code></a> expression.
<p class="issue" id="issue-063d72f2"><a class="self-link" href="#issue-063d72f2"></a> <code>'report-sample'</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/119">&lt;https://github.com/w3c/webappsec-csp/issues/119></a></p>
</div>
<p>Reports generated for inline violations will contain a <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample-1">sample</a> attribute if the relevant directive contains the <a data-link-type="grammar" href="#grammardef-report-sample" id="ref-for-grammardef-report-sample-1"><code>'report-sample'</code></a> expression.</p>
</ol>
</section>
<section>
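Review bot: with the work-in-progress marker removed, the "Changes from Level 2" entry still describes only a `sample` attribute, while this same commit renames the `report-uri` JSON key to `script-sample`; since this list is where implementers and report-collector authors look first, suggest naming both forms here, for example "... will contain a sample attribute (serialized as `script-sample` in `report-uri` reports) if the relevant directive contains the `'report-sample'` expression."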
Expand Down Expand Up @@ -2781,9 +2778,14 @@ <h3 class="heading settled" data-level="5.2" id="deprecated-serialize-violation"
<dt data-md="">"<code>status-code</code>"
<dd data-md="">
<p><var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status-2">status</a></p>
<dt data-md="">"<code>sample</code>"
<dt data-md="">"<code>script-sample</code>"
<dd data-md="">
<p><var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample-4">sample</a></p>
<p class="note" role="note"><span>Note:</span> The name <code>script-sample</code> was chosen for compatibility with an earlier iteration of
this feature which has shipped in Firefox since its initial implementation of CSP. Despite
the name, this field will contain samples for non-script violations, like stylesheets. The
data contained in a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-1">SecurityPolicyViolationEvent</a></code> object, and in reports generated via
the new <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-1"><code>report-to</code></a> directive, is named in a more encompassing fashion: <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample-1">sample</a></code>.</p>
</dl>
<li data-md="">
<p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file-2">source file</a> is not <code>null</code>:</p>
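Review bot: renaming the serialized key from `sample` to `script-sample` silently breaks any collector that already parsed `sample` out of `report-uri` payloads from the earlier draft, and nothing in this hunk or the spec changelog flags that. The added note explains the Firefox-compatibility rationale well; consider extending it with one sentence saying the key was previously published as `sample` in this draft, and pointing at the `'report-sample'` expression that gates whether the field is populated at all, so a reader of the serialization algorithm knows the field is absent unless the directive opts in.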
Expand All @@ -2806,7 +2808,7 @@ <h3 class="heading settled" data-level="5.2" id="deprecated-serialize-violation"
<h3 class="heading settled algorithm" data-algorithm="Report a violation" data-level="5.3" id="report-violation"><span class="secno">5.3. </span><span class="content"> Report a <var>violation</var> </span><a class="self-link" href="#report-violation"></a></h3>
<p>Given a <a data-link-type="dfn" href="#violation" id="ref-for-violation-19">violation</a> (<var>violation</var>), this algorithm reports it to the
endpoint specified in <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-4">policy</a>, and
fires a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-1">SecurityPolicyViolationEvent</a></code> at <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-4">global object</a>.</p>
fires a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-2">SecurityPolicyViolationEvent</a></code> at <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-4">global object</a>.</p>
<ol>
<li data-md="">
<p>Let <var>global</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-5">global object</a>.</p>
Expand Down Expand Up @@ -2834,7 +2836,7 @@ <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-l
<p>If <var>target</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/browsers.html#window">Window</a></code>, set <var>target</var> to <var>target</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#concept-document-window">associated <code>Document</code></a>.</p>
</ol>
<li data-md="">
<p><a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-event-fire">Fire an event</a> named <code>securitypolicyviolation</code> that uses the <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-2">SecurityPolicyViolationEvent</a></code> interface at <var>target</var> with
<p><a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-event-fire">Fire an event</a> named <code>securitypolicyviolation</code> that uses the <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-3">SecurityPolicyViolationEvent</a></code> interface at <var>target</var> with
its attributes initialized as follows:</p>
<dl>
<dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-documenturi" id="ref-for-dom-securitypolicyviolationevent-documenturi-1">documentURI</a></code>
Expand Down Expand Up @@ -2870,7 +2872,7 @@ <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-l
<dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-columnnumber" id="ref-for-dom-securitypolicyviolationevent-columnnumber-1">columnNumber</a></code>
<dd data-md="">
<p><var>violation</var>’s <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number-3">column number</a></p>
<dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample-1">sample</a></code>
<dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample-2">sample</a></code>
<dd data-md="">
<p><var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample-5">sample</a></p>
<dt data-md=""><code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-event-bubbles">bubbles</a></code>
Expand All @@ -2893,7 +2895,7 @@ <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-l
<ol>
<li data-md="">
<p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-8">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-9">directive set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-13">directive</a> named
"<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-1"><code>report-to</code></a>", skip the remaining substeps.</p>
"<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-2"><code>report-to</code></a>", skip the remaining substeps.</p>
<li data-md="">
<p>Let <var>endpoint</var> be the result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser">URL parser</a> with <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-8">value</a> as the input, and <var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url-3">url</a> as the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-base-url">base URL</a>.</p>
<li data-md="">
Expand Down Expand Up @@ -2956,7 +2958,7 @@ <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-l
with browsers that don’t support the new mechanism.</p>
<li data-md="">
<p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-9">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-10">directive
set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-14">directive</a> named "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-2"><code>report-to</code></a>"
set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-14">directive</a> named "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-3"><code>report-to</code></a>"
(<var>directive</var>):</p>
<ol>
<li data-md="">
Expand Down Expand Up @@ -4214,12 +4216,12 @@ <h3 class="heading settled" data-level="6.4" id="directives-reporting"><span cla
constructing a <a data-link-type="dfn" href="#violation" id="ref-for-violation-20">violation</a> object via <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> or <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a>, and passing that object to <a href="#report-violation">§5.3 Report a violation</a> to deliver the report.</p>
<h4 class="heading settled" data-level="6.4.1" id="directive-report-uri"><span class="secno">6.4.1. </span><span class="content"><code>report-uri</code></span><a class="self-link" href="#directive-report-uri"></a></h4>
<div class="note" role="note">
Note: The <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-3"><code>report-uri</code></a> directive is deprecated. Please use the <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-3"><code>report-to</code></a> directive instead. If the latter directive is present,
Note: The <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-3"><code>report-uri</code></a> directive is deprecated. Please use the <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-4"><code>report-to</code></a> directive instead. If the latter directive is present,
this directive will be ignored. To ensure backwards compatibility, we
suggest specifying both, like this:
<div class="example" id="example-9d2ef57e">
<a class="self-link" href="#example-9d2ef57e"></a>
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy">Content-Security-Policy</a>: ...; <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-4">report-uri</a> https://endpoint.com; <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-4">report-to</a> groupname
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy">Content-Security-Policy</a>: ...; <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-4">report-uri</a> https://endpoint.com; <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-5">report-to</a> groupname
</pre>
</div>
</div>
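Review bot: the example policy in the note uses `https://endpoint.com`, a real registrable domain, as the `report-uri` endpoint; since this line is being touched anyway, consider switching to a reserved documentation host such as `https://example.com/csp-reports` so readers who copy the example do not deliver violation reports (which can include URLs and code samples) to a third party.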
Expand Down Expand Up @@ -5023,7 +5025,7 @@ <h3 class="heading settled" data-level="10.1" id="iana-registry"><span class="se
<dt data-md=""><a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-5"><code>report-uri</code></a>
<dd data-md="">
<p>This document (see <a href="#directive-report-uri">§6.4.1 report-uri</a>)</p>
<dt data-md=""><a data-link-type="dfn" href="#report-to" id="ref-for-report-to-5"><code>report-to</code></a>
<dt data-md=""><a data-link-type="dfn" href="#report-to" id="ref-for-report-to-6"><code>report-to</code></a>
<dd data-md="">
<p>This document (see <a href="#directive-report-to">§6.4.2 report-to</a>)</p>
<dt data-md=""><a data-link-type="dfn" href="#sandbox" id="ref-for-sandbox-2"><code>sandbox</code></a>
Expand Down Expand Up @@ -5703,7 +5705,6 @@ <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">I
<h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
<div style="counter-reset:issue">
<div class="issue"> <code>unsafe-hashed-attributes</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a><a href="#issue-2f321613"> ↵ </a></div>
<div class="issue"> <code>'report-sample'</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/119">&lt;https://github.com/w3c/webappsec-csp/issues/119></a><a href="#issue-063d72f2"> ↵ </a></div>
<div class="issue"> Is this kind of thing specified anywhere? I didn’t see anything
that looked useful in <a data-link-type="biblio" href="#biblio-ecma262">[ECMA262]</a>.<a href="#issue-c404edb5"> ↵ </a></div>
<div class="issue"> How, exactly, do we get the status code? We don’t actually store it
Expand Down Expand Up @@ -6774,8 +6775,10 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<aside class="dfn-panel" data-for="securitypolicyviolationevent">
<b><a href="#securitypolicyviolationevent">#securitypolicyviolationevent</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-securitypolicyviolationevent-1">5.3.
Report a violation </a> <a href="#ref-for-securitypolicyviolationevent-2">(2)</a>
<li><a href="#ref-for-securitypolicyviolationevent-1">5.2.
Obtain the deprecated serialization of violation </a>
<li><a href="#ref-for-securitypolicyviolationevent-2">5.3.
Report a violation </a> <a href="#ref-for-securitypolicyviolationevent-3">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-documenturi">
Expand Down Expand Up @@ -6830,7 +6833,9 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-sample">
<b><a href="#dom-securitypolicyviolationevent-sample">#dom-securitypolicyviolationevent-sample</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-dom-securitypolicyviolationevent-sample-1">5.3.
<li><a href="#ref-for-dom-securitypolicyviolationevent-sample-1">5.2.
Obtain the deprecated serialization of violation </a>
<li><a href="#ref-for-dom-securitypolicyviolationevent-sample-2">5.3.
Report a violation </a>
</ul>
</aside>
Expand Down Expand Up @@ -7102,10 +7107,12 @@ <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content
<aside class="dfn-panel" data-for="report-to">
<b><a href="#report-to">#report-to</a></b><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-report-to-1">5.3.
Report a violation </a> <a href="#ref-for-report-to-2">(2)</a>
<li><a href="#ref-for-report-to-3">6.4.1. report-uri</a> <a href="#ref-for-report-to-4">(2)</a>
<li><a href="#ref-for-report-to-5">10.1.
<li><a href="#ref-for-report-to-1">5.2.
Obtain the deprecated serialization of violation </a>
<li><a href="#ref-for-report-to-2">5.3.
Report a violation </a> <a href="#ref-for-report-to-3">(2)</a>
<li><a href="#ref-for-report-to-4">6.4.1. report-uri</a> <a href="#ref-for-report-to-5">(2)</a>
<li><a href="#ref-for-report-to-6">10.1.
Directive Registry </a>
</ul>
</aside>