From 3530bd449ed36aebc2ea3eed8a9df622b85d1c2c Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 6 Apr 2016 11:05:12 +0200 Subject: [PATCH 1/2] Implement 'HostEnsureCanCompileStrings'. --- index.html | 1477 ++++++++++++++++++++++++++++++------------------ index.src.html | 54 +- 2 files changed, 961 insertions(+), 570 deletions(-) diff --git a/index.html b/index.html index 20821e2a30..6ea89fa604 100644 --- a/index.html +++ b/index.html @@ -10,7 +10,7 @@ * * Indices * - .toc for the Table of Contents (
    ) - * -> for the section numbers + * + for the section numbers * - #toc for the Table of Contents (
+
  • + 4.3 Integration with ECMAScript +
      +
    1. 4.3.1 EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) +
  • 5 Reporting @@ -1529,7 +1636,7 @@

    1.2.
  • The execution of inline script

  • -

    Dynamic code execution (via eval() and similar constructs)

    +

    Dynamic code execution (via eval() and similar constructs)

  • The application of inline style

    @@ -1557,7 +1664,7 @@

  • Insecure schemes in source expressions now match their secure variants. - That is, http: is equivalent to http: https:, and http://a.com to http://a.com https://a.com.

    + That is, http: is equivalent to http: https:, and http://example.com to http://example.com https://example.com.

    Likewise, 'self' now matches https and wss variants of the page’s origin, even on pages whose scheme is http.

  • @@ -1577,9 +1684,6 @@

    Can we enable sandbox inside meta? It’s not clear what threat we’re - preventing by dropping support for it (and Chrome and Safari support it - today).

    Do we still need to strip values when reporting? I think we’ve removed much of the risk by using the original URL of a blocked resource; there shouldn’t be anything in the report JSON that script can’t gather on its own @@ -1590,24 +1694,59 @@

    2. Framework

    2.1. Policies

    -

    A policy defines a set of allowed and +

    A policy#policyReferenced in:2.1.1. + Parse a serialized CSP as disposition (2) (3)2.1.2. + Parse a serialized CSP list as disposition 2.2. Directives (2) (3) (4) (5)2.3. Violations (2) (3)2.3.1. + Create a violation object for global, policy, and directive 2.3.2. + Create a violation object for request, policy, and directive 3. + Policy Delivery (2)4.1. + Integration with Fetch 4.2. + Integration with HTML (2) (3) (4)4.2.1. + Initialize a Document's CSP list 5. + Reporting (2)6.1.2.1. Algorithms (2)6.1.3.1. Algorithms (2)6.1.4.1. Algorithms (2)6.1.5.1. Algorithms (2)6.1.6.1. Algorithms (2)6.1.7.1. Algorithms (2)6.1.8.1. Algorithms (2)6.1.9.1. Algorithms (2)6.1.10.1. Algorithms (2)6.1.11.1. + Does request violate policy? 7.1. Nonce Reuse9.1. Vendor-specific Extensions and Addons defines a set of allowed and restricted behaviors, and may be applied to a Window or WorkerGlobalScope as described in §4.2.2 Initialize a global object’s CSP list.

    -

    Each policy has an associated directive set, which - is a set of directives that define the policy’s implications when +

    Each policy has an associated directive set#policy-directive-setReferenced in:2.1.1. + Parse a serialized CSP as disposition (2) (3) (4)2.1.2. + Parse a serialized CSP list as disposition 5.3. + Report a violation (2) (3), which + is a set of directives that define the policy’s implications when applied.

    -

    Each policy has an associated disposition, which is +

    Each policy has an associated disposition#policy-dispositionReferenced in:2.1.1. + Parse a serialized CSP as disposition (2)2.1.2. + Parse a serialized CSP list as disposition 4.1.2. + Report Content Security Policy violations for request 4.1.3. + Should request be blocked by Content Security Policy? 4.1.4. + Should response to request be blocked by Content + Security Policy? (2)4.2.3. + Should element’s inline type behavior be blocked by Content Security Policy? , which is either "enforce" or "report".

    -

    A serialized CSP is an ASCII string, consisting of a - semicolon-delimited series of serialized directives, adhering to the +

    A serialized CSP#serialized-cspReferenced in:2.1.1. + Parse a serialized CSP as disposition 2.1.2. + Parse a serialized CSP list as disposition 2.2.1. Source Lists3. + Policy Delivery 3.1. + The Content-Security-Policy HTTP Response Header Field 3.2. + The Content-Security-Policy-Report-Only HTTP Response Header Field 4.1.1. + Set response’s CSP list 5.2. + Obtain the deprecated serialization of violation is an ASCII string, consisting of a + semicolon-delimited series of serialized directives, adhering to the following ABNF grammar [RFC5234]:

    -
    serialized-policy = serialized-directive *( OWS ";" [ OWS serialized-directive ] )
    +
    serialized-policy#grammardef-serialized-policyReferenced in:3.1. 
    +    The Content-Security-Policy HTTP Response Header Field
    +  3.2. 
    +    The Content-Security-Policy-Report-Only HTTP Response Header Field
    +   = serialized-directive *( OWS ";" [ OWS serialized-directive ] )
                         ; OWS is defined in section 3.2.3 of RFC 7230
     
    -

    2.1.1. Parse a serialized CSP as disposition

    -

    Given a serialized CSP (serialized CSP), and a disposition (disposition), this algorithm will return a policy object. If the string cannot be parsed, the resulting policy’s directive set will be empty.

    +

    2.1.1. Parse a serialized CSP as disposition #parse-serialized-policyReferenced in:2.1.2. + Parse a serialized CSP list as disposition 3.1. + The Content-Security-Policy HTTP Response Header Field 3.2. + The Content-Security-Policy-Report-Only HTTP Response Header Field 4.1. + Integration with Fetch

    +

    Given a serialized CSP (serialized CSP), and a disposition (disposition), this algorithm will return a policy object. If the string cannot be parsed, the resulting policy’s directive set will be empty.

    1. -

      Let policy be a new policy with an empty directive set, and a disposition of disposition.

      +

      Let policy be a new policy with an empty directive set, and a disposition of disposition.

    2. For each token returned by strictly splitting serialized CSP on the U+003B SEMICOLON character (;):

      @@ -1622,7 +1761,7 @@

      space characters.

    3. -

      If policy’s directive set contains a directive whose name is directive +

      If policy’s directive set contains a directive whose name is directive name, skip the remaining substeps and continue to the next item.

      The user agent SHOULD notify developers that a directive was ignored. A console warning might be appropriate, for example.

      @@ -1630,17 +1769,17 @@

      splitting token on spaces.

    4. -

      Let directive be a new directive whose name is directive name, and value is directive value.

      +

      Let directive be a new directive whose name is directive name, and value is directive value.

    5. -

      Add directive to policy’s directive set.

      +

      Add directive to policy’s directive set.

  • Return policy.

    2.1.2. Parse a serialized CSP list as disposition

    -

    Given a string (list) and a disposition (disposition) - which contains a comma-delimited series of serialized CSP strings, the - following algorithm will return a list of policies:

    +

    Given a string (list) and a disposition (disposition) + which contains a comma-delimited series of serialized CSP strings, the + following algorithm will return a list of policies:

    1. Let policies be an empty list.

      @@ -1648,9 +1787,9 @@

      splitting list on commas:

      1. -

        Let policy be the result of executing §2.1.1 Parse a serialized CSP as disposition on token with disposition.

        +

        Let policy be the result of executing §2.1.1 Parse a serialized CSP as disposition on token with disposition.

      2. -

        If policy’s directive set is empty, skip the +

        If policy’s directive set is empty, skip the remaining substeps, and continue to the next item.

      3. Add policy to policies.

        @@ -1659,54 +1798,83 @@

        2.2. Directives

        -

        Policies contain a set of directives, each of which controls +

        Policies contain a set of directives#directivesReferenced in:2.1. Policies2.1.1. + Parse a serialized CSP as disposition (2)2.2. Directives (2)2.2.1. Source Lists2.3. Violations4.1. + Integration with Fetch 4.3.1. + EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) (2) (3)5.3. + Report a violation (2) (3)6. + Content Security Policy Directives 6.1.3.1. Algorithms (2)6.1.11.1. + Does request violate policy? , each of which controls a specific behavior. The directives defined in this document are described in detail in §6 Content Security Policy Directives.

        -

        Each directive is a name / value pair. The name is a - non-empty string, and the value is a set of non-empty strings. The value set MAY be empty.

        -

        A serialized directive is an ASCII string, consisting of one or more +

        Each directive is a name#directive-nameReferenced in:2.1.1. + Parse a serialized CSP as disposition (2)2.2. Directives4.3.1. + EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) (2)6.1.3.1. Algorithms (2)6.1.11.4. + Get the effective directive for request / value#directive-valueReferenced in:2.1.1. + Parse a serialized CSP as disposition 2.2. Directives (2)2.2.1. Source Lists4.3.1. + EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) (2)5.3. + Report a violation (2)6.1.2.1. Algorithms (2)6.1.3.1. Algorithms (2)6.1.4.1. Algorithms (2)6.1.5.1. Algorithms (2)6.1.6.1. Algorithms (2)6.1.7.1. Algorithms (2)6.1.8.1. Algorithms (2)6.1.9.1. Algorithms (2) (3)6.1.10.1. Algorithms (2) (3) pair. The name is a + non-empty string, and the value is a set of non-empty strings. The value set MAY be empty.

        +

        A serialized directive#serialized-directiveReferenced in:2.1. Policies is an ASCII string, consisting of one or more whitespace-delimited tokens, and adhering to the following ABNF [RFC5234]:

        -
        serialized-directive = directive-name [ RWS directive-value ]
        -directive-name       = 1*( ALPHA / DIGIT / "-" )
        -directive-value      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
        +
        serialized-directive#grammardef-serialized-directiveReferenced in:2.1. Policies (2) = directive-name [ RWS directive-value ]
        +directive-name#grammardef-directive-nameReferenced in:2.2. Directives       = 1*( ALPHA / DIGIT / "-" )
        +directive-value#grammardef-directive-valueReferenced in:2.2. Directives      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
                                ; Directive values may contain whitespace and VCHAR characters,
                                ; excluding ";" and ","
         
         ; RWS is defined in section 3.2.3 of RFC7230. ALPHA, DIGIT, and
         ; VCHAR are defined in Appendix B.1 of RFC 5234.
         
        -

        Directives have five associated algorithms:

        +

        Directives have five associated algorithms:

        1. -

          A pre-request check, which takes a request and a policy as an argument, and is executed during §4.1.3 Should request be blocked by Content Security Policy?. This algorithm returns "Allowed" unless +

          A pre-request check#directive-pre-request-checkReferenced in:6.1.1.1. Algorithms6.1.2.1. Algorithms6.1.3.1. Algorithms6.1.4.1. Algorithms6.1.5.1. Algorithms6.1.6.1. Algorithms6.1.7.1. Algorithms6.1.8.1. Algorithms6.1.9.1. Algorithms6.1.10.1. Algorithms6.1.11.1. + Does request violate policy? 6.3. + Directives Defined in Other Documents , which takes a request and a policy as an argument, and is executed during §4.1.3 Should request be blocked by Content Security Policy?. This algorithm returns "Allowed" unless otherwise specified.

        2. -

          A post-request check, which takes a request, a response, and a policy as arguments, and +

          A post-request check#directive-post-request-checkReferenced in:4.1.4. + Should response to request be blocked by Content + Security Policy? 6.1.1.1. Algorithms6.1.2.1. Algorithms6.1.3.1. Algorithms6.1.4.1. Algorithms6.1.5.1. Algorithms6.1.6.1. Algorithms6.1.7.1. Algorithms6.1.8.1. Algorithms6.1.9.1. Algorithms6.1.10.1. Algorithms6.3. + Directives Defined in Other Documents , which takes a request, a response, and a policy as arguments, and is executed during §4.1.4 Should response to request be blocked by Content Security Policy?. This algorithm returns "Allowed" unless otherwise specified.

        3. -

          A response check, which takes a request, a response, and a policy as arguments, and +

          A response check#directive-response-checkReferenced in:4.1.4. + Should response to request be blocked by Content + Security Policy? 6.3. + Directives Defined in Other Documents , which takes a request, a response, and a policy as arguments, and is executed during §4.1.4 Should response to request be blocked by Content Security Policy?. This algorithm returns "Allowed" unless otherwise specified.

        4. -

          An inline check, which takes an Element and +

          An inline check#directive-inline-checkReferenced in:4.2.3. + Should element’s inline type behavior be blocked by Content Security Policy? 6.1.9.1. Algorithms6.1.10.1. Algorithms, which takes an Element and a type string as arguments, and is executed during §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. This algorithm returns "Allowed" unless otherwise specified.

        5. -

          An initialization, which takes a Document or global object, a response, and a policy as +

          An initialization#directive-initializationReferenced in:4.2.1. + Initialize a Document's CSP list 6.1.9.1. Algorithms6.1.10.1. Algorithms6.3. + Directives Defined in Other Documents , which takes a Document or global object, a response, and a policy as arguments. This algorithm is executed during §4.2.1 Initialize a Document's CSP list, and has no effect unless otherwise specified.

        2.2.1. Source Lists

        -

        Many directives' values consist of source lists: sets +

        Many directives' values consist of source lists#source-listsReferenced in:6.1.1. child-src6.1.2. connect-src6.1.3. default-src6.1.4. font-src6.1.5. img-src6.1.6. manifest-src6.1.7. media-src6.1.8. object-src6.1.11.2. + Does url match source list? 6.1.12.1. + Does element match source list? : sets of tokens which identify content that can be fetched and potentially embedded - or executed. These tokens represent one of the following types of source - expression:

        + or executed. These tokens represent one of the following types of source + expression#source-expressionReferenced in:2.2.1. Source Lists4.3.1. + EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) 6.1.11.3. + Does url match expression in origin with redirect count? 6.1.12.1. + Does element match source list? :

        1. -

          Keywords such as 'none' and 'self' (which match nothing and the current +

          Keywords such as 'none' and 'self' (which match nothing and the current URL’s origin, respectively)

        2. Serialized URLs such as https://example.com/path/to/file.js (which matches a specific file) or https://example.com/ (which matches everything on that origin)

          @@ -1726,84 +1894,143 @@

          serialized source list is an ASCII string, consisting of a - space-delimited series of source expressions, adhering to the + space-delimited series of source expressions, adhering to the following ABNF grammar [RFC5234]:

          -
          serialized-source-list = ( source-expression *( RWS source-expression ) ) / "'none'"
          -source-expression      = scheme-source / host-source / keyword-source
          -                         / nonce-source / hash-source
          +
          serialized-source-list#grammardef-serialized-source-listReferenced in:6.1.1. child-src6.1.2. connect-src6.1.3. default-src6.1.4. font-src6.1.5. img-src6.1.6. manifest-src6.1.7. media-src6.1.8. object-src6.1.9. script-src6.1.10. style-src = ( source-expression *( RWS source-expression ) ) / "'none'#grammardef-noneReferenced in:2.2.1. Source Lists"
          +source-expression#grammardef-source-expressionReferenced in:2.2.1. Source Lists (2)      = scheme-source / host-source / keyword-source
          +                         / nonce-source / hash-source
           
           ; Schemes:
          -scheme-source = scheme ":"
          +scheme-source#grammardef-scheme-sourceReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) = scheme ":"
                           ; scheme is defined in section 3.1 of RFC 3986.
           
           ; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
          -host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
          -scheme-part = scheme
          -host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
          -host-char   = ALPHA / DIGIT / "-"
          -port-part   = ":" ( 1*DIGIT / "*" )
          -path-part   = path
          +host-source#grammardef-host-sourceReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) (3) = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
          +scheme-part#grammardef-scheme-partReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) (3) (4) (5) (6) = scheme
          +host-part#grammardef-host-partReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) (3) (4) (5)   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
          +host-char#grammardef-host-charReferenced in:2.2.1. Source Lists (2) (3)   = ALPHA / DIGIT / "-"
          +port-part#grammardef-port-partReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) (3)   = ":" ( 1*DIGIT / "*" )
          +path-part#grammardef-path-partReferenced in:2.2.1. Source Lists6.1.11.3. 
          +    Does url match expression in origin with redirect count?
          +   (2) (3)   = path
                         ; path is defined in section 3.3 of RFC 3986.
              
           ; Keywords:
          -keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'" 
          +keyword-source#grammardef-keyword-sourceReferenced in:2.2.1. Source Lists = "'self'#grammardef-selfReferenced in:2.2.1. Source Lists6.1.3. default-src (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15) (16) (17) (18) (19)" / "'unsafe-inline'#grammardef-unsafe-inlineReferenced in:6. 
          +    Content Security Policy Directives
          +  7.1. Nonce Reuse (2)" / "'unsafe-eval'#grammardef-unsafe-evalReferenced in:4.3.1. 
          +    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm)
          +  " 
           
           ; Nonces: 'nonce-[nonce goes here]'
          -nonce-source  = "'nonce-" base64-value "'"
          -base64-value  = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" ) 
          +nonce-source#grammardef-nonce-sourceReferenced in:2.2.1. Source Lists6.1.9. script-src6.1.10. style-src6.1.12.1. 
          +    Does element match source list?
          +   (2)7.1. Nonce Reuse  = "'nonce-" base64-value "'"
          +base64-value#grammardef-base64-valueReferenced in:2.2.1. Source Lists (2)6.1.12.1. 
          +    Does element match source list?
          +   (2)  = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" )*2( "=" ) 
           
           ; Digests: 'sha256-[digest goes here]'
          -hash-source    = "'" hash-algorithm "-" base64-value "'"
          -hash-algorithm = "sha256" / "sha384" / "sha512"
          +hash-source#grammardef-hash-sourceReferenced in:2.2.1. Source Lists6.1.9. script-src6.1.10. style-src6.1.12.1. 
          +    Does element match source list?
          +   (2)    = "'" hash-algorithm "-" base64-value "'"
          +hash-algorithm#grammardef-hash-algorithmReferenced in:2.2.1. Source Lists6.1.12.1. 
          +    Does element match source list?
          +   (2) (3) = "sha256" / "sha384" / "sha512"
           
          -

          The host-char production intentionally contains only ASCII +

          The host-char production intentionally contains only ASCII characters; internationalized domain names cannot be entered directly as part - of a serialized CSP, but instead MUST be Punycode-encoded [RFC3492]. For example, the domain üüüüüü.de MUST be represented as xn--tdaaaaaa.de.

          + of a serialized CSP, but instead MUST be Punycode-encoded [RFC3492]. For example, the domain üüüüüü.de MUST be represented as xn--tdaaaaaa.de.

          Note: Though IP address do match the grammar above, only 127.0.0.1 will actually match a URL when used in a source expression (see §6.1.11.2 Does url match source list? for details). The security properties of IP addresses are suspect, and authors ought to prefer hostnames whenever possible.

          A URL matches a source list if the algorithm in §6.1.11.2 Does url match source list? returns Matches.

          2.3. Violations

          -

          A violation represents an action or resource which goes against the policies associated with a global object.

          -

          Each violation has a global object, which - is the global object whose policy has been violated.

          -

          Each violation has a url which is its global object’s URL.

          -

          Each violation has a status which is a +

          A violation#violationReferenced in:2.3. Violations (2) (3) (4) (5) (6) (7) (8) (9) (10)2.3.1. + Create a violation object for global, policy, and directive (2)2.3.2. + Create a violation object for request, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation 6.2. + Reporting Directives represents an action or resource which goes against the policies associated with a global object.

          +

          Each violation has a global object#violation-global-objectReferenced in:2.3. Violations2.3.1. + Create a violation object for global, policy, and directive (2)5.3. + Report a violation (2) (3) (4), which + is the global object whose policy has been violated.

          +

          Each violation has a url#violation-urlReferenced in:5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation (2) which is its global object’s URL.

          +

          Each violation has a status#violation-statusReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation which is a non-negative integer representing the HTTP status code of the resource for which the global object was instantiated.

          -

          Each violation has a resource, which is +

          Each violation has a resource#violation-resourceReferenced in:2.3.1. + Create a violation object for global, policy, and directive 2.3.2. + Create a violation object for request, policy, and directive 4.2.3. + Should element’s inline type behavior be blocked by Content Security Policy? 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation , which is either null, "inline", "eval", or a URL. It represents the resource which violated the policy.

          -

          Each violation has a referrer, which is either null, or a URL. It represents the referrer of the resource whose policy +

          Each violation has a referrer#violation-referrerReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation , which is either null, or a URL. It represents the referrer of the resource whose policy was violated.

          -

          Each violation has a policy, which is the policy that has been violated.

          -

          Each violation has an effective directive which is a non-empty string representing the directive whose +

          Each violation has a policy#violation-policyReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation (2) (3) (4) (5), which is the policy that has been violated.

          +

          Each violation has an effective directive#violation-effective-directiveReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation (2)5.3. + Report a violation (2) which is a non-empty string representing the directive whose enforcement caused the violation.

          -

          Each violation has a source file, which is +

          Each violation has a source file#violation-source-fileReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation (2)5.3. + Report a violation , which is either null or a URL.

          -

          Each violation has a line number, which is +

          Each violation has a line number#violation-line-numberReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation , which is a non-negative integer.

          -

          Each violation has a column number, which +

          Each violation has a column number#violation-column-numberReferenced in:2.3.1. + Create a violation object for global, policy, and directive 5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation , which is a non-negative integer.

          2.3.1. Create a violation object for global, policy, and directive

          -

          Given a global object (global), a policy (policy), and a - string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:

          +

          Given a global object (global), a policy (policy), and a + string (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:

          1. -

            Let violation be a new violation whose global - object is global, policy is policy, effective directive is directive, and resource is null.

            +

            Let violation be a new violation whose global + object is global, policy is policy, effective directive is directive, and resource is null.

          2. If the user agent is currently executing script, and can extract a source - file’s URL, line number, and column number from the global, set violation’s source file, line - number, and column number accordingly.

            -

            Is this kind of thing specified anywhere? I didn’t see anything - that looked useful in [ES2015].

            + file’s URL, line number, and column number from the global, set violation’s source file, line + number, and column number accordingly.

            +

            Is this kind of thing specified anywhere? I didn’t see anything + that looked useful in [ECMA262].

          3. -

            If global is a Window object, set violation’s referrer to global’s document's referrer.

            +

            If global is a Window object, set violation’s referrer to global’s document's referrer.

          4. -

            Set violation’s status to the HTTP status code - for the resource associated with violation’s global +

            Set violation’s status to the HTTP status code + for the resource associated with violation’s global object.

            How, exactly, do we get the status code? We don’t actually store it anywhere.

            @@ -1811,14 +2038,14 @@

            2.3.2. Create a violation object for request, policy, and directive

            -

            Given a request (request), a policy (policy), and a string - (directive), the following algorithm creates a new violation object, +

            Given a request (request), a policy (policy), and a string + (directive), the following algorithm creates a new violation object, and populates it with an initial set of data:

            1. Let violation be the result of executing §2.3.1 Create a violation object for global, policy, and directive on request’s client’s global object, policy, and directive.

            2. -

              Set violation’s resource to request’s url.

              +

              Set violation’s resource to request’s url.

              Note: We use request’s url, and not its current url, as the latter might contain information about redirect targets to which the page MUST NOT be given access.

            3. @@ -1827,19 +2054,20 @@

              3. Policy Delivery

              -

              A server MAY declare a policy for a particular resource - representation via an HTTP response header field whose value is a serialized CSP. This mechanism is defined in detail in §3.1 The Content-Security-Policy HTTP Response Header Field and §3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field, and the integration with Fetch +

              A server MAY declare a policy for a particular resource + representation via an HTTP response header field whose value is a serialized CSP. This mechanism is defined in detail in §3.1 The Content-Security-Policy HTTP Response Header Field and §3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field, and the integration with Fetch and HTML is described in §4.1 Integration with Fetch and §4.2 Integration with HTML.

              -

              A policy may also be declared inline in an HTML document via a meta element’s http-equiv attribute, as described in §3.3 The <meta> element.

              +

              A policy may also be declared inline in an HTML document via a meta element’s http-equiv attribute, as described in §3.3 The <meta> element.

              3.1. The Content-Security-Policy HTTP Response Header Field

              -

              The Content-Security-Policy HTTP response header field +

              The Content-Security-Policy#content-security-policyReferenced in:3.1. + The Content-Security-Policy HTTP Response Header Field 6.1.3. default-src (2) (3) (4)6.2.1. report-uri HTTP response header field is the preferred mechanism for delivering a policy from a server to a client. The header’s value is represented by the following ABNF [RFC5234]:

              -
              Content-Security-Policy = 1#serialized-policy
              +
              Content-Security-Policy = 1#serialized-policy
               
              -
              Content-Security-Policy: script-src 'self';
              +
              Content-Security-Policy: script-src 'self';
                                        report-to csp-reporting-endpoint
               
              @@ -1849,13 +2077,15 @@

              Content-Security-Policy" with a given resource representation.

              When the user agent receives a Content-Security-Policy header field, it - MUST parse and enforce each serialized CSP it contains as described in §4.1 Integration with Fetch, §4.2 Integration with HTML.

              + MUST parse and enforce each serialized CSP it contains as described in §4.1 Integration with Fetch, §4.2 Integration with HTML.

              3.2. The Content-Security-Policy-Report-Only HTTP Response Header Field

              -

              The Content-Security-Policy-Report-Only HTTP response +

              The Content-Security-Policy-Report-Only#content-security-policy-report-onlyReferenced in:3.2. + The Content-Security-Policy-Report-Only HTTP Response Header Field (2)3.3. + The <meta> element HTTP response header field allows web developers to experiment with policies by monitoring (but not enforcing) their effects. The header’s value is represented by the following ABNF [RFC5234]:

              -
              Content-Security-Policy-Report-Only = 1#serialized-policy
              +
              Content-Security-Policy-Report-Only = 1#serialized-policy
               

              This header field allows developers to piece together their security policy in an iterative fashion, deploying a report-only policy based on their best @@ -1863,7 +2093,7 @@

              -
              Content-Security-Policy-Report-Only: script-src 'self';
              +
              Content-Security-Policy-Report-Only: script-src 'self';
                                                    report-to csp-reporting-endpoint
               
              @@ -1873,11 +2103,11 @@

              Content-Security-Policy-Report-Only" with a given resource representation.

              When the user agent receives a Content-Security-Policy-Report-Only header - field, it MUST parse and monitor each serialized CSP it contains as described in §4.1 Integration with Fetch and §4.2 Integration with HTML.

              -

              Note: The Content-Security-Policy-Report-Only header is not supported inside a meta element.

              + field, it MUST parse and monitor each serialized CSP it contains as described in §4.1 Integration with Fetch and §4.2 Integration with HTML.

              +

              Note: The Content-Security-Policy-Report-Only header is not supported inside a meta element.

              3.3. The <meta> element

              A Document may deliver a policy via one or more HTML meta elements - whose http-equiv attributes are an ASCII case-insensitive + whose http-equiv attributes are an ASCII case-insensitive match for the string "Content-Security-Policy". For example:

              @@ -1885,7 +2115,7 @@

              Content-Security-Policy http-equiv processing instructions [HTML].

              -

              Note: The Content-Security-Policy-Report-Only header is not supported inside a meta element. Neither are the report-uri, frame-ancestors, and sandbox directives.

              +

              Note: The Content-Security-Policy-Report-Only header is not supported inside a meta element. Neither are the report-uri, frame-ancestors, and sandbox directives.

              Why sandbox? Can we loosen that?

              Authors are strongly encouraged to place meta elements as early in the document as possible, because policies in meta elements are not @@ -1896,7 +2126,7 @@

              §8.1 The effect of multiple policies.

              -

              Note: Modifications to the content attribute of a meta element +

              Note: Modifications to the content attribute of a meta element after the element has been parsed will be ignored.

              @@ -1908,7 +2138,7 @@

              4.1. Integration with Fetch

              -

              A number of directives control resource loading in one way or +

              A number of directives control resource loading in one way or another. This specification provides algorithms which allow Fetch to make decisions about whether or not a particular request should be blocked or allowed, and about whether a particular response should be replaced @@ -1922,8 +2152,8 @@

              is called as part of step #13 of its Main Fetch algorithm.

            -

            A policy is generally enforced upon a global object, but the - user agent needs to parse any policy +

            A policy is generally enforced upon a global object, but the + user agent needs to parse any policy delivered via an HTTP response header field before any global object is created in order to handle directives that require knowledge of a response’s details. To that end:

            1. @@ -1937,7 +2167,7 @@

            4.1.1. Set response’s CSP list

            -

            Given a response (response), this algorithm evaluates its header list for serialized CSP values, and +

            Given a response (response), this algorithm evaluates its header list for serialized CSP values, and populates its CSP list accordingly:

            1. @@ -1960,12 +2190,12 @@

              client’s "report only" policies.

              1. -

                Let CSP list be request’s client’s global object’s CSP list.

                +

                Let CSP list be request’s client’s global object’s CSP list.

              2. For each policy in CSP list:

                1. -

                  If policy’s disposition is "enforce", +

                  If policy’s disposition is "enforce", then skip to the next policy.

                2. Let violates be the result of executing §6.1.11.1 Does request violate policy? on request and policy.

                  @@ -1977,14 +2207,14 @@

                  request (request), this algorithm returns Blocked or Allowed and reports violations based on request’s client’s Content Security Policy.

                  1. -

                    Let CSP list be request’s client’s global object’s CSP list.

                    +

                    Let CSP list be request’s client’s global object’s CSP list.

                  2. Let result be "Allowed".

                  3. For each policy in CSP list:

                    1. -

                      If policy’s disposition is "report", +

                      If policy’s disposition is "report", then skip to the next policy.

                    2. Let violates be the result of executing §6.1.11.1 Does request violate policy? on request and policy.

                      @@ -2006,7 +2236,7 @@

                      response (response) and a request (request), this algorithm returns Blocked or Allowed, and reports violations based on request’s client’s Content Security Policy.

                      1. -

                        Let CSP list be request’s client’s global object’s CSP list.

                        +

                        Let CSP list be request’s client’s global object’s CSP list.

                      2. Let result be "Allowed".

                      3. @@ -2016,12 +2246,12 @@

                        -

                        If the result of executing directive’s post-request check is "Blocked", then:

                        +

                        If the result of executing directive’s post-request check is "Blocked", then:

                        1. Execute §5.3 Report a violation on the result of executing §2.3.2 Create a violation object for request, policy, and directive on request, policy, and directive.

                        2. -

                          If policy’s disposition is "enforce", +

                          If policy’s disposition is "enforce", then set result to "Blocked".

                      @@ -2036,13 +2266,13 @@

                      -

                      If the result of executing directive’s response check on request, response, +

                      If the result of executing directive’s response check on request, response, and policy is "Blocked", then:

                      1. Execute §5.3 Report a violation on the result of executing §2.3.2 Create a violation object for request, policy, and directive on request, policy, and directive.

                      2. -

                        If policy’s disposition is "enforce", +

                        If policy’s disposition is "enforce", then set result to "Blocked".

                    @@ -2055,16 +2285,27 @@

                    4.2. Integration with HTML

                    1. -

                      The Document and WorkerGlobalScope objects have a CSP list, - which holds all the policy objects which are active for a given +

                      The Document and WorkerGlobalScope objects have a CSP list#global-object-csp-listReferenced in:4.1.2. + Report Content Security Policy violations for request 4.1.3. + Should request be blocked by Content Security Policy? 4.1.4. + Should response to request be blocked by Content + Security Policy? 4.2. + Integration with HTML 4.2.2. + Initialize a global object’s CSP list (2) (3) (4)4.2.3. + Should element’s inline type behavior be blocked by Content Security Policy? 4.3. Integration with ECMAScript4.3.1. + EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) , + which holds all the policy objects which are active for a given context. This list is empty unless otherwise specified, and is populated via the §4.2.2 Initialize a global object’s CSP list algorithm.

                    2. -

                      A policy is enforced or monitored for an global object by inserting it into the global object’s CSP list.

                      +

                      A policy is enforced#enforcedReferenced in:3.1. + The Content-Security-Policy HTTP Response Header Field 4.2. + Integration with HTML or monitored#monitoredReferenced in:3.2. + The Content-Security-Policy-Report-Only HTTP Response Header Field for an global object by inserting it into the global object’s CSP list.

                    3. §4.2.2 Initialize a global object’s CSP list is called during the initialising a new Document object and run a worker algorithms in order to - bind a set of policy objects associated with a response to a + bind a set of policy objects associated with a response to a newly created global object.

                      The algorithm is named "creating a new Document object" in W3C’s HTML, and isn’t well-integrated with Fetch.

                      @@ -2086,11 +2327,13 @@

                      This hook is in-flight for WHATWG’s HTML. <https://github.com/WHATWG/html/issues/384>

                    4. -

                      Policies are enforced during processing of the meta element’s http-equiv.

                      +

                      Policies are enforced during processing of the meta element’s http-equiv.

                      This processing was added to WHATWG’s HTML in whatwg/html@5064a62. It has not yet been added to W3C’s HTML.

                    5. -

                      A Document's embedding document is the Document through which the Document's browsing context is nested.

                      +

                      A Document's embedding document#embedding-documentReferenced in:4.2.1. + Initialize a Document's CSP list (2)4.2.2. + Initialize a global object’s CSP list is the Document through which the Document's browsing context is nested.

                    4.2.1. Initialize a Document's CSP list

                    Given a Document (document), and a response (response), the @@ -2102,7 +2345,7 @@

                    Let documents be an empty list.

                  4. -

                    If document has an embedding document (embedding), then add embedding to documents.

                    +

                    If document has an embedding document (embedding), then add embedding to documents.

                  5. If document has an opener browsing context, then add its active document to documents.

                  6. @@ -2117,8 +2360,8 @@

                    Note: local scheme includes about:, and this algorithm will - therefore alias the embedding document’s policies for an iframe srcdoc Document.

                    -

                    Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it + therefore alias the embedding document’s policies for an iframe srcdoc Document.

                    +

                    Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it controls (blob: resources, or document.write()).

                  7. For each policy in response’s CSP list, insert policy into document’s CSP list.

                    @@ -2129,13 +2372,13 @@

                    -

                    Execute directive’s initialization algorithm on document and response.

                    +

                    Execute directive’s initialization algorithm on document and response.

              4.2.2. Initialize a global object’s CSP list

              Given a global object (global), and a response (response), the user agent performs the following steps in order - to initialize global’s CSP list:

              + to initialize global’s CSP list:

              1. If response’s url’s scheme is a local scheme:

                @@ -2149,17 +2392,17 @@

                For each policy in document’s global - object’s CSP list:

                + object’s CSP list:

                1. -

                  Insert an alias to policy in global’s CSP list.

                  +

                  Insert an alias to policy in global’s CSP list.

            Note: local scheme includes about:, and this algorithm will - therefore alias the embedding document’s policies for an iframe srcdoc Document.

            + therefore alias the embedding document’s policies for an iframe srcdoc Document.

          5. -

            For each policy in response’s CSP list, insert policy into global’s CSP list.

            +

            For each policy in response’s CSP list, insert policy into global’s CSP list.

          4.2.3. Should element’s inline type behavior be blocked by Content Security Policy?

          Given an Element (element), and a string (type) this algorithm returns @@ -2170,13 +2413,13 @@

          Let result be "Allowed".

        3. -

          For each policy in element’s Document's global object’s CSP list:

          +

          For each policy in element’s Document's global object’s CSP list:

          1. For each directive in policy:

            1. -

              If directive’s inline check returns +

              If directive’s inline check returns "Allowed" when executed upon element and type, skip to the next directive.

            2. @@ -2184,39 +2427,92 @@

              style-src" if type is "style" or "style-attribute", or "script-src" otherwise.

            3. -

              Set violation’s resource to "inline".

              +

              Set violation’s resource to "inline".

            4. Execute §5.3 Report a violation on violation.

            5. -

              If policy’s disposition is "enforce", then +

              If policy’s disposition is "enforce", then set result to "Blocked".

        4. Return result.

        +

        4.3. Integration with ECMAScript

        +

        ECMAScript defines a HostEnsureCanCompileStrings() operation which allows + the host environment to block the compilation of strings into ECMAScript code. + This document defines an implementation of that operation which examines the + relevant CSP list to determine whether such + compilation ought to be blocked.

        +

        4.3.1. EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm)

        +

        Given two realms (callerRealm and calleeRealm), this algorithm + returns normally if string compilation is allowed, and throws an "EvalError" + if not:

        +
          +
        1. +

          Let global be callerRealm’s global + object.

          +
        2. +

          For each policy in global’s CSP list:

          +
            +
          1. +

            Let source-list be null.

            +
          2. +

            If policy contains a directive whose name is "script-src", then set source-list to that directive’s value.

            +

            Otherwise if policy contains a directive whose name is "default-src", then set source-list to that directive’s value.

            +
          3. +

            If source-list is non-null, and does not contain a source + expression which is an ASCII case-insensitive match for the + string "'unsafe-eval'", then throw an EvalError exception.

            +
          +
        3. +

          Return normally.

          +

        5. Reporting

        -

        When one or more of a policy’s directives is violated, a violation - report may be generated and sent out to a reporting endpoint associated - with the policy.

        +

        When one or more of a policy’s directives is violated, a violation + report#violation-reportReferenced in:6.2.1. report-uri may be generated and sent out to a reporting endpoint associated + with the policy.

        5.1. Violation DOM Events

        -
        [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
        -interface SecurityPolicyViolationEvent : Event {
        -    readonly    attribute DOMString      documentURI;
        -    readonly    attribute DOMString      referrer;
        -    readonly    attribute DOMString      blockedURI;
        -    readonly    attribute DOMString      violatedDirective;
        -    readonly    attribute DOMString      effectiveDirective;
        -    readonly    attribute DOMString      originalPolicy;
        -    readonly    attribute DOMString      sourceFile;
        -    readonly    attribute unsigned short statusCode;
        -    readonly    attribute long           lineNumber;
        -    readonly    attribute long           columnNumber;
        +
        [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
        +interface SecurityPolicyViolationEvent : Event {
        +    readonly    attribute DOMString      documentURI#dom-securitypolicyviolationevent-documenturiReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute DOMString      referrer#dom-securitypolicyviolationevent-referrerReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute DOMString      blockedURI#dom-securitypolicyviolationevent-blockeduriReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute DOMString      violatedDirective#dom-securitypolicyviolationevent-violateddirectiveReferenced in:5.3. 
        +    Report a violation
        +   (2);
        +    readonly    attribute DOMString      effectiveDirective#dom-securitypolicyviolationevent-effectivedirectiveReferenced in:5.3. 
        +    Report a violation
        +   (2);
        +    readonly    attribute DOMString      originalPolicy#dom-securitypolicyviolationevent-originalpolicyReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute DOMString      sourceFile#dom-securitypolicyviolationevent-sourcefileReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute unsigned short statusCode#dom-securitypolicyviolationevent-statuscodeReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute long           lineNumber#dom-securitypolicyviolationevent-linenumberReferenced in:5.3. 
        +    Report a violation
        +  ;
        +    readonly    attribute long           columnNumber#dom-securitypolicyviolationevent-columnnumberReferenced in:5.3. 
        +    Report a violation
        +  ;
         };
         
        -dictionary SecurityPolicyViolationEventInit : EventInit {
        +dictionary SecurityPolicyViolationEventInit#dictdef-securitypolicyviolationeventinitReferenced in:5.1. 
        +    Violation DOM Events
        +   : EventInit {
             DOMString      documentURI;
             DOMString      referrer;
             DOMString      blockedURI;
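Review bot: step 2.3 of EnsureCSPDoesNotBlockStringCompilation throws an EvalError for any policy whose script-src (or default-src) lacks 'unsafe-eval' without looking at the policy’s disposition, so a Content-Security-Policy-Report-Only policy would block string compilation instead of only monitoring it, and no violation is reported in either case. Mirror the shape of §4.2.3 earlier in this diff: create a violation object, execute §5.3 Report a violation on it, and throw only when policy’s disposition is "enforce". Separately, calleeRealm appears in the signature and heading but is never consulted (step 1 reads only callerRealm’s global object); either use it or add a sentence stating why it is ignored, so readers do not assume the callee realm’s CSP list is checked too.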
        @@ -2230,9 +2526,9 @@ 

        5.2. Obtain the deprecated serialization of violation

        -

        Given a violation (violation), this algorithm returns a JSON text +

        Given a violation (violation), this algorithm returns a JSON text string representation of the violation, suitable for submission to a reporting - endpoint associated with the deprecated report-uri directive.

        + endpoint associated with the deprecated report-uri directive.

        1. Let object be a new JavaScript object with properties initialized as @@ -2241,109 +2537,111 @@

          "document-uri"

          -

          The result of executing the URL serializer on violation’s url, with the exclude fragment flag set.

          +

          The result of executing the URL serializer on violation’s url, with the exclude fragment flag set.

          "referrer"

          -

          The result of executing the URL serializer on violation’s referrer, with the exclude fragment flag set.

          +

          The result of executing the URL serializer on violation’s referrer, with the exclude fragment flag set.

          "blocked-uri"

          -

          The result of executing the URL serializer on violation’s resource, with the exclude fragment flag set.

          +

          The result of executing the URL serializer on violation’s resource, with the exclude fragment flag set.

          "effective-directive"

          -

          violation’s effective directive

          +

          violation’s effective directive

          "violated-directive"

          -

          violation’s effective directive

          +

          violation’s effective directive

          "original-policy"

          -

          The serialization of violation’s policy

          +

          The serialization of violation’s policy

          "status-code"

          -

          violation’s status

          +

          violation’s status

        2. -

          If violation’s source file is not null:

          +

          If violation’s source file is not null:

          1. Set object’s "source-file" property to the result of executing - the URL serializer on violation’s source + the URL serializer on violation’s source file, with the exclude fragment flag set.

          2. -

            Set object’s "line-number" property to violation’s line number.

            +

            Set object’s "line-number" property to violation’s line number.

          3. -

            Set object’s "column-number" property to violation’s column number.

            +

            Set object’s "column-number" property to violation’s column number.

        3. -

          Return the result of executing JSON.stringify() on object.

          +

          Return the result of executing JSON.stringify() on object.

        5.3. Report a violation

        -

        Given a violation (violation), this algorithm reports it to the - endpoint specified in violation’s policy, and - fires a SecurityPolicyViolationEvent at violation’s global object.

        +

        Given a violation (violation), this algorithm reports it to the + endpoint specified in violation’s policy, and + fires a SecurityPolicyViolationEvent#securitypolicyviolationeventReferenced in:5.1. + Violation DOM Events 5.3. + Report a violation at violation’s global object.

        1. -

          Fire a trusted event with the name securitypolicyviolation that uses the SecurityPolicyViolationEvent interface, with its +

          Fire a trusted event with the name securitypolicyviolation that uses the SecurityPolicyViolationEvent interface, with its attributes initialized as follows:

          -

          documentURI

          +

          documentURI

          -

          violation’s url

          +

          violation’s url

          -

          referrer

          +

          referrer

          -

          violation’s referrer

          +

          violation’s referrer

          -

          blockedURI

          +

          blockedURI

          -

          violation’s resource

          +

          violation’s resource

          -

          effectiveDirective

          +

          effectiveDirective

          -

          violation’s effective directive

          +

          violation’s effective directive

          -

          violatedDirective

          +

          violatedDirective

          -

          violation’s effective directive

          +

          violation’s effective directive

          -

          originalPolicy

          +

          originalPolicy

          -

          violation’s policy

          +

          violation’s policy

          -

          sourceFile

          +

          sourceFile

          -

          violation’s source file

          +

          violation’s source file

          -

          statusCode

          +

          statusCode

          -

          violation’s status

          +

          violation’s status

          -

          lineNumber

          +

          lineNumber

          -

          violation’s line number

          +

          violation’s line number

          -

          columnNumber

          +

          columnNumber

          -

          violation’s column number

          +

          violation’s column number

          -

          Note: Both effectiveDirective and violatedDirective are the same value. +

          Note: Both effectiveDirective and violatedDirective are the same value. This is intentional to maintain backwards compatibility.

        2. -

          If violation’s policy’s directive - set contains a directive named "report-uri" +

          If violation’s policy’s directive + set contains a directive named "report-uri" (directive):

          1. -

            If violation’s policy’s directive set contains a directive named - "report-to", skip the remaining substeps.

            +

            If violation’s policy’s directive set contains a directive named + "report-to", skip the remaining substeps.

          2. -

            Let endpoint be the result of executing the URL parser on directive’s value.

            +

            Let endpoint be the result of executing the URL parser on directive’s value.

          3. If endpoint is not a valid URL, skip the remaining substeps.

          4. @@ -2356,11 +2654,11 @@

            url

            -

            violation’s url

            +

            violation’s url

            origin

            -

            violation’s global object’s origin

            +

            violation’s global object’s origin

            window

            @@ -2368,7 +2666,7 @@

            client

            -

            violation’s global object’s relevant +

            violation’s global object’s relevant settings object

            destination

            @@ -2414,14 +2712,14 @@

            -

            If violation’s policy’s directive - set contains a directive named "report-to" +

            If violation’s policy’s directive + set contains a directive named "report-to" (directive):

            1. -

              Let group be directive’s value.

              +

              Let group be directive’s value.

            2. -

              Let settings object be violation’s global +

              Let settings object be violation’s global object’s relevant settings object.

            3. Execute [OOB-REPORTING]'s Queue data as type for endpoint group on settings algorithm with the @@ -2449,7 +2747,7 @@

              6. Content Security Policy Directives

              -

              This specification defines a number of types of directives which allow +

              This specification defines a number of types of directives which allow developers to control certain aspects of their sites' behavior. This document defines directives which govern resource fetching (in §6.1 Fetch Directives) and directives which govern reporting (in §6.2 Reporting Directives). These @@ -2461,24 +2759,25 @@

              -

              Both the script-src and object-src directives, or

              +

              Both the script-src and object-src directives, or

            4. -

              a default-src directive

              +

              a default-src directive

              -

              In either case, developers SHOULD NOT include either 'unsafe-inline', or data: as valid +

              In either case, developers SHOULD NOT include either 'unsafe-inline', or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.

              6.1. Fetch Directives

              -

              Fetch directives control the locations from which certain resource - types may be loaded. For instance, script-src allows developers to - whitelist trusted sources of script to execute on a page, while font-src controls the sources of web fonts.

              +

              Fetch directives#fetch-directivesReferenced in:6.1.3. default-src (2)6.1.11.4. + Get the effective directive for request control the locations from which certain resource + types may be loaded. For instance, script-src allows developers to + whitelist trusted sources of script to execute on a page, while font-src controls the sources of web fonts.

              6.1.1. child-src

              -

              The child-src directive governs the creation of nested browsing +

              The child-src#child-srcReferenced in:6.1.1. child-src6.1.3. default-src (2) directive governs the creation of nested browsing contexts (e.g. iframe and frame navigations) and Worker execution contexts. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "child-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               

              This directive controls requests which will populate a frame or a worker. More formally, requests falling into one of the @@ -2494,10 +2793,10 @@

              Given a page with the following Content Security Policy: -
              Content-Security-Policy: child-src https://example.com/
              +
              Content-Security-Policy: child-src https://example.com/
               

              Fetches for the following code will all return network errors, as the URLs - provided do not match child-src's source list:

              + provided do not match child-src's source list:

              <iframe src="https://not-example.com"></iframe>
               <script>
                 var blockedWorker = new Worker("data:application/javascript,...");
              @@ -2505,20 +2804,20 @@ 

              6.1.1.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              +

              This directive’s pre-request check is as follows:

              Given a request (request):

              TODO.

              -

              This directive’s post-request check is as follows:

              +

              This directive’s post-request check is as follows:

              TODO.

              6.1.2. connect-src

              -

              The connect-src directive restricts the URLs which can be loaded +

              The connect-src#connect-srcReferenced in:6.1.2. connect-src6.1.3. default-src (2) directive restricts the URLs which can be loaded using script interfaces. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "connect-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               

              This directive controls requests which transmit or receive data from - other origins. This includes APIs like fetch(), [XHR], [EVENTSOURCE], [BEACON], and a's ping. This directive also controls + other origins. This includes APIs like fetch(), [XHR], [EVENTSOURCE], [BEACON], and a's ping. This directive also controls WebSocket [WEBSOCKETS] connections, though those aren’t technically part of Fetch.

              @@ -2532,10 +2831,10 @@

              https://example.com, send the following header:

              -
              Content-Security-Policy: connect-src https://example.com/
              +
              Content-Security-Policy: connect-src https://example.com/
               

              Fetches for the following code will all return network errors, as the URLs - provided do not match connect-src's source list:

              + provided do not match connect-src's source list:

              <a ping="https://not-example.com">...
               <script>
                 var xhr = new XMLHttpRequest();
              @@ -2551,79 +2850,80 @@ 

              6.1.2.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s initiator is "fetch", or its type is "" and destination is "subresource":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s initiator is "fetch", or its type is "" and destination is "subresource":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.3. default-src

              -

              The default-src directive serves as a fallback for the other fetch directives. The syntax for the directive’s name and value is described by +

              The default-src#default-srcReferenced in:6. + Content Security Policy Directives 6.1.3. default-src (2) (3) directive serves as a fallback for the other fetch directives. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "default-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               
              -

              If a default-src directive is present in a policy, its value will be - used as the policy’s default source list. That is, given default-src 'none'; script-src 'self', script requests will use 'self' as the source +

              If a default-src directive is present in a policy, its value will be + used as the policy’s default source list. That is, given default-src 'none'; script-src 'self', script requests will use 'self' as the source list to match against. Other requests will use 'none'. This is spelled out in more detail in the §4.1.3 Should request be blocked by Content Security Policy? and §4.1.4 Should response to request be blocked by Content Security Policy? algorithms.

              The following header: -
              Content-Security-Policy: default-src 'self'
              +
              Content-Security-Policy: default-src 'self'
               

              will have the same behavior as the following header:

              -
              Content-Security-Policy: child-src 'self';
              -                         connect-src 'self';
              -                         font-src 'self';
              -                         img-src 'self';
              -                         manifest-src 'self';
              -                         media-src 'self';
              -                         object-src 'self';
              -                         script-src 'self';
              -                         style-src 'self'
              +
              Content-Security-Policy: child-src 'self';
              +                         connect-src 'self';
              +                         font-src 'self';
              +                         img-src 'self';
              +                         manifest-src 'self';
              +                         media-src 'self';
              +                         object-src 'self';
              +                         script-src 'self';
              +                         style-src 'self'
               
              -

              That is, when default-src is set, every fetch directive that isn’t +

              That is, when default-src is set, every fetch directive that isn’t explicitly set will fall back to the value default-src specifies.

              There is no inheritance. If a script-src directive is explicitly specified, for example, then the value of default-src has no influence on script requests. That is, the following header: -
              Content-Security-Policy: default-src 'self'; script-src https://example.com
              +
              Content-Security-Policy: default-src 'self'; script-src https://example.com
               

              will have the same behavior as the following header:

              -
              Content-Security-Policy: child-src 'self';
              -                         connect-src 'self';
              -                         font-src 'self';
              -                         img-src 'self';
              -                         manifest-src 'self';
              -                         media-src 'self';
              -                         object-src 'self';
              -                         script-src https://example.com;
              -                         style-src 'self'
              +
              Content-Security-Policy: child-src 'self';
              +                         connect-src 'self';
              +                         font-src 'self';
              +                         img-src 'self';
              +                         manifest-src 'self';
              +                         media-src 'self';
              +                         object-src 'self';
              +                         script-src https://example.com;
              +                         style-src 'self'
               

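Review bot: the connect-src pre-request check only fires when request's initiator is "fetch", or its type is "" and destination is "subresource", yet the description says the directive also controls WebSocket connections "though those aren't technically part of Fetch". As written, nothing in the algorithm routes a WebSocket connection to this check; either add a step for it or state where WebSocket URLs are matched against connect-src. The remainder of the hunk (the default-src description and the two expanded example headers) is identical in the - and + lines apart from markup.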
              Given this behavior, one good way to build a policy for a site would be to begin with a default-src of 'none', and to build up a policy from there @@ -2631,47 +2931,48 @@

              6.1.3.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. Let name be the result of executing §6.1.11.4 Get the effective directive for request on request.

              2. If name is null, return "Allowed".

              3. -

                If policy contains a directive whose name is name, return "Allowed".

                +

                If policy contains a directive whose name is name, return "Allowed".

              4. -

                If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

                +

                If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              5. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. Let name be the result of executing §6.1.11.4 Get the effective directive for request on request.

              2. If name is null, return "Allowed".

              3. -

                If policy contains a directive whose name is name, return "Allowed".

                +

                If policy contains a directive whose name is name, return "Allowed".

              4. -

                If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

                +

                If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              5. Return "Allowed".

              6.1.4. font-src

              -

              The font-src directive restricts the URLs from which font resources +

              The font-src#font-srcReferenced in:6.1. + Fetch Directives 6.1.3. default-src (2)6.1.4. font-src directive restricts the URLs from which font resources may be loaded. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "font-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               
              Given a page with the following Content Security Policy: -
              Content-Security-Policy: font-src https://example.com/
              +
              Content-Security-Policy: font-src https://example.com/
               

              Fetches for the following code will return a network errors, as the URL - provided do not match font-src's source list:

              + provided do not match font-src's source list:

              <style>
                 @font-face {
                   font-family: "Example Font";
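Review bot: "Fetches for the following code will return a network errors, as the URL provided do not match font-src's source list" carries the grammar defect over into the + line; since this HTML is generated, fix it in the source it is generated from, as "will return a network error, as the URL provided does not match". The default-src algorithms earlier in the hunk read correctly: step 3 returns "Allowed" whenever policy already contains a directive with the effective name, which is exactly the "no inheritance" rule the prose states.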
              @@ -2684,133 +2985,133 @@ 

              6.1.4.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "font":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "font":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.5. img-src

              -

              The img-src directive restricts the URLs from which image resources +

              The img-src#img-srcReferenced in:6.1.3. default-src (2)6.1.5. img-src directive restricts the URLs from which image resources may be loaded. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "img-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               

              This directive controls requests which load images. More formally, this includes requests whose type is "image" [FETCH].

              Given a page with the following Content Security Policy: -
              Content-Security-Policy: img-src https://example.com/
              +
              Content-Security-Policy: img-src https://example.com/
               

              Fetches for the following code will return a network errors, as the URL - provided do not match img-src's source list:

              + provided do not match img-src's source list:

              <img src="https://not-example.com/img">
               
              6.1.5.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "image":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "image":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.6. manifest-src

              -

              The manifest-src directive restricts the URLs from which application +

              The manifest-src#manifest-srcReferenced in:6.1.3. default-src (2)6.1.6. manifest-src directive restricts the URLs from which application manifests may be loaded [APPMANIFEST]. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "manifest-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               
              Given a page with the following Content Security Policy: -
              Content-Security-Policy: manifest-src https://example.com/
              +
              Content-Security-Policy: manifest-src https://example.com/
               

              Fetches for the following code will return a network errors, as the URL - provided do not match manifest-src's source list:

              + provided do not match manifest-src's source list:

              <link rel="manifest" href="https://not-example.com/manifest">
               
              6.1.6.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "", and its initiator is "manifest":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "", and its initiator is "manifest":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.7. media-src

              -

              The media-src directive restricts the URLs from which video, audio, +

              The media-src#media-srcReferenced in:6.1.3. default-src (2)6.1.7. media-src directive restricts the URLs from which video, audio, and associated text track resources may be loaded. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "media-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               
              Given a page with the following Content Security Policy: -
              Content-Security-Policy: media-src https://example.com/
              +
              Content-Security-Policy: media-src https://example.com/
               

              Fetches for the following code will return a network errors, as the URL - provided do not match media-src's source list:

              + provided do not match media-src's source list:

              <audio src="https://not-example.com/audio"></audio>
               <video src="https://not-example.com/video">
                   <track kind="subtitles" src="https://not-example.com/subtitles">
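Review bot: the same broken sentence recurs three times in this hunk ("will return a network errors, as the URL provided do not match img-src's / manifest-src's / media-src's source list"); fix all three in the source together with the font-src instance. Also worth a check: manifest-src's trigger is 'type is "", and its initiator is "manifest"' while img-src, font-src and media-src key on request's type alone; if manifest requests genuinely carry no type, a one-line note saying so would stop readers from reporting the difference as an inconsistency.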
              @@ -2818,53 +3119,54 @@ 

              6.1.7.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is one of "audio", "video", or "track":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is one of "audio", "video", or "track":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.8. object-src

              -

              The object-src directive restricts the URLs from which plugin +

              The object-src#object-srcReferenced in:6. + Content Security Policy Directives 6.1.3. default-src (2)6.1.8. object-src directive restricts the URLs from which plugin content may be loaded. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "object-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               
              Given a page with the following Content Security Policy: -
              Content-Security-Policy: object-src https://example.com/
              +
              Content-Security-Policy: object-src https://example.com/
               

              Fetches for the following code will return a network errors, as the URL - provided do not match object-src's source list:

              + provided do not match object-src's source list:

              <embed src="https://not-example.com/flash"></embed>
               <object data="https://not-example.com/flash"></object>
               <applet archive="https://not-example.com/flash"></applet>
               
              -

              If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based +

              If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed.

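Review bot: in the object-src example, `<embed src="https://not-example.com/flash"></embed>` puts an end tag on embed, which is a void element; drop the `</embed>`. The paragraph that follows says plugin content loaded without an associated URL MUST be blocked when object-src's value is 'none' but is otherwise allowed, yet the pre-/post-request checks below only run on requests that have a url; it would help to state where that URL-less case is enforced.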
              Note: The object-src directive acts upon any request made on behalf of an object, embed, or applet element. This includes requests @@ -2874,38 +3176,40 @@

              object element with a text/html MIME type.

              6.1.8.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "", and its destination is "unknown":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "", and its destination is "unknown":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              6.1.9. script-src

              -

              The script-src directive restricts the locations from which scripts +

              The script-src#script-srcReferenced in:6. + Content Security Policy Directives 6.1. + Fetch Directives 6.1.3. default-src (2) (3) directive restricts the locations from which scripts may be executed. This includes not only URLs loaded directly into script elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "script-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               

              The script-src directive governs four things:

                @@ -2918,16 +3222,16 @@

                Inline script blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. Their behavior will be blocked unless every policy allows inline script, either implicitly by not specifying a script-src (or default-src) directive, - or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches + or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches the inline block.

              1. The following JavaScript execution sinks are gated on the "unsafe-eval" source expression:

                • -

                  eval()

                  +

                  eval()

                • -

                  Function()

                  +

                  Function()

                • setTimeout() with an initial argument which is not callable.

                • @@ -2936,53 +3240,53 @@

                  Note: If a user agent implements non-standard sinks like setImmediate() or execScript(), they SHOULD also be gated on "unsafe-eval".

              6.1.9.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "script", and its destination is "subresource":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "script", and its destination is "subresource":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s inline check algorithm is as follows:

              +

              This directive’s inline check algorithm is as follows:

              Given an Element (element) and a string (type):

              1. If type is "script" or "script attribute":

                1. -

                  If the result of executing §6.1.12.1 Does element match source list? on element, this directive’s value, and type is "Does Not Match", return "Blocked".

                  +

                  If the result of executing §6.1.12.1 Does element match source list? on element, this directive’s value, and type is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s initialization algorithm is as follows:

              +

              This directive’s initialization algorithm is as follows:

              Do something interesting to the execution context in order to lock down eval(), et al. I don’t think ECMA gives us any hooks here, so let’s work with them to put something reasonable together.

              6.1.10. style-src

              -

              The style-src directive restricts the locations from which style +

              The style-src#style-srcReferenced in:6.1.3. default-src (2) directive restricts the locations from which style may be applied to a Document. The syntax for the directive’s name and value is described by the following ABNF:

              directive-name  = "style-src"
              -directive-value = serialized-source-list
              +directive-value = serialized-source-list
               

              The style-src directive governs several things:

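Review bot: the script-src initialization algorithm at the end of this hunk is still the placeholder "Do something interesting to the execution context in order to lock down eval(), et al. I don't think ECMA gives us any hooks here...". If this patch wires CSP into the ECMAScript string-compilation hook, that note is now stale and should either point at the new hook or be removed; left as is, it contradicts the 'unsafe-eval' gating of eval() and Function() listed just above.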
                @@ -3005,7 +3309,7 @@

                Inline style blocks MUST pass through §4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?. The styles will be blocked unless every policy allows inline style, either implicitly by not specifying a script-src (or default-src) directive, - or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches + or explicitly, by whitelisting "unsafe-inline", a nonce-source or a hash-source that matches the inline block.

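Review bot: the inline-style paragraph says inline style blocks are allowed "implicitly by not specifying a script-src (or default-src) directive"; for style-src this should read style-src, not script-src. The defect is present in both the - and + lines, so it is pre-existing, but this hunk touches the sentence anyway and is the natural place to fix it.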
              1. The following CSS algorithms are gated on the unsafe-eval source @@ -3024,52 +3328,52 @@

                This needs to be better explained.

              6.1.10.1. Algorithms
              -

              This directive’s pre-request check is as follows:

              -

              Given a request (request) and a policy (policy):

              +

              This directive’s pre-request check is as follows:

              +

              Given a request (request) and a policy (policy):

              1. If request’s type is "style":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on request’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s post-request check is as follows:

              -

              Given a request (request), a response (response), and a policy (policy):

              +

              This directive’s post-request check is as follows:

              +

              Given a request (request), a response (response), and a policy (policy):

              1. If request’s type is "style":

                1. -

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", +

                  If the result of executing §6.1.11.2 Does url match source list? on response’s url and this directive’s value is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s inline check algorithm is as follows:

              +

              This directive’s inline check algorithm is as follows:

              Given an Element (element) and a string (type):

              1. If type is "style" or "style attribute":

                1. -

                  If the result of executing §6.1.12.1 Does element match source list? on element, this directive’s value, and type is "Does Not Match", return "Blocked".

                  +

                  If the result of executing §6.1.12.1 Does element match source list? on element, this directive’s value, and type is "Does Not Match", return "Blocked".

              2. Return "Allowed".

              -

              This directive’s initialization algorithm is as follows:

              +

              This directive’s initialization algorithm is as follows:

              Do something interesting to the execution context in order to lock down interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so let’s work with them to put something reasonable together.

              6.1.11. URL Matching Algorithms

              6.1.11.1. Does request violate policy?
              -

              Given a request (request) and a policy (policy), this - algorithm returns the violated directive if the request violates the +

              Given a request (request) and a policy (policy), this + algorithm returns the violated directive if the request violates the policy, and "Does Not Violate" otherwise.

              1. @@ -3078,7 +3382,7 @@
                For each directive in policy:

                1. -

                  Let result be the result of executing directive’s pre-request check on request and policy.

                  +

                  Let result be the result of executing directive’s pre-request check on request and policy.

                2. If result is "Blocked", then let violates be directive.

                @@ -3086,7 +3390,7 @@
                Return violates.

              6.1.11.2. Does url match source list?
              -

              Given a URL (url), and a source list (source list), this +

              Given a URL (url), and a source list (source list), this algorithm returns "Matches" if the URL matches one or more source expressions in source list, or "Does Not Match" otherwise:

                @@ -3106,7 +3410,7 @@
                Return "Does Not Match".

              6.1.11.3. Does url match expression in origin with redirect count?
              -

              Given a URL (url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm +

              Given a URL (url), a source expression (expression), an origin (origin), and a number (redirect count), this algorithm returns "Matches" if url matches expression, and "Does Not Match" otherwise.

              Note: origin is the origin of the resource relative to which the expression should be resolved. "'self'", for instance, will have distinct @@ -3115,34 +3419,34 @@

              If expression is the string "*", and url’s scheme is not a local scheme, return "Matches".

            5. -

              If expression matches the scheme-source or host-source grammar:

              +

              If expression matches the scheme-source or host-source grammar:

              1. -

                If expression has a scheme-part that is not an ASCII case-insensitive match for url’s scheme, then +

                If expression has a scheme-part that is not an ASCII case-insensitive match for url’s scheme, then return "Does Not Match" unless one of the following conditions is met:

                1. -

                  expression’s scheme-part is an ASCII +

                  expression’s scheme-part is an ASCII case-insensitive match for "http" and url’s scheme is "https"

                2. -

                  expression’s scheme-part is an ASCII +

                  expression’s scheme-part is an ASCII case-insensitive match for "ws" and url’s scheme is "wss"

              2. -

                If expression matches the scheme-source grammar, +

                If expression matches the scheme-source grammar, return "Matches".

              Note: This logic effectively means that script-src http: is equivalent to script-src http: https:, and script-src http://example.com/ is equivalent to script-src http://example.com https://example.com. In short, we always allow a secure upgrade from an explicitly insecure expression.

            6. -

              If expression matches the host-source grammar:

              +

              If expression matches the host-source grammar:

              1. If url’s host is null, return "Does Not Match".

              2. -

                If expression does not have a scheme-part, then +

                If expression does not have a scheme-part, then return "Does Not Match" unless one of the following conditions is met:

                  @@ -3153,10 +3457,10 @@

                  origin’s scheme is "https", and url’s scheme is "wss".

                -

                Note: As with scheme-part above, we allow schemeless host-source expressions to be upgraded from insecure +

                Note: As with scheme-part above, we allow schemeless host-source expressions to be upgraded from insecure schemes to secure schemes.

              3. -

                If the first character of expression’s host-part is an U+002A ASTERISK character (*):

                +

                If the first character of expression’s host-part is an U+002A ASTERISK character (*):

                1. Let remaining be the result of removing the leading "*" from expression.

                  @@ -3166,32 +3470,32 @@
                  host, then return "Does Not Match".

              4. -

                If the first character of expression’s host-part is not an U+002A ASTERISK character (*), and url’s host is not an ASCII case-insensitive match for expression’s host-part, return "Does Not Match".

                +

                If the first character of expression’s host-part is not an U+002A ASTERISK character (*), and url’s host is not an ASCII case-insensitive match for expression’s host-part, return "Does Not Match".

              5. -

                If expression’s host-part matches the IPv4address rule from [RFC3986], and is not - "127.0.0.1"; or if expression’s host-part is an IPv6 address, return "Does Not Match".

                +

                If expression’s host-part matches the IPv4address rule from [RFC3986], and is not + "127.0.0.1"; or if expression’s host-part is an IPv6 address, return "Does Not Match".

                Note: A future version of this specification may allow literal IPv6 and IPv4 addresses, depending on usage and demand. Given the weak security properties of IP addresses in relation to named hosts, however, authors are encouraged to prefer the latter whenever possible.

              6. -

                If expression does not contain a port-part, and url’s port is not the default port for url’s scheme, return "Does Not Match".

                +

                If expression does not contain a port-part, and url’s port is not the default port for url’s scheme, return "Does Not Match".

              7. -

                If expression does contain a port-part:

                +

                If expression does contain a port-part:

                1. -

                  If expression’s port-part is not "*", and +

                  If expression’s port-part is not "*", and is not the same number as url’s port, return "Does Not Match".

              8. -

                If expression contains a non-empty path-part, and redirect count is 0, then:

                +

                If expression contains a non-empty path-part, and redirect count is 0, then:

                1. -

                  Let exact match be false if the final character of expression’s path-part is the U+002F SOLIDUS +

                  Let exact match be false if the final character of expression’s path-part is the U+002F SOLIDUS character (/), and true otherwise.

                2. -

                  Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS +

                  Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS character (/).

                3. If path list has more items than url’s path, return @@ -3233,7 +3537,7 @@

                  scheme is "http"

              -

              Note: Like the scheme-part logic above, the "'self'" +

              Note: Like the scheme-part logic above, the "'self'" matching algorithm allows upgrades to secure schemes when it is safe to do so. We limit these upgrades to endpoints running on the default port for a particular scheme or a port that matches the origin of the protected @@ -3243,8 +3547,8 @@

              Does Not Match".

            6.1.11.4. Get the effective directive for request
            -

            Each fetch directive controls a specific type of request. Given - a request (request), the following algorithm returns either null or the name of the request’s effective directive:

            +

            Each fetch directive controls a specific type of request. Given + a request (request), the following algorithm returns either null or the name of the request’s effective directive:

            1. Switch on request’s type, and execute @@ -3337,7 +3641,7 @@

              6.1.12. Element Matching Algorithms
              6.1.12.1. Does element match source list?
              -

              Given an Element (element), a source list (list), and a string +

              Given an Element (element), a source list (list), and a string (type), this algorithm returns "Matches" or "Does Not Match".

              1. @@ -3346,10 +3650,10 @@
                -

                If expression matches the nonce-source or hash-source grammar, set contains nonce or hash to true.

                +

                If expression matches the nonce-source or hash-source grammar, set contains nonce or hash to true.

            2. -

              If contains nonce or hash is false, and list contains a source expression which is a case-sensitive match for +

              If contains nonce or hash is false, and list contains a source expression which is a case-sensitive match for the string "unsafe-inline", then return "Matches".

            3. If type is not "script attribute" or "style attribute":

              @@ -3364,19 +3668,19 @@
              -

              If expression matches the nonce-source grammar, - and element has a nonce attribute whose value is a case-sensitive match for expression’s base64-value part, return "Matches".

              +

              If expression matches the nonce-source grammar, + and element has a nonce attribute whose value is a case-sensitive match for expression’s base64-value part, return "Matches".

            4. -

              If expression matches the hash-source grammar:

              +

              If expression matches the hash-source grammar:

              1. Let algorithm be null.

              2. -

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.

                +

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha256", set algorithm to SHA-256.

              3. -

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.

                +

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha384", set algorithm to SHA-384.

              4. -

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.

                +

                If expression’s hash-algorithm part is an ASCII case-insensitive match for "sha512", set algorithm to SHA-512.

              5. If algorithm is not null:

                  @@ -3384,7 +3688,7 @@
              @@ -3395,19 +3699,21 @@
              6.2. Reporting Directives

              Various algorithms in this document hook into the reporting process by - constructing a violation object via §2.3.2 Create a violation object for request, policy, and directive or §2.3.1 Create a violation object for global, policy, and directive, and passing that object to §5.3 Report a violation to deliver the report.

              + constructing a violation object via §2.3.2 Create a violation object for request, policy, and directive or §2.3.1 Create a violation object for global, policy, and directive, and passing that object to §5.3 Report a violation to deliver the report.

              6.2.1. report-uri

              - Note: The report-uri directive is deprecated. Please use the report-to directive instead. If the latter directive is present, + Note: The report-uri directive is deprecated. Please use the report-to directive instead. If the latter directive is present, this directive will be ignored. To ensure backwards compatibility, we suggest specifying both, like this:
              -
              Content-Security-Policy: ...; report-uri https://endpoint.com; report-to groupname
              +
              Content-Security-Policy: ...; report-uri https://endpoint.com; report-to groupname
               
              -

              The report-uri directive defines a set of endpoints to which violation reports will be sent when particular behaviors are prevented.

              +

              The report-uri#report-uriReferenced in:5.2. + Obtain the deprecated serialization of violation 5.3. + Report a violation 6.2.1. report-uri (2) directive defines a set of endpoints to which violation reports will be sent when particular behaviors are prevented.

              directive-name  = "report-uri"
               directive-value = uri-reference *( RWS uri-reference )
               
              @@ -3416,7 +3722,8 @@ 

              The directive has no effect in and of itself, but only gains meaning in combination with other directives.

              6.2.2. report-to

              -

              The report-to directive defines a reporting +

              The report-to#report-toReferenced in:5.3. + Report a violation (2)6.2.1. report-uri (2) directive defines a reporting group to which violation reports ought to be sent [OOB-REPORTING]. The directive’s behavior is defined in §5.3 Report a violation. The directive’s name and value are described by the following ABNF:

              @@ -3437,8 +3744,8 @@

              Extensions to CSP MUST register themselves via the process outlined in draft-west-webappsec-csp-reg. In particular, note the criteria discussed in Section 3.2 of that document.

              -

              New directives SHOULD use the pre-request check, post-request check, response - check, and initialization hooks in order to +

              New directives SHOULD use the pre-request check, post-request check, response + check, and initialization hooks in order to integrate themselves into Fetch and HTML.

        @@ -3447,7 +3754,7 @@

        nonce-source expression as part of a policy, the server MUST generate a unique value each time it +

        If a server delivers a nonce-source expression as part of a policy, the server MUST generate a unique value each time it transmits a policy. The generated value SHOULD be at least 128 bits long (before encoding), and SHOULD be generated via a cryptographically secure random number generator in order to ensure that the value is difficult for @@ -3456,8 +3763,8 @@

        'unsafe-inline' when - layering a content security policy on top of old code. When considering 'unsafe-inline', authors are encouraged to consider nonces + provide a substantial improvement over 'unsafe-inline' when + layering a content security policy on top of old code. When considering 'unsafe-inline', authors are encouraged to consider nonces (or hashes) instead.

        @@ -3491,7 +3798,7 @@

        9. Implementation Considerations

        9.1. Vendor-specific Extensions and Addons

        -

        Policy enforced on a resource SHOULD NOT interfere with the operation +

        Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].

        @@ -3556,8 +3863,9 @@

        -

        Index

        -

        Terms defined by this specification

        + +

        Index

        +

        Terms defined by this specification

        -

        Terms defined by reference

        +

        Terms defined by reference

        -

        References

        -

        Normative References

        +

        References

        +

        Normative References

        -
        [ES2015] -
        Allen Wirfs-Brock. ECMAScript® 2015 Language Specification. URL: http://www.ecma-international.org/ecma-262/6.0/index.html -
        [FETCH] +
        [CSS-CASCADE-4] +
        Elika Etemad; Tab Atkins Jr.. CSS Cascading and Inheritance Level 4. 14 January 2016. CR. URL: http://dev.w3.org/csswg/css-cascade/ +
        [CSSOM] +
        Simon Pieters; Glenn Adams. CSS Object Model (CSSOM). 5 December 2013. WD. URL: http://dev.w3.org/csswg/cssom/ +
        [ECMA262] +
        Brian Terlson; Allen Wirfs-Brock. ECMAScript® Language Specification. URL: https://tc39.github.io/ecma262/ +
        [FETCH]
        Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/ -
        [HTML] +
        [HTML]
        Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/ -
        [OOB-REPORTING] +
        [HTML5] +
        Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/html/wg/drafts/html/master/ +
        [OOB-REPORTING]
        Ilya Gregorik; Mike West. Out-of-band Reporting. URL: https://mikewest.github.io/error-reporting/ -
        [SHA2] -
        FIPS PUB 180-4, Secure Hash Standard. URL: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf -
        [CSS-CASCADE-4] -
        Elika Etemad; Tab Atkins Jr.. CSS Cascading and Inheritance Level 4. 14 January 2016. CR. URL: http://www.w3.org/TR/css-cascade-4/ -
        [CSSOM] -
        Simon Pieters; Glenn Adams. CSS Object Model (CSSOM). 5 December 2013. WD. URL: http://www.w3.org/TR/cssom/ -
        [DOM] -
        Anne van Kesteren; et al. W3C DOM4. 19 November 2015. REC. URL: http://www.w3.org/TR/dom/ -
        [DOM-LS] -
        Document Object Model URL: https://dom.spec.whatwg.org/ -
        [HTML5] -
        Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/ -
        [RFC2119] +
        [RFC2119]
        S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119 -
        [RFC3492] +
        [RFC3492]
        A. Costello. Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). March 2003. Proposed Standard. URL: https://tools.ietf.org/html/rfc3492 -
        [RFC3864] +
        [RFC3864]
        G. Klyne; M. Nottingham; J. Mogul. Registration Procedures for Message Header Fields. September 2004. Best Current Practice. URL: https://tools.ietf.org/html/rfc3864 -
        [RFC3986] +
        [RFC3986]
        T. Berners-Lee; R. Fielding; L. Masinter. Uniform Resource Identifier (URI): Generic Syntax. January 2005. Internet Standard. URL: https://tools.ietf.org/html/rfc3986 -
        [RFC4648] +
        [RFC4648]
        S. Josefsson. The Base16, Base32, and Base64 Data Encodings. October 2006. Proposed Standard. URL: https://tools.ietf.org/html/rfc4648 -
        [RFC5234] +
        [RFC5234]
        D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234 -
        [RFC5988] +
        [RFC5988]
        M. Nottingham. Web Linking. October 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5988 -
        [RFC6454] +
        [RFC6454]
        A. Barth. The Web Origin Concept. December 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6454 -
        [RFC7230] +
        [RFC7230]
        R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7230 -
        [RFC7231] +
        [RFC7231]
        R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7231 -
        [SERVICE-WORKERS] -
        Alex Russell; Jungkee Song; Jake Archibald. Service Workers. 25 June 2015. WD. URL: http://www.w3.org/TR/service-workers/ -
        [URL] -
        Anne van Kesteren; Sam Ruby. URL. 9 December 2014. WD. URL: http://www.w3.org/TR/url-1/ -
        [WORKERS] -
        Ian Hickson. Web Workers. 24 September 2015. WD. URL: http://www.w3.org/TR/workers/ +
        [SERVICE-WORKERS] +
        Alex Russell; Jungkee Song; Jake Archibald. Service Workers. 25 June 2015. WD. URL: https://slightlyoff.github.io/ServiceWorker/spec/service_worker/ +
        [SHA2] +
        FIPS PUB 180-4, Secure Hash Standard. URL: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf +
        [WHATWG-DOM] +
        Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/ +
        [WHATWG-URL] +
        Anne van Kesteren; Sam Ruby. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ +
        [WORKERS] +
        Ian Hickson. Web Workers. 24 September 2015. WD. URL: https://html.spec.whatwg.org/multipage/workers.html
        -

        Informative References

        +

        Informative References

        -
        [CSP-DOCUMENT] +
        [APPMANIFEST] +
        Marcos Caceres; et al. Web App Manifest. 15 March 2016. WD. URL: http://www.w3.org/TR/appmanifest/ +
        [BEACON] +
        Ilya Grigorik; et al. Beacon. 25 February 2016. WD. URL: http://www.w3.org/TR/beacon/ +
        [CSP-DOCUMENT]
        Mike West. Content Security Policy: Document Features. URL: https://w3c.github.io/webappsec-csp/document/ -
        [CSP2] +
        [CSP2]
        Mike West; Adam Barth; Daniel Veditz. Content Security Policy Level 2. 21 July 2015. CR. URL: http://www.w3.org/TR/CSP2/ -
        [HTML-DESIGN] +
        [EVENTSOURCE] +
        Ian Hickson. Server-Sent Events. 3 February 2015. REC. URL: http://www.w3.org/TR/eventsource/ +
        [HTML-DESIGN]
        Anne Van Kesteren; Maciej Stachowiak. HTML Design Principles. URL: http://www.w3.org/TR/html-design-principles/ -
        [MIX] +
        [MIX]
        Mike West. Mixed Content. 8 October 2015. CR. URL: http://www.w3.org/TR/mixed-content/ -
        [TIMING] +
        [TIMING]
        Paul Stone. Pixel Perfect Timing Attacks with HTML5. URL: http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf -
        [XHR] -
        Anne van Kesteren. XMLHttpRequest Standard. Living Standard. URL: https://xhr.spec.whatwg.org/ -
        [APPMANIFEST] -
        Marcos Caceres; et al. Web App Manifest. 27 January 2016. WD. URL: http://www.w3.org/TR/appmanifest/ -
        [BEACON] -
        Ilya Grigorik; et al. Beacon. 9 February 2016. WD. URL: http://www.w3.org/TR/beacon/ -
        [EVENTSOURCE] -
        Ian Hickson. Server-Sent Events. 3 February 2015. REC. URL: http://www.w3.org/TR/eventsource/ -
        [UPGRADE-INSECURE-REQUESTS] +
        [UPGRADE-INSECURE-REQUESTS]
        Mike West. Upgrade Insecure Requests. 8 October 2015. CR. URL: http://www.w3.org/TR/upgrade-insecure-requests/ -
        [WEBSOCKETS] +
        [WEBSOCKETS]
        Ian Hickson. The WebSocket API. 20 September 2012. CR. URL: http://www.w3.org/TR/websockets/ -
        [XSLT] +
        [XHR] +
        Anne van Kesteren. XMLHttpRequest Standard. Living Standard. URL: https://xhr.spec.whatwg.org/ +
        [XSLT]
        James Clark. XSL Transformations (XSLT) Version 1.0. 16 November 1999. REC. URL: http://www.w3.org/TR/xslt
        -

        IDL Index

        -
        [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
        -interface SecurityPolicyViolationEvent : Event {
        +  

        IDL Index

        +
        [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
        +interface SecurityPolicyViolationEvent : Event {
             readonly    attribute DOMString      documentURI;
             readonly    attribute DOMString      referrer;
             readonly    attribute DOMString      blockedURI;
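Review bot: the reference-list rewrite in this hunk goes well beyond the [ES2015] to [ECMA262] swap the commit is about: [DOM], [DOM-LS] and [URL] are replaced by [WHATWG-DOM] and [WHATWG-URL], and the [CSS-CASCADE-4], [CSSOM], [HTML5], [SERVICE-WORKERS] and [WORKERS] entries switch from www.w3.org/TR URLs to editor's-draft URLs, with [APPMANIFEST] and [BEACON] picking up new dates. That looks like the generator pulling a newer biblio database when index.html was rebuilt rather than an intended change; either regenerate against the same biblio data or say in the commit message that the build output was refreshed, so reviewers can tell the deliberate reference change from churn. Also confirm nothing in the document still cites the dropped [DOM] and [URL] keys, since their entries disappear entirely.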
        @@ -4015,15 +4326,12 @@ 

        IDL Inde };

        -

        Issues Index

        +

        Issues Index

        Do we really want to remove frame-src? Though the threat model of workers and frames is similar, they have distinct capabilities. Perhaps it makes sense for folks to allow workers while disallowing frames, or vice-versa?
        -
        Can we enable sandbox inside meta? It’s not clear what threat we’re - preventing by dropping support for it (and Chrome and Safari support it - today).
        Do we still need to strip values when reporting? I think we’ve removed much of the risk by using the original URL of a blocked resource; there shouldn’t be anything in the report JSON that script can’t gather on its own @@ -4031,7 +4339,7 @@

        Issue
        Should we add 'unsafe-dynamic'?
        Should we allow hashes to whitelist inline event handlers? <https://github.com/w3c/webappsec-csp/issues/13>
        Is this kind of thing specified anywhere? I didn’t see anything - that looked useful in [ES2015].
        + that looked useful in [ECMA262].

        How, exactly, do we get the status code? We don’t actually store it anywhere.
        Why sandbox? Can we loosen that?
        @@ -4057,4 +4365,45 @@

        Issue
        Do something interesting to the execution context in order to lock down interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so let’s work with them to put something reasonable together.
        -

        \ No newline at end of file + + \ No newline at end of file diff --git a/index.src.html b/index.src.html index f3676db4c1..84f63cfb11 100644 --- a/index.src.html +++ b/index.src.html @@ -26,8 +26,11 @@

        Content Security Policy Level 3

        text: globally unique identifier; url: section-2.3 text: origin; url: section-3.2 text: the same; url: section-5 -spec: ES2015; urlPrefix: http://www.ecma-international.org/ecma-262/6.0/index.html +spec: ECMA262; urlPrefix: https://tc39.github.io/ecma262 + type: dfn + text: realm type: method + text: HostEnsureCanCompileStrings(); url: sec-hostensurecancompilestrings text: eval(); url: sec-eval-x text: Function(); url: sec-function-objects text: JSON.stringify(); url: sec-json.stringify @@ -224,6 +227,7 @@

        Content Security Policy Level 3

        text: update a style block text: the worker's documents text: Content-Security-Policy http-equiv processing instructions; url: attr-meta-http-equiv-content-security-policy + text: realm's global object; url: concept-realm-global-object type: element-attr text: ping; for: a text: nonce; for: script; url: attr-script-nonce @@ -248,10 +252,10 @@

        Content Security Policy Level 3

        "title": "HTML Design Principles", "publisher": "W3C" }, - "ES2015": { - "authors": [ "Allen Wirfs-Brock" ], - "href": "http://www.ecma-international.org/ecma-262/6.0/index.html", - "title": "ECMAScript® 2015 Language Specification", + "ECMA262": { + "authors": [ "Brian Terlson", "Allen Wirfs-Brock" ], + "href": "https://tc39.github.io/ecma262/", + "title": "ECMAScript® Language Specification", "publisher": "ECMA" }, "SHA2": { @@ -695,7 +699,7 @@

        number, and column number accordingly. ISSUE: Is this kind of thing specified anywhere? I didn't see anything - that looked useful in [[ES2015]]. + that looked useful in [[ECMA262]]. 3. If |global| is a {{Window}} object, set |violation|'s referrer to |global|'s {{Window/document}}'s @@ -1217,6 +1221,44 @@

        set |result| to "`Blocked`". 3. Return |result|. + +

        Integration with ECMAScript

        + + ECMAScript defines a {{HostEnsureCanCompileStrings()}} operation which allows + the host environment to block the compilation of strings into ECMAScript code. + This document defines an implementation of that operation which examines the + relevant CSP list to determine whether such + compilation ought to be blocked. + +

        + EnsureCSPDoesNotBlockStringCompilation(|callerRealm|, |calleeRealm|) +

        + + Given two realms (|callerRealm| and |calleeRealm|), this algorithm + returns normally if string compilation is allowed, and throws an "`EvalError`" + if not: + + 1. Let |global| be |callerRealm|'s global + object. + + 2. For each |policy| in |global|'s CSP list: + + 1. Let |source-list| be null. + + 2. If |policy| contains a directive whose + name is "`script-src`", then set |source-list| + to that directive's value. + + Otherwise if |policy| contains a directive whose + name is "`default-src`", then set |source-list| + to that directive's value. + + 3. If |source-list| is non-null, and does not contain a source + expression which is an ASCII case-insensitive match for the + string "`'unsafe-eval'`", then throw an `EvalError` + exception. + + 3. Return normally.

        From e6bd859c3fe9bf8be06dd4b465f432ad4539d8b5 Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 6 Apr 2016 11:12:08 +0200 Subject: [PATCH 2/2] fixup dropping "return normally" --- index.html | 2 -- index.src.html | 2 -- 2 files changed, 4 deletions(-) diff --git a/index.html b/index.html index 6ea89fa604..9ca20766be 100644 --- a/index.html +++ b/index.html @@ -2465,8 +2465,6 @@

        ASCII case-insensitive match for the string "'unsafe-eval'", then throw an EvalError exception.

      -
    2. -

      Return normally.

    diff --git a/index.src.html b/index.src.html index 84f63cfb11..eeb84c2269 100644 --- a/index.src.html +++ b/index.src.html @@ -1257,8 +1257,6 @@

    expression which is an ASCII case-insensitive match for the string "`'unsafe-eval'`", then throw an `EvalError` exception. - - 3. Return normally.
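Review bot: with the explicit "Return normally" step removed from both index.html and index.src.html, the only non-throwing exit is the loop falling through, so the preamble sentence from PATCH 1/2 ("returns normally if string compilation is allowed, and throws an EvalError if not") is now the sole statement of the success path; keep that sentence, and keep it next to the algorithm, since the rendered HTML fixup otherwise leaves a step list that ends on a throw.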