index.html

<!doctype html>
<html lang="en">
 <head>
  
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  
  
  <title>Content Security Policy Level 2</title>
  
  
  <link href="../default.css" rel="stylesheet" type="text/css">
  
  
  <style>
  body {
    background: url("https://www.w3.org/StyleSheets/TR/logo-ED") top left no-repeat white;
    background-attachment: fixed;
    color: black;
    font-family: sans-serif;
    margin: 0 auto;
    max-width: 50em;
    padding: 2em 1em 2em 70px;
  }
  :link { color: #00C; background: transparent }
  :visited { color: #609; background: transparent }
  a[href]:active { color: #C00; background: transparent }
  a[href]:hover { background: #ffa }

  a[href] img { border-style: none }

  h1, h2, h3, h4, h5, h6 { text-align: left }
  h1, h2, h3 { color: #005A9C; }
  h1 { font: 170% sans-serif }
  h2 { font: 140% sans-serif }
  h3 { font: 120% sans-serif }
  h4 { font: bold 100% sans-serif }
  h5 { font: italic 100% sans-serif }
  h6 { font: small-caps 100% sans-serif }

  .hide { display: none }

  div.head { margin-bottom: 1em }
  div.head h1 { margin-top: 2em; clear: both }
  div.head table { margin-left: 2em; margin-top: 2em }

  p.copyright { font-size: small }
  p.copyright small { font-size: small }

  pre { margin-left: 2em }
  dt { font-weight: bold }

  ul.toc, ol.toc {
    list-style: none;
  }
  </style>
  

  <meta content="Bikeshed 1.0.0" name="generator">
  <style>
      table {
        text-align: left;
        margin: 20px;
        width: 100%;
        border-collapse: collapse;
      }

      tbody tr:nth-child(odd) {
        background-color: #EEE;
      }

      th {
        border-bottom: 1px solid #999;
        padding: 0.5em;
      }

      td:first-child {
        width: 30%;
        padding-right: 1em;
      }

      td {
        vertical-align: top;
        padding: 0.5em;
      }

      tbody th {
        border: 0;
        background-color: #FFF;
      }

      tr.section {
        border-top: 1px solid #999;
        vertical-align: top;
      }
    </style>
  

    
 </head>
 

 <body class="h-entry">

  <div class="head">
  
   <p data-fill-with="logo"><a class="logo" href="http://www.w3.org/">
    <img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72">
</a>
</p>
  
   <h1 class="p-name no-ref" id="title">Content Security Policy Level 2</h1>
  
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
    <time class="dt-updated" datetime="2015-08-12">12 August 2015</time></span></h2>
  
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://w3c.github.io/webappsec/specs/CSP2/">https://w3c.github.io/webappsec/specs/CSP2/</a>
     <dt>Latest version:
     <dd><a href="http://www.w3.org/TR/CSP2/">http://www.w3.org/TR/CSP2/</a>
     <dt>Previous Versions:
     <dd><a href="http://www.w3.org/TR/2014/WD-CSP2-20140703/" rel="previous">http://www.w3.org/TR/2014/WD-CSP2-20140703/</a>
     <dd><a href="http://www.w3.org/TR/2014/WD-CSP11-20140211/" rel="previous">http://www.w3.org/TR/2014/WD-CSP11-20140211/</a>
     <dd><a href="http://www.w3.org/TR/2012/CR-CSP-20121115/" rel="previous">http://www.w3.org/TR/2012/CR-CSP-20121115/</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5BCSP2%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[CSP2] <var>… message topic …</var></kbd>” (<a href="http://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt>Issue Tracking:
     <dd><a href="https://github.com/w3c/webappsec/issues/">GitHub</a>
     <dt class="editor">Editors:
     <dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="39502"><a class="p-name fn u-email email" href="mailto:w3c@adambarth.com">Adam Barth</a> (<span class="p-org org">Google Inc.</span>)
     <dd class="editor p-author h-card vcard" data-editor-id="41156"><a class="p-name fn u-email email" href="mailto:dveditz@mozilla.com">Dan Veditz</a> (<span class="p-org org">Mozilla Corporation</span>)
     <dt>Former Editors:
     <dd>
      <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:brandon@hackmill.com">Brandon Sterne</a> (<span class="p-org org">formerly of Mozilla Corporation</span>)
    </dl>
   </div>
  
   <div data-fill-with="warning"></div>
  
   <p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2015 <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.
</p>
  
   <hr title="Separator for header">
</div>


  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>

  <div class="p-summary" data-fill-with="abstract">
   <p>This document defines a policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced.</p>

</div>


  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>

  <div data-fill-with="status">
   <p>
	This is a public copy of the editors’ draft.
	It is provided for discussion only and may change at any moment.
	Its publication here does not imply endorsement of its contents by W3C.
	Don’t cite this document other than as work in progress.

</p>
   <p>
  <strong>Changes to this document may be tracked at
  <a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong>

</p>
   <p>
	The (<a href="http://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list
	<a href="mailto:public-webappsec@w3.org?Subject=%5BCSP2%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a>
	(see <a href="http://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “CSP2” in the subject,
	preferably like this:
	“[CSP2] <em>…summary of comment…</em>”

</p>
   <p>
	This document was produced by the
  <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>.

</p>
   <p>
	This document was produced by a group operating under
	the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
	W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a>
	made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a>
	must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>.

</p>
   <p>
  This document is governed by the <a href="http://www.w3.org/2014/Process-20140801/" id="w3c_process_revision">1 August 2014 W3C Process Document</a>.

</p></div>

  <div data-fill-with="at-risk"></div>


  <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="content">Table of Contents</span></h2>

  <div data-fill-with="table-of-contents" role="navigation">
   <ul class="toc" role="directory">
    <li><a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ul class="toc">
      <li><a href="#changes-from-level-1"><span class="secno">1.1</span> <span class="content">Changes from Level 1</span></a>
     </ul>
    <li><a href="#key-concepts"><span class="secno">2</span> <span class="content">Key Concepts and Terminology</span></a>
     <ul class="toc">
      <li><a href="#terms-defined-here"><span class="secno">2.1</span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#terms-defined-by-reference"><span class="secno">2.2</span> <span class="content">Terms defined by reference</span></a>
      <li><a href="#html-concepts"><span class="secno">2.3</span> <span class="content">Relevant Concepts from HTML</span></a>
      <li><a href="#grammar"><span class="secno">2.4</span> <span class="content">Grammatical Concepts</span></a>
     </ul>
    <li><a href="#policy-delivery"><span class="secno">3</span> <span class="content">Policy Delivery</span></a>
     <ul class="toc">
      <li><a href="#content-security-policy-header-field"><span class="secno">3.1</span> <span class="content">
      <code>Content-Security-Policy</code> Header Field
    </span></a>
      <li><a href="#content-security-policy-report-only-header-field"><span class="secno">3.2</span> <span class="content">
      <code>Content-Security-Policy-Report-Only</code> Header Field
    </span></a>
      <li><a href="#delivery-html-meta-element"><span class="secno">3.3</span> <span class="content">
      HTML <code><span>meta</span></code> Element
    </span></a>
      <li><a href="#enforcing-multiple-policies"><span class="secno">3.4</span> <span class="content">Enforcing multiple policies.</span></a>
      <li><a href="#which-policy-applies"><span class="secno">3.5</span> <span class="content">Policy applicability</span></a>
     </ul>
    <li><a href="#syntax-and-algorithms"><span class="secno">4</span> <span class="content">Syntax and Algorithms</span></a>
     <ul class="toc">
      <li><a href="#policy-syntax"><span class="secno">4.1</span> <span class="content">Policy Syntax</span></a>
       <ul class="toc">
        <li><a href="#policy-parsing"><span class="secno">4.1.1</span> <span class="content">Parsing Policies</span></a>
       </ul>
      <li><a href="#source-list-syntax"><span class="secno">4.2</span> <span class="content">Source List Syntax</span></a>
       <ul class="toc">
        <li><a href="#source-list-parsing"><span class="secno">4.2.1</span> <span class="content">Parsing Source Lists</span></a>
        <li><a href="#match-source-expression"><span class="secno">4.2.2</span> <span class="content">Matching Source Expressions</span></a>
         <ul class="toc">
          <li><a href="#source-list-guid-matching"><span class="secno">4.2.2.1</span> <span class="content">
          Security Considerations for GUID URL schemes
        </span></a>
          <li><a href="#source-list-path-patching"><span class="secno">4.2.2.2</span> <span class="content">Path Matching</span></a>
          <li><a href="#source-list-paths-and-redirects"><span class="secno">4.2.2.3</span> <span class="content">Paths and Redirects</span></a>
         </ul>
        <li><a href="#script-src-the-nonce-attribute"><span class="secno">4.2.3</span> <span class="content">
        The <code>nonce</code> attribute
      </span></a>
        <li><a href="#source-list-valid-nonces"><span class="secno">4.2.4</span> <span class="content">Valid Nonces</span></a>
        <li><a href="#source-list-valid-hashes"><span class="secno">4.2.5</span> <span class="content">Valid Hashes</span></a>
       </ul>
      <li><a href="#media-type-list-syntax"><span class="secno">4.3</span> <span class="content">Media Type List Syntax</span></a>
       <ul class="toc">
        <li><a href="#media-type-list-parsing"><span class="secno">4.3.1</span> <span class="content">Parsing</span></a>
        <li><a href="#media-type-list-matching"><span class="secno">4.3.2</span> <span class="content">Matching</span></a>
       </ul>
      <li><a href="#violation-reports"><span class="secno">4.4</span> <span class="content">Reporting</span></a>
     </ul>
    <li><a href="#processing-model"><span class="secno">5</span> <span class="content">Processing Model</span></a>
     <ul class="toc">
      <li><a href="#processing-model-workers"><span class="secno">5.1</span> <span class="content">Workers</span></a>
      <li><a href="#processing-model-iframe-srcdoc"><span class="secno">5.2</span> <span class="content"><code>srcdoc</code> IFrames</span></a>
     </ul>
    <li><a href="#script-interfaces"><span class="secno">6</span> <span class="content">Script Interfaces</span></a>
     <ul class="toc">
      <li><a href="#securitypolicyviolationevent-interface"><span class="secno">6.1</span> <span class="content">
      <code>SecurityPolicyViolationEvent</code> Interface
    </span></a>
      <li><a href="#securitypolicyviolationeventinit-interface"><span class="secno">6.2</span> <span class="content">
      <code>SecurityPolicyViolationEventInit</code> Interface
    </span></a>
      <li><a href="#firing-securitypolicyviolationevent-events"><span class="secno">6.3</span> <span class="content">Firing Violation Events</span></a>
     </ul>
    <li><a href="#directives"><span class="secno">7</span> <span class="content">Directives</span></a>
     <ul class="toc">
      <li><a href="#directive-base-uri"><span class="secno">7.1</span> <span class="content"><code>base-uri</code></span></a>
      <li><a href="#directive-child-src"><span class="secno">7.2</span> <span class="content"><code>child-src</code></span></a>
       <ul class="toc">
        <li><a href="#directive-child-src-nested"><span class="secno">7.2.1</span> <span class="content">Nested Browsing Contexts</span></a>
        <li><a href="#directive-child-src-workers"><span class="secno">7.2.2</span> <span class="content">Workers</span></a>
       </ul>
      <li><a href="#directive-connect-src"><span class="secno">7.3</span> <span class="content"><code>connect-src</code></span></a>
       <ul class="toc">
        <li><a href="#connect-src-usage"><span class="secno">7.3.1</span> <span class="content">Usage</span></a>
       </ul>
      <li><a href="#directive-default-src"><span class="secno">7.4</span> <span class="content"><code>default-src</code></span></a>
       <ul class="toc">
        <li><a href="#default-src-usage"><span class="secno">7.4.1</span> <span class="content">Usage</span></a>
       </ul>
      <li><a href="#directive-font-src"><span class="secno">7.5</span> <span class="content"><code>font-src</code></span></a>
      <li><a href="#directive-form-action"><span class="secno">7.6</span> <span class="content"><code>form-action</code></span></a>
      <li><a href="#directive-frame-ancestors"><span class="secno">7.7</span> <span class="content"><code>frame-ancestors</code></span></a>
       <ul class="toc">
        <li><a href="#frame-ancestors-and-frame-options"><span class="secno">7.7.1</span> <span class="content">
        Relation to <code>X-Frame-Options</code>
      </span></a>
        <li><a href="#frame-ancestors-multiple-source-values"><span class="secno">7.7.2</span> <span class="content">Multiple Host Source Values</span></a>
       </ul>
      <li><a href="#directive-frame-src"><span class="secno">7.8</span> <span class="content"><code>frame-src</code></span></a>
      <li><a href="#directive-img-src"><span class="secno">7.9</span> <span class="content"><code>img-src</code></span></a>
      <li><a href="#directive-media-src"><span class="secno">7.10</span> <span class="content"><code>media-src</code></span></a>
      <li><a href="#directive-object-src"><span class="secno">7.11</span> <span class="content"><code>object-src</code></span></a>
      <li><a href="#directive-plugin-types"><span class="secno">7.12</span> <span class="content"><code>plugin-types</code></span></a>
       <ul class="toc">
        <li><a href="#plugin-types-usage"><span class="secno">7.12.1</span> <span class="content">Usage</span></a>
        <li><a href="#plugin-types-predeclaration"><span class="secno">7.12.2</span> <span class="content">
        Predeclaration of expected media types
      </span></a>
       </ul>
      <li><a href="#directive-report-uri"><span class="secno">7.13</span> <span class="content"><code>report-uri</code></span></a>
      <li><a href="#directive-sandbox"><span class="secno">7.14</span> <span class="content"><code>sandbox</code></span></a>
       <ul class="toc">
        <li><a href="#sandboxing-and-workers"><span class="secno">7.14.1</span> <span class="content">Sandboxing and Workers</span></a>
        <li><a href="#sandbox-usage"><span class="secno">7.14.2</span> <span class="content">Usage</span></a>
       </ul>
      <li><a href="#directive-script-src"><span class="secno">7.15</span> <span class="content"><code>script-src</code></span></a>
       <ul class="toc">
        <li><a href="#script-src-nonce-usage"><span class="secno">7.15.1</span> <span class="content">
        Nonce usage for <code><span>script</span></code> elements
      </span></a>
        <li><a href="#script-src-hash-usage"><span class="secno">7.15.2</span> <span class="content">
        Hash usage for <code><span>script</span></code> elements
      </span></a>
       </ul>
      <li><a href="#directive-style-src"><span class="secno">7.16</span> <span class="content"><code>style-src</code></span></a>
       <ul class="toc">
        <li><a href="#style-src-nonce-usage"><span class="secno">7.16.1</span> <span class="content">
        Nonce usage for <code><span>style</span></code> elements
      </span></a>
        <li><a href="#style-src-hash-usage"><span class="secno">7.16.2</span> <span class="content">
        Hash usage for <code><span>style</span></code> elements
      </span></a>
       </ul>
     </ul>
    <li><a href="#examples"><span class="secno">8</span> <span class="content">Examples</span></a>
     <ul class="toc">
      <li><a href="#example-policies"><span class="secno">8.1</span> <span class="content">Sample Policy Definitions</span></a>
      <li><a href="#example-violation-report"><span class="secno">8.2</span> <span class="content">Sample Violation Report</span></a>
     </ul>
    <li><a href="#security-considerations"><span class="secno">9</span> <span class="content">Security Considerations</span></a>
     <ul class="toc">
      <li><a href="#security-css-parsing"><span class="secno">9.1</span> <span class="content">Cascading Style Sheet (CSS) Parsing</span></a>
      <li><a href="#security-redirects"><span class="secno">9.2</span> <span class="content">Redirect Information Leakage</span></a>
     </ul>
    <li><a href="#implementation-considerations"><span class="secno">10</span> <span class="content">Implementation Considerations</span></a>
     <ul class="toc">
      <li><a href="#complications"><span class="secno">10.1</span> <span class="content">Processing Complications</span></a>
     </ul>
    <li><a href="#iana-considerations"><span class="secno">11</span> <span class="content">IANA Considerations</span></a>
     <ul class="toc">
      <li><a href="#iana-content-security-policy"><span class="secno">11.1</span> <span class="content">Content-Security-Policy</span></a>
      <li><a href="#iana-content-security-policy-report-only"><span class="secno">11.2</span> <span class="content">Content-Security-Policy-Report-Only</span></a>
     </ul>
    <li><a href="#acknowledgements"><span class="secno">12</span> <span class="content">Acknowledgements</span></a>
    <li><a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ul class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
      <li><a href="#conformance-classes"><span class="secno"></span> <span class="content">Conformance Classes</span></a>
     </ul>
    <li><a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ul class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ul>
    <li><a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ul class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ul>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
   </ul></div>

  <main>










   <section>
  
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>


    <p><em>This section is not normative.</em></p>


    <p>This document defines Content Security Policy, a mechanism web applications
  can use to mitigate a broad class of content injection vulnerabilities, such
  as cross-site scripting (XSS). Content Security Policy is a declarative policy
  that lets the authors (or server administrators) of a web application inform
  the client about the sources from which the application expects to load
  resources.</p>


    <p>To mitigate XSS attacks, for example, a web application can declare that it
  only expects to load script from specific, trusted sources. This declaration
  allows the client to detect and block malicious scripts injected into the
  application by an attacker.</p>


    <p>Content Security Policy (CSP) is not intended as a first line of defense
  against content injection vulnerabilities. Instead, CSP is best used as
  defense-in-depth, to reduce the harm caused by content injection attacks. As
  a first line of defense against content injection, server operators should
  validate their input and encode their output.</p>


    <p>There is often a non-trivial amount of work required to apply CSP to an
  existing web application. To reap the greatest benefit, authors will need to
  move all inline script and style out-of-line, for example into external
  scripts, because the user agent cannot determine whether an inline script
  was injected by an attacker.</p>


    <p>To take advantage of CSP, a web application opts into using CSP by supplying a
  <code>Content-Security-Policy</code> HTTP header. Such policies apply to the
  current resource representation only. To supply a policy for an entire site,
  the server needs to supply a policy with each resource representation.</p>

  
    <h3 class="heading settled" data-level="1.1" id="changes-from-level-1"><span class="secno">1.1. </span><span class="content">Changes from Level 1</span><a class="self-link" href="#changes-from-level-1"></a></h3>


    <p>This document describes an evolution of the
  <a href="http://www.w3.org/TR/CSP/">Content Security Policy specification</a>.
  Level 2 makes two breaking changes from Level 1, and adds support for a number
  of new directives and capabilities which are summarized below:</p>

  
    <ol>
    
     <li>
      The following changes are backwards incompatible with the majority of
      user agent’s implementations of CSP 1:

      
      <ol>
        
       <li>
          The path component of a source expression is now ignored if the
          resource being loaded is the result of a redirect, as described in
          <a href="#source-list-paths-and-redirects">§4.2.2.3 Paths and Redirects</a>.


        <p class="note" role="note">Note: Paths are technically new in CSP2, but they were already
          implemented in many user agents before this revision of CSP was
          completed, so noting the change here seems reasonable.</p>
        
        
       
        
       <li>
          A <a data-link-type="dfn" href="#protected-resource">protected resource</a>’s ability to load Workers is now controlled
          via <a data-link-type="dfn" href="#child_src"><code>child-src</code></a> rather than
          <a data-link-type="dfn" href="#script_src"><code>script-src</code></a>.
        
       
        
       <li>
          Workers now have their own policy, separate from the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a> which loaded them. This is described in
          <a href="#processing-model-workers">§5.1 Workers</a>.
        
       
      
      </ol>
      
    
     
    
     <li>
      The following directives are brand new in this revision:

      
      <ol>
        
       <li>
          <a data-link-type="dfn" href="#base_uri"><code>base-uri</code></a> controls the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a>’s ability to specify the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#document-base-url">document base
          URL</a>.
        
       
        
       <li>
          <a data-link-type="dfn" href="#child_src"><code>child-src</code></a> deprecates and replaces
          <a data-link-type="dfn" href="#frame_src"><code>frame-src</code></a>, controlling the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a>’s ability to embed frames, and to load Workers.
        
       
        
       <li>
          <a data-link-type="dfn" href="#form_action"><code>form-action</code></a> controls the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a>’s ability to submit forms.
        
       
        
       <li>
          <a data-link-type="dfn" href="#frame_ancestors"><code>frame-ancestors</code></a> controls the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a>’s ability be embedded in other documents. It is meant
          to supplant the <code>X-Frame-Options</code> HTTP request header.
        
       
        
       <li>
          <a data-link-type="dfn" href="#plugin_types"><code>plugin-types</code></a> controls the <a data-link-type="dfn" href="#protected-resource">protected
          resource</a>’s ability to load specific types of plugins.
        
       
      
      </ol>
      
    
     
    
     <li>
      Individual inline scripts and stylesheets may be whitelisted via nonces
      (as described in <a href="#source-list-valid-nonces">§4.2.4 Valid Nonces</a>) and hashes (as described
      in <a href="#source-list-valid-hashes">§4.2.5 Valid Hashes</a>).
    
     
    
     <li>
      A <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a></code> is fired upon violations, as described
      in <a href="#firing-securitypolicyviolationevent-events">§6.3 Firing Violation Events</a>.
    
     
    
     <li>
      A number of new fields were added to violation reports (both those POSTED
      via <a data-link-type="dfn" href="#report_uri"><code>report-uri</code></a>, and those handed to the DOM via
      <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a></code> events. These include
      <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a></code>,
      <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-statuscode">statusCode</a></code>,
      <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sourcefile">sourceFile</a></code>,
      <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-linenumber">lineNumber</a></code>, and
      <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-columnnumber">columnNumber</a></code>.
    
     
    
     <li>
      Certain flags present in the <code><a data-link-type="dfn" href="#sandbox">sandbox</a></code> directive now
      affect Worker creation, as described in <a href="#sandboxing-and-workers">§7.14.1 Sandboxing and Workers</a>.
    
     
  
    </ol>
</section>



   <section>
  
    <h2 class="heading settled" data-level="2" id="key-concepts"><span class="secno">2. </span><span class="content">Key Concepts and Terminology</span><a class="self-link" href="#key-concepts"></a></h2>

  
    <h3 class="heading settled" data-level="2.1" id="terms-defined-here"><span class="secno">2.1. </span><span class="content">Terms defined by this specification</span><a class="self-link" href="#terms-defined-here"></a></h3>
  
    <dl>
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" data-local-lt="policy" id="security-policy">security policy<a class="self-link" href="#security-policy"></a></dfn>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" data-local-lt="directive" id="security-policy-directive">security policy directive<a class="self-link" href="#security-policy-directive"></a></dfn>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" data-local-lt="directive name" id="security-policy-directive-name">security policy directive name<a class="self-link" href="#security-policy-directive-name"></a></dfn>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" data-local-lt="directive value" id="security-policy-directive-value">security policy directive value<a class="self-link" href="#security-policy-directive-value"></a></dfn>
    
     
    
     <dd>
      A <strong>security policy</strong> refers to both a set of security
      preferences for restrictions within which content can operate, and
      to a fragment of text that codifies or transmits these preferences.
      For example, the following string is a policy which restricts script
      and object content:

      
      <div class="example" id="example-f8c8229d"><a class="self-link" href="#example-f8c8229d"></a>
        <code><a data-link-type="dfn" href="#script_src">script-src</a> 'self'; <a data-link-type="dfn" href="#object_src">object-src</a> 'none'</code>
      </div>
      


      <p>Security policies contain a set of <strong>security policy
      directives</strong> (<code><a data-link-type="dfn" href="#script_src">script-src</a></code> and
      <code><a data-link-type="dfn" href="#object_src">object-src</a></code> in the example above), each responsible
      for declaring the restrictions for a particular resource type, or
      manipulating a specific aspect of the policy’s restrictions. The list
      of directives defined by this specification can be found in
      <a href="#directives">§7 Directives</a>.</p>
      


      <p>Each directives has a <strong>name</strong> and a <strong>value</strong>;
      a detailed grammar can be found in <a href="#syntax-and-algorithms">§4 Syntax and Algorithms</a>.</p>
      
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" id="protected-resource">protected resource<a class="self-link" href="#protected-resource"></a></dfn>
    
     
    
     <dd>
      A <a data-link-type="dfn" href="#security-policy">security policy</a> is applied by a user agent to a specific
      <a data-link-type="dfn" href="#resource-representation">resource representation</a>, known as the <strong>protected
      resource</strong>. See <a href="#policy-delivery">§3 Policy Delivery</a> for details regarding
      the mechanisms by which policies may be applied to a protected
      resource.
    
     
  
    </dl>

  
    <h3 class="heading settled" data-level="2.2" id="terms-defined-by-reference"><span class="secno">2.2. </span><span class="content">Terms defined by reference</span><a class="self-link" href="#terms-defined-by-reference"></a></h3>
  
    <dl>
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="globally-unique-identifier">globally unique identifier<a class="self-link" href="#globally-unique-identifier"></a></dfn>
    
     
    
     <dd>
      Defined in
      <a href="https://tools.ietf.org/html/rfc6454#section-2.3">Section 2.3 of
      the Origin specification</a>. <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>


      <p class="note" role="note">NOTE: URLs which do not use hierarchical elements as naming authorities
      (<code>data:</code>, for instance) have <a data-link-type="dfn" href="#origin">origins</a> which are globally
      unique identifiers.</p>
      
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="http-200-response">HTTP 200 response<a class="self-link" href="#http-200-response"></a></dfn>
    
     
    
     <dd>
      Defined in
      <a href="https://tools.ietf.org/html/rfc7231#section-6.3.1">Section
      6.3.1 of HTTP/1.1 -- Semantics and Content</a>. <a data-link-type="biblio" href="#biblio-rfc7231">[RFC7231]</a>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="json-object">JSON object<a class="self-link" href="#json-object"></a></dfn>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="json-stringification">JSON stringification<a class="self-link" href="#json-stringification"></a></dfn>
    
     
    
     <dd>
      Defined in the JSON specification. <a data-link-type="biblio" href="#biblio-rfc4627">[RFC4627]</a>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="origin">origin<a class="self-link" href="#origin"></a></dfn>
    
     
    
     <dd>
      Defined by the Origin specification. <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-local-lt="representation" data-noexport="" id="resource-representation">resource representation<a class="self-link" href="#resource-representation"></a></dfn>
    
     
    
     <dd>
      Defined in <a href="https://tools.ietf.org/html/rfc7231#section-3">Section
      3 of HTTP/1.1 -- Semantics and Content</a>. <a data-link-type="biblio" href="#biblio-rfc7231">[RFC7231]</a>
    
     
    
     <dt>
      <dfn data-dfn-type="dfn" data-noexport="" id="url">URL<a class="self-link" href="#url"></a></dfn>
    
     
    
     <dd>
      Defined by <a data-link-type="biblio" href="#biblio-url">[URL]</a>.
    
     
    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="sha_256">SHA-256<a class="self-link" href="#sha_256"></a></dfn>
     
    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="sha_384">SHA-384<a class="self-link" href="#sha_384"></a></dfn>
     
    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="sha_512">SHA-512<a class="self-link" href="#sha_512"></a></dfn>
     
    
     <dd>
      These digest algorithms are defined by the NIST. <a data-link-type="biblio" href="#biblio-fips180">[FIPS180]</a>
    
     
  
    </dl>

  
    <h3 class="heading settled" data-level="2.3" id="html-concepts"><span class="secno">2.3. </span><span class="content">Relevant Concepts from HTML</span><a class="self-link" href="#html-concepts"></a></h3>


    <p>The <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-audio-element">audio</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-img-element">img</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code>,
  <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-source-element">source</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-track-element">track</a></code>, and <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-video-element">video</a></code> are defined in
  <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>.</p>


    <p>The terms <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#auxiliary-browsing-context">auxiliary browsing contexts</a>,
  <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#opener-browsing-context">opener browsing context</a>, and <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing contexts</a> are
  defined in the HTML5 specification. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a></p>


    <p>A <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a> is defined in the HTML5 specification. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a></p>


    <p>The <code>&lt;&lt;@font-face>></code> Cascading Style Sheets (CSS) rule is defined
  in the CSS Fonts Module Level 3 specification. <a data-link-type="biblio" href="#biblio-css3-fonts">[CSS3-FONTS]</a></p>


    <p>The <code>XMLHttpRequest</code> object is defined in the
  <code>XMLHttpRequest</code> specification. <a data-link-type="biblio" href="#biblio-xmlhttprequest">[XMLHTTPREQUEST]</a></p>


    <p>The <code>WebSocket</code> object is defined in the <code>WebSocket</code>
  specification. <a data-link-type="biblio" href="#biblio-websockets">[WEBSOCKETS]</a></p>


    <p>The <code>EventSource</code> object is defined in the <code>EventSource</code>
  specification. <a data-link-type="biblio" href="#biblio-eventsource">[EVENTSOURCE]</a></p>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="runs-a-worker">runs a worker<a class="self-link" href="#runs-a-worker"></a></dfn> algorithm is
  <a href="http://www.w3.org/TR/workers/#run-a-worker">defined in the Web
  Workers spec</a>. <a data-link-type="biblio" href="#biblio-workers">[WORKERS]</a></p>


    <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="callable">callable<a class="self-link" href="#callable"></a></dfn> refers to an object whose interface
  has one or more <dfn data-dfn-type="dfn" data-noexport="" id="callers">callers<a class="self-link" href="#callers"></a></dfn> as defined in the <a href="http://www.w3.org/TR/2010/WD-WebIDL-20101021/#idl-callers">Web
  IDL</a> specification <a data-link-type="biblio" href="#biblio-webidl">[WEBIDL]</a>.</p>

  
    <h3 class="heading settled" data-level="2.4" id="grammar"><span class="secno">2.4. </span><span class="content">Grammatical Concepts</span><a class="self-link" href="#grammar"></a></h3>


    <p>The Augmented Backus-Naur Form (ABNF) notation used in this document is
  specified in RFC5234. <a data-link-type="biblio" href="#biblio-abnf">[ABNF]</a></p>


    <p>This document also uses the ABNF extension "#rule" as defined in
  <a href="https://tools.ietf.org/html/rfc7230#section-7">Section 7</a>
  of HTTP/1.1 -- Message Syntax and Routing. <a data-link-type="biblio" href="#biblio-rfc7230">[RFC7230]</a></p>


    <p>The following core rules are included by reference, as defined in
  <a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">Appendix B.1</a>
  of <a data-link-type="biblio" href="#biblio-abnf">[ABNF]</a>: <code><dfn data-dfn-type="dfn" data-noexport="" id="alpha">ALPHA<a class="self-link" href="#alpha"></a></dfn></code> (letters),
  <code><dfn data-dfn-type="dfn" data-noexport="" id="digit">DIGIT<a class="self-link" href="#digit"></a></dfn></code> (decimal 0-9), <code><dfn data-dfn-type="dfn" data-noexport="" id="wsp">WSP<a class="self-link" href="#wsp"></a></dfn></code>
  (white space) and <code><dfn data-dfn-type="dfn" data-noexport="" id="vchar">VCHAR<a class="self-link" href="#vchar"></a></dfn></code> (printing characters).</p>
</section>



   <section>
  
    <h2 class="heading settled" data-level="3" id="policy-delivery"><span class="secno">3. </span><span class="content">Policy Delivery</span><a class="self-link" href="#policy-delivery"></a></h2>


    <p>The server delivers a <a data-link-type="dfn" href="#security-policy">policy</a> to the user agent via an HTTP response
  header (defined in <a href="#content-security-policy-header-field">§3.1 Content-Security-Policy Header Field</a> and
  <a href="#content-security-policy-report-only-header-field">§3.2 Content-Security-Policy-Report-Only Header Field</a>) or an HTML
  <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element (defined in <a href="#delivery-html-meta-element">§3.3 HTML meta Element</a>).</p>

  
    <section>
    
     <h3 class="heading settled" data-level="3.1" id="content-security-policy-header-field"><span class="secno">3.1. </span><span class="content">
      <code>Content-Security-Policy</code> Header Field
    </span><a class="self-link" href="#content-security-policy-header-field"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-export="" id="content_security_policy">Content-Security-Policy<a class="self-link" href="#content_security_policy"></a></dfn></code> header field is
    the preferred mechanism for delivering a policy. The grammar is as follows:</p>
     

    
     <pre>"Content-Security-Policy:" 1#<a data-link-type="dfn" href="#policy_token">policy-token</a>
</pre>
     


     <p>For example, a response might include the following header field:</p>
     

    
     <div class="example" id="example-be526382"><a class="self-link" href="#example-be526382"></a>
      <code>Content-Security-Policy: <a data-link-type="dfn" href="#script_src">script-src</a> 'self'</code>
    </div>
     


     <p>A server MUST NOT send more than one HTTP header field named
    <code>Content-Security-Policy</code> with a given <a data-link-type="dfn" href="#resource-representation">resource
    representation</a>.</p>
     


     <p>A server MAY send different <code>Content-Security-Policy</code>
    header field values with different <a data-link-type="dfn" href="#resource-representation">representations</a> of the same
    resource or with different resources.</p>
     


     <p>Upon receiving an HTTP response containing at least one
    <code>Content-Security-Policy</code> header field, the user agent
    MUST <a data-link-type="dfn" href="#enforce">enforce</a> each of the policies contained in each such
    header field.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="3.2" id="content-security-policy-report-only-header-field"><span class="secno">3.2. </span><span class="content">
      <code>Content-Security-Policy-Report-Only</code> Header Field
    </span><a class="self-link" href="#content-security-policy-report-only-header-field"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-export="" id="content_security_policy_report_only">Content-Security-Policy-Report-Only<a class="self-link" href="#content_security_policy_report_only"></a></dfn></code>
    header field lets servers experiment with policies by monitoring (rather
    than enforcing) a policy. The grammar is as follows:</p>
     

    
     <pre>"Content-Security-Policy-Report-Only:" 1#<a data-link-type="dfn" href="#policy_token">policy-token</a>
</pre>
     


     <p>For example, server operators might wish to develop their
    security policy iteratively. The operators can deploy a report-only
    policy based on their best estimate of how their site behaves:</p>
     

    
     <div class="example" id="example-77886cbd"><a class="self-link" href="#example-77886cbd"></a>
      
      <pre>Content-Security-Policy-Report-Only: <a data-link-type="dfn" href="#script_src">script-src</a> 'self';
                                     <a data-link-type="dfn" href="#report_uri">report-uri</a> /csp-report-endpoint/
</pre>
      
    
     </div>
     


     <p>If their site violates this policy the user agent will <a data-link-type="dfn" href="#send-violation-reports">send violation
    reports</a> to the URL specified in the policy’s <a data-link-type="dfn" href="#report_uri">report-uri</a>
    directive, but allow the violating resources to load regardless. Once a site
    has confidence that the policy is appropriate, they can start enforcing the
    policy using the <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code> header field.</p>
     


     <p>A server MUST NOT send more than one HTTP header field named
    <code>Content-Security-Policy-Report-Only</code> with a given
    <a data-link-type="dfn" href="#resource-representation">resource representation</a>.</p>
     


     <p>A server MAY send different
    <code>Content-Security-Policy-Report-Only</code> header field values
    with different <a data-link-type="dfn" href="#resource-representation">representations</a> of the same resource or with different
    resources.</p>
     


     <p>Upon receiving an HTTP response containing at least one
    <code>Content-Security-Policy-Report-Only</code> header field, the
    user agent MUST <a data-link-type="dfn" href="#monitor">monitor</a> each of the policies
    contained in each such header field.</p>
     


     <p class="note" role="note">Note: The <code><a data-link-type="dfn" href="#content_security_policy_report_only">Content-Security-Policy-Report-Only</a></code>
    header is <em>not</em> supported inside a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="3.3" id="delivery-html-meta-element"><span class="secno">3.3. </span><span class="content">
      HTML <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> Element
    </span><a class="self-link" href="#delivery-html-meta-element"></a></h3>
     


     <p>The server MAY supply policy via one or more HTML <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements
    with <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv">http-equiv</a></code> attributes that are an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
    match</a> for the string "<code>Content-Security-Policy</code>". For
    example:</p>
     

    
     <pre class="example" id="example-ff79af85"><a class="self-link" href="#example-ff79af85"></a>&lt;meta http-equiv="Content-Security-Policy" content="<a data-link-type="dfn" href="#script_src">script-src</a> 'self'">
</pre>
     


     <p>Add the following entry to the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/document-metadata.html#pragma-directives">pragma directives</a> for the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code>
    element:</p>
     

    
     <dl>
      
      <dt>
        Content security policy
        (<code>http-equiv="content-security-policy"</code>)
      
      
      
      <dd>
        
       <ol>
          
        <li>If the Document’s <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-head-element">head</a></code> element is not an ancestor of the
          <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element, abort these steps.
        

          
        <li>If the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element lacks a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-meta-content">content</a></code> attribute, abort
          these steps.
        

          
        <li>Let <var>policy</var> be the value of the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-meta-content">content</a></code>
          attribute of the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.
        

          
        <li>Let <var>directive-set</var> be the result of
          <a data-link-type="dfn" href="#parse-the-policy">parsing <var>policy</var></a>.
        

          
        <li>
            Remove all occurrences of <code><a data-link-type="dfn" href="#report_uri">report-uri</a></code>,
            <code><a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a></code>, and <code><a data-link-type="dfn" href="#sandbox">sandbox</a></code>
            directives from <var>directive-set</var>.


         <p class="note" role="note">Note: User agents are encouraged to issue a warning to developers
            if one or more of these directives are included in a policy
            delivered via <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code>.</p>
         
          
        

          
        <li>Enforce each of the <a data-link-type="dfn" href="#security-policy-directive">directives</a> in <var>directive-set</var>,
          as <a href="#directives">defined for each directive type</a>.
        
        
       </ol>
       
      
      
    
     </dl>
     


     <p>Authors are <em>strongly encouraged</em> to place <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements as early
    in the document as possible, because policies in <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements are not
    applied to content which precedes them. In particular, note that resources
    fetched or prefetched using the <code>Link</code> HTTP response header
    field, and resources fetched or prefetched using <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code> and <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code>
    elements which precede a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code>-delivered policy will not be blocked.</p>
     


     <p class="note" role="note">Note: A <a data-link-type="dfn" href="#security-policy">policy</a> specified via a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element will be enforced
    along with any other policies active for the protected resource, regardless
    of where they’re specified. The general impact of enforcing multiple
    policies is described in <a href="#enforcing-multiple-policies">§3.4 Enforcing multiple policies.</a>.</p>
     


     <p class="note" role="note">Note: Modifications to the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-meta-content">content</a></code> attribute of a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element
    after the element has been parsed will be ignored.</p>
     


     <p class="note" role="note">Note: The <code><a data-link-type="dfn" href="#content_security_policy_report_only">Content-Security-Policy-Report-Only</a></code>
    header is <em>not</em> supported inside a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="3.4" id="enforcing-multiple-policies"><span class="secno">3.4. </span><span class="content">Enforcing multiple policies.</span><a class="self-link" href="#enforcing-multiple-policies"></a></h3>
     


     <p><em>This section is not normative.</em></p>
     


     <p>The above sections note that when multiple policies are present,
    each must be enforced or reported, according to its type. An example
    will help clarify how that ought to work in practice. The behavior of
    an <code>XMLHttpRequest</code> might seem unclear given a site
    that, for whatever reason, delivered the following HTTP headers:</p>
     

    
     <pre class="example" id="example-53073245"><a class="self-link" href="#example-53073245"></a>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self' http://example.com http://example.net;
                         <a data-link-type="dfn" href="#connect_src">connect-src</a> 'none';
Content-Security-Policy: <a data-link-type="dfn" href="#connect_src">connect-src</a> http://example.com/;
                         <a data-link-type="dfn" href="#script_src">script-src</a> http://example.com/
</pre>
     


     <p>Is a connection to <code>example.com</code> allowed or not? The
    short answer is that the connection is not allowed. Enforcing both
    policies means that a potential connection would have to pass through
    both unscathed. Even though the second policy would allow this
    connection, the first policy contains <code><a data-link-type="dfn" href="#connect_src">connect-src</a>
    'none'</code>, so its enforcement blocks the connection. The impact is
    that adding additional policies to the list of policies to enforce can
    only further restrict the capabilities of the protected resource.</p>
     


     <p>To demonstrate that further, consider a script tag on this page.
    The first policy would lock scripts down to <code>'self'</code>,
    <code>http://example.com</code> and <code>http://example.net</code>
    via the <code><a data-link-type="dfn" href="#default_src">default-src</a></code> directive. The second, however,
    would only allow script from <code>http://example.com/</code>. Script
    will only load if it meets both policy’s criteria: in this case, the only
    origin that can match is <code>http://example.com</code>, as both
    policies allow it.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="3.5" id="which-policy-applies"><span class="secno">3.5. </span><span class="content">Policy applicability</span><a class="self-link" href="#which-policy-applies"></a></h3>
     


     <p><em>This section is not normative.</em></p>
     


     <p>Policies are associated with an <a data-link-type="dfn" href="#protected-resource">protected resource</a>, and
    <a data-link-type="dfn" href="#enforce">enforced</a> or <a data-link-type="dfn" href="#monitor">monitored</a> for that resource.
    If a resource does not create a new execution context (for example, when
    including a script, image, or stylesheet into a document), then any policies
    delivered with that resource are discarded without effect. Its execution is
    subject to the policy or policies of the including context. The following
    table outlines examples of these relationships:</p>
     

    
     <table>
      
      <thead>
        
       <tr>
          
        <th colspan="2">Resource Type
        
          
        <th>What <a data-link-type="dfn" href="#security-policy">policy</a> applies?
        
        
       
      
      
      
      <tbody>
        
       <tr class="section">
          
        <th rowspan="2">Top-level Contexts
        

          
        <td>HTML as a new, top-level browsing context
        
          
        <td>The policy delivered with the resource
        
        
       
        
       <tr>
          
        <td>SVG, as a top-level document
        
          
        <td>Policy delivered with the resource
        
        
       

        
       <tr class="section">
          
        <th rowspan="3">Embedded Contexts
        

          
        <td>
            Any resource included via <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, or <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>
          
        
          
        <td>
            The policy of the embedding resource controls <em>what</em> may be
            embedded. The embedded resource, however, is controlled by the
            policy delivered with the resource, or the policy of the embedding
            resource if the embedded resource is a <a data-link-type="dfn" href="#globally-unique-identifier">globally unique
            identifier</a> (or a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-srcdoc">srcdoc</a></code> frame).
          
        
        
       
        
       <tr>
          
        <td>SVG, as an embedded document
        
          
        <td>
            The policy delivered with the resource, or policy of the creating
            context if created from a <a data-link-type="dfn" href="#globally-unique-identifier">globally unique identifier</a>.
          
        
        
       
        
       <tr>
          
        <td>
            JavaScript, as a Worker, Shared Worker or Service Worker
          
        
          
        <td>
            The policy delivered with the resource, or policy of the creating
            context if created from a <a data-link-type="dfn" href="#globally-unique-identifier">globally unique identifier</a>
          
        
        
       

        
       <tr class="section">
          
        <th rowspan="7">Subresources
        

          
        <td>SVG, inlined via <code><a data-link-type="element" href="http://www.w3.org/TR/SVG2/struct.html#SVGElement">svg</a></code>
        
          
        <td>Policy of the including context
        
        
       
        
       <tr>
          
        <td>SVG, as a resource document
        
          
        <td>Policy of the including context
        
        
       
        
       <tr>
          
        <td>HTML via XMLHttpRequest
        
          
        <td>Policy of the context that performed the fetch
        
        
       
        
       <tr>
          
        <td>Image via <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-img-element">img</a></code> element
        
          
        <td>Policy of the including context
        
        
       
        
       <tr>
          
        <td>JavaScript via a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element
        
          
        <td>Policy of the including context
        
        
       
        
       <tr>
          
        <td>SVG, via <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-img-element">img</a></code>
        
          
        <td>No policy; should be just as safe as JPG
        
        
       
        
       <tr>
          
        <td>SVG, as a WebFont
        
          
        <td>No policy; should be just as safe as WOFF
        
        
       
      
      
    
     </table>
     
  
    </section>
</section>



   <section>
  
    <h2 class="heading settled" data-level="4" id="syntax-and-algorithms"><span class="secno">4. </span><span class="content">Syntax and Algorithms</span><a class="self-link" href="#syntax-and-algorithms"></a></h2>
  
    <section>
    
     <h3 class="heading settled" data-level="4.1" id="policy-syntax"><span class="secno">4.1. </span><span class="content">Policy Syntax</span><a class="self-link" href="#policy-syntax"></a></h3>
     


     <p>A Content Security Policy consists of a U+003B SEMICOLON
    (<code>;</code>) delimited list of directives. Each <a data-link-type="dfn" href="#security-policy-directive">directive</a>
    consists of a <a data-link-type="dfn" href="#security-policy-directive-name">directive name</a> and (optionally) a
    <a data-link-type="dfn" href="#security-policy-directive-value">directive value</a>, defined by the following ABNF:</p>
     

    
     <pre><dfn data-dfn-type="dfn" data-noexport="" id="policy_token">policy-token<a class="self-link" href="#policy_token"></a></dfn>    = [ <a data-link-type="dfn" href="#directive_token">directive-token</a> *( ";" [ <a data-link-type="dfn" href="#directive_token">directive-token</a> ] ) ]
<dfn data-dfn-type="dfn" data-noexport="" id="directive_token">directive-token<a class="self-link" href="#directive_token"></a></dfn> = *WSP [ <a data-link-type="dfn" href="#directive_name">directive-name</a> [ WSP <a data-link-type="dfn" href="#directive_value">directive-value</a> ] ]
<dfn data-dfn-type="dfn" data-noexport="" id="directive_name">directive-name<a class="self-link" href="#directive_name"></a></dfn>  = 1*( ALPHA / DIGIT / "-" )
<dfn data-dfn-type="dfn" data-noexport="" id="directive_value">directive-value<a class="self-link" href="#directive_value"></a></dfn> = *( WSP / &lt;VCHAR except ";" and ","> )
</pre>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.1.1" id="policy-parsing"><span class="secno">4.1.1. </span><span class="content">Parsing Policies</span><a class="self-link" href="#policy-parsing"></a></h4>
      


      <p>To <dfn data-dfn-type="dfn" data-noexport="" id="parse-the-policy">parse the policy<a class="self-link" href="#parse-the-policy"></a></dfn> <var>policy</var>, the user agent MUST
      use an algorithm equivalent to the following:</p>
      

      
      <ol>
        
       <li>Let the <var>set of directives</var> be the empty set.
       

        
       <li>For each non-empty token returned by
        <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#strictly-split-a-string">strictly splitting</a>
        the string <var>policy</var> on the character U+003B SEMICOLON
        (<code>;</code>):
          
        <ol>
            
         <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#skip-whitespace">Skip whitespace</a>.
         

            
         <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#collect-a-sequence-of-characters">Collect a sequence of characters</a> that are
            not <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#space-character">space characters</a>. The collected characters
            are the <var>directive name</var>.
         

            
         <li>If there are characters remaining in <var>token</var>,
            skip ahead exactly one character (which must be a
            <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#space-character">space character</a>).
         

            
         <li>The remaining characters in <var>token</var> (if any) are
            the <var>directive value</var>.
         

            
         <li>If the <var>set of directives</var> already contains a
            directive whose name is a case insensitive match for
            <var>directive name</var>, ignore this instance of the directive
            and continue to the next token.
         

            
         <li>Add a <var>directive</var> to the <var>set of
            directives</var> with name <var>directive name</var> and value
            <var>directive value</var>.
         
          
        </ol>
        
        
       

        
       <li>Return the <var>set of directives</var>.
      
      </ol>
      
    
     </section>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="4.2" id="source-list-syntax"><span class="secno">4.2. </span><span class="content">Source List Syntax</span><a class="self-link" href="#source-list-syntax"></a></h3>
     


     <p>Many CSP directives use a value consisting of a <dfn data-dfn-type="dfn" data-noexport="" id="source-list">source
    list<a class="self-link" href="#source-list"></a></dfn>, defined in the ABNF grammar below.</p>
     


     <p>Each <dfn data-dfn-type="dfn" data-noexport="" id="source-expression">source expression<a class="self-link" href="#source-expression"></a></dfn> in the source list represents a
    location from which content of the specified type can be retrieved.
    For example, the source expression <code>'none'</code> represents
    the empty set of URLs, and the source expression
    <code>'unsafe-inline'</code> represents content supplied inline in the
    resource itself.</p>
     

    
     <pre><dfn data-dfn-type="dfn" data-noexport="" id="source_list">source-list<a class="self-link" href="#source_list"></a></dfn>       = *WSP [ <a data-link-type="dfn" href="#source_expression">source-expression</a> *( 1*WSP <a data-link-type="dfn" href="#source_expression">source-expression</a> ) *WSP ]
                  / *WSP "'none'" *WSP
<dfn data-dfn-type="dfn" data-noexport="" id="source_expression">source-expression<a class="self-link" href="#source_expression"></a></dfn> = <a data-link-type="dfn" href="#scheme_source">scheme-source</a> / <a data-link-type="dfn" href="#host_source">host-source</a> / <a data-link-type="dfn" href="#keyword_source">keyword-source</a> / <a data-link-type="dfn" href="#nonce_source">nonce-source</a> / <a data-link-type="dfn" href="#hash_source">hash-source</a>
<dfn data-dfn-type="dfn" data-noexport="" id="scheme_source">scheme-source<a class="self-link" href="#scheme_source"></a></dfn>     = <a data-link-type="dfn" href="#scheme_part">scheme-part</a> ":"
<dfn data-dfn-type="dfn" data-noexport="" id="host_source">host-source<a class="self-link" href="#host_source"></a></dfn>       = [ <a data-link-type="dfn" href="#scheme_part">scheme-part</a> "://" ] <a data-link-type="dfn" href="#host_part">host-part</a> [ <a data-link-type="dfn" href="#port_part">port-part</a> ] [ <a data-link-type="dfn" href="#path_part">path-part</a> ]
<dfn data-dfn-type="dfn" data-noexport="" id="keyword_source">keyword-source<a class="self-link" href="#keyword_source"></a></dfn>    = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
<dfn data-dfn-type="dfn" data-noexport="" id="base64_value">base64-value<a class="self-link" href="#base64_value"></a></dfn>      = 1*( ALPHA / DIGIT / "+" / "/" )*2( "=" )
<dfn data-dfn-type="dfn" data-noexport="" id="nonce_value">nonce-value<a class="self-link" href="#nonce_value"></a></dfn>       = <a data-link-type="dfn" href="#base64_value">base64-value</a>
<dfn data-dfn-type="dfn" data-noexport="" id="hash_value">hash-value<a class="self-link" href="#hash_value"></a></dfn>        = <a data-link-type="dfn" href="#base64_value">base64-value</a>
<dfn data-dfn-type="dfn" data-noexport="" id="nonce_source">nonce-source<a class="self-link" href="#nonce_source"></a></dfn>      = "'nonce-" <a data-link-type="dfn" href="#nonce_value">nonce-value</a> "'"
<dfn data-dfn-type="dfn" data-noexport="" id="hash_algo">hash-algo<a class="self-link" href="#hash_algo"></a></dfn>         = "sha256" / "sha384" / "sha512"
<dfn data-dfn-type="dfn" data-noexport="" id="hash_source">hash-source<a class="self-link" href="#hash_source"></a></dfn>       = "'" <a data-link-type="dfn" href="#hash_algo">hash-algo</a> "-" <a data-link-type="dfn" href="#hash_value">hash-value</a> "'"
<dfn data-dfn-type="dfn" data-noexport="" id="scheme_part">scheme-part<a class="self-link" href="#scheme_part"></a></dfn>       = &lt;scheme production from <a href="https://tools.ietf.org/html/rfc3986#section-3.1">RFC 3986, section 3.1</a>>
<dfn data-dfn-type="dfn" data-noexport="" id="host_part">host-part<a class="self-link" href="#host_part"></a></dfn>         = "*" / [ "*." ] 1*<a data-link-type="dfn" href="#host_char">host-char</a> *( "." 1*<a data-link-type="dfn" href="#host_char">host-char</a> )
<dfn data-dfn-type="dfn" data-noexport="" id="host_char">host-char<a class="self-link" href="#host_char"></a></dfn>         = ALPHA / DIGIT / "-"
<dfn data-dfn-type="dfn" data-noexport="" id="path_part">path-part<a class="self-link" href="#path_part"></a></dfn>         = &lt;path production from <a href="https://tools.ietf.org/html/rfc3986#section-3.3">RFC 3986, section 3.3</a>>
<dfn data-dfn-type="dfn" data-noexport="" id="port_part">port-part<a class="self-link" href="#port_part"></a></dfn>         = ":" ( 1*DIGIT / "*" )
</pre>
     


     <p>If the policy contains a <code><a data-link-type="dfn" href="#nonce_source">nonce-source</a></code> expression, the
    server MUST generate a fresh value for the <code><a data-link-type="dfn" href="#nonce_value">nonce-value</a></code>
    directive at random and independently each time it transmits a policy.
    The generated value SHOULD be at least 128 bits long (before encoding),
    and generated via a cryptographically secure random number generator.
    This requirement ensures that the <code><a data-link-type="dfn" href="#nonce_value">nonce-value</a></code> is
    difficult for an attacker to predict.</p>
     


     <p class="note" role="note">Note: Using a nonce to whitelist inline script or style is less secure than
    not using a nonce, as nonces override the restrictions in the directive in
    which they are present. An attacker who can gain access to the nonce can
    execute whatever script they like, whenever they like. That said, nonces
    provide a substantial improvement over <code>'unsafe-inline'</code> when
    layering a content security policy on top of old code. When considering
    <code>'unsafe-inline'</code>, authors are encouraged to consider nonces (or
    hashes) instead.</p>
     


     <p>The <code><a data-link-type="dfn" href="#host_char">host-char</a></code> production intentionally contains only
    ASCII characters; internationalized domain names cannot be entered
    directly into a policy string, but instead MUST be Punycode-encoded
    <a data-link-type="biblio" href="#biblio-rfc3492">[RFC3492]</a>. For example, the domain <code>üüüüüü.de</code> would be
    encoded as <code>xn--tdaaaaaa.de</code>.</p>
     


     <p class="note" role="note">NOTE: Though IP addresses do match the grammar above, only
    <code>127.0.0.1</code> will actually match a URL when used in a source
    expression (see <a href="#match-source-expression">§4.2.2 Matching Source Expressions</a> for details). The security
    properties of IP addresses are suspect, and authors ought to prefer
    hostnames to IP addresses whenever possible.</p>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.2.1" id="source-list-parsing"><span class="secno">4.2.1. </span><span class="content">Parsing Source Lists</span><a class="self-link" href="#source-list-parsing"></a></h4>
      


      <p>To <dfn data-dfn-type="dfn" data-noexport="" id="parse-a-source-list">parse a source list<a class="self-link" href="#parse-a-source-list"></a></dfn>
      <var>source list</var>, the user agent MUST use an algorithm
      equivalent to the following:</p>
      

      
      <ol>
        
       <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">Strip leading and trailing whitespace</a> from
        <var>source list</var>.
       

        
       <li>If <var>source list</var> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a>
        for the string <code>'none'</code> (including the quotation
        marks), return the empty set.
       

        
       <li>Let <var>set of source expressions</var> be the empty
        set.
       

        
       <li>For each token returned by
        <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">splitting <var>source
        list</var> on spaces</a>, if the token matches the grammar for
        <code><a data-link-type="dfn" href="#source_expression">source-expression</a></code>, add the token to the <var>set
        of source expressions</var>.
       

        
       <li>Return the <var>set of source expressions</var>.
       
      
      </ol>
      


      <p class="note" role="note">Note: Characters like U+003B SEMICOLON (<code>;</code>) and
      U+002C COMMA (<code>,</code>) cannot appear in source expressions
      directly: if you’d like to include these characters in a source
      expression, they must be <a data-link-type="dfn" href="http://www.w3.org/TR/url/#percent-encode">percent
      encoded</a> as <code>%3B</code> and <code>%2C</code> respectively.</p>
      
    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.2.2" id="match-source-expression"><span class="secno">4.2.2. </span><span class="content">Matching Source Expressions</span><a class="self-link" href="#match-source-expression"></a></h4>
      


      <p>A URL <var>url</var> is said to <dfn data-dfn-type="dfn" data-noexport="" id="match-a-source-expression">match a source expression<a class="self-link" href="#match-a-source-expression"></a></dfn> for
      a <var>protected resource</var> if the following algorithm returns
      <em>does match</em>:</p>
      

      
      <ol>
        
       <li>
          Let <var>url</var> be the result of processing the URL through the
          <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-parser">URL parser</a>.
        
       

        
       <li>
          If the source expression a consists of a single U+002A ASTERISK
          character (<code>*</code>), and <var>url</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-scheme">scheme</a> is not
          one of <code>blob</code>, <code>data</code>, <code>filesystem</code>,
          then return <em>does match</em>.
        
       

        
       <li>
          If the source expression matches the grammar for
          <code><a data-link-type="dfn" href="#scheme_source">scheme-source</a></code>:

          
        <ol>
            
         <li>
              If <var>url</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-scheme">scheme</a> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
              match</a> for the source expression’s
              <code><a data-link-type="dfn" href="#scheme_part">scheme-part</a></code>, return <em>does match</em>.
            
         

            
         <li>
              Otherwise, return <em>does not match</em>.
            
         
          
        </ol>
        
        
       
        
       <li>
          If the source expression matches the grammar for
          <code><a data-link-type="dfn" href="#host_source">host-source</a></code>:

          
        <ol>
            
         <li>
              If <var>url</var>’s <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-host">host</a> is <code>null</code>,
              return <em>does not match</em>.
            
         
            
         <li>
              Let <var>url-scheme</var>, <var>url-host</var>, and
              <var>url-port</var> be the <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-scheme">scheme</a>, <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-host">host</a>, and
              <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-port">port</a> of <var>url</var>’s origin, respectively.


          <p class="note" role="note">Note: If <var>url</var> doesn’t specify a port, then its origin’s
              port will be the <a data-link-type="dfn" href="http://www.w3.org/TR/url/#default-port">default port</a> for <var>url</var>’s
              <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-scheme">scheme</a>.</p>
          
            
         
            
         <li>
              Let <var>url-path-list</var> be the <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-path">path</a> of <var>url</var>.
            
         
            
         <li>
              If the source expression has a <code><a data-link-type="dfn" href="#scheme_part">scheme-part</a></code>
              that is not a case insensitive match for <var>url-scheme</var>,
              then return <em>does not match</em>.
            
         
            
         <li>
              If the source expression does <strong>not</strong> have a
              scheme, return <em>does not match</em> if any of the following
              are true:

              
          <ol>
                
           <li>
                  the scheme of the protected resource’s URL is a case
                  insensitive match for <code>HTTP</code>, and
                  <var>url-scheme</var> is <strong>not</strong> a case
                  insensitive match for either <code>HTTP</code> or
                  <code>HTTPS</code>
                
           
                
           <li>
                  the scheme of the protected resource’s URL is
                  <strong>not</strong> a case insensitive match for
                  <code>HTTP</code>, and <var>url-scheme</var> is
                  <strong>not</strong> a case insensitive match
                  for the scheme of the protected resource’s URL.
                
           
              
          </ol>
          
            
         
            
         <li>
              If the first character of the source expression’s
              <code><a data-link-type="dfn" href="#host_part">host-part</a></code> is an U+002A ASTERISK character
              (<code>*</code>) and the remaining characters, including the
              leading U+002E FULL STOP character (<code>.</code>), are not a
              case insensitive match for the rightmost characters of
              <var>url-host</var>, then return <em>does not match</em>.
            
         

            
         <li>
              If the first character of the source expression’s
              <code><a data-link-type="dfn" href="#host_part">host-part</a></code> is <em>not</em> an U+002A ASTERISK
              character (<code>*</code>) and <var>url-host</var> is not a
              case insensitive match for the source expression’s
              <code><a data-link-type="dfn" href="#host_part">host-part</a></code>, then return <em>does not
              match</em>.
            
         

            
         <li>
              If the source expression’s <code><a data-link-type="dfn" href="#host_part">host-part</a></code> matches
              the <code><a data-link-type="dfn" href="https://tools.ietf.org/html/rfc3986#section-3.2.2">IPv4address</a></code> production from <a data-link-type="biblio" href="#biblio-rfc3986">[RFC3986]</a>,
              and is not <code>127.0.0.1</code>, or is an <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-ipv6">IPv6 address</a>,
              return <em>does not match</em>.


          <p class="note" role="note">Note: A future version of this specification may allow literal
              IPv6 and IPv4 addresses, depending on usage and demand. Given the
              weak security properties of IP addresses in relation to named
              hosts, however, authors are encouraged to prefer the latter
              whenever possible.</p>
          
            
         

            
         <li>
              If the source expression does <strong>not</strong> contain
              a <code>port-part</code> and <var>url-port</var> is not the
              <a data-link-type="dfn" href="http://www.w3.org/TR/url/#default-port">default port</a> for <var>url-scheme</var>, then return
              <em>does not match</em>.
            
         

            
         <li>
              If the source expression does contain a <code>port-part</code>,
              then return <em>does not match</em> if both of the following
              are true:

              
          <ol>
                
           <li>
                  <code><a data-link-type="dfn" href="#port_part">port-part</a></code> does <strong>not</strong>
                  contain an U+002A ASTERISK character (<code>*</code>)
                
           
                
           <li>
                  <code><a data-link-type="dfn" href="#port_part">port-part</a></code> does <strong>not</strong>
                  represent the same number as <var>url-port</var>
                
           
              
          </ol>
          
            
         

            
         <li>
              If the source expression contains a non-empty
              <code><a data-link-type="dfn" href="#path_part">path-part</a></code>, and the URL is <em>not</em> the
              result of a redirect, then:

              
          <ol>
                
           <li>
                  Let <var>exact-match</var> be <code>true</code> if the final
                  character of <var>path-part</var> is not the U+002F SOLIDUS
                  character (<code>/</code>), and <code>false</code> otherwise.
                
           

                
           <li>
                  Let <var>source-expression-path-list</var> be the result of
                  splitting <var>path-part</var> on the U+002F SOLIDUS character
                  (<code>/</code>).
                
           

                
           <li>
                  If <var>source-expression-path-list</var>’s length is greater
                  than <var>url-path-list</var>’s length, return <em>does not
                  match</em>.
                
           

                
           <li>
                  For each <var>entry</var> in
                  <var>source-expression-path-list</var>:

                  
            <ol>
                    
             <li>
                      <a data-link-type="dfn" href="http://www.w3.org/TR/url/#percent-decode">Percent decode</a> <var>entry</var>.
                    
             
                    
             <li>
                      <a data-link-type="dfn" href="http://www.w3.org/TR/url/#percent-decode">Percent decode</a> the first item in
                      <var>url-path-list</var>.
                    
             
                    
             <li>
                      If <var>entry</var> is not an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
                      match</a> for the first item in <var>url-path-list</var>,
                      return <em>does not match</em>.
                    
             
                    
             <li>
                      Pop the first item in <var>url-path-list</var> off the
                      list.
                    
             
                  
            </ol>
            
                
           

                
           <li>
                  If <var>exact-match</var> is <code>true</code>, and
                  <var>url-path-list</var> is not empty, return <em>does not
                  match</em>.
                
           
              
          </ol>
          
            
         

            
         <li>
              Otherwise, return <em>does match</em>.
            
         
          
        </ol>
        
        
       

        
       <li>
          If the source expression is a case insensitive match for
          <code>'self'</code> (including the quotation marks), then:

          
        <ol>
            
         <li>
              Return <em>does match</em> if <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-origin">the
              origin of <var>url</var></a> matches
              <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-origin">the origin of <var>protected
              resource</var>’s URL</a>.


          <p class="note" role="note">Note: This includes IP addresses. That is, a document at
              <code>https://111.111.111.111/</code> with a <a data-link-type="dfn" href="#security-policy">policy</a> of
              <code>img-src 'self'</code> can load the image
              <code>https://111.111.111.111/image.png</code>, as the origins
              match.</p>
          
            
         
          
        </ol>
        
        
       

        
       <li>
          Otherwise, return <em>does not match</em>.
        
       
      
      </ol>
      


      <p class="note" role="note">Note: This algorithm treats the URLs <code>https://example.com/</code>
      and <code>https://example.com./</code> as <em>non-matching</em>. This
      is consistent with browser behavior which treats documents served from
      these URLs as existing in distinct origins.</p>
      


      <p>A URL <var>url</var> is said to <dfn data-dfn-type="dfn" data-noexport="" id="match-a-source-list">match a source list<a class="self-link" href="#match-a-source-list"></a></dfn> for
      <var>protected resource</var> if at least one source expression in the set
      of source expressions obtained by <a data-link-type="dfn" href="#parse-a-source-list">parsing the
      source list</a> <a data-link-type="dfn" href="#match-a-source-expression">matches <var>url</var>
      for <var>protected resource</var></a>.</p>
      


      <p class="note" role="note">Note: No URLs match an empty set of source expressions, such as the set
      obtained by parsing the source list <code>'none'</code>.</p>
      

      
      <section class="informative">
        
       <h5 class="heading settled" data-level="4.2.2.1" id="source-list-guid-matching"><span class="secno">4.2.2.1. </span><span class="content">
          Security Considerations for GUID URL schemes
        </span><a class="self-link" href="#source-list-guid-matching"></a></h5>
       


       <p><em>This section is not normative.</em></p>
       


       <p>As defined above, special URL schemes that refer to specific pieces of
        unique content, such as "data:", "blob:" and "filesystem:" are
        excluded from matching a policy of <code>*</code> and must be
        explicitly listed. Policy authors should note that the content of
        such URLs is often derived from a response body or execution in a
        Document context, which may be unsafe. Especially for the
        <code><a data-link-type="dfn" href="#default_src">default-src</a></code> and <code><a data-link-type="dfn" href="#script_src">script-src</a></code>
        directives, policy authors should be aware that allowing "data:" URLs
        is equivalent to <code>unsafe-inline</code> and allowing "blob:" or
        "filesystem:" URLs is equivalent to <code>unsafe-eval</code>.</p>
       
      
      </section>
      

      
      <section class="informative">
        
       <h5 class="heading settled" data-level="4.2.2.2" id="source-list-path-patching"><span class="secno">4.2.2.2. </span><span class="content">Path Matching</span><a class="self-link" href="#source-list-path-patching"></a></h5>
       


       <p><em>This section is not normative.</em></p>
       


       <p>The rules for matching source expressions that contain paths
        are simpler than they look: paths that end with the <code>'/'</code>
        character match all files in a directory and its subdirectories. Paths
        that do not end with the <code>'/'</code> character match only one
        specific file. A few examples should make this clear:</p>
       

        
       <ol>
          
        <li>The source expression <code>example.com</code> has no path,
          and therefore matches any file served from that host.
        

          
        <li>The source expression <code>example.com/scripts/</code>
          matches any file in the <code>scripts</code> directory of
          <code>example.com</code>, and any of its subdirectories. For
          example, both <code>https://example.com/scripts/file.js</code>
          and <code>https://example.com/scripts/js/file.js</code> would
          match.
        

          
        <li>The source expression
          <code>example.com/scripts/file.js</code> matches only the file
          named <code>file.js</code> in the <code>scripts</code> directory
          of <code>example.com</code>.
        

          
        <li>Likewise, the source expression <code>example.com/js</code>
          matches only the file named <code>js</code>. In particular, note
          that it would not match files inside a directory named
          <code>js</code>. Files like <code>example.com/js/file.js</code>
          would be matched only if the source expression ended with a
          trailing "/", as in <code>example.com/js/</code>.
        
        
       </ol>
       


       <p class="note" role="note">Note: Query strings have no impact on matching: the source
        expression <code>example.com/file</code> matches all of
        <code>https://example.com/file</code>,
        <code>https://example.com/file?key=value</code>,
        <code>https://example.com/file?key=notvalue</code>, and
        <code>https://example.com/file?notkey=notvalue</code>.</p>
       
      
      </section>
      
      
      <section class="informative">
        
       <h5 class="heading settled" data-level="4.2.2.3" id="source-list-paths-and-redirects"><span class="secno">4.2.2.3. </span><span class="content">Paths and Redirects</span><a class="self-link" href="#source-list-paths-and-redirects"></a></h5>
       


       <p>To avoid leaking path information cross-origin (as discussed
        in Egor Homakov’s
        <a href="http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html">Using Content-Security-Policy for Evil</a>),
        the matching algorithm ignores the path component of a source
        expression if the resource being loaded is the result of a
        redirect. For example, given a page with an active policy of
        <code><a data-link-type="dfn" href="#img_src">img-src</a> example.com not-example.com/path</code>:</p>
       

        
       <ul>
          
        <li>Directly loading <code>https://not-example.com/not-path</code>
          would fail, as it doesn’t match the policy.
        
          
        <li>Directly loading <code>https://example.com/redirector</code>
          would pass, as it matches <code>example.com</code>.
        
          
        <li>Assuming that <code>https://example.com/redirector</code>
          delivered a redirect response pointing to <code>https://not-example.com/not-path</code>,
          the load would succeed, as the initial URL matches <code>example.com</code>,
          and the redirect target matches <code>not-example.com/path</code>
          if we ignore its path component.
        
        
       </ul>
       


       <p>This restriction reduces the granularity of a document’s
        policy when redirects are in play, which isn’t wonderful, but
        given that we certainly don’t want to allow brute-forcing paths
        after redirects, it seems a reasonable compromise.</p>
       


       <p>The relatively long thread
        <a href="http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html">"Remove paths from CSP?"</a>
        from public-webappsec@w3.org has more detailed discussion around
        alternate proposals.</p>
       
      
      </section>
      
    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.2.3" id="script-src-the-nonce-attribute"><span class="secno">4.2.3. </span><span class="content">
        The <code>nonce</code> attribute
      </span><a class="self-link" href="#script-src-the-nonce-attribute"></a></h4>
      


      <p>Nonce sources require a new <code>nonce</code> attribute to be added to
      both <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> and <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> elements.</p>
      

      
      <pre class="idl">partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/html5/scripting-1.html#htmlscriptelement">HTMLScriptElement</a> {
  attribute DOMString <a class="idl-code" data-link-type="attribute" data-type="DOMString " href="#dom-htmlscriptelement-nonce">nonce</a>;
};
</pre>
      
      
      <dl>
        
       <dt><dfn class="idl-code" data-dfn-for="HTMLScriptElement" data-dfn-type="attribute" data-export="" id="dom-htmlscriptelement-nonce">nonce<a class="self-link" href="#dom-htmlscriptelement-nonce"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
       
        
       <dd>This attribute <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflects</a> the value of the
        element’s <code><dfn data-dfn-for="script" data-dfn-type="element-attr" data-export="" id="element-attrdef-script-nonce">nonce<a class="self-link" href="#element-attrdef-script-nonce"></a></dfn></code>
        content attribute.
       
      
      </dl>
      
      
      <pre class="idl">partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/html5/document-metadata.html#htmlstyleelement">HTMLStyleElement</a> {
  attribute DOMString <a class="idl-code" data-link-type="attribute" data-type="DOMString " href="#dom-htmlstyleelement-nonce">nonce</a>;
};
</pre>
      
      
      <dl>
        
       <dt><dfn class="idl-code" data-dfn-for="HTMLStyleElement" data-dfn-type="attribute" data-export="" id="dom-htmlstyleelement-nonce">nonce<a class="self-link" href="#dom-htmlstyleelement-nonce"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
       
        
       <dd>This attribute <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#reflect">reflects</a> the value of the
        element’s <code><dfn data-dfn-for="style" data-dfn-type="element-attr" data-export="" id="element-attrdef-style-nonce">nonce<a class="self-link" href="#element-attrdef-style-nonce"></a></dfn></code>
        content attribute.
       
      
      </dl>
      

    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.2.4" id="source-list-valid-nonces"><span class="secno">4.2.4. </span><span class="content">Valid Nonces</span><a class="self-link" href="#source-list-valid-nonces"></a></h4>
      


      <p>An element has a <dfn data-dfn-type="dfn" data-noexport="" id="valid-nonce">valid nonce<a class="self-link" href="#valid-nonce"></a></dfn> for a <var>set of source
      expressions</var> if the value of the element’s <code><a data-link-type="element-attr" href="#element-attrdef-script-nonce">nonce</a></code> attribute
      after <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">stripping leading
      and trailing whitespace</a> is a case-sensitive match for the
      <code><a data-link-type="dfn" href="#nonce_value">nonce-value</a></code> component of at least one
      <code><a data-link-type="dfn" href="#nonce_source">nonce-source</a></code> expression in <var>set of source
      expressions</var>.</p>
      
    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.2.5" id="source-list-valid-hashes"><span class="secno">4.2.5. </span><span class="content">Valid Hashes</span><a class="self-link" href="#source-list-valid-hashes"></a></h4>
      


      <p>An <dfn data-dfn-type="dfn" data-noexport="" id="elements-content">element’s content<a class="self-link" href="#elements-content"></a></dfn> is <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-block's-source">the script block’s
      source</a> for <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements, or the value of the element’s
      <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#dom-node-textcontent">textContent</a></code> IDL attribute for non-<code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements such as
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code>.</p>
      


      <p>The <dfn data-dfn-type="dfn" data-noexport="" id="digest-of-elements-content">digest of <var>element</var>’s content<a class="self-link" href="#digest-of-elements-content"></a></dfn> for is the result
      of applying an <var>algorithm</var> to the <a data-link-type="dfn" href="#elements-content">element’s content</a>.</p>
      


      <p>To determine whether <var>element</var> has a <dfn data-dfn-type="dfn" data-noexport="" id="valid-hash">valid hash<a class="self-link" href="#valid-hash"></a></dfn> for
      a <var>set of source expressions</var>, execute the following steps:</p>
      

      
      <ol>
        
       <li>Let <var>hashes</var> be a list of all
        <code><a data-link-type="dfn" href="#hash_source">hash-source</a></code> expressions in <var>set of source
        expressions</var>.
       

        
       <li>For each <var>hash</var> in <var>hashes</var>:
          
        <ol>
            
         <li>Let <var>algorithm</var> be:
              
          <ul>
                
           <li><a data-link-type="dfn" href="#sha_256">SHA-256</a> if the <code><a data-link-type="dfn" href="#hash_algo">hash-algo</a></code>
                component of <var>hash</var> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
                match</a> for the string "sha256"
           

                
           <li><a data-link-type="dfn" href="#sha_384">SHA-384</a> if the <code><a data-link-type="dfn" href="#hash_algo">hash-algo</a></code>
                component of <var>hash</var> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
                match</a> for the string "sha384"
           

                
           <li><a data-link-type="dfn" href="#sha_512">SHA-512</a> if the <code><a data-link-type="dfn" href="#hash_algo">hash-algo</a></code>
                component of <var>hash</var> is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
                match</a> for the string "sha512"
           
              
          </ul>
          
            
         

            
         <li>Let <var>expected</var> be the <code><a data-link-type="dfn" href="#hash_value">hash-value</a></code>
            component of <var>hash</var>.
         

            
         <li>Let <var>actual</var> be the
            <a href="https://tools.ietf.org/html/rfc4648#section-4">base64
            encoding</a> of the binary <a data-link-type="dfn" href="#digest-of-elements-content">digest of <var>element</var>’s
            content</a> using the <var>algorithm</var> algorithm.
         

            
         <li>If <var>actual</var> is a case-sensitive match for
            <var>expected</var>, return <strong>true</strong> and abort these
            steps.
         
          
        </ol>
        
        
       
        
       <li>Return <strong>false</strong>.
       
      
      </ol>
      


      <p class="note" role="note">Note: If an element has an invalid hash, it would be helpful
      if the user agent reported the failure to the author by adding
      a warning message containing the <var>actual</var> hash value.</p>
      
    
     </section>
     
  
    </section>
  
    <section>
    
     <h3 class="heading settled" data-level="4.3" id="media-type-list-syntax"><span class="secno">4.3. </span><span class="content">Media Type List Syntax</span><a class="self-link" href="#media-type-list-syntax"></a></h3>
     


     <p>The <code><a data-link-type="dfn" href="#plugin_types">plugin-types</a></code> directive uses a value consisting
    of a <dfn data-dfn-type="dfn" data-noexport="" id="media-type-list">media type list<a class="self-link" href="#media-type-list"></a></dfn>.</p>
     


     <p>Each <dfn data-dfn-type="dfn" data-noexport="" id="media-type">media type<a class="self-link" href="#media-type"></a></dfn> in the media type list represents a specific
    type of resource that can be retrieved and used to instantiate a
    <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a> in the protected resource.</p>
     

    
     <pre><dfn data-dfn-type="dfn" data-noexport="" id="media_type_list">media-type-list<a class="self-link" href="#media_type_list"></a></dfn>   = <a data-link-type="dfn" href="#media_type">media-type</a> *( 1*WSP <a data-link-type="dfn" href="#media_type">media-type</a> )
<dfn data-dfn-type="dfn" data-noexport="" id="media_type">media-type<a class="self-link" href="#media_type"></a></dfn>        = &lt;type from RFC 2045> "/" &lt;subtype from RFC 2045>
</pre>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.3.1" id="media-type-list-parsing"><span class="secno">4.3.1. </span><span class="content">Parsing</span><a class="self-link" href="#media-type-list-parsing"></a></h4>
      


      <p>To <dfn data-dfn-type="dfn" data-noexport="" id="parse-a-media-type-list">parse a media type list<a class="self-link" href="#parse-a-media-type-list"></a></dfn> <var>media type list</var>, the
      user agent MUST use an algorithm equivalent to the following:</p>
      

      
      <ol>
        
       <li>Let the <var>set of media types</var> be the empty set.
       

        
       <li>For each token returned by
        <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">splitting
        <var>media type list</var> on spaces</a>, if the token matches the
        grammar for <code><a data-link-type="dfn" href="#media_type">media-type</a></code>, add the token to the
        <var>set of media types</var>. Otherwise ignore the token.
       

        
       <li>Return the <var>set of media types</var>.
       
      
      </ol>
      
    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="4.3.2" id="media-type-list-matching"><span class="secno">4.3.2. </span><span class="content">Matching</span><a class="self-link" href="#media-type-list-matching"></a></h4>
      


      <p>A media type <dfn data-dfn-type="dfn" data-lt="match a media type list" data-noexport="" id="match-a-media-type-list">matches a media type
      list<a class="self-link" href="#match-a-media-type-list"></a></dfn> if, and only if, the media type is an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
      case-insensitive match</a> for at least one token in the set of media
      types obtained by <a data-link-type="dfn" href="#parse-a-media-type-list">parsing the media
      type list</a>.</p>
      
    
     </section>
     
  
    </section>
  
    <section>
    
     <h3 class="heading settled" data-level="4.4" id="violation-reports"><span class="secno">4.4. </span><span class="content">Reporting</span><a class="self-link" href="#violation-reports"></a></h3>
     


     <p>To <dfn data-dfn-type="dfn" data-lt="strip uri for reporting|stripped for reporting" data-noexport="" id="strip-uri-for-reporting">strip
    <var>uri</var> for reporting<a class="self-link" href="#strip-uri-for-reporting"></a></dfn>, the user agent MUST use an
    algorithm equivalent to the following:</p>
     

    
     <ol>
      
      <li>If the <a data-link-type="dfn" href="#origin">origin</a> of <var>uri</var> is a <a data-link-type="dfn" href="#globally-unique-identifier">globally unique
      identifier</a> (for example, <var>uri</var> has a scheme of
      <code>data</code>, <code>blob</code>, or <code>filesystem</code>), then
      abort these steps, and return the ASCII serialization of
      <var>uri</var>’s scheme.
      

      
      <li>If the <a data-link-type="dfn" href="#origin">origin</a> of <var>uri</var> is not the same as the
      <a data-link-type="dfn" href="#origin">origin</a> of the protected resource, then abort these steps, and
      return the
      <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#ascii-serialization-of-an-origin">ASCII
      serialization of <var>uri</var>’s origin</a>.
      

      
      <li>Return <var>uri</var>, with any <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#concept-url-fragment">fragment</a>
      component removed.
      
    
     </ol>
     


     <p>To <dfn data-dfn-type="dfn" data-lt="generate a violation report object|generating a violation report object" data-noexport="" id="generate-a-violation-report-object">generate a violation report object<a class="self-link" href="#generate-a-violation-report-object"></a></dfn>,
    the user agent MUST use an algorithm equivalent to the following:</p>
     

    
     <ol>
      
      <li>Prepare a JSON object <var>violation</var> with the
      following keys and values:

        
       <dl>
          
        <dt id="violation-report-blocked-uri"><a class="self-link" href="#violation-report-blocked-uri"></a>blocked-uri
        
          
        <dd>The originally requested URL of the resource that was
          prevented from loading, <a data-link-type="dfn" href="#strip-uri-for-reporting">stripped for reporting</a>,
          or the empty string if the resource has no URL (inline script and
          inline style, for example).
        

          
        <dt id="violation-report-document-uri"><a class="self-link" href="#violation-report-document-uri"></a>document-uri
        
          
        <dd>The <a data-link-type="dfn" href="http://www.w3.org/TR/html5/dom.html#the-document's-address">address</a>
          of the protected resource, <a data-link-type="dfn" href="#strip-uri-for-reporting">stripped for reporting</a>.
        

          
        <dt id="violation-report-effective-directive"><a class="self-link" href="#violation-report-effective-directive"></a>effective-directive
        
          
        <dd>The name of the policy directive that was violated. This will
          contain the <a data-link-type="dfn" href="#security-policy-directive">directive</a> whose enforcement triggered the
          violation (e.g. "<code><a data-link-type="dfn" href="#script_src">script-src</a></code>") even if that
          directive does not explicitly appear in the policy, but is
          implicitly activated via the <code><a data-link-type="dfn" href="#default_src">default-src</a></code>
          directive.
        

          
        <dt id="violation-report-original-policy"><a class="self-link" href="#violation-report-original-policy"></a>original-policy
        
          
        <dd>The original <a data-link-type="dfn" href="#security-policy">policy</a>, as received by the user agent.
        

          
        <dt id="violation-report-referrer"><a class="self-link" href="#violation-report-referrer"></a>referrer
        
          
        <dd>The <a class="idl-code" data-link-type="attribute" href="http://www.w3.org/TR/html5/dom.html#dom-document-referrer">referrer</a> attribute of the protected
          resource, or the empty string if the protected resource has no
          referrer.
        

          
        <dt id="violation-report-status-code"><a class="self-link" href="#violation-report-status-code"></a>status-code
        
          
        <dd>The <code>status-code</code> of the HTTP response that
          contained the protected resource, if the protected resource was
          obtained over HTTP. Otherwise, the number 0.
        

          
        <dt id="violation-report-violated-directive"><a class="self-link" href="#violation-report-violated-directive"></a>violated-directive
        
          
        <dd>The policy directive that was violated, as it appears in the
          policy. This will contain the <code><a data-link-type="dfn" href="#default_src">default-src</a></code> directive
          in the case of violations caused by falling back to the
          <a data-link-type="dfn" href="#default-sources">default sources</a> when enforcing
          a directive.
        
        
       </dl>
       
      
      

      
      <li>If a specific line or a specific file can be identified as the
      cause of the violation (for example, script execution that violates
      the <code><a data-link-type="dfn" href="#script_src">script-src</a></code> directive), the user agent MAY add the
      following keys and values to <var>violation</var>:

        
       <dl>
          
        <dt id="violation-report-source-file"><a class="self-link" href="#violation-report-source-file"></a><dfn data-dfn-type="dfn" data-noexport="" id="source_file">source-file<a class="self-link" href="#source_file"></a></dfn>
        
          
        <dd>The URL of the resource where the violation occurred,
          <a data-link-type="dfn" href="#strip-uri-for-reporting">stripped for reporting</a>.
        

          
        <dt id="violation-report-line-number"><a class="self-link" href="#violation-report-line-number"></a>line-number
        
          
        <dd>The line number in <code><a data-link-type="dfn" href="#source_file">source-file</a></code> on which
          the violation occurred.
        

          
        <dt id="violation-report-column-number"><a class="self-link" href="#violation-report-column-number"></a>column-number
        
          
        <dd>The column number in <code><a data-link-type="dfn" href="#source_file">source-file</a></code> on which
          the violation occurred.
        
        
       </dl>
       
      
      
      
      <li>Return <var>violation</var>.
      
    
     </ol>
     


     <p class="note" role="note">Note: <code>blocked-uri</code> will not contain the final location of a
    resource that was blocked after one or more redirects. It instead will
    contain only the location that the protected resource requested, before
    any redirects were followed.</p>
     


     <p>To <dfn data-dfn-type="dfn" data-noexport="" id="send-violation-reports">send violation reports<a class="self-link" href="#send-violation-reports"></a></dfn>, the user agent MUST use an
    algorithm equivalent to the following:</p>
     

    
     <ol>
      
      <li>Prepare a <a data-link-type="dfn" href="#json-object">JSON object</a> <var>report object</var> with a single
      key, <code>csp-report</code>, whose value is the result of <a data-link-type="dfn" href="#generate-a-violation-report-object">generating
      a violation report object</a>.
      

      
      <li>Let <var>report body</var> be the <a data-link-type="dfn" href="#json-stringification">JSON stringification</a> of
      <var>report object</var>.
      

      
      <li>For each <var>report URL</var> in the <a data-link-type="dfn" href="#set-of-report-urls">set of report URLs</a>:
        
       <ol>
          
        <li>If the user agent has already sent a violation report for
          the protected resource to <var>report URL</var>, and that report
          contained an entity body that exactly matches
          <var>report body</var>, the user agent MAY abort these
          steps and continue to the next <var>report URL</var>.
        

          
        <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetch</a>
          <var>report URL</var> from the origin of the protected resource,
          with the synchronous flag <em>not</em> set, using HTTP method
          <code>POST</code>, with a <code>Content-Type</code> header field
          of <code>application/csp-report</code>, and an entity body
          consisting of <var>report body</var>. If the origin of
          <var>report URL</var> is <strong>not</strong> the same as the
          origin of the protected resource, the block cookies flag MUST also
          be set. The user agent MUST NOT follow redirects when fetching this
          resource. (Note: The user agent ignores the fetched resource.)
          The <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#task-source">task source</a> for these
          <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#concept-task">tasks</a> is the <dfn data-dfn-type="dfn" data-noexport="" id="content-security-policy-task-source">Content Security Policy task
          source<a class="self-link" href="#content-security-policy-task-source"></a></dfn>.
        
        
       </ol>
       
      
      
    
     </ol>
     


     <p>To <dfn data-dfn-type="dfn" data-noexport="" id="report-a-violation">report a violation<a class="self-link" href="#report-a-violation"></a></dfn>, the user agent MUST:</p>
     

    
     <ol>
      
      <li><a data-link-type="dfn" href="#fire-a-violation-event">Fire a violation event</a> at the protected resource’s
      <code><a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code>.
      

      
      <li>If the <a data-link-type="dfn" href="#set-of-report-urls">set of report URLs</a> is non-empty, <a data-link-type="dfn" href="#send-violation-reports">send violation
      reports</a> to each.
      
    
     </ol>
     


     <p class="note" role="note">Note: This section of the specification should not be interpreted
    as limiting user agents' ability to apply restrictions to violation
    reports in order to limit data leakage above and beyond what these
    algorithms specify. For example, a user agent might offer users the
    option of disabling reporting entirely.</p>
     
  
    </section>
</section>


   <section>
  
    <h2 class="heading settled" data-level="5" id="processing-model"><span class="secno">5. </span><span class="content">Processing Model</span><a class="self-link" href="#processing-model"></a></h2>


    <p>To <dfn data-dfn-type="dfn" data-noexport="" id="enforce">enforce<a class="self-link" href="#enforce"></a></dfn> a policy, the user agent MUST <a data-link-type="dfn" href="#parse-the-policy">parse the policy</a>
  and enforce each of the directives contained in the policy, where the
  specific requirements for enforcing each directive are defined separately
  for each directive (See <a href="#directives">§7 Directives</a>, below).</p>


    <p>Generally speaking, enforcing a directive prevents the protected
  resource from performing certain actions, such as loading scripts from
  URLs other than those indicated in a source list. These restrictions
  make it more difficult for an attacker to abuse an injection
  vulnerability in the resource because the attacker will be unable to
  usurp the resource’s privileges that have been restricted in this
  way.</p>


    <p class="note" role="note">Note: User agents may allow users to modify or bypass policy enforcement
  through user preferences, bookmarklets, third-party additions to the user
  agent, and other such mechanisms.</p>


    <p>To <dfn data-dfn-type="dfn" data-noexport="" id="monitor">monitor<a class="self-link" href="#monitor"></a></dfn> a policy, the user agent MUST <a data-link-type="dfn" href="#parse-the-policy">parse the policy</a>
  and monitor each of the directives contained in the policy.</p>


    <p>Monitoring a directive does not prevent the protected resource from
  undertaking any actions. Instead, any actions that would have been
  prevented by the directives are allowed, but a violation report is
  <a data-link-type="dfn" href="#report-a-violation">generated and reported</a> to the
  developer of the web application. Monitoring a policy is useful for
  testing whether enforcing the policy will cause the web application to
  malfunction.</p>


    <p>A server MAY cause user agents to monitor one policy while enforcing
  another policy by returning both <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code>
  and <code><a data-link-type="dfn" href="#content_security_policy_report_only">Content-Security-Policy-Report-Only</a></code> header fields.
  For example, if a server operator may wish to <a data-link-type="dfn" href="#enforce">enforce</a> one policy but
  experiment with a stricter policy, she can monitor the stricter policy while
  enforcing the original policy. Once the server operator is satisfied that
  the stricter policy does not break the web application, the server operator
  can start enforcing the stricter policy.</p>


    <p>If the user agent monitors or enforces a policy that does not contain any
  directives, the user agent SHOULD report a warning message in the
  developer console.</p>


    <p>If the user agent <a data-link-type="dfn" href="#monitor">monitors</a> or <a data-link-type="dfn" href="#enforce">enforces</a> a policy that contains
  an unrecognized directive, the user agent SHOULD report a warning message
  in the developer console indicating the name of the unrecognized directive.</p>

  
    <section>
    
     <h3 class="heading settled" data-level="5.1" id="processing-model-workers"><span class="secno">5.1. </span><span class="content">Workers</span><a class="self-link" href="#processing-model-workers"></a></h3>
     


     <p>Whenever a user agent <a data-link-type="dfn" href="#runs-a-worker">runs a worker</a>:</p>
     

    
     <ul>
      
      <li>If the worker’s script’s origin is a <a data-link-type="dfn" href="#globally-unique-identifier">globally unique identifier</a>
      (for example, the worker’s script’s URL has a scheme of
      <code>data</code>, <code>blob</code>, or <code>filesystem</code>), then:
      
       <ul>
        
        <li>If the user agent is enforcing a CSP policy for the <var>owner
        document</var> or <var>parent worker</var>, the user agent MUST enforce
        the CSP policy for the worker.
        

        
        <li>If the user agent is monitoring a CSP policy for the <var>owner
        document</var> or <var>parent worker</var>, the user agent MUST monitor
        the CSP policy for the worker.
        
      
       </ul>
      
      
      <li>Otherwise:
        
       <ul>
          
        <li>If the worker’s script is delivered with a
          <code>Content-Security-Policy</code> HTTP header containing the
          value <var>policy</var>, the user agent MUST <a data-link-type="dfn" href="#enforce">enforce</a>
          <var>policy</var> for the worker.
        

          
        <li>If the worker’s script is delivered with a
          <code>Content-Security-Policy-Report-Only</code> HTTP header
          containing the value <var>policy</var>, the user agent MUST
          <a data-link-type="dfn" href="#monitor">monitor</a> <var>policy</var> for the worker.
        
        
       </ul>
       
      
      
    
     </ul>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="5.2" id="processing-model-iframe-srcdoc"><span class="secno">5.2. </span><span class="content"><code>srcdoc</code> IFrames</span><a class="self-link" href="#processing-model-iframe-srcdoc"></a></h3>
     


     <p>Whenever a user agent creates <a data-link-type="dfn" href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an <code>iframe</code>
    <code>srcdoc</code> document</a> in a browsing context nested in the
    protected resource, if the user agent is <a data-link-type="dfn" href="#enforce">enforcing</a> any <a data-link-type="dfn" href="#security-policy">policies</a>
    for the protected resource, the user agent MUST <a data-link-type="dfn" href="#enforce">enforce</a> those
    <a data-link-type="dfn" href="#security-policy">policies</a> on the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> <code>srcdoc</code> document as well.</p>
     


     <p>Whenever a user agent creates <a data-link-type="dfn" href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an <code>iframe</code>
    <code>srcdoc</code> document</a> in a browsing context nested in the
    protected resource, if the user agent is monitoring any policies for the
    protected resource, the user agent MUST <a data-link-type="dfn" href="#monitor">monitor</a> those policies on
    the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> <code>srcdoc</code> document as well.</p>
     
  
    </section>
</section>


   <section>
  
    <h2 class="heading settled" data-level="6" id="script-interfaces"><span class="secno">6. </span><span class="content">Script Interfaces</span><a class="self-link" href="#script-interfaces"></a></h2>

  
    <section>
    
     <h3 class="heading settled" data-level="6.1" id="securitypolicyviolationevent-interface"><span class="secno">6.1. </span><span class="content">
      <code>SecurityPolicyViolationEvent</code> Interface
    </span><a class="self-link" href="#securitypolicyviolationevent-interface"></a></h3>
     

    
     <pre class="idl">[<dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="constructor" data-export="" data-lt="SecurityPolicyViolationEvent(type, eventInitDict)" id="dom-securitypolicyviolationevent-securitypolicyviolationevent">Constructor<a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent"></a></dfn>(DOMString <dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent/SecurityPolicyViolationEvent(type, eventInitDict)" data-dfn-type="argument" data-export="" id="dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type<a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type"></a></dfn>, optional <a data-link-type="idl-name" href="#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> <dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent/SecurityPolicyViolationEvent(type, eventInitDict)" data-dfn-type="argument" data-export="" id="dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict<a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict"></a></dfn>)]
interface <dfn class="idl-code" data-dfn-type="interface" data-export="" id="securitypolicyviolationevent">SecurityPolicyViolationEvent<a class="self-link" href="#securitypolicyviolationevent"></a></dfn> : <a data-link-type="idl-name" href="http://www.w3.org/TR/dom/#event">Event</a> {
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-documenturi">documentURI</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-referrer">referrer</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-blockeduri">blockedURI</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-sourcefile">sourceFile</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-statuscode">statusCode</a>;
    readonly    attribute long      <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="long      " href="#dom-securitypolicyviolationevent-linenumber">lineNumber</a>;
    readonly    attribute long      <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="long      " href="#dom-securitypolicyviolationevent-columnnumber">columnNumber</a>;
};
</pre>
     
    
     <dl>
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-documenturi">documentURI<a class="self-link" href="#dom-securitypolicyviolationevent-documenturi"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-document-uri"><code>document-uri</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-referrer">referrer<a class="self-link" href="#dom-securitypolicyviolationevent-referrer"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-referrer"><code>referrer</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-blockeduri">blockedURI<a class="self-link" href="#dom-securitypolicyviolationevent-blockeduri"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-blocked-uri"><code>blocked-uri</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-violateddirective">violatedDirective<a class="self-link" href="#dom-securitypolicyviolationevent-violateddirective"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-violated-directive"><code>violated-directive</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-effectivedirective">effectiveDirective<a class="self-link" href="#dom-securitypolicyviolationevent-effectivedirective"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-effective-directive"><code>effective-directive</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-originalpolicy">originalPolicy<a class="self-link" href="#dom-securitypolicyviolationevent-originalpolicy"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-original-policy"><code>original-policy</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-statuscode">statusCode<a class="self-link" href="#dom-securitypolicyviolationevent-statuscode"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-status-code"><code>status-code</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-sourcefile">sourceFile<a class="self-link" href="#dom-securitypolicyviolationevent-sourcefile"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-source-file"><code>source-file</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-linenumber">lineNumber<a class="self-link" href="#dom-securitypolicyviolationevent-linenumber"></a></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-long">long</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-line-number"><code>line-number</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" id="dom-securitypolicyviolationevent-columnnumber">columnNumber<a class="self-link" href="#dom-securitypolicyviolationevent-columnnumber"></a></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-long">long</a>, readonly</span>
      
      
      <dd>Refer to the <a href="#violation-report-column-number"><code>column-number</code></a> property of violation reports for a description of this property.
      
    
     </dl>
     
  
    </section>
  
    <section>
    
     <h3 class="heading settled" data-level="6.2" id="securitypolicyviolationeventinit-interface"><span class="secno">6.2. </span><span class="content">
      <code>SecurityPolicyViolationEventInit</code> Interface
    </span><a class="self-link" href="#securitypolicyviolationeventinit-interface"></a></h3>
     

    
     <pre class="idl">dictionary <dfn class="idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit<a class="self-link" href="#dictdef-securitypolicyviolationeventinit"></a></dfn> : <a data-link-type="idl-name" href="http://www.w3.org/TR/dom/#eventinit">EventInit</a> {
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-documenturi">documentURI</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-referrer">referrer</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-blockeduri">blockedURI</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-violateddirective">violatedDirective</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-effectivedirective">effectiveDirective</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-originalpolicy">originalPolicy</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-sourcefile">sourceFile</a>;
    long      <a class="idl-code" data-link-type="dict-member" data-type="long      " href="#dom-securitypolicyviolationeventinit-linenumber">lineNumber</a>;
    long      <a class="idl-code" data-link-type="dict-member" data-type="long      " href="#dom-securitypolicyviolationeventinit-columnnumber">columnNumber</a>;
};
</pre>
     
    
     <dl>
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-documenturi">documentURI<a class="self-link" href="#dom-securitypolicyviolationeventinit-documenturi"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-document-uri"><code>document-uri</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-referrer">referrer<a class="self-link" href="#dom-securitypolicyviolationeventinit-referrer"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-referrer"><code>referrer</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-blockeduri">blockedURI<a class="self-link" href="#dom-securitypolicyviolationeventinit-blockeduri"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-blocked-uri"><code>blocked-uri</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-violateddirective">violatedDirective<a class="self-link" href="#dom-securitypolicyviolationeventinit-violateddirective"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-violated-directive"><code>violated-directive</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-effectivedirective">effectiveDirective<a class="self-link" href="#dom-securitypolicyviolationeventinit-effectivedirective"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-effective-directive"><code>effective-directive</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-originalpolicy">originalPolicy<a class="self-link" href="#dom-securitypolicyviolationeventinit-originalpolicy"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-original-policy"><code>original-policy</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-sourcefile">sourceFile<a class="self-link" href="#dom-securitypolicyviolationeventinit-sourcefile"></a></dfn>, <span> of type <a data-link-type="idl-name" href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-source-file"><code>source-file</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-linenumber">lineNumber<a class="self-link" href="#dom-securitypolicyviolationeventinit-linenumber"></a></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-long">long</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-line-number"><code>line-number</code></a> property of violation reports for a description of this property.
      
      
      <dt><dfn class="idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" id="dom-securitypolicyviolationeventinit-columnnumber">columnNumber<a class="self-link" href="#dom-securitypolicyviolationeventinit-columnnumber"></a></dfn>, <span> of type <a data-link-type="idl-name" href="https://heycam.github.io/webidl/#idl-long">long</a></span>
      
      
      <dd>Refer to the <a href="#violation-report-column-number"><code>column-number</code></a> property of violation reports for a description of this property.
      
    
     </dl>
     
  
    </section>
  
    <section>
    
     <h3 class="heading settled" data-level="6.3" id="firing-securitypolicyviolationevent-events"><span class="secno">6.3. </span><span class="content">Firing Violation Events</span><a class="self-link" href="#firing-securitypolicyviolationevent-events"></a></h3>
     


     <p>To <dfn data-dfn-type="dfn" data-noexport="" id="fire-a-violation-event">fire a violation event<a class="self-link" href="#fire-a-violation-event"></a></dfn>, the user agent MUST use an algorithm
    equivalent to the following:</p>
     

    
     <ol>
      
      <li>Let <var>report object</var> be the result of <a data-link-type="dfn" href="#generate-a-violation-report-object">generating a
      violation report object</a>.
      

      
      <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#queue-a-task">Queue a task</a> to
      <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#concept-event-fire">fire an event</a> named
      <code>securitypolicyviolation</code> using the
      <code><a class="idl-code" data-link-type="interface" href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a></code> interface
      with the following initializations:

        
       <ul>
          
        <li><code>blockedURI</code> MUST be initialized to the value of
          <var>report object</var>’s <code>blocked-uri</code> key.
        

          
        <li><code>documentURI</code> MUST be initialized to the value of
          <var>report object</var>’s <code>document-uri</code> key.
        

          
        <li><code>effectiveDirective</code> MUST be initialized to the value of
          <var>report object</var>’s <code>effective-directive</code> key.
        

          
        <li><code>originalPolicy</code> MUST be initialized to the value of
          <var>report object</var>’s <code>original-policy</code> key.
        

          
        <li><code>referrer</code> MUST be initialized to the value of
          <var>report object</var>’s <code>referrer</code> key.
        

          
        <li><code>violatedDirective</code> MUST be initialized to the value of
          <var>report object</var>’s <code>violated-directive</code> key.
        

          
        <li><code>sourceFile</code> MUST be initialized to the value of
          <var>report object</var>’s <code>source-file</code> key.
        

          
        <li><code>lineNumber</code> MUST be initialized to the value of
          <var>report object</var>’s <code>line-number</code> key.
        

          
        <li><code>columnNumber</code> MUST be initialized to the value of
          <var>report object</var>’s <code>column-number</code> key.
        
        
       </ul>
       
      
      
    
     </ol>
     


     <p>The <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#task-source">task source</a> for these <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#concept-task">tasks</a>
    is the <a data-link-type="dfn" href="#content-security-policy-task-source">Content Security Policy task source</a>.</p>
     
  
    </section>
</section>


   <section>
  
    <h2 class="heading settled" data-level="7" id="directives"><span class="secno">7. </span><span class="content">Directives</span><a class="self-link" href="#directives"></a></h2>


    <p>This section describes the content security policy directives
  introduced in this specification. Directive names are case insensitive.</p>


    <p>In order to protect against Cross-Site Scripting (XSS), web
  application authors SHOULD include:</p>

  
    <ul>
    
     <li>both the <code><a data-link-type="dfn" href="#script_src">script-src</a></code> and
    <code><a data-link-type="dfn" href="#object_src">object-src</a></code> directives, or
     

    
     <li>include a <code><a data-link-type="dfn" href="#default_src">default-src</a></code> directive, which covers both
    scripts and plugins.
     
  
    </ul>


    <p>In either case, authors SHOULD NOT include either
  <code>'unsafe-inline'</code> or <code>data:</code> as valid sources in
  their policies. Both enable XSS attacks by allowing code to be included
  directly in the document itself; they are best avoided completely.</p>


  
    <section>
    
     <h3 class="heading settled" data-level="7.1" id="directive-base-uri"><span class="secno">7.1. </span><span class="content"><code>base-uri</code></span><a class="self-link" href="#directive-base-uri"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="base_uri">base-uri<a class="self-link" href="#base_uri"></a></dfn></code> directive restricts the URLs that can
    be used to specify the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#document-base-url">document base URL</a>. The syntax for
    the name and value of the directive are described by the following ABNF
    grammar:</p>
     

    
     <pre>directive-name    = "base-uri"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-base-urls">allowed base URLs<a class="self-link" href="#allowed-base-urls"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>base-uri</code> directive’s
    value as a source list</a>.</p>
     


     <p class="note" role="note">Note: <code>base-uri</code> does not fall back to the <a data-link-type="dfn" href="#default-sources">default
    sources</a>.</p>
     


     <p>Step 4 of the algorithm defined in HTML5 to obtain a
    <em>document’s base URL</em> MUST be changed to:</p>
     

    
     <ol start="4">
      
      <li>If the previous step was not successful, or the result of the
      previous step does not <a data-link-type="dfn" href="#match-a-source-list">match</a>
      the <a data-link-type="dfn" href="#allowed-base-urls">allowed base URLs</a> for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, then the
      <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#document-base-url">document base URL</a> is <var>fallback base URL</var>.
      Otherwise, it is the result of the previous step.
      
    
     </ol>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.2" id="directive-child-src"><span class="secno">7.2. </span><span class="content"><code>child-src</code></span><a class="self-link" href="#directive-child-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="child_src">child-src<a class="self-link" href="#child_src"></a></dfn></code> directive governs the creation of
    <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing contexts</a> as well as Worker execution
    contexts. The syntax for the name and value of the directive are described
    by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "child-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-child-sources">allowed child sources<a class="self-link" href="#allowed-child-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>child-src</code>
    directive’s value as a source list</a> if a <code>child-src</code>
    directive is explicitly specified, and otherwise to the
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     

    
     <section>
      
      <h4 class="heading settled" data-level="7.2.1" id="directive-child-src-nested"><span class="secno">7.2.1. </span><span class="content">Nested Browsing Contexts</span><a class="self-link" href="#directive-child-src-nested"></a></h4>
      


      <p>To enforce the <code>child-src</code> directive the user agent MUST
      enforce the <code><a data-link-type="dfn" href="#frame_src">frame-src</a></code> directive.</p>
      
    
     </section>
     

    
     <section>
      
      <h4 class="heading settled" data-level="7.2.2" id="directive-child-src-workers"><span class="secno">7.2.2. </span><span class="content">Workers</span><a class="self-link" href="#directive-child-src-workers"></a></h4>
      


      <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL while processing the
      <code>Worker</code> or <code>SharedWorker</code> constructors
      <a data-link-type="biblio" href="#biblio-workers">[WORKERS]</a>, the user agent MUST act as if there was a fatal network
      error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a violation</a>
      if the URL does not <a data-link-type="dfn" href="#match-a-source-list">match</a> the
      <a data-link-type="dfn" href="#allowed-child-sources">allowed child sources</a> for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.3" id="directive-connect-src"><span class="secno">7.3. </span><span class="content"><code>connect-src</code></span><a class="self-link" href="#directive-connect-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="connect_src">connect-src<a class="self-link" href="#connect_src"></a></dfn></code> directive restricts which URLs the
    protected resource can load using script interfaces. The syntax for the name
    and value of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "connect-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-connection-targets">allowed connection targets<a class="self-link" href="#allowed-connection-targets"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>connect-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>connect-src</code> directive, or otherwise to the
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-connection-targets">allowed connection
    targets</a> for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as
    if there was a fatal network error and no resource was obtained,
    <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a violation</a>:</p>
     

    
     <ul>
      
      
      <li>Processing the <a href="http://www.w3.org/TR/XMLHttpRequest/#the-send()-method"><code>send()</code>
      method</a> of an <code>XMLHttpRequest</code> object.
      

      
      <li>Processing the <a href="http://dev.w3.org/html5/websockets/#websocket"><code>WebSocket</code>
      constructor</a>.
      

      
      <li>Processing the <a href="http://dev.w3.org/html5/eventsource/#eventsource"><code>EventSource</code>
      constructor</a>.
      

      
      <li>Pinging an endpoint during <a href="https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing">hyperlink auditing</a>.
      

      
      <li>Sending a beacon via the <a href="http://www.w3.org/TR/beacon/#sec-sendBeacon-method"><code>sendBeacon()</code></a> method <a data-link-type="biblio" href="#biblio-beacon">[BEACON]</a>
      
    
     </ul>
     
    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.3.1" id="connect-src-usage"><span class="secno">7.3.1. </span><span class="content">Usage</span><a class="self-link" href="#connect-src-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>JavaScript offers a few mechanisms that directly connect to an
      external server to send or receive information. <code>EventSource</code>
      maintains an open HTTP connection to a server in order to receive push
      notifications, <code>WebSockets</code> open a bidirectional communication
      channel between your browser and a server, and <code>XMLHttpRequest</code>
      makes arbitrary HTTP requests on your behalf. These are powerful APIs that
      enable useful functionality, but also provide tempting avenues for data
      exfiltration.</p>
      


      <p>The <code>connect-src</code> directive allows you to ensure that
      these sorts of connections are only opened to origins you trust.
      Sending a policy that defines a list of source expressions for this
      directive is straightforward. For example, to limit connections to
      only <code>example.com</code>, send the following header:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#connect_src">connect-src</a> example.com</pre>
      


      <p>All of the following will fail with the preceding directive in
      place:</p>
      

      
      <ul>
        
       <li><code>new WebSocket("wss://evil.com/");</code>
       
        
       <li><code>(new XMLHttpRequest()).open("GET", "https://evil.com/", true);</code>
       
        
       <li><code>new EventSource("https://evil.com");</code>
       
      
      </ul>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.4" id="directive-default-src"><span class="secno">7.4. </span><span class="content"><code>default-src</code></span><a class="self-link" href="#directive-default-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="default_src">default-src<a class="self-link" href="#default_src"></a></dfn></code> directive sets a default
    source list for a number of directives. The syntax for the name and
    value of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "default-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>Let the <dfn data-dfn-type="dfn" data-noexport="" id="default-sources">default sources<a class="self-link" href="#default-sources"></a></dfn> be the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>default-src</code>
    directive’s value as a source list</a> if a <code>default-src</code>
    directive is explicitly specified, and otherwise the U+002A ASTERISK
    character (*).</p>
     


     <p>To enforce the <code>default-src</code> directive, the user agent
    MUST enforce the following directives:</p>
     

    
     <ul>
      
      <li><code><a data-link-type="dfn" href="#child_src">child-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#connect_src">connect-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#font_src">font-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#img_src">img-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#media_src">media-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#object_src">object-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#script_src">script-src</a></code>
      
      
      <li><code><a data-link-type="dfn" href="#style_src">style-src</a></code>
      
    
     </ul>
     


     <p>If not specified explicitly in the policy, the directives listed
    above will use the <a data-link-type="dfn" href="#default-sources">default sources</a> as their source list.</p>
     

    
     <section>
      
      <h4 class="heading settled" data-level="7.4.1" id="default-src-usage"><span class="secno">7.4.1. </span><span class="content">Usage</span><a class="self-link" href="#default-src-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p><code>default-src</code>, as the name implies, serves as a default
      source list which the other source list-style directives will use as
      a fallback if they’re not otherwise explicitly set. That is, consider
      the following policy declaration:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self'</pre>
      


      <p>Under this policy, fonts, frames, images, media, objects, scripts,
      and styles will all only load from the same origin as the protected
      resource, and connections will only be made to the same origin. Adding
      a more specific declaration to the policy would completely override
      the default source list for that resource type.</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self'; <a data-link-type="dfn" href="#script_src">script-src</a> example.com</pre>
      


      <p>Under this new policy, fonts, frames, and etc. continue to be load
      from the same origin, but scripts will <em>only</em> load from
      <code>example.com</code>. There’s no inheritance; the
      <code><a data-link-type="dfn" href="#script_src">script-src</a></code> directive sets the allowed sources of
      script, and the default list is not used for that resource type.</p>
      


      <p>Given this behavior, one good way of building a policy for a site
      would be to begin with a <code>default-src</code> of
      <code>'none'</code>, and to build up a policy from there that contains
      only those resource types which are actually in use for the page you’d
      like to protect. If you don’t use webfonts, for instance, there’s no
      reason to specify a source list for <code><a data-link-type="dfn" href="#font_src">font-src</a></code>;
      specifying only those resource types a page uses ensures that the
      possible attack surface for that page remains as small as possible.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.5" id="directive-font-src"><span class="secno">7.5. </span><span class="content"><code>font-src</code></span><a class="self-link" href="#directive-font-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="font_src">font-src<a class="self-link" href="#font_src"></a></dfn></code> directive restricts from where the
    protected resource can load fonts. The syntax for the name and value
    of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "font-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-font-sources">allowed font sources<a class="self-link" href="#allowed-font-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>font-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>font-src</code>, or otherwise to the
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-font-sources">allowed font sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was
    a fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report
    a violation</a>:</p>
     

    
     <ul>
      
      <li>Requesting data for display in a font, such as when processing
      the &lt;&lt;@font-face>> Cascading Style Sheets (CSS) rule.
      
    
     </ul>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.6" id="directive-form-action"><span class="secno">7.6. </span><span class="content"><code>form-action</code></span><a class="self-link" href="#directive-form-action"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="form_action">form-action<a class="self-link" href="#form_action"></a></dfn></code> restricts which URLs can be used as
    the action of HTML <code><a data-link-type="element" href="http://www.w3.org/TR/html5/forms.html#the-form-element">form</a></code> elements. The syntax for the name and value of
    the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "form-action"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-form-actions">allowed form actions<a class="self-link" href="#allowed-form-actions"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>form-action</code>
    directive’s value as a source list</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of processing
    an HTML <code><a data-link-type="element" href="http://www.w3.org/TR/html5/forms.html#the-form-element">form</a></code> element, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-form-actions">allowed form actions</a> for
    the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was a
    fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a
    violation</a>.</p>
     


     <p class="note" role="note">Note: <code>form-action</code> does not fall back to the <a data-link-type="dfn" href="#default-sources">default
    sources</a> when the directive is not defined. That is, a policy that
    defines <code><a data-link-type="dfn" href="#default_src">default-src</a> 'none'</code> but not
    <code>form-action</code> will still allow form submissions to any
    target.</p>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.7" id="directive-frame-ancestors"><span class="secno">7.7. </span><span class="content"><code>frame-ancestors</code></span><a class="self-link" href="#directive-frame-ancestors"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="frame_ancestors">frame-ancestors<a class="self-link" href="#frame_ancestors"></a></dfn></code> directive indicates whether the
    user agent should allow embedding the resource using a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#frame">frame</a></code>,
    <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> or <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element, or equivalent
    functionality in non-HTML resources. Resources can use this directive to
    avoid many UI Redressing <a data-link-type="biblio" href="#biblio-uiredress">[UIREDRESS]</a> attacks by avoiding being embedded
    into potentially hostile contexts.</p>
     


     <p>The syntax for the name and value of the directive are described by the
    following ABNF grammar:</p>
     

    
     <pre><dfn data-dfn-type="dfn" data-noexport="" id="ancestor_source_list">ancestor-source-list<a class="self-link" href="#ancestor_source_list"></a></dfn> = [ <a data-link-type="dfn" href="#ancestor_source">ancestor-source</a> *( 1*WSP <a data-link-type="dfn" href="#ancestor_source">ancestor-source</a> ) ] / "'none'"
<dfn data-dfn-type="dfn" data-noexport="" id="ancestor_source">ancestor-source<a class="self-link" href="#ancestor_source"></a></dfn>      = <a data-link-type="dfn" href="#scheme_source">scheme-source</a> / <a data-link-type="dfn" href="#host_source">host-source</a>

directive-name  = "frame-ancestors"
directive-value = <a data-link-type="dfn" href="#ancestor_source_list">ancestor-source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-frame-ancestors">allowed frame ancestors<a class="self-link" href="#allowed-frame-ancestors"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>frame-ancestors</code>
    directive’s value as a source list</a>. If a <code>frame-ancestors</code>
    directive is not explicitly included in the policy, then <a data-link-type="dfn" href="#allowed-frame-ancestors">allowed frame
    ancestors</a> is "<code>*</code>".</p>
     


     <p>To enforce the <code>frame-ancestors</code> directive, whenever the
    user agent would load the protected resource into a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
    context</a>, the user agent MUST perform the following steps:</p>
     

    
     <ol>
      
      <li>Let <var>nestedContext</var> be the nested browsing context into
      which the protected resource is being loaded.
      

      
      <li>Let <var>ancestorList</var> be the list of all
      <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestors</a> of <var>nestedContext</var>.
      

      
      <li>For each <var>ancestorContext</var> in <var>ancestorList</var>:
        
       <ol>
          
        <li>Let <var>document</var> be <var>ancestorContext</var>’s
          <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#active-document">active document</a>.
        

          
        <li>If <var>document</var>’s URL does not
          <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-frame-ancestors">allowed frame
          ancestors</a> for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST:
            
         <ol>
              
          <li>Abort loading the protected resource.
          

              
          <li>Take one of the following actions:

                
           <ol>
                  
            <li>
                    Act as if it received an empty <a data-link-type="dfn" href="#http-200-response">HTTP 200 response</a>.
                  
            
                  
            <li>
                    Redirect the user to a friendly error page which provides
                    the option of opening the blocked page in a new <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#top-level-browsing-context">top-level
                    browsing context</a>.
                  
            
                
           </ol>
           
              
          

              
          <li>
                <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#parse-a-sandboxing-directive">Parse a sandboxing directive</a> using the
                empty string as the <em>input</em> and the newly created
                document’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#forced-sandboxing-flag-set">forced sandboxing flag set</a> as the
                <em>output</em>.
              
          

              
          <li><a data-link-type="dfn" href="#report-a-violation">Report a violation</a>.
          

              
          <li>Abort these steps.
          
            
         </ol>
         
          
        
        
       </ol>
       
      
      
    
     </ol>
     


     <p>Steps 3.2.2 and 3.2.3 ensure that the blocked frame appears to be a
    normal cross-origin document’s load. If these steps are ignored,
    leakage of a document’s policy state is possible.</p>
     


     <p>The <code>frame-ancestors</code> directive MUST be ignored
    when <a data-link-type="dfn" href="#monitor">monitoring</a> a policy, and when a contained in a
    policy defined via a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
     


     <p class="note" role="note">Note: <code><a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a></code> does not fall back to the
    <a data-link-type="dfn" href="#default-sources">default sources</a> when the directive is not defined. That is, a policy
    that defines <code><a data-link-type="dfn" href="#default_src">default-src</a> 'none'</code> but not
    <code>frame-ancestors</code> will still allow the resource to be framed from
    anywhere.</p>
     


     <p>When generating a violation report for a <code>frame-ancestors</code>
    violation, the user agent MUST NOT include the value of the embedding
    ancestor as a <code>blocked-uri</code> value unless it is same-origin with
    the protected resource, as disclosing the value of cross-origin ancestors
    is a violation of the Same-Origin Policy.</p>
     

    
     <section>
      
      <h4 class="heading settled" data-level="7.7.1" id="frame-ancestors-and-frame-options"><span class="secno">7.7.1. </span><span class="content">
        Relation to <code>X-Frame-Options</code>
      </span><a class="self-link" href="#frame-ancestors-and-frame-options"></a></h4>
      


      <p>This directive is similar to the <code>X-Frame-Options</code> header that
      several user agents have implemented. The <code>'none'</code> source
      expression is roughly equivalent to that header’s <code>DENY</code>,
      <code>'self'</code> to <code>SAMEORIGIN</code>, and so on. The major
      difference is that many user agents implement <code>SAMEORIGIN</code> such
      that it only matches against the top-level document’s location. This
      directive checks each ancestor. If any ancestor doesn’t match, the load
      is cancelled. <a data-link-type="biblio" href="#biblio-rfc7034">[RFC7034]</a></p>
      


      <p>The <code>frame-ancestors</code> directive <em>obsoletes</em> the
      <code>X-Frame-Options</code> header.  If a resource has both policies,
      the <code>frame-ancestors</code> policy SHOULD be enforced and the
      <code>X-Frame-Options</code> policy SHOULD be ignored.</p>
      
    
     </section>
     

    
     <section class="informative" id="multiple-host-source-values">
      
      <h4 class="heading settled" data-level="7.7.2" id="frame-ancestors-multiple-source-values"><span class="secno">7.7.2. </span><span class="content">Multiple Host Source Values</span><a class="self-link" href="#frame-ancestors-multiple-source-values"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>Multiple source-list expressions are allowed in a single policy (in contrast
      to <code>X-Frame-Options</code>, which allows only one) to enable
      scenarios involving embedded application components that are multiple levels
      below the top-level browsing context.</p>
      


      <p>Many common scenarios for permissioned embedding (e.g. embeddable payment,
      sharing or social apps) involve potentially many hundreds or thousands of
      valid <code>source-list</code> expressions, but it is strongly recommended
      against accommodating such scenarios with a static
      <code>frame-ancestors</code> directive listing multiple values. In such
      cases it is beneficial to generate this value dynamically, based on an
      HTTP Referer header or an explicitly passed-in value, to allow only the
      sources necessary for each given embedding of the resource.</p>
      


      <p>Consider a service providing a payments application at
      <code>https://payments/makeEmbedded</code>. The service allows this resource
      to be embedded by both merchant Alice and merchant Bob, who compete with each
      other. Sending:</p>
      

      
      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a> https://alice https://bob
</pre>
      


      <p>would allow Bob to re-frame Alice’s resource and create fraudulent clicks,
      perhaps discrediting Alice with her customers or the payments service. If the
      payments service used additional information (e.g. as part of a URL like
      <code>https://payments/makeEmbedded?merchant=alice</code>) to send
      individually-tailored headers listing only the source-list expressions
      needed by each merchant, this attack would be eliminated.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.8" id="directive-frame-src"><span class="secno">7.8. </span><span class="content"><code>frame-src</code></span><a class="self-link" href="#directive-frame-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="frame_src">frame-src<a class="self-link" href="#frame_src"></a></dfn></code> directive is <em>deprecated</em>.
    Authors who wish to govern nested browsing contexts SHOULD use the
    <code>child-src</code> directive instead.</p>
     


     <p>The <code>frame-src</code> directive restricts from where the
    protected resource can embed frames. The syntax for the name
    and value of the directive are described by the following ABNF
    grammar:</p>
     

    
     <pre>directive-name    = "frame-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-frame-sources">allowed frame sources<a class="self-link" href="#allowed-frame-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>frame-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>frame-src</code>, or otherwise to the list of
    <a data-link-type="dfn" href="#allowed-child-sources">allowed child sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-frame-sources">allowed frame sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was a
    fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a
    violation</a>:</p>
     

    
     <ul>
      
      <li>Requesting data for display in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a> in the
      protected resource created by an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> or a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#frame">frame</a></code> element.

      
      <li><a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#navigate">Navigated</a> such a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>.
      
    
     </ul>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.9" id="directive-img-src"><span class="secno">7.9. </span><span class="content"><code>img-src</code></span><a class="self-link" href="#directive-img-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="img_src">img-src<a class="self-link" href="#img_src"></a></dfn></code> directive restricts from where the
    protected resource can load images. The syntax for the name and value
    of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "img-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-image-sources">allowed image sources<a class="self-link" href="#allowed-image-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>img-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>img-src</code>, or otherwise to the list of
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-image-sources">allowed image sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was a
    fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a
    violation</a>:</p>
     

    
     <ul>
      
      
      <li>Requesting data for an image, such as when processing the
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-img-src">src</a></code> or <code>srcset</code> attributes of an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-img-element">img</a></code> element, the
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/forms.html#attr-input-src">src</a></code> attribute of an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/forms.html#the-input-element">input</a></code> element with a type of
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/forms.html#attr-input-type-image-keyword">image</a></code>, the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-video-poster">poster</a></code> attribute of a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-video-element">video</a></code> element,
      the <a data-link-type="functionish" href="http://www.w3.org/TR/CSS21/syndata.html#uri">url()</a>, <a data-link-type="functionish" href="https://drafts.csswg.org/css-images-4/#funcdef-image">image()</a> or <a data-link-type="functionish" href="https://drafts.csswg.org/css-images-3/#funcdef-image-set">image-set()</a> values on any
      Cascading Style Sheets (CSS) property that is capable of loading an image
      <a data-link-type="biblio" href="#biblio-css4-images">[CSS4-IMAGES]</a>, or the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-link-href">href</a></code> attribute of a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code> element
      with an image-related <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-link-rel">rel</a></code> attribute, such as <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/links.html#rel-icon">icon</a></code>.
      
    
     </ul>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.10" id="directive-media-src"><span class="secno">7.10. </span><span class="content"><code>media-src</code></span><a class="self-link" href="#directive-media-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="media_src">media-src<a class="self-link" href="#media_src"></a></dfn></code> directive restricts from where the
    protected resource can load video, audio, and associated text tracks.
    The syntax for the name and value of the directive are described by the
    following ABNF grammar:</p>
     

    
     <pre>directive-name    = "media-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-media-sources">allowed media sources<a class="self-link" href="#allowed-media-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>media-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>media-src</code>, or otherwise to the list of
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-media-sources">allowed media sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was
    a fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report
    a violation</a>:</p>
     

    
     <ul>
      
      <li>Requesting data for a video or audio clip, such as when processing the
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-media-src">src</a></code> attribute of a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-video-element">video</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-audio-element">audio</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-source-element">source</a></code>, or
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-track-element">track</a></code> element.
      
    
     </ul>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.11" id="directive-object-src"><span class="secno">7.11. </span><span class="content"><code>object-src</code></span><a class="self-link" href="#directive-object-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="object_src">object-src<a class="self-link" href="#object_src"></a></dfn></code> directive restricts from where
    the protected resource can load plugins. The syntax for the name and value
    of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "object-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-object-sources">allowed object sources<a class="self-link" href="#allowed-object-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>object-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>object-src</code>, or otherwise to the list of
    <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-object-sources">allowed object sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was a
    fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a
    violation</a>:</p>
     

    
     <ul>
      
      <li>Requesting data for a plugin, such as when processing the
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-data">data</a></code> attribute of an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element, the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-embed-src">src</a></code>
      attribute of an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> element, or the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/obsolete.html#dom-applet-code">code</a></code> or
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/obsolete.html#dom-applet-archive">archive</a></code> attributes of an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element.
      

      
      <li>Requesting data for display in a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>
      in the protected resource created by an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> or an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>
      element.
      

      
      <li>Navigating such a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>.
      
    
     </ul>
     


     <p>It is not required that the consumer of the element’s data be a
    <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a> in order for the <code>object-src</code> directive to be
    enforced. Data for any <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>, or <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element MUST
    match the <a data-link-type="dfn" href="#allowed-object-sources">allowed object sources</a> in order to be fetched. This is true
    even when the element data is semantically equivalent to content which would
    otherwise be restricted by one of the other <a href="#directives">§7 Directives</a>, such as an
    <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element with a <code>text/html</code> MIME type.</p>
     


     <p>Whenever the user agent would load a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a> without an associated
    URL (e.g., because the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element lacked a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-data">data</a></code>
    attribute), if the protected resource’s URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-object-sources">allowed object sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST NOT load the plugin.</p>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.12" id="directive-plugin-types"><span class="secno">7.12. </span><span class="content"><code>plugin-types</code></span><a class="self-link" href="#directive-plugin-types"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="plugin_types">plugin-types<a class="self-link" href="#plugin_types"></a></dfn></code> directive restricts the set
    of plugins that can be invoked by the protected resource by limiting
    the types of resources that can be embedded. The syntax for the name
    and value of the directive are described by the following ABNF
    grammar:</p>
     

    
     <pre>directive-name    = "plugin-types"
directive-value   = media-type-list
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-plugin-media-types">allowed plugin media types<a class="self-link" href="#allowed-plugin-media-types"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-media-type-list">parsing the <code>plugin-types</code>
    directive’s value as a media type list</a>.</p>
     


     <p>Whenever the user agent would instantiate a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#plugin">plugin</a>
    to handle <var>resource</var> while enforcing the <code>plugin-types</code>
    directive, the user agent MUST instead act as though the plugin reported an
    error <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report a violation</a> if any of the following
    conditions hold:</p>
     

    
     <ul>
        
      <li>The plugin is embedded into the protected resource via an
        <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> or <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> element that does not explicitly
        declare a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#mime-type">MIME type</a> via a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-type">type</a></code>
        attribute.
      

        
      <li><var>resource</var>’s media type does not
        <a data-link-type="dfn" href="#match-a-media-type-list">match</a> the list of <a data-link-type="dfn" href="#allowed-plugin-media-types">allowed
        plugin media types</a>.
      

        
      <li>The plugin is embedded into the protected resource via an
        <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> or <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> element, and the media type declared
        in the element’s <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-type">type</a></code> attribute is not an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
        case-insensitive match</a> for the <var>resource</var>’s media
        type.
      

        
      <li>The plugin is embedded into the protected resource via an
        <code><a data-link-type="element" href="http://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element, and <var>resource</var>’s media type is not an
        <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for
        <code>application/x-java-applet</code>.
      
    
     </ul>
     


     <p class="note" role="note">Note: In any of these cases, acting as though the plugin reported an
    error will cause the user agent to display the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/dom.html#fallback-content">fallback
    content</a>.</p>
     


     <p>Whenever the user agent creates a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#plugin-document">plugin document</a> as the
    <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#active-document">active document</a> of a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#child-browsing-context">child browsing context</a> of the
    <a data-link-type="dfn" href="#protected-resource">protected resource</a>, if the user agent is enforcing any
    <code>plugin-types</code> directives for the protected resource, the user
    agent MUST <a data-link-type="dfn" href="#enforce">enforce</a> those <code>plugin-types</code> directives on the
    plugin document as well.</p>
     


     <p>Whenever the user agent creates a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#plugin-document">plugin document</a> as the
    <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#active-document">active document</a> of a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#child-browsing-context">child browsing context</a> of the
    <a data-link-type="dfn" href="#protected-resource">protected resource</a>, if the user agent is monitoring any
    <code>plugin-types</code> directives for the protected resource, the user
    agent MUST <a data-link-type="dfn" href="#monitor">monitor</a> those <code>plugin-types</code> directives on the
    plugin document as well.</p>
     

    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.12.1" id="plugin-types-usage"><span class="secno">7.12.1. </span><span class="content">Usage</span><a class="self-link" href="#plugin-types-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>The <code>plugin-types</code> directive whitelists a certain set
      of MIME types that can be embedded in a protected resource. For
      example, a site might want to ensure that PDF content loads, but that
      no other plugins can be instantiated. The following directive would
      satisfy that requirement:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin_types">plugin-types</a> application/pdf</pre>
      


      <p>Resources embedded via an <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> or
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element delivered with an
      <code>application/pdf</code> content type would be rendered in the
      appropriate plugin; resources delivered with some other content type
      would be blocked. Multiple types can be specified, in any order. If the
      site decided to additionally allow Flash at some point in the future, it
      could do so with the following directive:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin_types">plugin-types</a> application/pdf application/x-shockwave-flash</pre>
      


      <p class="note" role="note">Note: Wildcards are not accepted in the <code>plugin-types</code>
      directive. Only the resource types explicitly listed in the directive
      will be allowed.</p>
      
  
     </section>
     
  
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.12.2" id="plugin-types-predeclaration"><span class="secno">7.12.2. </span><span class="content">
        Predeclaration of expected media types
      </span><a class="self-link" href="#plugin-types-predeclaration"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>Enforcing the <code>plugin-types</code> directive requires that
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> and <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>
      elements declare the expected media type of the resource they include via
      the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-object-type">type</a></code> attribute. If an author expects
      to load a PDF, she could specify this as follows:</p>
      


      <pre>&lt;object data="<var>resource</var>" type="application/pdf">&lt;/object></pre>
      


      <p>If <var>resource</var> isn’t actually a PDF file, it won’t
      load. This prevents certain types of attacks that rely on serving
      content that unexpectedly invokes a plugin other than that which the
      author intended.</p>
      


      <p class="note" role="note">Note: <var>resource</var> will not load in this scenario even
      if its media type is otherwise whitelisted: resources will only load
      when their media type is whitelisted <em>and</em> matches the
      declared type in their containing element.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.13" id="directive-report-uri"><span class="secno">7.13. </span><span class="content"><code>report-uri</code></span><a class="self-link" href="#directive-report-uri"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="report_uri">report-uri<a class="self-link" href="#report_uri"></a></dfn></code> directive specifies a URL to
    which the user agent sends reports about policy violation. The syntax
    for the name and value of the directive are described by the following
    ABNF grammar:</p>
     

    
     <pre>directive-name    = "report-uri"
directive-value   = <a data-link-type="dfn" href="#uri_reference">uri-reference</a> *( 1*WSP <a data-link-type="dfn" href="#uri_reference">uri-reference</a> )
<dfn data-dfn-type="dfn" data-noexport="" id="uri_reference">uri-reference<a class="self-link" href="#uri_reference"></a></dfn>     = &lt;URI-reference from RFC 3986>
</pre>
     


     <p>The <dfn data-dfn-type="dfn" data-noexport="" id="set-of-report-urls">set of report URLs<a class="self-link" href="#set-of-report-urls"></a></dfn> is the value of the
    <code>report-uri</code> directive, each resolved relative to the
    protected resource’s URL.</p>
     


     <p>The process of sending violation reports to the URLs specified in
    this directive’s value is defined in this document’s
    <a href="#violation-reports">§4.4 Reporting</a> section.</p>
     


     <p class="note" role="note">Note: The <code>report-uri</code> directive will be ignored if contained
    within a <a href="#delivery-html-meta-element"><code>meta</code>
    element</a>.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="7.14" id="directive-sandbox"><span class="secno">7.14. </span><span class="content"><code>sandbox</code></span><a class="self-link" href="#directive-sandbox"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="sandbox">sandbox<a class="self-link" href="#sandbox"></a></dfn></code> directive specifies an HTML
    sandbox policy that the user agent applies to the protected resource.
    The syntax for the name and value of the directive are described by
    the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "sandbox"
directive-value   = "" / sandbox-token *( 1*WSP <a data-link-type="dfn" href="#sandbox_token">sandbox-token</a> )
<dfn data-dfn-type="dfn" data-noexport="" id="sandbox_token">sandbox-token<a class="self-link" href="#sandbox_token"></a></dfn>     = &lt;token from RFC 7230>
</pre>
     


     <p>When enforcing the <code>sandbox</code> directive, the user agent
    MUST <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#parse-a-sandboxing-directive">parse a sandboxing directive</a> using the
    <code>directive-value</code> as the <em>input</em> and protected
    resource’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#forced-sandboxing-flag-set">forced sandboxing flag set</a>
    as the output. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a></p>
     


     <p>The <code>sandbox</code> directive will be ignored when <a data-link-type="dfn" href="#monitor">monitoring</a>
    a policy, and when contained in a policy defined via a
    <a href="#delivery-html-meta-element"><code>meta</code> element</a>.
    Moreover, this directive has no effect when <a data-link-type="dfn" href="#monitor">monitored</a>, and has no
    reporting requirements.</p>
     

    
     <h4 class="heading settled" data-level="7.14.1" id="sandboxing-and-workers"><span class="secno">7.14.1. </span><span class="content">Sandboxing and Workers</span><a class="self-link" href="#sandboxing-and-workers"></a></h4>
     


     <p>When delivered via an HTTP header, a Content Security Policy may indicate
    that sandboxing flags ought to be applied to a JavaScript execution
    environment that is not a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code>. Of particular interest is the
    script content intended for use as a Worker, Shared Worker, or Service
    Worker. Many of the sandboxing flags do not apply to such environments, but
    <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a> and
    <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a> have special
    requirements.</p>
     


     <p>When a resource is loaded while executing the <a data-link-type="dfn" href="#runs-a-worker">runs a
    <code>Worker</code></a> algorithm, the user agent MUST act as if there was
    a fatal network error and no resource could be obtained if either of the
    following conditions holds:</p>
     

    
     <ol>
      
      <li>
        The <code><a data-link-type="dfn" href="#sandbox">sandbox</a></code> directive delivered with the resource
        does <em>not</em> contain the
        <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a> flag.
      
      
      
      <li>
        The <code><a data-link-type="dfn" href="#sandbox">sandbox</a></code> directive delivered with the resource
        does <em>not</em> contain the
        <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a> flag, <em>and</em>
        the creation of the new execution context requires it to be same-origin
        with its creating context.
      
      
    
     </ol>
     

    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.14.2" id="sandbox-usage"><span class="secno">7.14.2. </span><span class="content">Usage</span><a class="self-link" href="#sandbox-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      

      
      <p>HTML5 defines a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/embedded-content-0.html#attr-iframe-sandbox">sandbox</a></code> attribute for
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> elements, intended to allow web authors
      to reduce the risk of including potentially untrusted content by imposing
      restrictions on that content’s abilities. When the attribute is set,
      the content is forced into a unique origin, prevented from submitting
      forms, running script, creating or navigating other browsing contexts,
      and prevented from running plugins. These restrictions can be loosened
      by setting certain flags as the attribute’s value.

</p>
      <p>The <code>sandbox</code> directive allows any resource, framed or
      not, to ask for the same sorts of restrictions to be applied to
      itself.</p>
      


      <p>For example, a message board or email system might provide
      downloads of arbitrary attachments provided by other users. Attacks
      that rely on tricking a client into rendering one of these attachments
      could be mitigated by requesting that resources only be rendered in a
      very restrictive sandbox. Sending the <code>sandbox</code> directive
      with an empty value establishes such an environment:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#sandbox">sandbox</a></pre>
      


      <p>More trusted resources might be allowed to run in an environment
      with fewer restrictions by adding <code>allow-*</code> flags to the
      directive’s value. For example, you can allow a page that you trust
      to run script, while ensuring that it isn’t treated as same-origin
      with the rest of your site. This can be accomplished by sending the
      <code>sandbox</code> directive with the
      <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code> flag:</p>
      


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#sandbox">sandbox</a> <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a></pre>
      


      <p>The set of flags available to the CSP directive should match those
      available to the <code><a data-link-type="element" href="http://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> attribute.
      Currently, those include:</p>
      

      
      <ul>
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-forms">allow-forms</a></code>
       
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-pointer-lock">allow-pointer-lock</a></code>
       
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-popups">allow-popups</a></code>
       
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-same-origin">allow-same-origin</a></code>
       
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-scripts">allow-scripts</a></code>, and
       
        
       <li><code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/browsers.html#attr-iframe-sandbox-allow-top-navigation">allow-top-navigation</a></code>
       
      
      </ul>
      


      <p class="note" role="note">Note: Like the rest of Content Security Policy, the <code>sandbox</code>
      directive is meant as a defense-in-depth. Web authors would be well-served
      to use it <em>in addition to</em> standard sniffing-mitigation and
      privilege-reduction techniques.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.15" id="directive-script-src"><span class="secno">7.15. </span><span class="content"><code>script-src</code></span><a class="self-link" href="#directive-script-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="script_src">script-src<a class="self-link" href="#script_src"></a></dfn></code> directive restricts which scripts the
    protected resource can execute. The directive also controls other resources,
    such as XSLT style sheets <a data-link-type="biblio" href="#biblio-xslt">[XSLT]</a>, which can cause the user agent to
    execute script. The syntax for the name and value of the directive are
    described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "script-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-script-sources">allowed script sources<a class="self-link" href="#allowed-script-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>script-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>script-src</code>, or otherwise to the <a data-link-type="dfn" href="#default-sources">default
    sources</a>.</p>
     


     <p>If <code>'unsafe-inline'</code> is <strong>not</strong> in the
    list of <a data-link-type="dfn" href="#allowed-script-sources">allowed script sources</a>, or if at least one
    <code><a data-link-type="dfn" href="#nonce_source">nonce-source</a></code> or <code><a data-link-type="dfn" href="#hash_source">hash-source</a></code> is
    present in the list of <a data-link-type="dfn" href="#allowed-script-sources">allowed script sources</a>:</p>
     

    
     <ul>
      
      <li>Whenever the user agent would execute an inline script from a
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element that lacks a <a data-link-type="dfn" href="#valid-nonce">valid nonce</a>
      <em>and</em> lacks a <a data-link-type="dfn" href="#valid-hash">valid hash</a> for the <a data-link-type="dfn" href="#allowed-script-sources">allowed script
      sources</a>, instead the user agent MUST NOT execute script, <em>and</em>
      MUST <a data-link-type="dfn" href="#report-a-violation">report a violation</a>.
      

      
      <li>Whenever the user agent would execute an inline script from an
      inline event handler, instead the user agent MUST NOT execute script,
      <em>and</em> MUST <a data-link-type="dfn" href="#report-a-violation">report a violation</a>.
      

      
      <li>Whenever the user agent would execute script contained in a
      <code>javascript</code> URL, instead the user agent MUST NOT execute
      the script, <em>and</em> MUST <a data-link-type="dfn" href="#report-a-violation">report a violation</a>.
      
    
     </ul>
     


     <p>If <code>'unsafe-eval'</code> is <strong>not</strong> in <a data-link-type="dfn" href="#allowed-script-sources">allowed script
    sources</a>:</p>
     

    
     <ul>
      
      <li>Instead of evaluating their arguments, both operator
      <code>eval</code> and function <code>eval</code> <a data-link-type="biblio" href="#biblio-ecma-262">[ECMA-262]</a>
      MUST throw an <code>EvalError</code> exception.
      

      
      <li>When called as a constructor, the function <code>Function</code>
      <a data-link-type="biblio" href="#biblio-ecma-262">[ECMA-262]</a> MUST throw an <code>EvalError</code> exception.
      

      
      <li>When called with a first argument that is not <a data-link-type="dfn" href="#callable">callable</a> (a
      string, for example), the
      <code><a class="idl-code" data-link-type="method" href="http://www.w3.org/TR/html5/webappapis.html#dom-windowtimers-settimeout">setTimeout()</a></code> function MUST
      return zero without creating a timer.
      

      
      <li>When called with a first argument that is not <a data-link-type="dfn" href="#callable">callable</a> (a
      string, for example), the
      <code><a class="idl-code" data-link-type="method" href="http://www.w3.org/TR/html5/webappapis.html#dom-windowtimers-setinterval">setInterval()</a></code> function MUST
      return zero without creating a timer.
      
    
     </ul>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL (including when following
    redirects) in the course of one of the following activities, if the URL does
    not <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-script-sources">allowed script
    sources</a> for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if
    there was a fatal network error and no resource was obtained, <em>and</em>
    <a data-link-type="dfn" href="#report-a-violation">report a violation</a>:</p>
     

    
     <ul>
      
      <li>Requesting a script while processing the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/scripting-1.html#attr-script-src">src</a></code> attribute of
      a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element that lacks a <a data-link-type="dfn" href="#valid-nonce">valid nonce</a> for the <a data-link-type="dfn" href="#allowed-script-sources">allowed
      script sources</a>.
      

      
      <li>Requesting a script while invoking the <code>importScripts</code>
      method on a WorkerGlobalScope object. <a data-link-type="biblio" href="#biblio-workers">[WORKERS]</a>
      

      
      <li>Requesting an HTML component, such as
      when processing the <code>href</code> attribute of a <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code>
      element with a <code>rel</code> attribute containing the token
      <code>import</code>. <a data-link-type="biblio" href="#biblio-html-imports">[HTML-IMPORTS]</a>
      

      
      <li>Requesting an Extensible Stylesheet Language Transformations
      (XSLT) <a data-link-type="biblio" href="#biblio-xslt">[XSLT]</a>, such as when processing the
      <code>&lt;?xml-stylesheet?></code> processing directive in an XML
      document <a data-link-type="biblio" href="#biblio-xml11">[XML11]</a>, the <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-link-href">href</a></code> attributes
      on <code>&lt;xsl:include></code> and <code>&lt;xsl:import></code>
      elements.
      
    
     </ul>
     

    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.15.1" id="script-src-nonce-usage"><span class="secno">7.15.1. </span><span class="content">
        Nonce usage for <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements
      </span><a class="self-link" href="#script-src-nonce-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>The <code><a data-link-type="dfn" href="#script_src">script-src</a></code> directive lets developers specify
      exactly which script elements on a page were intentionally included
      for execution. Ideally, developers would avoid inline script entirely
      and whitelist scripts by URL. However, in some cases, removing inline
      scripts can be difficult or impossible. For those cases, developers can
      whitelist scripts using a randomly generated nonce.</p>
      


      <p>Usage is straightforward. For <em>each</em> request, the server
      generates a unique value at random, and includes it in the
      <code>Content-Security-Policy</code> header:</p>
      

      
      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self';
                         <a data-link-type="dfn" href="#script_src">script-src</a> 'self' https://example.com 'nonce-<em>$RANDOM</em>'
</pre>
      


      <p>This same value is then applied as a <code>nonce</code> attribute
      to each <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element that ought to be
      executed. For example, if the server generated the random value
      <code>Nc3n83cnSAd3wc3Sasdfn939hc3</code>,  the server would send the
      following policy:</p>
      

      
      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self';
                         <a data-link-type="dfn" href="#script_src">script-src</a> 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
</pre>
      


      <p>Script elements can then execute either because their <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/scripting-1.html#attr-script-src">src</a></code> URLs
      are whitelisted or because they have a <a data-link-type="dfn" href="#valid-nonce">valid nonce</a>:</p>
      

      
      <pre>&lt;script>
alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
&lt;/script>

&lt;script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
alert("Still blocked because nonce is wrong.")
&lt;/script>

&lt;script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
&lt;/script>

&lt;script src="https://example.com/allowed-because-of-src.js">&lt;/script>

&lt;script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"
    src="https://elsewhere.com/blocked-because-nonce-is-wrong.js">&lt;/script>

&lt;script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3"
    src="https://elsewhere.com/allowed-because-nonce-is-valid.js">&lt;/script>
</pre>
      


      <p>Note that the nonce’s value is <em>not</em> a hash or signature
      that verifies the contents of the script resources. It’s quite simply
      a random string that informs the user agent which scripts were
      intentionally included in the page.</p>
      


      <p>Script elements with the proper nonce execute, regardless of
      whether they’re inline or external. Script elements without the
      proper nonce don’t execute unless their URLs are whitelisted.
      Even if an attacker is able to inject markup into the protected
      resource, the attack will be blocked by the attacker’s inability
      to guess the random value.</p>
      
    
     </section>
     
    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.15.2" id="script-src-hash-usage"><span class="secno">7.15.2. </span><span class="content">
        Hash usage for <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements
      </span><a class="self-link" href="#script-src-hash-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>The <code><a data-link-type="dfn" href="#script_src">script-src</a></code> directive lets developers whitelist a
      particular inline script by specifying its hash as an allowed source
      of script.</p>
      


      <p>Usage is straightforward. The server computes the hash of a
      particular script block’s contents, and includes the base64 encoding
      of that value in the <code>Content-Security-Policy</code> header:</p>
      

      
      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self';
                         <a data-link-type="dfn" href="#script_src">script-src</a> 'self' https://example.com 'sha256-<var>base64 encoded hash</var>'
</pre>
      


      <p>Each inline script block’s contents are hashed, and compared against
      the whitelisted value. If there’s a match, the script is executed. For
      example, the SHA-256 digest of <code>alert('Hello, world.');</code> is
      <code>qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=</code>.</p>
      

      
      <div class="example" id="example-f54407db"><a class="self-link" href="#example-f54407db"></a>
        You can obtain the digest of a string on the command line simply
        via the <code>openssl</code> program. For example:

        
       <pre>echo -n "alert('Hello, world.');" | openssl dgst -sha256 -binary | openssl enc -base64
</pre>
       
      
      </div>
      


      <p>If the server sent the following header:</p>
      

      
      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#script_src">script-src</a> 'sha512-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='
</pre>
      


      <p>Then the following script tag would result in script execution:</p>
      

      
      <pre>&lt;script>alert('Hello, world.');&lt;/script>
</pre>
      


      <p>Whitespace is significant. The following scripts blocks would not hash to
      the same value, and would therefore <em>not</em> execute:</p>
      

      
      <pre>&lt;script> alert('Hello, world.');&lt;/script>
&lt;script>alert('Hello, world.'); &lt;/script>
&lt;script> alert('Hello, world.'); &lt;/script>
&lt;script>
alert('Hello, world.');
&lt;/script>
</pre>
      


      <p>Note also that the hash applies <em>only</em> to inline script. An
      externalized script containing the value
      <code>alert('Hello, world.');</code> would <em>not</em> execute if its
      origin was not whitelisted as a valid source of script.</p>
      
    
     </section>
     
  
    </section>


  
    <section>
    
     <h3 class="heading settled" data-level="7.16" id="directive-style-src"><span class="secno">7.16. </span><span class="content"><code>style-src</code></span><a class="self-link" href="#directive-style-src"></a></h3>
     


     <p>The <code><dfn data-dfn-type="dfn" data-noexport="" id="style_src">style-src<a class="self-link" href="#style_src"></a></dfn></code> directive restricts which styles the
    user may applies to the protected resource. The syntax for the name and
    value of the directive are described by the following ABNF grammar:</p>
     

    
     <pre>directive-name    = "style-src"
directive-value   = <a data-link-type="dfn" href="#source_list">source-list</a>
</pre>
     


     <p>The term <dfn data-dfn-type="dfn" data-noexport="" id="allowed-style-sources">allowed style sources<a class="self-link" href="#allowed-style-sources"></a></dfn> refers to the result of
    <a data-link-type="dfn" href="#parse-a-source-list">parsing the <code>style-src</code>
    directive’s value as a source list</a> if the policy contains an
    explicit <code>style-src</code>, or otherwise to the <a data-link-type="dfn" href="#default-sources">default sources</a>.</p>
     


     <p>If <code>'unsafe-inline'</code> is <strong>not</strong> in the
    list of <a data-link-type="dfn" href="#allowed-style-sources">allowed style sources</a>, or if at least one
    <code><a data-link-type="dfn" href="#nonce_source">nonce-source</a></code> or <code><a data-link-type="dfn" href="#hash_source">hash-source</a></code>
    is present in the list of <a data-link-type="dfn" href="#allowed-style-sources">allowed style sources</a>:</p>
     

    
     <ul>
      
      <li>Whenever the user agent would apply style from a
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> element that lacks a
      <a data-link-type="dfn" href="#valid-nonce">valid nonce</a> <em>and</em> lacks a <a data-link-type="dfn" href="#valid-hash">valid hash</a> for the
      <a data-link-type="dfn" href="#allowed-style-sources">allowed style sources</a>, instead the user agent <code>MUST</code>
      ignore the style, <em>and</em> MUST <a data-link-type="dfn" href="#report-a-violation">report a violation</a>.
      

      
      <li>Whenever the user agent would apply style from a
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> attribute, instead the user agent
      <code>MUST</code> ignore the style, <em>and</em> MUST <a data-link-type="dfn" href="#report-a-violation">report a
      violation</a>.
      
    
     </ul>
     


     <p class="note" role="note">Note: These restrictions on inline do not prevent the user agent
    from applying style from an external stylesheet (e.g., found via
    <code>&lt;link rel="stylesheet" ...></code>).</p>
     


     <p>If <code>'unsafe-eval'</code> is <strong>not</strong> in <a data-link-type="dfn" href="#allowed-style-sources">allowed style
    sources</a>, then:</p>
     

    
     <ul>
      
      <li>Whenever the user agent would invoke the Cascading Style Sheets
      Object Model algorithms
      <a data-link-type="dfn" href="http://www.w3.org/TR/cssom/#insert-a-css-rule">insert a CSS rule</a>, <a data-link-type="dfn" href="http://www.w3.org/TR/cssom/#parse-a-css-rule">parse a CSS rule</a>,
      <a data-link-type="dfn" href="http://www.w3.org/TR/cssom/#parse-a-css-declaration-block">parse a CSS declaration block</a>, or
      <a data-link-type="dfn" href="http://www.w3.org/TR/cssom/#parse-a-group-of-selectors">parse a group of selectors</a>
      instead the user agent MUST throw a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#securityerror">SecurityError</a>
      exception <em>and</em> terminate the algorithm. This would include,
      for example, all invocations of CSSOM’s various <code>cssText</code>
      setters and <code>insertRule</code> methods. <a data-link-type="biblio" href="#biblio-cssom">[CSSOM]</a> <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>
      
    
     </ul>
     


     <p>Whenever the user agent <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#fetch">fetches</a> a URL in the course of one of the
    following activities, if the URL does not
    <a data-link-type="dfn" href="#match-a-source-list">match</a> the <a data-link-type="dfn" href="#allowed-style-sources">allowed style sources</a>
    for the <a data-link-type="dfn" href="#protected-resource">protected resource</a>, the user agent MUST act as if there was
    a fatal network error and no resource was obtained, <em>and</em> <a data-link-type="dfn" href="#report-a-violation">report
    a violation</a>:</p>
     

    
     <ul>
      
      <li>
        Requesting an external stylesheet when processing the
        <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-link-href">href</a> of a <a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a> element
        whose <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-link-rel">rel</a> attribute contains the token
        <code><a data-link-type="dfn" href="http://www.w3.org/TR/html5/links.html#link-type-stylesheet">stylesheet</a></code>.
      
      
      
      <li>
        Requesting an external stylesheet when processing the &lt;&lt;@import>>
        directive.
      
      
      
      <li>
        Requesting an external stylesheet when processing a <code>Link</code>
        HTTP response header field <a data-link-type="biblio" href="#biblio-rfc5988">[RFC5988]</a>.


       <p class="note" role="note">Note: As this stylesheet might be prefetched before a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code>
        actually exists, user agents will need to carefully consider how to
        instantiate a meaningful <a data-link-type="dfn" href="#security-policy">policy</a> against which to compare this
        request. See <a href="#complications">§10.1 Processing Complications</a> for more detail.</p>
       
      
      
    
     </ul>
     


     <p class="note" role="note">Note: The <code>style-src</code> directive does not restrict the
    use of XSLT. XSLT is restricted by the <code><a data-link-type="dfn" href="#script_src">script-src</a></code>
    directive because the security consequences of including an untrusted
    XSLT stylesheet are similar to those incurred by including an
    untrusted script.</p>
     

    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.16.1" id="style-src-nonce-usage"><span class="secno">7.16.1. </span><span class="content">
        Nonce usage for <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> elements
      </span><a class="self-link" href="#style-src-nonce-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>See the <a href="#script-src-nonce-usage"><code>script-src</code>
      nonce usage information</a> for detail; the application of nonces
      to <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> elements is similar enough to avoid
      repetition here.</p>
      
    
     </section>
     
    
     <section class="informative">
      
      <h4 class="heading settled" data-level="7.16.2" id="style-src-hash-usage"><span class="secno">7.16.2. </span><span class="content">
        Hash usage for <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> elements
      </span><a class="self-link" href="#style-src-hash-usage"></a></h4>
      


      <p><em>This section is not normative.</em></p>
      


      <p>See the <a href="#script-src-hash-usage"><code>script-src</code>
      hash usage information</a> for detail; the application of hashes
      to <code><a data-link-type="element" href="http://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> elements is similar enough to avoid
      repetition here.</p>
      
    
     </section>
     
  
    </section>
</section>



   <section>
  
    <h2 class="heading settled" data-level="8" id="examples"><span class="secno">8. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h2>

  
    <section class="informative">
    
     <h3 class="heading settled" data-level="8.1" id="example-policies"><span class="secno">8.1. </span><span class="content">Sample Policy Definitions</span><a class="self-link" href="#example-policies"></a></h3>
     


     <p>This section provides some sample use cases and supporting <a data-link-type="dfn" href="#security-policy">policies</a>.</p>
     

    
     <div class="example" id="example-f62636cb"><a class="self-link" href="#example-f62636cb"></a>
      A server wishes to load resources only from its own origin:


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> 'self'</pre>
      
    
     </div>
     

    
     <div class="example" id="example-60f388c8"><a class="self-link" href="#example-60f388c8"></a>
      An auction site wishes to load images from any URL, plugin content from a
      list of trusted media providers (including a content distribution network),
      and scripts only from a server under its control hosting sanitized
      ECMAScript:

      
      <pre>Content-Security-Policy:
    <a data-link-type="dfn" href="#default_src">default-src</a> 'self'; img-src *;
    <a data-link-type="dfn" href="#object_src">object-src</a> media1.example.com media2.example.com *.cdn.example.com;
    <a data-link-type="dfn" href="#script_src">script-src</a> trustedscripts.example.com
</pre>
      
    
     </div>
     

    
     <div class="example" id="example-d8347684"><a class="self-link" href="#example-d8347684"></a>
      An online banking site wishes to ensure that all of the content in its pages
      is loaded over TLS to prevent attackers from eavesdropping on insecure
      content requests:


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> https: 'unsafe-inline' 'unsafe-eval'</pre>
      


      <p>This policy allows inline content (such as inline
      <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements), use of <code>eval</code>,
      and loading resources over <code>https</code>. Note: This policy does
      not provide any protection from cross-site scripting vulnerabilities.</p>
      
    
     </div>
     

    
     <div class="example" id="example-a287d03d"><a class="self-link" href="#example-a287d03d"></a>
      A website that relies on inline <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements
      wishes to ensure that script is only executed from its own origin, and those
      elements it intentionally inserted inline:


      <pre>Content-Security-Policy: <a data-link-type="dfn" href="#script_src">script-src</a> 'self' 'nonce-<em>$RANDOM</em>';</pre>
      


      <p>The inline <code><a data-link-type="element" href="http://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements would then only
      execute if they contained a matching
      <code><a data-link-type="element-attr" href="#element-attrdef-script-nonce">nonce</a></code> attribute:</p>
      


      <pre>&lt;script nonce="<em>$RANDOM</em>">...&lt;/script></pre>
      
    
     </div>
     
  
    </section>

  
    <section class="informative">
    
     <h3 class="heading settled" data-level="8.2" id="example-violation-report"><span class="secno">8.2. </span><span class="content">Sample Violation Report</span><a class="self-link" href="#example-violation-report"></a></h3>
     


     <p>This section contains an example violation report the user agent
    might sent to a server when the protected resource violations a sample
    policy.</p>
     


     <p>In the following example, the user agent rendered a representation
    of the resource <code>http://example.org/page.html</code> with the
    following policy:</p>
     


     <pre><a data-link-type="dfn" href="#default_src">default-src</a> 'self'; <a data-link-type="dfn" href="#report_uri">report-uri</a> http://example.org/csp-report.cgi</pre>
     


     <p>The protected resource loaded an image from
    <code>http://evil.example.com/image.png</code>, violating the
    policy.</p>
     

    
     <pre>{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-uri": "http://evil.example.com/image.png",
    "violated-directive": "default-src 'self'",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
  }
}
</pre>
     
  
    </section>
</section>



   <section>
  
    <h2 class="heading settled" data-level="9" id="security-considerations"><span class="secno">9. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
  
    <section>
    
     <h3 class="heading settled" data-level="9.1" id="security-css-parsing"><span class="secno">9.1. </span><span class="content">Cascading Style Sheet (CSS) Parsing</span><a class="self-link" href="#security-css-parsing"></a></h3>
     


     <p>The <code><a data-link-type="dfn" href="#style_src">style-src</a></code> directive restricts the locations from
    which the protected resource can load styles. However, if the user agent uses a
    lax CSS parsing algorithm, an attacker might be able to trick the user
    agent into accepting malicious "stylesheets" hosted by an otherwise
    trustworthy origin.</p>
     


     <p>These attacks are similar to the <a href="http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">CSS
    cross-origin data leakage</a> attack described by Chris Evans in 2009.
    User agents SHOULD defend against both attacks using the same
    mechanism: stricter CSS parsing rules for style sheets with improper
    MIME types.</p>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="9.2" id="security-redirects"><span class="secno">9.2. </span><span class="content">Redirect Information Leakage</span><a class="self-link" href="#security-redirects"></a></h3>
     


     <p>The violation reporting mechanism in this document has been
    designed to mitigate the risk that a malicious web site could use
    violation reports to probe the behavior of other servers. For example,
    consider a malicious web site that white lists <code>https://example.com</code>
    as a source of images. If the malicious site attempts to load
    <code>https://example.com/login</code> as an image, and the
    <code>example.com</code> server redirects to an identity provider (e.g.,
    <code>identityprovider.example.net</code>), CSP will block the request.
    If violation reports contained the full blocked URL, the violation
    report might contain sensitive information contained in the redirected URL,
    such as session identifiers or purported identities. For this reason, the
    user agent includes only the origin of the blocked URL.</p>
     


     <p>The mitigations are not complete, however: redirects which are blocked will
    produce side-effects which may be visible to JavaScript (via
    <code>img.naturalHeight</code>, for instance). An earlier version of this
    specification defined a
    <a href="http://www.w3.org/TR/2015/CR-CSP2-20150721/#csp-request-header"><code>CSP</code>
    request header</a> which servers could use (in conjunction with the
    <code>referer</code> and <code>origin</code> headers) to determine whether
    or not it was completely safe to redirect a user. This header caused some
    issues with CORS processing (tracked in
    <a href="https://github.com/whatwg/fetch/issues/52">whatwg/fetch#52</a>),
    and has been punted to the next version of this document.</p>
     
  
    </section>
</section>



   <section>
  
    <h2 class="heading settled" data-level="10" id="implementation-considerations"><span class="secno">10. </span><span class="content">Implementation Considerations</span><a class="self-link" href="#implementation-considerations"></a></h2>


    <p>The <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code> header is an end-to-end
  header. It is processed and enforced at the client and, therefore,
  SHOULD NOT be modified or removed by proxies or other intermediaries not
  in the same administrative domain as the resource.</p>


    <p>The originating administrative domain for a resource might wish to
  apply a <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code> header outside of the
  immediate context of an application. For example, a large organization
  might have many resources and applications managed by different
  individuals or teams but all subject to a uniform organizational
  standard. In such situations, a <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code>
  header might be added or combined with an existing one at a network-edge
  security gateway device or web application firewall. To enforce multiple
  policies, the administrator SHOULD combine the policy into a single header.
  An administrator might wish to use different combination algorithms
  depending on his or her intended semantics.</p>


    <p>One sensible policy combination algorithm is to start by allowing a
  default set of sources and then letting individual upstream resource
  owners expand the set of allowed sources by including additional origins.
  In this approach, the resultant policy is the union of all allowed
  origins in the input policies.</p>


    <p>Another sensible policy combination algorithm is to intersect the
  given policies. This approach enforces that content comes from a certain
  whitelist of origins, for example, preventing developers from including
  third-party scripts or content in violation of organizational standards
  and practices. In this approach, the combination algorithm forms the
  combined policy by removing disallowed hosts from the policies supplied
  by upstream resource owners.</p>


    <p>Interactions between the <code><a data-link-type="dfn" href="#default_src">default-src</a></code> and other directives
  SHOULD be given special consideration when combining policies. If none
  of the policies contains a <code><a data-link-type="dfn" href="#default_src">default-src</a></code> directive, adding new
  src directives results in a more restrictive policy. However, if one or
  more of the input policies contain a <code><a data-link-type="dfn" href="#default_src">default-src</a></code> directive,
  adding new src directives might result in a less restrictive policy, for
  example, if the more specific directive contains a more permissive set of
  allowed origins.</p>


    <p>Using a more restrictive policy than the input policy authored by the
  resource owner might prevent the resource from rendering or operating as
  intended.</p>


    <p class="note" role="note">Note: Migration to <code>HTTPS</code> from <code>HTTP</code>
  may require updates to the policy in order to keep things running as
  before. Source expressions like <code>http://example.com</code> do
  <em>not</em> match <code>HTTPS</code> resources. For example,
  administrators SHOULD carefully examine existing policies before rolling
  out <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security</a>
  headers for an application. <a data-link-type="biblio" href="#biblio-rfc6797">[RFC6797]</a></p>

  
    <div class="note" role="note">
    Server administrators MAY wish to send multiple policies if different
    reporting options are desired for subsets of an overall policy. For instance,
    the following headers:

    
     <pre>Content-Security-Policy: <a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a> https://example.com/ 
Content-Security-Policy: <a data-link-type="dfn" href="#default_src">default-src</a> https:; report-uri https://example.com/
</pre>
     


     <p>would send violation reports for <code>http</code> resources, but would not
    send violation reports for <code><a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a></code> violations.
    Note also that combining them via '<code>,</code>' into the single header</p>
     

    
     <pre>Content-Security-Policy: <a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a> https://example.com/, <a data-link-type="dfn" href="#default_src">default-src</a> https:; report-uri https://example.com/
</pre>
     


     <p>would have the same effect, as the comma splits the header during parsing.</p>
     
  
    </div>

  
    <h3 class="heading settled" data-level="10.1" id="complications"><span class="secno">10.1. </span><span class="content">Processing Complications</span><a class="self-link" href="#complications"></a></h3>


    <p>Many user agents implement some form of optimistic resource fetching algorithm
  to speed up page loads. In implementing these features, user agents MUST
  ensure that these optimizations do not alter the behavior of the page’s
  security policy.</p>


    <p>Here, we’ll note a few potential complications that could cause bugs in
  implementations:</p>

  
    <ol>
    
     <li>
      The <a data-link-type="dfn" href="#frame_ancestors">frame-ancestor</a> directive MUST take effect before a document is
      loaded into a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>, and certainly before script
      is potentially executed. One way to approach this constraint is to perform
      the ancestor check defined in <a href="#directive-frame-ancestors">§7.7 frame-ancestors</a> while parsing
      the document’s headers. This might mean that no document object is
      available at all, which can complicate checks against <code>'self'</code>,
      and <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-scheme">scheme</a>- or <a data-link-type="dfn" href="http://www.w3.org/TR/url/#concept-url-port">port</a>-relative source expressions.
    
     
    
     <li>
      Likewise, the <code>Link</code> HTTP response header could generate
      requests for stylesheet resources before a document is available. User
      agents MUST ensure that any policy contained in the response headers is
      parsed and effective <em>before</em> these requests are generated. For
      example, a response returning the following headers:

      
      <pre>Content-Security-Policy: style-src 'none'
Link: &lt;awesome.css>; rel=stylesheet
</pre>
      


      <p>MUST have the same behavior as a response returning the following headers:</p>
      

      
      <pre>Link: &lt;awesome.css>; rel=stylesheet
Content-Security-Policy: style-src 'none'
</pre>
      


      <p>namely, both must block requests for the stylesheet. To fulfil this
      requirement user agents MUST wait until all headers have been processed
      before beginning to prefetch resources.</p>
      
    
     
  
    </ol>
</section>



   <section>
  
    <h2 class="heading settled" data-level="11" id="iana-considerations"><span class="secno">11. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>


    <p>The permanent message header field registry should be updated
  with the following registrations: <a data-link-type="biblio" href="#biblio-rfc3864">[RFC3864]</a></p>

  
    <section>
    
     <h3 class="heading settled" data-level="11.1" id="iana-content-security-policy"><span class="secno">11.1. </span><span class="content">Content-Security-Policy</span><a class="self-link" href="#iana-content-security-policy"></a></h3>
     

    
     <dl>
      
      <dt>Header field name
      
      
      <dd>Content-Security-Policy
      

      
      <dt>Applicable protocol
      
      
      <dd>http
      

      
      <dt>Status
      
      
      <dd>standard
      

      
      <dt>Author/Change controller
      
      
      <dd>W3C
      

      
      <dt>Specification document
      
      
      <dd>This specification (See <code><a data-link-type="dfn" href="#content_security_policy">Content-Security-Policy</a></code>
      Header Field)
      
    
     </dl>
     
  
    </section>

  
    <section>
    
     <h3 class="heading settled" data-level="11.2" id="iana-content-security-policy-report-only"><span class="secno">11.2. </span><span class="content">Content-Security-Policy-Report-Only</span><a class="self-link" href="#iana-content-security-policy-report-only"></a></h3>
     

    
     <dl>
      
      <dt>Header field name
      
      
      <dd>Content-Security-Policy-Report-Only
      

      
      <dt>Applicable protocol
      
      
      <dd>http
      

      
      <dt>Status
      
      
      <dd>standard
      

      
      <dt>Author/Change controller
      
      
      <dd>W3C
      

      
      <dt>Specification document
      
      
      <dd>This specification (See
      <code><a data-link-type="dfn" href="#content_security_policy_report_only">Content-Security-Policy-Report-Only</a></code> Header Field)
      
    
     </dl>
     
  
    </section>
</section>


   <section>
  
    <h2 class="heading settled" data-level="12" id="acknowledgements"><span class="secno">12. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>


    <p>In addition to the documents in the W3C Web Application Security working
  group, the work on this document is also informed by the work of the
  <a href="https://tools.ietf.org/wg/websec/">IETF websec working group</a>,
  particularly that working group’s requirements document:
  <a href="https://tools.ietf.org/id/draft-hodges-websec-framework-reqs">draft-hodges-websec-framework-reqs</a>.</p>


    <p>A portion of the <code><a data-link-type="dfn" href="#frame_ancestors">frame-ancestors</a></code> directive was
  originally developed as <code>X-Frame-Options</code>. <a data-link-type="biblio" href="#biblio-rfc7034">[RFC7034]</a></p>


    <p>Brian Smith, Neil Matatall, Anne van Kesteren, and Sigbjørn Vik provided
  particularly insightful feedback to keep this specification sane.</p>
</section>

</main>

  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>


  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>

    
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words "MUST",
    "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
    "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification.

    </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>

    
  <p>Examples in this specification are introduced with the words "for example"
    or are set apart from the normative text with <code>class="example"</code>,
    like this:

    </p>
  <div class="example" id="example-f839f6c8"><a class="self-link" href="#example-f839f6c8"></a>
        
   <p>This is an example of an informative example.</p>
   
    
  </div>

    
  <p>Informative notes begin with the word "Note" and are set apart from the
    normative text with <code>class="note"</code>, like this:

    </p>
  <p class="note" role="note">Note, this is an informative note.</p>


  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>

    
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>

    
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>


  <h3 class="no-ref no-num heading settled" id="conformance-classes"><span class="content">Conformance Classes</span><a class="self-link" href="#conformance-classes"></a></h3>

    
  <p>A <dfn data-dfn-type="dfn" data-noexport="" id="conformant-user-agent">conformant user agent<a class="self-link" href="#conformant-user-agent"></a></dfn> must implement all the requirements
    listed in this specification that are applicable to user agents.</p>

    
  <p>A <dfn data-dfn-type="dfn" data-noexport="" id="conformant-server">conformant server<a class="self-link" href="#conformant-server"></a></dfn> must implement all the requirements listed
    in this specification that are applicable to servers.</p>




  <h2 class="no-num heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="indexlist">
   <li><a href="#allowed-base-urls">allowed base URLs</a><span>, in §7.1</span>
   <li><a href="#allowed-child-sources">allowed child sources</a><span>, in §7.2</span>
   <li><a href="#allowed-connection-targets">allowed connection targets</a><span>, in §7.3</span>
   <li><a href="#allowed-font-sources">allowed font sources</a><span>, in §7.5</span>
   <li><a href="#allowed-form-actions">allowed form actions</a><span>, in §7.6</span>
   <li><a href="#allowed-frame-ancestors">allowed frame ancestors</a><span>, in §7.7</span>
   <li><a href="#allowed-frame-sources">allowed frame sources</a><span>, in §7.8</span>
   <li><a href="#allowed-image-sources">allowed image sources</a><span>, in §7.9</span>
   <li><a href="#allowed-media-sources">allowed media sources</a><span>, in §7.10</span>
   <li><a href="#allowed-object-sources">allowed object sources</a><span>, in §7.11</span>
   <li><a href="#allowed-plugin-media-types">allowed plugin media types</a><span>, in §7.12</span>
   <li><a href="#allowed-script-sources">allowed script sources</a><span>, in §7.15</span>
   <li><a href="#allowed-style-sources">allowed style sources</a><span>, in §7.16</span>
   <li><a href="#alpha">ALPHA</a><span>, in §2.4</span>
   <li><a href="#ancestor_source">ancestor-source</a><span>, in §7.7</span>
   <li><a href="#ancestor_source_list">ancestor-source-list</a><span>, in §7.7</span>
   <li><a href="#base64_value">base64-value</a><span>, in §4.2</span>
   <li><a href="#base_uri">base-uri</a><span>, in §7.1</span>
   <li>blockedURI
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-blockeduri">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-blockeduri">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#callable">callable</a><span>, in §2.3</span>
   <li><a href="#callers">callers</a><span>, in §2.3</span>
   <li><a href="#child_src">child-src</a><span>, in §7.2</span>
   <li>columnNumber
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-columnnumber">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-columnnumber">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#conformant-server">conformant server</a><span>, in §Unnumbered section</span>
   <li><a href="#conformant-user-agent">conformant user agent</a><span>, in §Unnumbered section</span>
   <li><a href="#connect_src">connect-src</a><span>, in §7.3</span>
   <li><a href="#content_security_policy">Content-Security-Policy</a><span>, in §3.1</span>
   <li><a href="#content_security_policy_report_only">Content-Security-Policy-Report-Only</a><span>, in §3.2</span>
   <li><a href="#content-security-policy-task-source">Content Security Policy task
          source</a><span>, in §4.4</span>
   <li><a href="#default-sources">default sources</a><span>, in §7.4</span>
   <li><a href="#default_src">default-src</a><span>, in §7.4</span>
   <li><a href="#digest-of-elements-content">digest of element’s content</a><span>, in §4.2.5</span>
   <li><a href="#digit">DIGIT</a><span>, in §2.4</span>
   <li><a href="#security-policy-directive">directive</a><span>, in §2.1</span>
   <li><a href="#security-policy-directive-name">directive name</a><span>, in §2.1</span>
   <li><a href="#directive_name">directive-name</a><span>, in §4.1</span>
   <li><a href="#directive_token">directive-token</a><span>, in §4.1</span>
   <li><a href="#directive_value">directive-value</a><span>, in §4.1</span>
   <li><a href="#security-policy-directive-value">directive value</a><span>, in §2.1</span>
   <li>documentURI
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-documenturi">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-documenturi">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li>effectiveDirective
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-effectivedirective">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-effectivedirective">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#elements-content">element’s content</a><span>, in §4.2.5</span>
   <li><a href="#enforce">enforce</a><span>, in §5</span>
   <li><a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict</a><span>, in §6.1</span>
   <li><a href="#fire-a-violation-event">fire a violation event</a><span>, in §6.3</span>
   <li><a href="#font_src">font-src</a><span>, in §7.5</span>
   <li><a href="#form_action">form-action</a><span>, in §7.6</span>
   <li><a href="#frame_ancestors">frame-ancestors</a><span>, in §7.7</span>
   <li><a href="#frame_src">frame-src</a><span>, in §7.8</span>
   <li><a href="#generate-a-violation-report-object">generate a violation report object</a><span>, in §4.4</span>
   <li><a href="#generate-a-violation-report-object">generating a violation report object</a><span>, in §4.4</span>
   <li><a href="#globally-unique-identifier">globally unique identifier</a><span>, in §2.2</span>
   <li><a href="#hash_algo">hash-algo</a><span>, in §4.2</span>
   <li><a href="#hash_source">hash-source</a><span>, in §4.2</span>
   <li><a href="#hash_value">hash-value</a><span>, in §4.2</span>
   <li><a href="#host_char">host-char</a><span>, in §4.2</span>
   <li><a href="#host_part">host-part</a><span>, in §4.2</span>
   <li><a href="#host_source">host-source</a><span>, in §4.2</span>
   <li><a href="#http-200-response">HTTP 200 response</a><span>, in §2.2</span>
   <li><a href="#img_src">img-src</a><span>, in §7.9</span>
   <li><a href="#json-object">JSON object</a><span>, in §2.2</span>
   <li><a href="#json-stringification">JSON stringification</a><span>, in §2.2</span>
   <li><a href="#keyword_source">keyword-source</a><span>, in §4.2</span>
   <li>lineNumber
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-linenumber">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-linenumber">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#match-a-media-type-list">match a media type list</a><span>, in §4.3.2</span>
   <li><a href="#match-a-source-expression">match a source expression</a><span>, in §4.2.2</span>
   <li><a href="#match-a-source-list">match a source list</a><span>, in §4.2.2</span>
   <li><a href="#media_src">media-src</a><span>, in §7.10</span>
   <li><a href="#media-type">media type</a><span>, in §4.3</span>
   <li><a href="#media_type">media-type</a><span>, in §4.3</span>
   <li><a href="#media-type-list">media type list</a><span>, in §4.3</span>
   <li><a href="#media_type_list">media-type-list</a><span>, in §4.3</span>
   <li><a href="#monitor">monitor</a><span>, in §5</span>
   <li>nonce
    <ul>
     <li><a href="#dom-htmlscriptelement-nonce">attribute for HTMLScriptElement</a><span>, in §4.2.3</span>
     <li><a href="#element-attrdef-script-nonce">element-attr for script</a><span>, in §4.2.3</span>
     <li><a href="#dom-htmlstyleelement-nonce">attribute for HTMLStyleElement</a><span>, in §4.2.3</span>
     <li><a href="#element-attrdef-style-nonce">element-attr for style</a><span>, in §4.2.3</span>
    </ul>
   <li><a href="#nonce_source">nonce-source</a><span>, in §4.2</span>
   <li><a href="#nonce_value">nonce-value</a><span>, in §4.2</span>
   <li><a href="#object_src">object-src</a><span>, in §7.11</span>
   <li><a href="#origin">origin</a><span>, in §2.2</span>
   <li>originalPolicy
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-originalpolicy">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-originalpolicy">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#parse-a-media-type-list">parse a media type list</a><span>, in §4.3.1</span>
   <li><a href="#parse-a-source-list">parse a source list</a><span>, in §4.2.1</span>
   <li><a href="#parse-the-policy">parse the policy</a><span>, in §4.1.1</span>
   <li><a href="#path_part">path-part</a><span>, in §4.2</span>
   <li><a href="#plugin_types">plugin-types</a><span>, in §7.12</span>
   <li><a href="#security-policy">policy</a><span>, in §2.1</span>
   <li><a href="#policy_token">policy-token</a><span>, in §4.1</span>
   <li><a href="#port_part">port-part</a><span>, in §4.2</span>
   <li><a href="#protected-resource">protected resource</a><span>, in §2.1</span>
   <li>referrer
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-referrer">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-referrer">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#report-a-violation">report a violation</a><span>, in §4.4</span>
   <li><a href="#report_uri">report-uri</a><span>, in §7.13</span>
   <li><a href="#resource-representation">representation</a><span>, in §2.2</span>
   <li><a href="#resource-representation">resource representation</a><span>, in §2.2</span>
   <li><a href="#runs-a-worker">runs a worker</a><span>, in §2.3</span>
   <li><a href="#sandbox">sandbox</a><span>, in §7.14</span>
   <li><a href="#sandbox_token">sandbox-token</a><span>, in §7.14</span>
   <li><a href="#scheme_part">scheme-part</a><span>, in §4.2</span>
   <li><a href="#scheme_source">scheme-source</a><span>, in §4.2</span>
   <li><a href="#script_src">script-src</a><span>, in §7.15</span>
   <li><a href="#security-policy">security policy</a><span>, in §2.1</span>
   <li><a href="#security-policy-directive">security policy directive</a><span>, in §2.1</span>
   <li><a href="#security-policy-directive-name">security policy directive name</a><span>, in §2.1</span>
   <li><a href="#security-policy-directive-value">security policy directive value</a><span>, in §2.1</span>
   <li><a href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a><span>, in §6.1</span>
   <li><a href="#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
   <li><a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent">SecurityPolicyViolationEvent(type, eventInitDict)</a><span>, in §6.1</span>
   <li><a href="#send-violation-reports">send violation reports</a><span>, in §4.4</span>
   <li><a href="#set-of-report-urls">set of report URLs</a><span>, in §7.13</span>
   <li><a href="#sha_256">SHA-256</a><span>, in §2.2</span>
   <li><a href="#sha_384">SHA-384</a><span>, in §2.2</span>
   <li><a href="#sha_512">SHA-512</a><span>, in §2.2</span>
   <li><a href="#source_expression">source-expression</a><span>, in §4.2</span>
   <li><a href="#source-expression">source expression</a><span>, in §4.2</span>
   <li><a href="#source_file">source-file</a><span>, in §4.4</span>
   <li>sourceFile
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-sourcefile">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-sourcefile">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#source_list">source-list</a><span>, in §4.2</span>
   <li><a href="#source-list">source
    list</a><span>, in §4.2</span>
   <li><a href="#dom-securitypolicyviolationevent-statuscode">statusCode</a><span>, in §6.1</span>
   <li><a href="#strip-uri-for-reporting">stripped for reporting</a><span>, in §4.4</span>
   <li><a href="#strip-uri-for-reporting">strip uri for reporting</a><span>, in §4.4</span>
   <li><a href="#style_src">style-src</a><span>, in §7.16</span>
   <li><a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type</a><span>, in §6.1</span>
   <li><a href="#uri_reference">uri-reference</a><span>, in §7.13</span>
   <li><a href="#url">URL</a><span>, in §2.2</span>
   <li><a href="#valid-hash">valid hash</a><span>, in §4.2.5</span>
   <li><a href="#valid-nonce">valid nonce</a><span>, in §4.2.4</span>
   <li><a href="#vchar">VCHAR</a><span>, in §2.4</span>
   <li>violatedDirective
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-violateddirective">attribute for SecurityPolicyViolationEvent</a><span>, in §6.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-violateddirective">dict-member for SecurityPolicyViolationEventInit</a><span>, in §6.2</span>
    </ul>
   <li><a href="#wsp">WSP</a><span>, in §2.4</span></ul>
  <h3 class="no-num heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="indexlist">
   <li><a data-link-type="biblio" href="#biblio-css-images-3">[css-images-3]</a> defines the following terms:
    <ul>
     <li><a href="https://drafts.csswg.org/css-images-3/#funcdef-image-set">image-set()</a>
    </ul>
   <li><a data-link-type="biblio" href="#biblio-css-images-4">[css-images-4]</a> defines the following terms:
    <ul>
     <li><a href="https://drafts.csswg.org/css-images-4/#funcdef-image">image()</a>
    </ul>
   <li><a data-link-type="biblio" href="#biblio-webidl">[WebIDL]</a> defines the following terms:
    <ul>
     <li><a href="http://heycam.github.io/webidl/#idl-DOMString">DOMString</a>
    </ul></ul>
  <h2 class="no-num heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-abnf"><a class="self-link" href="#biblio-abnf"></a>[ABNF]
   <dd>Dave Crocker; Paul Overell. <a href="http://www.ietf.org/rfc/rfc5234.txt">Augmented BNF for Syntax Specifications: ABNF</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc5234.txt">http://www.ietf.org/rfc/rfc5234.txt</a>
   <dt id="biblio-beacon"><a class="self-link" href="#biblio-beacon"></a>[BEACON]
   <dd>Jatinder Mann; Alois Reitbauer. <a href="http://www.w3.org/TR/beacon/">Beacon</a>. WD. URL: <a href="http://www.w3.org/TR/beacon/">http://www.w3.org/TR/beacon/</a>
   <dt id="biblio-ecma-262"><a class="self-link" href="#biblio-ecma-262"></a>[ECMA-262]
   <dd>Allen Wirfs-Brock. <a href="http://www.ecma-international.org/ecma-262/6.0/">ECMA-262 6th Edition, The ECMAScript 2015 Language Specification</a>. June 2015. Standard. URL: <a href="http://www.ecma-international.org/ecma-262/6.0/">http://www.ecma-international.org/ecma-262/6.0/</a>
   <dt id="biblio-fips180"><a class="self-link" href="#biblio-fips180"></a>[FIPS180]
   <dd><a href="http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf">Secure Hash Standard</a>. URL: <a href="http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf">http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf</a>
   <dt id="biblio-html-imports"><a class="self-link" href="#biblio-html-imports"></a>[HTML-IMPORTS]
   <dd>Dmitri Glazkov; Hajime Morrita. <a href="http://www.w3.org/TR/html-imports/">HTML Imports</a>. WD. URL: <a href="http://www.w3.org/TR/html-imports/">http://www.w3.org/TR/html-imports/</a>
   <dt id="biblio-rfc3492"><a class="self-link" href="#biblio-rfc3492"></a>[RFC3492]
   <dd>Adam M. Costello. <a href="http://www.ietf.org/rfc/rfc3492.txt">Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</a>. REC. URL: <a href="http://www.ietf.org/rfc/rfc3492.txt">http://www.ietf.org/rfc/rfc3492.txt</a>
   <dt id="biblio-rfc3864"><a class="self-link" href="#biblio-rfc3864"></a>[RFC3864]
   <dd>Graham Klyne; Mark Nottingham; Jeffrey C. Mogul. <a href="http://www.ietf.org/rfc/rfc3864.txt">Registration Procedures for Message Header Fields</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc3864.txt">http://www.ietf.org/rfc/rfc3864.txt</a>
   <dt id="biblio-rfc4627"><a class="self-link" href="#biblio-rfc4627"></a>[RFC4627]
   <dd>Douglas Crockford. <a href="http://www.ietf.org/rfc/rfc4627.txt">The 'application/json' Media Type for JavaScript Object Notation (JSON)</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc4627.txt">http://www.ietf.org/rfc/rfc4627.txt</a>
   <dt id="biblio-rfc6454"><a class="self-link" href="#biblio-rfc6454"></a>[RFC6454]
   <dd>Adam Barth. <a href="http://www.ietf.org/rfc/rfc6454.txt">The Web Origin Concept</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc6454.txt">http://www.ietf.org/rfc/rfc6454.txt</a>
   <dt id="biblio-rfc7034"><a class="self-link" href="#biblio-rfc7034"></a>[RFC7034]
   <dd>David Ross; Tobias Gondrom. <a href="http://www.ietf.org/rfc/rfc7034.txt">HTTP Header Field X-Frame-Options</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc7034.txt">http://www.ietf.org/rfc/rfc7034.txt</a>
   <dt id="biblio-rfc7230"><a class="self-link" href="#biblio-rfc7230"></a>[RFC7230]
   <dd>Roy T. Fielding; Julian F. Reschke. <a href="http://www.ietf.org/rfc/rfc7230.txt">HTTP/1.1 Message Syntax and Routing</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc7230.txt">http://www.ietf.org/rfc/rfc7230.txt</a>
   <dt id="biblio-rfc7231"><a class="self-link" href="#biblio-rfc7231"></a>[RFC7231]
   <dd>Roy T. Fielding; Julian F. Reschke. <a href="http://www.ietf.org/rfc/rfc7231.txt">HTTP/1.1 Semantics and Content</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc7231.txt">http://www.ietf.org/rfc/rfc7231.txt</a>
   <dt id="biblio-url"><a class="self-link" href="#biblio-url"></a>[URL]
   <dd>Anne van Kesteren; Sam Ruby. <a href="http://www.w3.org/TR/url/">URL</a>. WD. URL: <a href="http://www.w3.org/TR/url/">http://www.w3.org/TR/url/</a>
   <dt id="biblio-webidl"><a class="self-link" href="#biblio-webidl"></a>[WebIDL]
   <dd>Cameron McCormack. <a href="http://www.w3.org/TR/WebIDL/">Web IDL</a>. 19 April 2012. CR. URL: <a href="http://www.w3.org/TR/WebIDL/">http://www.w3.org/TR/WebIDL/</a>
   <dt id="biblio-xmlhttprequest"><a class="self-link" href="#biblio-xmlhttprequest"></a>[XMLHttpRequest]
   <dd>Anne van Kesteren; et al. <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest Level 1</a>. 30 January 2014. WD. URL: <a href="http://www.w3.org/TR/XMLHttpRequest/">http://www.w3.org/TR/XMLHttpRequest/</a>
   <dt id="biblio-css-images-3"><a class="self-link" href="#biblio-css-images-3"></a>[CSS-IMAGES-3]
   <dd>CSS Image Values and Replaced Content Module Level 3 URL: <a href="http://www.w3.org/TR/css3-images/">http://www.w3.org/TR/css3-images/</a>
   <dt id="biblio-css-images-4"><a class="self-link" href="#biblio-css-images-4"></a>[CSS-IMAGES-4]
   <dd>CSS Image Values and Replaced Content Module Level 4 URL: <a href="http://www.w3.org/TR/css4-images/">http://www.w3.org/TR/css4-images/</a>
   <dt id="biblio-css3-fonts"><a class="self-link" href="#biblio-css3-fonts"></a>[CSS3-FONTS]
   <dd>John Daggett. <a href="http://www.w3.org/TR/css-fonts-3/">CSS Fonts Module Level 3</a>. 3 October 2013. CR. URL: <a href="http://www.w3.org/TR/css-fonts-3/">http://www.w3.org/TR/css-fonts-3/</a>
   <dt id="biblio-css4-images"><a class="self-link" href="#biblio-css4-images"></a>[CSS4-IMAGES]
   <dd>Elika Etemad; Tab Atkins Jr.. <a href="http://www.w3.org/TR/css4-images/">CSS Image Values and Replaced Content Module Level 4</a>. 11 September 2012. WD. URL: <a href="http://www.w3.org/TR/css4-images/">http://www.w3.org/TR/css4-images/</a>
   <dt id="biblio-cssom"><a class="self-link" href="#biblio-cssom"></a>[CSSOM]
   <dd>Simon Pieters; Glenn Adams. <a href="http://www.w3.org/TR/cssom/">CSS Object Model (CSSOM)</a>. 5 December 2013. WD. URL: <a href="http://www.w3.org/TR/cssom/">http://www.w3.org/TR/cssom/</a>
   <dt id="biblio-eventsource"><a class="self-link" href="#biblio-eventsource"></a>[EVENTSOURCE]
   <dd>Ian Hickson. <a href="http://www.w3.org/TR/eventsource/">Server-Sent Events</a>. 3 February 2015. REC. URL: <a href="http://www.w3.org/TR/eventsource/">http://www.w3.org/TR/eventsource/</a>
   <dt id="biblio-html5"><a class="self-link" href="#biblio-html5"></a>[HTML5]
   <dd>Ian Hickson; et al. <a href="http://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
   <dt id="biblio-rfc2119"><a class="self-link" href="#biblio-rfc2119"></a>[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3986"><a class="self-link" href="#biblio-rfc3986"></a>[RFC3986]
   <dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>. January 2005. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc3986">https://tools.ietf.org/html/rfc3986</a>
   <dt id="biblio-rfc5988"><a class="self-link" href="#biblio-rfc5988"></a>[RFC5988]
   <dd>M. Nottingham. <a href="https://tools.ietf.org/html/rfc5988">Web Linking</a>. October 2010. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5988">https://tools.ietf.org/html/rfc5988</a>
   <dt id="biblio-websockets"><a class="self-link" href="#biblio-websockets"></a>[WEBSOCKETS]
   <dd>Ian Hickson. <a href="http://www.w3.org/TR/websockets/">The WebSocket API</a>. 20 September 2012. CR. URL: <a href="http://www.w3.org/TR/websockets/">http://www.w3.org/TR/websockets/</a>
   <dt id="biblio-workers"><a class="self-link" href="#biblio-workers"></a>[WORKERS]
   <dd>Ian Hickson. <a href="http://www.w3.org/TR/workers/">Web Workers</a>. 1 May 2012. CR. URL: <a href="http://www.w3.org/TR/workers/">http://www.w3.org/TR/workers/</a>
   <dt id="biblio-xml11"><a class="self-link" href="#biblio-xml11"></a>[XML11]
   <dd>Tim Bray; et al. <a href="http://www.w3.org/TR/xml11/">Extensible Markup Language (XML) 1.1 (Second Edition)</a>. 16 August 2006. REC. URL: <a href="http://www.w3.org/TR/xml11/">http://www.w3.org/TR/xml11/</a>
   <dt id="biblio-xslt"><a class="self-link" href="#biblio-xslt"></a>[XSLT]
   <dd>James Clark. <a href="http://www.w3.org/TR/xslt">XSL Transformations (XSLT) Version 1.0</a>. 16 November 1999. REC. URL: <a href="http://www.w3.org/TR/xslt">http://www.w3.org/TR/xslt</a></dl>
  <h3 class="no-num heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-rfc6797"><a class="self-link" href="#biblio-rfc6797"></a>[RFC6797]
   <dd>Jeff Hodges; Collin Jackson; Adam Barth. <a href="http://www.ietf.org/rfc/rfc6797.txt">HTTP Strict Transport Security (HSTS)</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc6797.txt">http://www.ietf.org/rfc/rfc6797.txt</a>
   <dt id="biblio-uiredress"><a class="self-link" href="#biblio-uiredress"></a>[UIREDRESS]
   <dd>Giorgio Maone; et al. <a href="http://www.w3.org/TR/UISecurity/">User Interface Security Directives for Content Security Policy</a>. WD. URL: <a href="http://www.w3.org/TR/UISecurity/">http://www.w3.org/TR/UISecurity/</a></dl>
  <h2 class="no-num heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
  <pre class="idl">partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/html5/scripting-1.html#htmlscriptelement">HTMLScriptElement</a> {
  attribute DOMString <a class="idl-code" data-link-type="attribute" data-type="DOMString " href="#dom-htmlscriptelement-nonce">nonce</a>;
};

partial interface <a class="idl-code" data-link-type="interface" href="http://www.w3.org/TR/html5/document-metadata.html#htmlstyleelement">HTMLStyleElement</a> {
  attribute DOMString <a class="idl-code" data-link-type="attribute" data-type="DOMString " href="#dom-htmlstyleelement-nonce">nonce</a>;
};

[<a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent">Constructor</a>(DOMString <a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type</a>, optional <a data-link-type="idl-name" href="#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> <a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict</a>)]
interface <a href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a> : <a data-link-type="idl-name" href="http://www.w3.org/TR/dom/#event">Event</a> {
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-documenturi">documentURI</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-referrer">referrer</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-blockeduri">blockedURI</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-sourcefile">sourceFile</a>;
    readonly    attribute DOMString <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString " href="#dom-securitypolicyviolationevent-statuscode">statusCode</a>;
    readonly    attribute long      <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="long      " href="#dom-securitypolicyviolationevent-linenumber">lineNumber</a>;
    readonly    attribute long      <a class="idl-code" data-link-type="attribute" data-readonly="" data-type="long      " href="#dom-securitypolicyviolationevent-columnnumber">columnNumber</a>;
};

dictionary <a href="#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> : <a data-link-type="idl-name" href="http://www.w3.org/TR/dom/#eventinit">EventInit</a> {
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-documenturi">documentURI</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-referrer">referrer</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-blockeduri">blockedURI</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-violateddirective">violatedDirective</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-effectivedirective">effectiveDirective</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-originalpolicy">originalPolicy</a>;
    DOMString <a class="idl-code" data-link-type="dict-member" data-type="DOMString " href="#dom-securitypolicyviolationeventinit-sourcefile">sourceFile</a>;
    long      <a class="idl-code" data-link-type="dict-member" data-type="long      " href="#dom-securitypolicyviolationeventinit-linenumber">lineNumber</a>;
    long      <a class="idl-code" data-link-type="dict-member" data-type="long      " href="#dom-securitypolicyviolationeventinit-columnnumber">columnNumber</a>;
};

</pre></body>
</html>