diff --git a/fetch.bs b/fetch.bs index 839376071..39971d6cc 100644 --- a/fetch.bs +++ b/fetch.bs @@ -16,7 +16,7 @@ Markup Shorthands: css off !Commits: @fetchstandard !Tests: web-platform-tests fetch/ (ongoing work) !Translation (non-normative): 日本語 -Translate IDs: typedefdef-bodyinit bodyinit,dictdef-requestinit requestinit,typedefdef-requestinfo requestinfo,enumdef-requesttype requesttype,enumdef-requestdestination requestdestination,enumdef-requestmode requestmode,enumdef-requestcredentials requestcredentials,enumdef-requestcache requestcache,enumdef-requestredirect requestredirect,dictdef-responseinit responseinit,enumdef-responsetype responsetype +Translate IDs: typedefdef-bodyinit bodyinit,dictdef-requestinit requestinit,typedefdef-requestinfo requestinfo,enumdef-requestdestination requestdestination,enumdef-requestmode requestmode,enumdef-requestcredentials requestcredentials,enumdef-requestcache requestcache,enumdef-requestredirect requestredirect,dictdef-responseinit responseinit,enumdef-responsetype responsetype @@ -782,17 +782,6 @@ the time being as other specifications do not require it to be. It is primarily specification device to assist defining CSP and Mixed Content. It is not exposed to JavaScript. [[!CSP]] [[!MIX]] -
A request has an associated
-type, which is
-the empty string,
-"audio
",
-"font
",
-"image
",
-"script
",
-"style
",
-"track
", or
-"video
". Unless stated otherwise it is the empty string.
-
A request has an associated
destination, which is
the empty string,
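Review bot: the removal of request's type here (the values "audio" through "video") takes away a field that blocking checks elsewhere may still branch on. A condition left testing type can no longer be satisfied, so a check written that way silently stops applying. Suggest confirming in this change that every remaining reference to type is rewritten against destination, and adding a short note at this spot that points callers to destination, since the context above cites [[!CSP]] and [[!MIX]] as consumers of these request fields.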
@@ -813,23 +802,33 @@ the empty string,
"worker
", or
"xslt
". Unless stated otherwise it is the empty string.
+
+
+
A request's destination is
+script-like if it is "script
",
+"serviceworker
", "sharedworker
", or "worker
".
+
+
Algorithms that use script-like should also consider
+"xslt
" as that too can cause script execution. It is not included in the list as it is
+not always relevant and might require different behavior.
+
The following table illustrates the relationship between a - request's - initiator, - type, - destination, CSP directives, and features. +
The following table illustrates the relationship between a request's + initiator, destination, CSP directives, and features.
Initiator - | Type | Destination | CSP directive | Features | ||
---|---|---|---|---|---|---|
"" - | "" | "report "
| ? | CSP, NEL reports. @@ -855,24 +854,20 @@ the empty string, | object-src
| HTML's <embed>
|
"audio "
| "audio "
| media-src
| HTML's <audio>
| |||
"font "
| "font "
| font-src
| CSS' @font-face
| |||
"image "
| "image "
| img-src
| HTML's <img src> , /favicon.ico resource,
SVG's <image> , CSS' background-image , CSS'
cursor , CSS' list-style-image , …
| |||
"script "
| "script "
| script-src
| HTML's <script> , importScripts()
@@ -889,35 +884,29 @@ the empty string,
| child-src
| Worker
| |
"style "
| "style "
| style-src
| HTML's <link rel=stylesheet> , CSS' @import
| |||
"track "
| "track "
| media-src
| HTML's <track>
| |||
"video "
| "video "
| media-src
| HTML's <video> element
| |||
"download "
| "" - | "" | ? | HTML's download="" , "Save Link As…" UI
| ||
"imageset "
| "image "
- | "image "
| img-src
| HTML's <img srcset> and <picture>
| ||
"manifest "
- | "" | "manifest "
| manifest-src
| HTML's <link rel=manifest>
@@ -1635,11 +1624,11 @@ run these steps:
Let mimeType be the result of extracting a MIME type from response's header list. - Let type be request's type. + Let destination be request's destination. If type is " If destination is script-like and one of the + following is true, then return blocked:
|
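Review bot: in the hunk at @@ -813,23 +802,33 @@, the script-like definition leaves out "xslt" while the accompanying note says it "too can cause script execution", so coverage depends on every caller acting on a "should". A caller that overlooks it ends up with a weaker check and nothing in its own text flags the omission. Suggest either defining a second term that includes "xslt", or requiring each algorithm that uses script-like to state explicitly whether "xslt" is in scope.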
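Review bot: in the hunk at @@ -1635,11 +1624,11 @@, the condition "If destination is script-like and one of the following is true, then return blocked" uses the new term without saying whether "xslt" is deliberately outside this check, which is exactly the case the definition's note asks algorithms to consider. Suggest recording that decision in a note next to this step. Also check that no later step of the algorithm still refers to the type variable, since the visible lines only show its declaration being replaced by "Let destination be request's destination."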