Add and populate global object's "CSP list"

Content Security Policy adds a new property to the global object that
holds the active policy objects for a context. This patch merges this
property into HTML, and initialises it whenever creating new Document
and Worker objects.

#271
mikewest committed Oct 21, 2015
1 parent ecce42b commit 479dfbf1ff68b746ed3f81cc7415165e3342709e
Showing with 26 additions and 3 deletions.
  1. +26 −3 source
29 source
<li><dfn data-noexport="" data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn>
<li><dfn data-noexport="" data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn>
<li><dfn data-noexport="" data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn>
<li><dfn data-noexport="" data-x="concept-response-csp-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</dfn>
<li><dfn data-noexport="" data-x="concept-response-https-state" data-x-href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</dfn>
</ul>
<li>
<li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#enforced">enforce the policy</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#frame-ancestors"><code data-x="">frame-ancestors</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
</ul>
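Review bot: the new CSP dependency entries are inconsistent in form: "enforce the policy" is a bare dfn, while the parse/initialise entries are wrapped as "The ... algorithm" and the directive entries as "The ... directive"; pick one convention for the algorithm-type entries (e.g. "The <dfn ...>enforce the policy</dfn> algorithm") so the list reads uniformly. Also, the `<li>` on its own line above this list has no content; if it is the lead-in for the CSP terms it should carry the introductory text ("The following terms are defined in Content Security Policy:") like the other dependency blocks, otherwise it is a stray element.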
state</span> of the <span>browsing context</span>'s <span>active document</span>'s
<code>Window</code>.</p></li>

<li><p>Let <var>CSP list</var> be the <span data-x="concept-document-csp-list">CSP list</span>
of the <span>browsing context</span>'s <span>active document</span>.</p></li>

<li>

<p><span>Navigate</span><!--DONAV reload after d.open()--> the <span>browsing context</span> to
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-body">body</span> is <var>source</var> and <span
data-x="concept-response-body">body</span> is <var>source</var>, <span
data-x="concept-response-csp-list">CSP list</span> is <var>CSP list</var> and <span
data-x="concept-response-https-state">HTTPS state</span> is <var>HTTPS state</var>, with
<span>replacement enabled</span> and <span>exceptions enabled</span>. The <span>source browsing
context</span> is that given to the <span data-x="an overridden reload">overridden reload</span>
};
<span>Document</span> implements <span>GlobalEventHandlers</span>;</pre>

<p>The <code>Document</code> has a <dfn data-x="concept-document-csp-list">CSP list</dfn>, which is a
list of <span>Content Security Policy</span> objects active in this context. The list is empty
unless otherwise specified.</p>


<h4><dfn>Resource metadata management</dfn></h4>
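Review bot: the Document-side `<dfn data-x="concept-document-csp-list">` has no `data-dfn-for`, whereas the equivalent WorkerGlobalScope dfn later in this patch uses `data-dfn-for="WorkerGlobalScope"`; mark this one `data-dfn-for="Document"` for consistency. The definition also cross-references `<span>Content Security Policy</span>` as an object type, but the CSP dependency list added in this commit (enforce the policy, the directives, the parse/initialise algorithms) contains no "Content Security Policy" or "policy" object term, so that span needs a matching dfn or the wording should be "list of <span>policy</span> objects" against whatever term CSP exports.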
data-x="concept-response-url-list">url list</span> consists of <code>about:srcdoc</code>, <span
data-x="concept-response-header-list">header list</span> consists of
`<code data-x="">Content-Type</code>`/`<code>text/html</code>`, <span
data-x="concept-response-body">body</span> is the value of the attribute, and <span
data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-response-body">body</span> is the value of the attribute, <span
data-x="concept-response-csp-list">CSP list</span> is the <span
data-x="concept-document-csp-list">CSP list</span> of the <code>iframe</code> element's <span>node
document</span>, and <span data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-window-https-state">HTTPS state</span> of the <code>iframe</code> element's
<span>node document</span>'s <code>Window</code>.
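Review bot: this hunk makes a `srcdoc` document inherit the CSP list of the `iframe` element's node document, which is a behavioural change worth calling out in prose: a short non-normative note here (the same applies to the document.open() hunk, which copies the active document's CSP list) would tell readers that `srcdoc` content is governed by the embedding document's policy rather than by headers of its own, since there is no response to carry any.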

state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the
resource used to generate the document.</p></li>

<li><p>Execute the <span>Initialise a <code data-x="">Document</code>'s CSP list</span>
algorithm on the <code>Document</code> object and the resource used to generate the document.
<ref spec="CSP"></p>

<li><p>Set <span>the document's referrer</span> to the <i>address of the resource from which
Request-URIs are obtained</i> as determined when the fetch algorithm obtained the resource, if
that algorithm was used and determined such a value; otherwise, set it to the empty
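Review bot: the new list item "Execute the Initialise a Document's CSP list algorithm ..." opens with `<li><p>` but closes only with `<ref spec="CSP"></p>`, missing the `</li>` that the neighbouring items (`</p></li>`) use; add it. Separately, the step is invoked "on the Document object and the resource used to generate the document", while the CSP algorithm it links to is phrased in terms of a response; if the intent is the response that produced the document, say "response" here so the parameter matches the referenced algorithm's input.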
"<code data-x="">deprecated</code>", or "<code data-x="">none</code>"). It is initially "<code
data-x="">none</code>".

<p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-dfn-for="WorkerGlobalScope"
data-x="concept-WorkerGlobalScope-csp-list">CSP list</dfn>. It is initially an empty list.

<p>The <dfn><code data-x="dom-WorkerGlobalScope-self">self</code></dfn> attribute must return the
<code>WorkerGlobalScope</code> object itself.</p>
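Review bot: the added paragraph defining the WorkerGlobalScope CSP list lacks its closing `</p>`, unlike the `self` paragraph directly below it; close it. The two sentences could also be tightened to the form used elsewhere in this section ("... has an associated CSP list, initially an empty list").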

data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span> to <var>response</var>'s <span
data-x="concept-response-https-state">HTTPS state</span>.</p></li>

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-csp-list">CSP list</span> to <var>response</var>'s <span
data-x="concept-response-csp-list">CSP list</span>.</p></li>

<li><p>In the newly created execution environment, create a <span>JavaScript global
environment</span> whose <i>global object</i> is <var>worker global scope</var>. If <var>worker
global scope</var> is a <code>DedicatedWorkerGlobalScope</code> object, then this is a
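Review bot: this step copies `response`'s CSP list straight into the worker global scope, whereas the Document path in this same patch runs the "Initialise a Document's CSP list" algorithm, and the commit also imports an "Initialise a global object's CSP list" algorithm that is not invoked anywhere in the visible hunks. Suggest calling that algorithm here (with `worker global scope` and `response`) instead of the raw assignment, so that CSP, not HTML, owns how the list is derived from the response and both globals are initialised the same way; if the direct copy is intentional, drop the unused dfn and state whether the scope gets its own list or shares the response's list object, since later appends would otherwise be visible to both.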

0 comments on commit 479dfbf