Add and populate global object's "CSP list"

Content Security Policy adds a new property to the global object that holds the active policy objects for a context. This patch merges this property into HTML, and initialises it whenever creating new Document and Worker objects. #271
whatwg · Nov 5, 2015 · 479dfbf · 479dfbf
1 parent ecce42b
commit 479dfbf
Showing 1 changed file with 26 additions and 3 deletions.
diff --git a/source b/source
@@ -2804,6 +2804,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
        <li><dfn data-noexport="" data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn>
        <li><dfn data-noexport="" data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn>
        <li><dfn data-noexport="" data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn>
+       <li><dfn data-noexport="" data-x="concept-response-csp-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</dfn>
        <li><dfn data-noexport="" data-x="concept-response-https-state" data-x-href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</dfn>
       </ul>
      <li>
@@ -3520,6 +3521,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
      <li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#enforced">enforce the policy</dfn></li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#frame-ancestors"><code data-x="">frame-ancestors</code> directive</dfn></li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
     </ul>
@@ -8144,11 +8147,15 @@ interface <dfn>DOMStringMap</dfn> {
    state</span> of the <span>browsing context</span>'s <span>active document</span>'s
    <code>Window</code>.</p></li>
 
+   <li><p>Let <var>CSP list</var> be the <span data-x="concept-document-csp-list">CSP list</span>
+   of the <span>browsing context</span>'s <span>active document</span>.</p></li>
+
    <li>
 
     <p><span>Navigate</span><!--DONAV reload after d.open()--> the <span>browsing context</span> to
     a new <span data-x="concept-response">response</span> whose <span
-    data-x="concept-response-body">body</span> is <var>source</var> and <span
+    data-x="concept-response-body">body</span> is <var>source</var>, <span
+    data-x="concept-response-csp-list">CSP list</span> is <var>CSP list</var> and <span
     data-x="concept-response-https-state">HTTPS state</span> is <var>HTTPS state</var>, with
     <span>replacement enabled</span> and <span>exceptions enabled</span>. The <span>source browsing
     context</span> is that given to the <span data-x="an overridden reload">overridden reload</span>
@@ -8223,6 +8230,9 @@ partial /*sealed*/ interface <dfn>Document</dfn> {
 };
 <span>Document</span> implements <span>GlobalEventHandlers</span>;</pre>
 
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-csp-list">CSP list</dfn>, which is a
+  list of <span>Content Security Policy</span> objects active in this context. The list is empty
+  unless otherwise specified.</p>
 
 
   <h4><dfn>Resource metadata management</dfn></h4>
@@ -26458,8 +26468,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
     data-x="concept-response-url-list">url list</span> consists of <code>about:srcdoc</code>, <span
     data-x="concept-response-header-list">header list</span> consists of
     `<code data-x="">Content-Type</code>`/`<code>text/html</code>`, <span
-    data-x="concept-response-body">body</span> is the value of the attribute, and <span
-    data-x="concept-response-https-state">HTTPS state</span> is the <span
+    data-x="concept-response-body">body</span> is the value of the attribute, <span
+    data-x="concept-response-csp-list">CSP list</span> is the <span
+    data-x="concept-document-csp-list">CSP list</span> of the <code>iframe</code> element's <span>node
+    document</span>, and <span data-x="concept-response-https-state">HTTPS state</span> is the <span
     data-x="concept-window-https-state">HTTPS state</span> of the <code>iframe</code> element's
     <span>node document</span>'s <code>Window</code>.
 
@@ -82110,6 +82122,10 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
      state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the
      resource used to generate the document.</p></li>
 
+     <li><p>Execute the <span>Initialise a <code data-x="">Document</code>'s CSP list</span>
+     algorithm on the <code>Document</code> object and the resource used to generate the document.
+     <ref spec="CSP"></p>
+
      <li><p>Set <span>the document's referrer</span> to the <i>address of the resource from which
      Request-URIs are obtained</i> as determined when the fetch algorithm obtained the resource, if
      that algorithm was used and determined such a value; otherwise, set it to the empty
@@ -94986,6 +95002,9 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
   "<code data-x="">deprecated</code>", or "<code data-x="">none</code>"). It is initially "<code
   data-x="">none</code>".
 
+  <p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-dfn-for="WorkerGlobalScope"
+  data-x="concept-WorkerGlobalScope-csp-list">CSP list</dfn>. It is initially an empty list.
+
   <p>The <dfn><code data-x="dom-WorkerGlobalScope-self">self</code></dfn> attribute must return the
   <code>WorkerGlobalScope</code> object itself.</p>
 
@@ -95294,6 +95313,10 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
    data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span> to <var>response</var>'s <span
    data-x="concept-response-https-state">HTTPS state</span>.</p></li>
 
+   <li><p>Set <var>worker global scope</var>'s <span
+   data-x="concept-WorkerGlobalScope-csp-list">CSP list</span> to <var>response</var>'s <span
+   data-x="concept-response-csp-list">CSP list</span>.</p></li>
+
    <li><p>In the newly created execution environment, create a <span>JavaScript global
    environment</span> whose <i>global object</i> is <var>worker global scope</var>. If <var>worker
    global scope</var> is a <code>DedicatedWorkerGlobalScope</code> object, then this is a