diff --git a/source b/source index b47a1905fdc..23f8a100a18 100644 --- a/source +++ b/source @@ -2804,6 +2804,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
  • header list
  • body
  • internal response +
  • CSP list
  • HTTPS state
  • @@ -3520,6 +3521,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
  • enforce the policy
  • The frame-ancestors directive
  • The parse a serialized Content Security Policy algorithm
  • +
  • The Initialise a global object's CSP list algorithm
  • +
  • The Initialise a Document's CSP list algorithm
  • The report-uri directive
  • The sandbox directive
  • @@ -8144,11 +8147,15 @@ interface DOMStringMap { state of the browsing context's active document's Window.

    +
  • Let CSP list be the CSP list + of the browsing context's active document.

  • +
  • Navigate the browsing context to a new response whose body is source and body is source, CSP list is CSP list and HTTPS state is HTTPS state, with replacement enabled and exceptions enabled. The source browsing context is that given to the overridden reload @@ -8223,6 +8230,9 @@ partial /*sealed*/ interface Document { }; Document implements GlobalEventHandlers; +

    The Document has a CSP list, which is a + list of Content Security Policy objects active in this context. The list is empty + unless otherwise specified.

    Resource metadata management

    @@ -26458,8 +26468,10 @@ href="?audio">audio</a> test instead.)</p> data-x="concept-response-url-list">url list consists of about:srcdoc, header list consists of `Content-Type`/`text/html`, body is the value of the attribute, and HTTPS state is the body is the value of the attribute, CSP list is the CSP list of the iframe element's node + document, and HTTPS state is the HTTPS state of the iframe element's node document's Window. @@ -82110,6 +82122,10 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O state to the HTTPS state of the resource used to generate the document.

  • +
  • Execute the Initialise a Document's CSP list + algorithm on the Document object and the resource used to generate the document. +

    +
  • Set the document's referrer to the address of the resource from which Request-URIs are obtained as determined when the fetch algorithm obtained the resource, if that algorithm was used and determined such a value; otherwise, set it to the empty @@ -94986,6 +95002,9 @@ interface WorkerGlobalScope : EventTarget { "deprecated", or "none"). It is initially "none". +

    A WorkerGlobalScope object has an associated CSP list. It is initially an empty list. +

    The self attribute must return the WorkerGlobalScope object itself.

    @@ -95294,6 +95313,10 @@ interface WorkerGlobalScope : EventTarget { data-x="concept-WorkerGlobalScope-https-state">HTTPS state to response's HTTPS state.

  • +
  • Set worker global scope's CSP list to response's CSP list.

  • +
  • In the newly created execution environment, create a JavaScript global environment whose global object is worker global scope. If worker global scope is a DedicatedWorkerGlobalScope object, then this is a
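Review bot: The definition added at @@ -8223 and the one added at @@ -94986 word the default differently. The Document's list "is empty unless otherwise specified", while the WorkerGlobalScope's list "is initially an empty list". The phrase "active in this context" at @@ -8223 also does not say which context is meant. Suggest one phrasing for both definitions, with the Document named explicitly as the thing the policies apply to.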
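Review bot: At @@ -82110 the new step runs the Initialise a Document's CSP list algorithm on "the resource used to generate the document", but the hunks at @@ -8144 and @@ -26458 attach a CSP list to the response being navigated to. Nothing in the visible lines says the algorithm reads that response's CSP list, so it is unclear whether the list copied from the active document (reload case) or from the iframe element's node document (srcdoc case) ever reaches the new Document. Suggest passing the response explicitly, or stating in this step that the algorithm takes the response's CSP list as input.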
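Review bot: The worker step at @@ -95294 assigns the list directly ("Set worker global scope's CSP list to response's CSP list"), while @@ -3520 adds a cross-reference to the Initialise a global object's CSP list algorithm that no visible hunk invokes. Either call that algorithm from the worker step, which would mirror how @@ -82110 handles Document, or drop the unused reference so the dependency list matches what the text actually uses.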