Wire up CSP's control over the base element

Upstreaming CSP's control over the base element per https://bugzilla.mozilla.org/show_bug.cgi?id=1263286.
whatwg · Apr 15, 2016 · 7bfca70 · 7bfca70
1 parent e6500b9
commit 7bfca70
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/source b/source
@@ -3850,6 +3850,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
      <li>The <dfn data-noexport="" data-x="csp-EnsureCSPDoesNotBlockStringCompilation" data-x-href="https://w3c.github.io/webappsec-csp/#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation</dfn> abstract operation</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/document/#allow-base-for-document">Is base allowed for Document?</dfn> algorithm</li>
     </ul>
 
     <p>The following terms are defined in <cite>Content Security Policy: Document Features</cite>: <ref spec="CSPDOCUMENT"></p>
@@ -12074,7 +12075,7 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p>
   <p>A <code>base</code> element that is the first <code>base</code> element with an <code
   data-x="attr-base-href">href</code> content attribute in a particular <code>Document</code> has a
   <dfn>frozen base URL</dfn>. The <span>frozen base URL</span> must be <span>immediately</span> <span data-x="set the frozen
-  base URL">set</span> whenever any of the following situations occur:</p>
+  base URL">set</span> for an element whenever any of the following situations occur:</p>
 
   <ul class="brief">
 
@@ -12089,11 +12090,24 @@ gave me some of the songs they wrote. I love sharing my music.&lt;/p>
 
   </ul>
 
-  <p>To <dfn>set the frozen base URL</dfn>, <span data-x="parse a URL">parse</span> the value of the
-  element's <code data-x="attr-base-href">href</code> content attribute relative to the element's
-  <span>node document</span>; if this is successful, set the <span>frozen base URL</span> to the
-  <span>resulting URL record</span>, otherwise, set the <span>frozen base URL</span> to the
-  <span>fallback base URL</span>.</p>
+  <p>To <dfn>set the frozen base URL</dfn> for an element <var>element</var>:</p>
+
+  <ol>
+   <li><p>Let <var>document</var> be <var>element</var>'s <span>node document</span>.
+
+   <li><p><span data-x="parse a URL">Parse</span> the value of <var>element</var>'s <code
+   data-x="attr-base-href">href</code> content attribute relative to <var>document</var>.</p></li>
+
+   <li>
+    <p>If that algorithm fails or if running <span>Is base allowed for Document?</span> on the
+    <span>resulting URL record</span> and <var>document</var> returns "<code
+    data-x="">Blocked</code>", then set <var>element</var>'s <span>frozen base URL</span> to the
+    <span>fallback base URL</span>.</p>
+
+    <p>Otherwise, set <var>element</var>'s <span>frozen base URL</span> to the <var>resulting URL
+    record</var>.</p>
+   </li>
+  </ol>
 
   <p>The <dfn><code data-x="dom-base-href">href</code></dfn> IDL attribute, on getting, must return
   the result of running the following algorithm: