
Call out to CSP's inline element hooks

Content Security Policy defines a "Should element's inline behavior be
blocked by Content Security Policy?" algorithm in order to handle things
like nonces, hashes, and 'unsafe-inline'. This patch adds those hooks to
the appropriate spots in HTML's 'prepare a script' and 'update a style
block' algorithms.

#271
mikewest committed Oct 21, 2015
1 parent 68390ce commit ee3486eb129bc350b5ca684d0c91dff23453ac1a
Showing with 11 additions and 10 deletions.
source: +11 −10
@@ -3523,6 +3523,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
</ul>
@@ -13191,11 +13192,6 @@ people expect to have work and what is necessary.
to determine whether or not the style specified by an element will be applied to the document. The
value is text. <ref spec="CSP"></p>

<p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
data-x="attr-style-nonce">nonce</code> attribute needs to be integrated into the <span>update a
<code>style</code> block</span> algorithm. The current definition in <ref spec="CSP"> is fairly
vague. See <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>

<p>The <dfn><code data-x="attr-style-scoped">scoped</code></dfn> attribute is a <span>boolean
attribute</span>. If present, it indicates that the styles are intended just for the subtree
rooted at the <code>style</code> element's parent element, as opposed to the whole
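Review bot: Dropping the XXX paragraph that pointed at w3c/webappsec#463 is the right call now that "update a style block" calls the CSP hook directly, but the commit message should say that this issue is being addressed, and the surviving nonce paragraph (the lines ending "The value is text. <ref spec="CSP">") no longer names the algorithm that consumes the attribute; consider adding a short pointer to the "Should element's inline behavior be blocked by Content Security Policy?" algorithm so readers are not left to find the hook on their own.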
@@ -13300,6 +13296,10 @@ own thing rather than part of the extended sentence -->
<li><p>If <var>element</var> is not <span>in a <code>Document</code></span>, then abort
these steps.</p></li> <!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2740 -->

<li><p>If the <span>Should element's inline behavior be blocked by Content Security
Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
<code>style</code> element, then abort these steps. <ref spec="CSP"></p></li>

<!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->

<li>
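Review bot: The new step aborts "update a style block" on "Blocked" but says nothing about the element's previously associated style sheet, whereas the parallel script step in this patch ends with "The script is not executed."; add a sentence stating the outcome (no style sheet created, or the existing one removed, whichever the surrounding steps intend) so the two hooks read consistently. The placement after the "not in a Document" check is sensible, since the CSP algorithm is evaluated against the policy of the element's document.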
@@ -59252,11 +59252,6 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
to determine whether or not the script specified by an element will be executed. The value is
text. <ref spec="CSP"></p>

<p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
data-x="attr-script-nonce">nonce</code> attribute needs to be integrated into the <span>prepare a
script</span> algorithm. The current definition in <ref spec="CSP"> is fairly vague. See
<a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>

<p>Changing the <code data-x="attr-script-src">src</code>, <code
data-x="attr-script-type">type</code>, <code data-x="attr-script-charset">charset</code>, <code
data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, <code
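Review bot: The removal mirrors the style-side change above and is fine on its own, but the same follow-up applies: the remaining paragraph describing the script nonce attribute ("to determine whether or not the script specified by an element will be executed") no longer names the algorithm that performs that check, so a pointer to the new step with id "script-processing-csp" (or to the CSP algorithm it invokes) would keep the attribute definition self-explanatory.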
@@ -59469,6 +59464,12 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {

</li>

<li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
data-x="attr-script-src">src</code> content attribute, and the <span>Should node's inline
behavior be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon the <code>script</code> element, then the user
agent must abort these steps. The script is not executed. <ref spec="CSP"></p></li>

<li id="script-processing-for">

<p>If the <code>script</code> element has an <code data-x="attr-script-event">event</code>
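Review bot: The cross-reference text "Should node's inline behavior be blocked by Content Security Policy?" does not match the dfn added at the top of this patch, which reads "Should element's inline behavior be blocked by Content Security Policy?"; the <span> will not resolve to that dfn, so change "node's" to "element's". The id "script-processing-csp" follows the existing "script-processing-for" naming, which is good. The condition restricts the check to scripts without a src attribute, which differs from the unconditional style hook; a brief note that scripts with src are handled elsewhere would make the asymmetry read as deliberate rather than as an omission.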
