From 812239958b460b33733a21d4269a67877c8c6439 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Thu, 14 Apr 2016 13:16:51 +0200
Subject: [PATCH 1/3] Add a |source| argument to inline behavior algorithm

To support hash-based whitelisting of inline event handlers, CSP has
added a |source| argument to the "Should |element|'s inline behavior
be blocked by Content Security Policy?" (in w3c/webappsec#13). This
patch adds the same argument to the four callsites in HTML.
---
 source | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/source b/source
index 6df46b518ea..a7239055cb8 100644
--- a/source
+++ b/source
@@ -11343,9 +11343,9 @@ Transport Protocol">HTTP&lt;/abbr> today.&lt;/p></pre> <!-- DO NOT REWRAP THIS L
 
   <p>However, if the <span>Should element's inline behavior be blocked by Content Security
   Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-  attribute's <span>element</span> and "<code data-x="">style attribute</code>", then the style
-  rules defined in the attribute's value must not be applied to the <span>element</span>. <ref
-  spec="CSP"></p>
+  attribute's <span>element</span>, "<code data-x="">style attribute</code>", and the attribute's
+  value, then the style rules defined in the attribute's value must not be applied to the
+  <span>element</span>. <ref spec="CSP"></p>
 
   </div>
 
@@ -13861,7 +13861,8 @@ own thing rather than part of the extended sentence -->
 
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   <code>style</code> element and "<code data-x="">style</code>", then abort these steps.
+   <code>style</code> element, "<code data-x="">style</code>", and the value of the
+   <code>style</code> element's <code>textContent</code> IDL attribute, then abort these steps.
    <ref spec="CSP"></p></li>
 
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
@@ -58629,9 +58630,9 @@ o............A....e
    <li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
    data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
    behavior be blocked by Content Security Policy?</span> algorithm returns "<code
-   data-x="">Blocked</code>" when executed upon the <code>script</code> element and "<code
-   data-x="">script</code>", then abort these steps. The script is not executed. <ref
-   spec="CSP"></p></li>
+   data-x="">Blocked</code>" when executed upon the <code>script</code> element, "<code
+   data-x="">script</code>", and the value of the <code>script</code> element's <code>text</code>
+   IDL attribute, then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
 
    <li id="script-processing-for">
 
@@ -88425,8 +88426,8 @@ dictionary <dfn>PromiseRejectionEventInit</dfn> : <span>EventInit</span> {
   <ol>
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   attribute's <span>element</span> and "<code data-x="">script attribute</code>", then abort these
-   steps. <ref spec="CSP"></p></li>
+   attribute's <span>element</span>, "<code data-x="">script attribute</code>", and the attribute's
+   value, then abort these steps. <ref spec="CSP"></p></li>
 
    <li><p>Set the corresponding <span data-x="event handlers">event handler</span> to an
    <span>internal raw uncompiled handler</span> consisting of the attribute's new value and the

From e7f4b4dc8d3770a28bb29318b919e11953205406 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Thu, 14 Apr 2016 15:40:30 +0200
Subject: [PATCH 2/3] fixup 'child text content'

---
 source | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source b/source
index a7239055cb8..3c45ce878da 100644
--- a/source
+++ b/source
@@ -13862,7 +13862,7 @@ own thing rather than part of the extended sentence -->
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
    <code>style</code> element, "<code data-x="">style</code>", and the value of the
-   <code>style</code> element's <code>textContent</code> IDL attribute, then abort these steps.
+   <code>style</code> element's <code>child text content</code>, then abort these steps.
    <ref spec="CSP"></p></li>
 
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
@@ -58631,8 +58631,8 @@ o............A....e
    data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
    behavior be blocked by Content Security Policy?</span> algorithm returns "<code
    data-x="">Blocked</code>" when executed upon the <code>script</code> element, "<code
-   data-x="">script</code>", and the value of the <code>script</code> element's <code>text</code>
-   IDL attribute, then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
+   data-x="">script</code>", and the value of the <code>script</code> element's <code>child text
+   content</code>, then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
 
    <li id="script-processing-for">
 

From b4870ac3f17f4b87ef9d687b5f83465e8ecbcc83 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Thu, 14 Apr 2016 15:43:40 +0200
Subject: [PATCH 3/3] fixup 'style data' and slight cleanup.

---
 source | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/source b/source
index 3c45ce878da..f72cf3d1236 100644
--- a/source
+++ b/source
@@ -13861,9 +13861,8 @@ own thing rather than part of the extended sentence -->
 
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   <code>style</code> element, "<code data-x="">style</code>", and the value of the
-   <code>style</code> element's <code>child text content</code>, then abort these steps.
-   <ref spec="CSP"></p></li>
+   <code>style</code> element, "<code data-x="">style</code>", and the <code>style</code>
+   element's <code>style data</code>, then abort these steps. <ref spec="CSP"></p></li>
 
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
 
@@ -58631,8 +58630,8 @@ o............A....e
    data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
    behavior be blocked by Content Security Policy?</span> algorithm returns "<code
    data-x="">Blocked</code>" when executed upon the <code>script</code> element, "<code
-   data-x="">script</code>", and the value of the <code>script</code> element's <code>child text
-   content</code>, then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
+   data-x="">script</code>", and the <code>script</code> element's <code>child text content</code>,
+   then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
 
    <li id="script-processing-for">