Skip to content

Add 'CSP list' to global objects. #273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 5, 2015
Merged

Add 'CSP list' to global objects. #273

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 26 additions & 3 deletions source
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2804,6 +2804,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li><dfn data-noexport="" data-x="concept-response-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</dfn>
<li><dfn data-noexport="" data-x="concept-response-body" data-x-href="https://fetch.spec.whatwg.org/#concept-response-body">body</dfn>
<li><dfn data-noexport="" data-x="concept-internal-response" data-x-href="https://fetch.spec.whatwg.org/#concept-internal-response">internal response</dfn>
<li><dfn data-noexport="" data-x="concept-response-csp-list" data-x-href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</dfn>
<li><dfn data-noexport="" data-x="concept-response-https-state" data-x-href="https://fetch.spec.whatwg.org/#concept-response-https-state">HTTPS state</dfn>
</ul>
<li>
Expand Down Expand Up @@ -3520,6 +3521,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li><dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#enforced">enforce the policy</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#frame-ancestors"><code data-x="">frame-ancestors</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
</ul>
Expand Down Expand Up @@ -8144,11 +8147,15 @@ interface <dfn>DOMStringMap</dfn> {
state</span> of the <span>browsing context</span>'s <span>active document</span>'s
<code>Window</code>.</p></li>

<li><p>Let <var>CSP list</var> be the <span data-x="concept-document-csp-list">CSP list</span>
of the <span>browsing context</span>'s <span>active document</span>.</p></li>

<li>

<p><span>Navigate</span><!--DONAV reload after d.open()--> the <span>browsing context</span> to
a new <span data-x="concept-response">response</span> whose <span
data-x="concept-response-body">body</span> is <var>source</var> and <span
data-x="concept-response-body">body</span> is <var>source</var>, <span
data-x="concept-response-csp-list">CSP list</span> is <var>CSP list</var> and <span
data-x="concept-response-https-state">HTTPS state</span> is <var>HTTPS state</var>, with
<span>replacement enabled</span> and <span>exceptions enabled</span>. The <span>source browsing
context</span> is that given to the <span data-x="an overridden reload">overridden reload</span>
Expand Down Expand Up @@ -8223,6 +8230,9 @@ partial /*sealed*/ interface <dfn>Document</dfn> {
};
<span>Document</span> implements <span>GlobalEventHandlers</span>;</pre>

<p>The <code>Document</code> has a <dfn data-x="concept-document-csp-list">CSP list</dfn>, which is a
list of <span>Content Security Policy</span> objects active in this context. The list is empty
unless otherwise specified.</p>
Copy link
Member

@annevk annevk Nov 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs an extra newline.


Copy link
Member

@annevk annevk Nov 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The extra newline needed to go below, not above :-)

With this addressed, and squashed/rebased, I think we're good.


<h4><dfn>Resource metadata management</dfn></h4>
Expand Down Expand Up @@ -26458,8 +26468,10 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
data-x="concept-response-url-list">url list</span> consists of <code>about:srcdoc</code>, <span
data-x="concept-response-header-list">header list</span> consists of
`<code data-x="">Content-Type</code>`/`<code>text/html</code>`, <span
data-x="concept-response-body">body</span> is the value of the attribute, and <span
data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-response-body">body</span> is the value of the attribute, <span
data-x="concept-response-csp-list">CSP list</span> is the <span
data-x="concept-document-csp-list">CSP list</span> of the <code>iframe</code> element's <span>node
document</span>, and <span data-x="concept-response-https-state">HTTPS state</span> is the <span
data-x="concept-window-https-state">HTTPS state</span> of the <code>iframe</code> element's
<span>node document</span>'s <code>Window</code>.

Expand Down Expand Up @@ -82110,6 +82122,10 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
state</span> to the <span data-x="concept-response-https-state">HTTPS state</span> of the
resource used to generate the document.</p></li>

<li><p>Execute the <span>Initialise a <code data-x="">Document</code>'s CSP list</span>
algorithm on the <code>Document</code> object and the resource used to generate the document.
<ref spec="CSP"></p>

<li><p>Set <span>the document's referrer</span> to the <i>address of the resource from which
Request-URIs are obtained</i> as determined when the fetch algorithm obtained the resource, if
that algorithm was used and determined such a value; otherwise, set it to the empty
Expand Down Expand Up @@ -94986,6 +95002,9 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
"<code data-x="">deprecated</code>", or "<code data-x="">none</code>"). It is initially "<code
data-x="">none</code>".

<p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-dfn-for="WorkerGlobalScope"
data-x="concept-WorkerGlobalScope-csp-list">CSP list</dfn>. It is initially an empty list.

<p>The <dfn><code data-x="dom-WorkerGlobalScope-self">self</code></dfn> attribute must return the
<code>WorkerGlobalScope</code> object itself.</p>

Expand Down Expand Up @@ -95294,6 +95313,10 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
data-x="concept-WorkerGlobalScope-https-state">HTTPS state</span> to <var>response</var>'s <span
data-x="concept-response-https-state">HTTPS state</span>.</p></li>

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-csp-list">CSP list</span> to <var>response</var>'s <span
data-x="concept-response-csp-list">CSP list</span>.</p></li>

<li><p>In the newly created execution environment, create a <span>JavaScript global
environment</span> whose <i>global object</i> is <var>worker global scope</var>. If <var>worker
global scope</var> is a <code>DedicatedWorkerGlobalScope</code> object, then this is a
Expand Down