From ee3486eb129bc350b5ca684d0c91dff23453ac1a Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Wed, 21 Oct 2015 14:48:42 +0200
Subject: [PATCH] Call out to CSP's inline element hooks

Content Security Policy defines a "Should element's inline behavior be
blocked by Content Security Policy?" algorithm in order to handle things
like nonces, hashes, and 'unsafe-inline'. This patch adds those hooks to
the appropriate spots in HTML's 'prepare a script' and 'update a style
block' algorithms.

whatwg/html#271
---
 source | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/source b/source
index dfe695001ea..0c23f9fcd16 100644
--- a/source
+++ b/source
@@ -3523,6 +3523,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
     </ul>
@@ -13191,11 +13192,6 @@ people expect to have work and what is necessary.
   to determine whether or not the style specified by an element will be applied to the document. The
   value is text. <ref spec="CSP"></p>
 
-  <p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
-  data-x="attr-style-nonce">nonce</code> attribute needs to be integrated into the <span>update a
-  <code>style</code> block</span> algorithm. The current definition in <ref spec="CSP"> is fairly
-  vague. See <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>
-
   <p>The <dfn><code data-x="attr-style-scoped">scoped</code></dfn> attribute is a <span>boolean
   attribute</span>. If present, it indicates that the styles are intended just for the subtree
   rooted at the <code>style</code> element's parent element, as opposed to the whole
@@ -13300,6 +13296,10 @@ own thing rather than part of the extended sentence -->
    <li><p>If <var>element</var> is not <span>in a <code>Document</code></span>, then abort
    these steps.</p></li> <!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2740 -->
 
+   <li><p>If the <span>Should element's inline behavior be blocked by Content Security
+   Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
+   <code>style</code> element, then abort these steps. <ref spec="CSP"></p></li>
+
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
 
    <li>
@@ -59252,11 +59252,6 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
   to determine whether or not the script specified by an element will be executed. The value is
   text. <ref spec="CSP"></p>
 
-  <p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
-  data-x="attr-script-nonce">nonce</code> attribute needs to be integrated into the <span>prepare a
-  script</span> algorithm. The current definition in <ref spec="CSP"> is fairly vague. See
-  <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>
-
   <p>Changing the <code data-x="attr-script-src">src</code>, <code
   data-x="attr-script-type">type</code>, <code data-x="attr-script-charset">charset</code>, <code
   data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, <code
@@ -59469,6 +59464,12 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
 
    </li>
 
+   <li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
+   data-x="attr-script-src">src</code> content attribute, and the <span>Should node's inline
+   behavior be blocked by Content Security Policy?</span> algorithm returns "<code
+   data-x="">Blocked</code>" when executed upon the <code>script</code> element, then the user
+   agent must abort these steps. The script is not executed. <ref spec="CSP"></p></li>
+
    <li id="script-processing-for">
 
     <p>If the <code>script</code> element has an <code data-x="attr-script-event">event</code>