Skip to content

Call out to CSP's inline element hooks #274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 6, 2015
+11 −10
Merged

Call out to CSP's inline element hooks #274

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 11 additions & 10 deletions source
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3523,6 +3523,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#parse-serialized-policy">parse a serialized Content Security Policy</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-global-object-csp">Initialise a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialise-document-csp">Initialise a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#sandbox"><code data-x="">sandbox</code> directive</dfn></li>
</ul>
Expand Down Expand Up @@ -13191,11 +13192,6 @@ people expect to have work and what is necessary.
to determine whether or not the style specified by an element will be applied to the document. The
value is text. <ref spec="CSP"></p>

<p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
data-x="attr-style-nonce">nonce</code> attribute needs to be integrated into the <span>update a
<code>style</code> block</span> algorithm. The current definition in <ref spec="CSP"> is fairly
vague. See <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>

<p>The <dfn><code data-x="attr-style-scoped">scoped</code></dfn> attribute is a <span>boolean
attribute</span>. If present, it indicates that the styles are intended just for the subtree
rooted at the <code>style</code> element's parent element, as opposed to the whole
Expand Down Expand Up @@ -13300,6 +13296,10 @@ own thing rather than part of the extended sentence -->
<li><p>If <var>element</var> is not <span>in a <code>Document</code></span>, then abort
these steps.</p></li> <!-- http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2740 -->

<li><p>If the <span>Should element's inline behavior be blocked by Content Security
Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
<code>style</code> element, then abort these steps. <ref spec="CSP"></p></li>

<!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->

<li>
Expand Down Expand Up @@ -59252,11 +59252,6 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
to determine whether or not the script specified by an element will be executed. The value is
text. <ref spec="CSP"></p>

<p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
data-x="attr-script-nonce">nonce</code> attribute needs to be integrated into the <span>prepare a
script</span> algorithm. The current definition in <ref spec="CSP"> is fairly vague. See
<a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>

<p>Changing the <code data-x="attr-script-src">src</code>, <code
data-x="attr-script-type">type</code>, <code data-x="attr-script-charset">charset</code>, <code
data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, <code
Expand Down Expand Up @@ -59469,6 +59464,12 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {

</li>

<li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
data-x="attr-script-src">src</code> content attribute, and the <span>Should node's inline
behavior be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon the <code>script</code> element, then the user
agent must abort these steps. The script is not executed. <ref spec="CSP"></p></li>

Copy link
Member

@annevk annevk Nov 6, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one nitpick I have left is that you use two spaces for indentation here. I think since this <li> only contains a single child we should just inline it as done for <style> and over time align the rest of the <script> algorithm with that style.

<li id="script-processing-for">

<p>If the <code>script</code> element has an <code data-x="attr-script-event">event</code>
Expand Down