From 39470724136a366bab4e893efd889a513d61cc3e Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" <mike@w3.org>
Date: Sun, 17 Jan 2016 10:25:58 +0900
Subject: [PATCH] No CSP report-uri|frame-ancestors|sandbox in meta

Add a normative document-conformance (authoring) requirement that a Content
Security Policy given in the value of the `content` attribute of a
meta[http-equiv="content-security-policy] element must not contain any
`report-uri`, `frame-ancestors`, or `sandbox` directives.
---
 source | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source b/source
index a7506b500d6..6bde4b5bc28 100644
--- a/source
+++ b/source
@@ -12802,8 +12802,12 @@ people expect to have work and what is necessary.
     attribute in the <span data-x="attr-meta-http-equiv-content-security-policy">Content security
     policy state</span>, the <code data-x="attr-meta-content">content</code> attribute must have a
     value consisting of a <span data-x="Content Security Policy syntax">valid Content Security
-    Policy</span>, which will be <span data-x="enforce the policy">enforced</span> upon the current
-    document. <ref spec="CSP"></p>
+    Policy</span>, but must not contain any <code data-x="report-uri directive">report-uri</code>,
+    <code data-x="frame-ancestors directive">frame-ancestors</code>, or <code data-x="sandbox
+    directive">sandbox</code> <span data-x="Content Security Policy directive">directives</span>.
+    The <span>Content Security Policy</span> given in the <code
+    data-x="attr-meta-content">content</code> attribute will be <span
+    data-x="enforce the policy">enforced</span> upon the current document. <ref spec="CSP"></p>
 
     <div class="example">