Use request's policy container for checks (#494)

This change depends on whatwg/fetch#1231 and whatwg/html#6659 which add and populate a request's policy container. This change relies on the request's policy container CSP list (instead of the request's client's environment setting object's CSP list) for the checks. This enforces consistency, since the the request's client's environment setting object's CSP list can change during the lifetime of an asynchronous fetch (for example, when following redirects, or when doing a response check), while the request's policy container CSP list is a snapshot at request's creation time.
w3c · May 12, 2021 · 52fd711 · 52fd711
1 parent bf7e0bd
commit 52fd711
Showing 1 changed file with 14 additions and 23 deletions.
diff --git a/index.bs b/index.bs
@@ -993,11 +993,9 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
   </h4>
 
   Given a <a for="/">request</a> (|request|), this algorithm reports violations based
-  on <a for="request">client</a>'s "report only" policies.
+  on [=request/policy container=]'s [=policy container/CSP list=] "report only" policies.
 
-  1.  Let |CSP list| be |request|'s
-      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
-      <a for="global object">CSP list</a>.
+  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].
 
   2.  For each |policy| in |CSP list|:
 
@@ -1015,13 +1013,11 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
     Should |request| be blocked by Content Security Policy?
   </h4>
 
-  Given a <a for="/">request</a> (|request|), this algorithm returns
-  `Blocked` or `Allowed` and reports violations based on |request|'s
-  <a for="request">client</a>'s Content Security Policy.
+  Given a <a for="/">request</a> (|request|), this algorithm returns `Blocked` or `Allowed` and
+  reports violations based on |request|'s [=request/policy container=]'s
+  [=policy container/CSP list=].
 
-  1.  Let |CSP list| be |request|'s
-      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
-      <a for="global object">CSP list</a>.
+  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].
 
   2.  Let |result| be "`Allowed`".
 
@@ -1046,14 +1042,11 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
     Should |response| to |request| be blocked by Content Security Policy?
   </h4>
 
-  Given a <a>response</a> (|response|) and a <a for="/">request</a>
-  (|request|), this algorithm returns `Blocked` or
-  `Allowed`, and reports violations based on |request|'s
-  <a for="request">client</a>'s Content Security Policy.
+  Given a <a>response</a> (|response|) and a <a for="/">request</a> (|request|), this algorithm
+  returns `Blocked` or `Allowed`, and reports violations based on |request|'s
+  [=request/policy container=]'s [=policy container/CSP list=].
 
-  1.  Let |CSP list| be |request|'s
-      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
-      <a for="global object">CSP list</a>.
+  1.  Let |CSP list| be |request|'s [=request/policy container=]'s [=policy container/CSP list=].
 
   2.  Let |result| be "`Allowed`".
 
@@ -1223,9 +1216,8 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
   <ol class="algorithm">
     1.  Let |result| be "`Allowed`".
 
-    2.  For each |policy| in |navigation request|'s <a for="request">client</a>'s
-        <a for="environment settings object">global object</a>'s
-        <a for="global object">CSP list</a>:
+    2.  For each |policy| in |navigation request|'s <a for="request">policy container</a>'s
+        <a for="policy container">CSP list</a>:
 
         1.  For each |directive| in |policy|:
 
@@ -1320,9 +1312,8 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/
             5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                 set |result| to "`Blocked`".
 
-    3.  For each |policy| in |navigation request|'s <a for="request">client</a>'s
-        <a for="environment settings object">global object</a>'s
-        <a for="global object">CSP list</a>:
+    3.  For each |policy| in |navigation request|'s <a for="request">policy container</a>'s
+        <a for="policy container">CSP list</a>:
 
         Note: Some directives in the |navigation request|'s context (like <a>navigate-to</a>)
         need the |response| before acting on the navigation.