Meta: align with Fetch
Network scheme is now reduced to HTTP(S) scheme and request's keepalive flag was renamed to keepalive.

See whatwg/fetch#1166 for context.
annevk committed Feb 10, 2021
1 parent 483800d commit 6938eb9
Showing 2 changed files with 27 additions and 28 deletions.
44 changes: 22 additions & 22 deletions index.html
Expand Up @@ -1321,9 +1321,9 @@
}
}
</style>
<meta content="Bikeshed version eb6d17d1, updated Tue Oct 20 23:26:51 2020 -0700" name="generator">
<meta content="Bikeshed version 89ebb6ab, updated Fri Oct 9 15:32:07 2020 -0700" name="generator">
<link href="https://www.w3.org/TR/CSP3/" rel="canonical">
<meta content="9a4070d6a19b99e7a10e1864906794d0f9002b29" name="document-revision">
<meta content="483800de36fc72f4184c71b8576109a14311dd83" name="document-revision">
<style>
ul.toc ul ul ul {
margin: 0 0 0 2em;
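Review bot: the regenerated build in this hunk carries a generator meta of Bikeshed 89ebb6ab dated 9 Oct 2020, which is older than the eb6d17d1 / 20 Oct 2020 build it replaces. Rebuilding with a current Bikeshed before landing keeps the generated index.html from drifting in ways unrelated to the Fetch alignment; the reference-list churn further down in this same file looks like exactly that kind of build-environment noise.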
Expand Down Expand Up @@ -1920,7 +1920,7 @@
<div class="head">
<p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
<h1>Content Security Policy Level 3</h1>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2021-01-11">11 January 2021</time></span></h2>
<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="2021-02-10">10 February 2021</time></span></h2>
<div data-fill-with="spec-metadata">
<dl>
<dt>This version:
Expand Down Expand Up @@ -2424,8 +2424,8 @@ <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span cla
hashes. Details in <a href="#unsafe-hashes-usage">§ 8.3 Usage of "'unsafe-hashes'"</a>.</p>
<li data-md>
<p>The <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression">source expression</a> matching has been changed to require explicit presence
of any non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme">network scheme</a>, rather than <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme">local scheme</a>,
unless that non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme①">network scheme</a> is the same as the scheme of protected resource,
of any non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-scheme" id="ref-for-http-scheme">HTTP(S) scheme</a>, rather than <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme">local scheme</a>,
unless that non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-scheme" id="ref-for-http-scheme①">HTTP(S) scheme</a> is the same as the scheme of protected resource,
as described in <a href="#match-url-to-source-expression">§ 6.6.2.6 Does url match expression in origin with redirect count?</a>.</p>
<li data-md>
<p>Hash-based source expressions may now match external scripts if the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①">script</a></code> element that triggers the request specifies a set of integrity
Expand Down Expand Up @@ -3602,7 +3602,7 @@ <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-l
<dt data-md><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-credentials-mode" id="ref-for-concept-request-credentials-mode">credentials mode</a>
<dd data-md>
<p>"<code>same-origin</code>"</p>
<dt data-md><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#request-keepalive-flag" id="ref-for-request-keepalive-flag">keepalive flag</a>
<dt data-md><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#request-keepalive-flag" id="ref-for-request-keepalive-flag">keepalive</a>
<dd data-md>
<p>"<code>true</code>"</p>
<dt data-md><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-header-list" id="ref-for-concept-request-header-list">header list</a>
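Review bot: the link text becomes "keepalive" but the href still targets https://fetch.spec.whatwg.org/#request-keepalive-flag; confirm that Fetch kept (or redirects) that fragment after the rename in whatwg/fetch#1166, otherwise the generated build links to a dead anchor. Since index.html is generated, the fix, if one is needed, is in the Bikeshed anchor data rather than in this hunk.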
Expand Down Expand Up @@ -5225,11 +5225,11 @@ <h5 class="heading settled algorithm" data-algorithm="Does url match expression
the following conditions is met:</p>
<ol>
<li data-md>
<p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme③">scheme</a> is a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme②">network scheme</a>.</p>
<p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme③">scheme</a> is an <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-scheme" id="ref-for-http-scheme②">HTTP(S) scheme</a>.</p>
<li data-md>
<p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme④">scheme</a> is the same as <var>origin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-scheme" id="ref-for-concept-origin-scheme">scheme</a>.</p>
</ol>
<p class="note" role="note"><span>Note:</span> This logic means that in order to allow a resource from a non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme③">network scheme</a>,
<p class="note" role="note"><span>Note:</span> This logic means that in order to allow a resource from a non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-scheme" id="ref-for-http-scheme③">HTTP(S) scheme</a>,
it has to be either explicitly specified (e.g. <code>default-src * data: custom-scheme-1: custom-scheme-2:</code>),
or the protected resource must be loaded from the same scheme.</p>
<li data-md>
Expand Down Expand Up @@ -6875,6 +6875,14 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
Integration with Fetch </a> <a href="#ref-for-concept-http-fetch①">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="term-for-http-scheme">
<a href="https://fetch.spec.whatwg.org/#http-scheme">https://fetch.spec.whatwg.org/#http-scheme</a><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-http-scheme">1.3. Changes from Level 2</a> <a href="#ref-for-http-scheme①">(2)</a>
<li><a href="#ref-for-http-scheme②">6.6.2.6.
Does url match expression in origin with redirect count? </a> <a href="#ref-for-http-scheme③">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="term-for-concept-http-network-fetch">
<a href="https://fetch.spec.whatwg.org/#concept-http-network-fetch">https://fetch.spec.whatwg.org/#concept-http-network-fetch</a><b>Referenced in:</b>
<ul>
Expand Down Expand Up @@ -6946,14 +6954,6 @@ <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="c
Integration with Fetch </a>
</ul>
</aside>
<aside class="dfn-panel" data-for="term-for-network-scheme">
<a href="https://fetch.spec.whatwg.org/#network-scheme">https://fetch.spec.whatwg.org/#network-scheme</a><b>Referenced in:</b>
<ul>
<li><a href="#ref-for-network-scheme">1.3. Changes from Level 2</a> <a href="#ref-for-network-scheme①">(2)</a>
<li><a href="#ref-for-network-scheme②">6.6.2.6.
Does url match expression in origin with redirect count? </a> <a href="#ref-for-network-scheme③">(2)</a>
</ul>
</aside>
<aside class="dfn-panel" data-for="term-for-concept-request-origin">
<a href="https://fetch.spec.whatwg.org/#concept-request-origin">https://fetch.spec.whatwg.org/#concept-request-origin</a><b>Referenced in:</b>
<ul>
Expand Down Expand Up @@ -8358,16 +8358,16 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
<li><span class="dfn-paneled" id="term-for-concept-fetch">fetch</span>
<li><span class="dfn-paneled" id="term-for-concept-response-header-list">header list <small>(for response)</small></span>
<li><span class="dfn-paneled" id="term-for-concept-http-fetch">http fetch</span>
<li><span class="dfn-paneled" id="term-for-http-scheme">http(s) scheme</span>
<li><span class="dfn-paneled" id="term-for-concept-http-network-fetch">http-network fetch</span>
<li><span class="dfn-paneled" id="term-for-concept-request-initiator">initiator</span>
<li><span class="dfn-paneled" id="term-for-concept-request-integrity-metadata">integrity metadata</span>
<li><span class="dfn-paneled" id="term-for-request-keepalive-flag">keepalive flag</span>
<li><span class="dfn-paneled" id="term-for-request-keepalive-flag">keepalive</span>
<li><span class="dfn-paneled" id="term-for-local-scheme">local scheme</span>
<li><span class="dfn-paneled" id="term-for-concept-main-fetch">main fetch</span>
<li><span class="dfn-paneled" id="term-for-concept-request-method">method</span>
<li><span class="dfn-paneled" id="term-for-concept-request-mode">mode</span>
<li><span class="dfn-paneled" id="term-for-concept-network-error">network error</span>
<li><span class="dfn-paneled" id="term-for-network-scheme">network scheme</span>
<li><span class="dfn-paneled" id="term-for-concept-request-origin">origin</span>
<li><span class="dfn-paneled" id="term-for-concept-request-parser-metadata">parser metadata</span>
<li><span class="dfn-paneled" id="term-for-concept-request-redirect-count">redirect count</span>
Expand Down Expand Up @@ -8574,7 +8574,7 @@ <h2 class="no-num no-ref heading settled" id="references"><span class="content">
<h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
<dl>
<dt id="biblio-css-cascade-5">[CSS-CASCADE-5]
<dd>CSS Cascading and Inheritance Level 5 URL: <a href="https://www.w3.org/TR/css-cascade-5/">https://www.w3.org/TR/css-cascade-5/</a>
<dd>Elika Etemad; Miriam Suzanne; Tab Atkins Jr.. <a href="https://www.w3.org/TR/css-cascade-5/">CSS Cascading and Inheritance Level 5</a>. 19 January 2021. WD. URL: <a href="https://www.w3.org/TR/css-cascade-5/">https://www.w3.org/TR/css-cascade-5/</a>
<dt id="biblio-cssom">[CSSOM]
<dd>Simon Pieters; Glenn Adams. <a href="https://www.w3.org/TR/cssom-1/">CSS Object Model (CSSOM)</a>. 17 March 2016. WD. URL: <a href="https://www.w3.org/TR/cssom-1/">https://www.w3.org/TR/cssom-1/</a>
<dt id="biblio-dom">[DOM]
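Review bot: the [CSS-CASCADE-5] entry gains authors, a 19 January 2021 date and a WD status, none of which relates to the Fetch alignment described in the commit message; this is the biblio database being refreshed at build time. Fine to land, but worth a line in the commit message (or a separate "rebuild" commit) so the history stays searchable for the actual spec change.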
Expand Down Expand Up @@ -8633,15 +8633,15 @@ <h3 class="no-num no-ref heading settled" id="normative"><span class="content">N
<h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
<dl>
<dt id="biblio-appmanifest">[APPMANIFEST]
<dd>Marcos Caceres; et al. <a href="https://www.w3.org/TR/appmanifest/">Web App Manifest</a>. 19 October 2020. WD. URL: <a href="https://www.w3.org/TR/appmanifest/">https://www.w3.org/TR/appmanifest/</a>
<dd>Marcos Caceres; et al. <a href="https://www.w3.org/TR/appmanifest/">Web App Manifest</a>. 22 January 2021. WD. URL: <a href="https://www.w3.org/TR/appmanifest/">https://www.w3.org/TR/appmanifest/</a>
<dt id="biblio-beacon">[BEACON]
<dd>Ilya Grigorik; et al. <a href="https://www.w3.org/TR/beacon/">Beacon</a>. 13 April 2017. CR. URL: <a href="https://www.w3.org/TR/beacon/">https://www.w3.org/TR/beacon/</a>
<dt id="biblio-csp2">[CSP2]
<dd>Mike West; Adam Barth; Daniel Veditz. <a href="https://www.w3.org/TR/CSP2/">Content Security Policy Level 2</a>. 15 December 2016. REC. URL: <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2/</a>
<dt id="biblio-css-abuse">[CSS-ABUSE]
<dd>Chris Evans. <a href="https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">Generic cross-browser cross-domain theft</a>. 28 December 2009. URL: <a href="https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html</a>
<dt id="biblio-eventsource">[EVENTSOURCE]
<dd>Ian Hickson. <a href="https://www.w3.org/TR/eventsource/">Server-Sent Events</a>. 3 February 2015. REC. URL: <a href="https://www.w3.org/TR/eventsource/">https://www.w3.org/TR/eventsource/</a>
<dd>Ian Hickson. <a href="https://www.w3.org/TR/eventsource/">Server-Sent Events</a>. 28 January 2021. REC. URL: <a href="https://www.w3.org/TR/eventsource/">https://www.w3.org/TR/eventsource/</a>
<dt id="biblio-filedescriptor-2015">[FILEDESCRIPTOR-2015]
<dd>filedescriptor. <a href="https://blog.innerht.ml/csp-2015/#danglingmarkupinjection">CSP 2015</a>. 23 November 2015. URL: <a href="https://blog.innerht.ml/csp-2015/#danglingmarkupinjection">https://blog.innerht.ml/csp-2015/#danglingmarkupinjection</a>
<dt id="biblio-h5sc3">[H5SC3]
Expand All @@ -8657,7 +8657,7 @@ <h3 class="no-num no-ref heading settled" id="informative"><span class="content"
<dt id="biblio-upgrade-insecure-requests">[UPGRADE-INSECURE-REQUESTS]
<dd>Mike West. <a href="https://www.w3.org/TR/upgrade-insecure-requests/">Upgrade Insecure Requests</a>. 8 October 2015. CR. URL: <a href="https://www.w3.org/TR/upgrade-insecure-requests/">https://www.w3.org/TR/upgrade-insecure-requests/</a>
<dt id="biblio-websockets">[WEBSOCKETS]
<dd>Ian Hickson. <a href="https://www.w3.org/TR/websockets/">The WebSocket API</a>. 20 September 2012. CR. URL: <a href="https://www.w3.org/TR/websockets/">https://www.w3.org/TR/websockets/</a>
<dd>Ian Hickson. <a href="https://www.w3.org/TR/websockets/">The WebSocket API</a>. 28 January 2021. NOTE. URL: <a href="https://www.w3.org/TR/websockets/">https://www.w3.org/TR/websockets/</a>
<dt id="biblio-xhr">[XHR]
<dd>Anne van Kesteren. <a href="https://xhr.spec.whatwg.org/">XMLHttpRequest Standard</a>. Living Standard. URL: <a href="https://xhr.spec.whatwg.org/">https://xhr.spec.whatwg.org/</a>
<dt id="biblio-xslt">[XSLT]
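Review bot: [WEBSOCKETS] moves from a 2012 CR to a 28 January 2021 NOTE, i.e. the W3C document is no longer on the Recommendation track. The [XHR] entry directly below already cites the WHATWG Living Standard, so consider whether the informative WebSocket citation should likewise point at the WHATWG WebSockets standard rather than at a retired NOTE.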
11 changes: 5 additions & 6 deletions index.src.html
Expand Up @@ -43,7 +43,6 @@ <h1>Content Security Policy Level 3</h1>
text: main fetch
text: http-network fetch
text: http fetch
text: keepalive flag
text: response; for: /
spec:url
type: dfn
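Review bot: `text: keepalive flag` is dropped from the explicit anchor list, but no `text: keepalive` line replaces it, while the source still links `<a for="request">keepalive</a>` in the report-violation algorithm. That only resolves if Bikeshed's anchor data for Fetch already exposes the renamed term under `request`; if the build emits a link-resolution warning, add `text: keepalive` here in place of the removed line.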
Expand Down Expand Up @@ -347,8 +346,8 @@ <h3 id="changes-from-level-2">Changes from Level 2</h3>
hashes. Details in [[#unsafe-hashes-usage]].

9. The <a>source expression</a> matching has been changed to require explicit presence
of any non-<a>network scheme</a>, rather than <a>local scheme</a>,
unless that non-<a>network scheme</a> is the same as the scheme of protected resource,
of any non-<a>HTTP(S) scheme</a>, rather than <a>local scheme</a>,
unless that non-<a>HTTP(S) scheme</a> is the same as the scheme of protected resource,
as described in [[#match-url-to-source-expression]].

10. Hash-based source expressions may now match external scripts if the
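Review bot: minor grammar in the rewritten line "is the same as the scheme of protected resource": it should read "the scheme of the protected resource", and since this commit already touches that line the fix is cheap. Substantively, the entry now says that only a non-HTTP(S) scheme needs to be listed explicitly, so any scheme that Fetch previously classed as a network scheme but that is not http/https falls under the explicit-listing rule from this commit onward; one sentence saying so would help readers migrating from Level 2.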
Expand Down Expand Up @@ -1833,7 +1832,7 @@ <h3 id="report-violation" algorithm>
:: ""
: <a for="request">credentials mode</a>
:: "`same-origin`"
: <a for="request">keepalive flag</a>
: <a for="request">keepalive</a>
:: "`true`"
: <a for="request">header list</a>
:: A header list containing a single header whose name is
Expand Down Expand Up @@ -4085,11 +4084,11 @@ <h5 id="match-url-to-source-expression" algorithm>
1. If |expression| is the string "*", return "`Matches`" if one or more of
the following conditions is met:

1. |url|'s <a for="url">scheme</a> is a <a>network scheme</a>.
1. |url|'s <a for="url">scheme</a> is an <a>HTTP(S) scheme</a>.

2. |url|'s <a for="url">scheme</a> is the same as |origin|'s <a for="origin">scheme</a>.

Note: This logic means that in order to allow a resource from a non-<a>network scheme</a>,
Note: This logic means that in order to allow a resource from a non-<a>HTTP(S) scheme</a>,
it has to be either explicitly specified (e.g.
`default-src * data: custom-scheme-1: custom-scheme-2:`),
or the protected resource must be loaded from the same scheme.
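Review bot: the two conditions under the `*` case now read "HTTP(S) scheme or same scheme as origin", and the note's example (`default-src * data: custom-scheme-1: custom-scheme-2:`) is still consistent with that logic; the article fix from "a" to "an HTTP(S) scheme" is correct. This is an observable behaviour change that web-platform-tests can pin down: `*` against an `https:` URL from any document should yield "Matches", `*` against a `data:` URL from an `https:` document should not, and the same `data:` URL should match once `data:` is listed explicitly. Worth adding or linking the corresponding WPT change alongside this commit.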
