From 6b7810061b297603fae00eea95f65055b9afdd78 Mon Sep 17 00:00:00 2001
From: Antonio Sartori Let CSP list be element's shadow-including root's CSP
- list.about:blank
frame-ancestors
directivesandbox
directive
If CSP list contains a header-delivered Content Security Policy, and @@ -6869,11 +6868,13 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
As each Document
's CSP
- list is append-only, user agents can optimize away the contains a header-delivered
- Content Security Policy check by, for example, holding a flag on the Document
,
- set during Document
- creation and initialization.
As each Document
's policy container's CSP list is append-only, user agents can optimize away
+ the contains a header-delivered Content Security Policy check by, for example,
+ holding a flag on the CSP list, set when creating the policy container from the
+ fetch response.
The cloning steps for elements that
include HTMLOrSVGElement
must set the
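Review bot: the rewritten optimization note (the "holding a flag on the CSP list, set when creating the policy container from the fetch response" lines) only covers one way a policy container comes into existence; policy containers are also produced by cloning, and the clone steps later in this patch insert a copy of every policy, header-delivered ones included, into the clone's CSP list. A user agent that keeps the flag only on containers created from a fetch response would therefore answer "contains a header-delivered Content Security Policy" wrongly for an about:srcdoc or about:blank document whose container was cloned from a parent or initiator. Suggest extending the note to "set when creating the policy container from the fetch response and copied when cloning the policy container" so the described optimization stays equivalent to the check.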
@@ -9178,11 +9179,6 @@ partial interface Document {
The Document
has an embedder
policy (an embedder policy).
The Document
has a CSP list, which is a CSP list
- containing all of the Content Security Policy objects active for the document. The
- list is empty unless otherwise specified.
The Document
has a permissions policy, which
is a permissions policy, which is initially
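Review bot: the removed definition carried the meaning of the list ("containing all of the Content Security Policy objects active for the document"), but the replacement definition added to the policy container struct later in this patch reads only "A CSP list, which is a CSP list. It is initially empty", so the statement of what the list represents is lost rather than moved. Suggest carrying the wording over into the policy container definition, e.g. "A CSP list, which is a CSP list containing all of the Content Security Policy objects active for the Document or global object. It is initially empty.", and doing the same for the WorkerGlobalScope definition this patch deletes further down.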
@@ -30325,12 +30321,9 @@ interface HTMLIFrameElement : HTMLElement {
data-x="concept-response">response whose url
list consists of about:srcdoc
, header list consists of `Content-Type
`/`text/html
`, Content-Type`/`text/html
`, and body is the value of element's srcdoc
attribute, and CSP list is a clone
- of element's node document's CSP list.
The resulting Document
must be considered an iframe
srcdoc
document.
If creator is non-null, then set document's policy - container to a clone of creator's policy container.
If creator is non-null, then set document's policy container to a clone of creator's policy container.
Append a new session history entry to browsingContext's
session history whose URL is about:blank
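Review bot: with "CSP list is a clone of element's node document's CSP list" removed from the srcdoc response, the only thing that now gives a srcdoc document its policies is the about:srcdoc branch of "determine navigationParams policy container" later in this patch, which asserts that parent policy container is not null; the navigate call site, however, passes "parent browsing context's active document's current policy container (if any)". The old text made the inheritance explicit at the point where the srcdoc document is defined, the new text does not. Suggest adding a sentence after "must be considered an iframe srcdoc document" noting that the resulting Document's policy container is a clone of the parent's, so the dependency (and why the assert can never fire for a srcdoc navigation, since there is always a parent) is visible here rather than only at the algorithm.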
@@ -82853,12 +82848,17 @@ interface BarProp {
A policy container is a struct containing policies that apply to a - document. It has the following items:
+Document
or global object. It has the following items:
- There are no items at the moment. Each item has to define a default value for creating a new - policy container.
-A CSP list, which is a CSP list. It is initially empty.
Each item has to define a default value for creating a new policy container.
+ +Move other policies into the policy container.
To clone a policy container from a given policy container policy container:
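Review bot: the added sentence "Move other policies into the policy container." is a to-do left in normative text; as written it reads as an instruction to the reader. Either mark it the way this document marks open work (an explicit issue/note block) or drop it from this patch and track it separately. Minor: the updated intro "A policy container is a struct containing policies that apply to a Document or global object" should be consistent with the worker section, which later in the patch only initializes a policy container for WorkerGlobalScope, not for every global object.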
@@ -82866,16 +82866,36 @@ interface BarProp {Let clone be a new policy container.
For each item of policy container, set the - corresponding item of clone to an equal - value.
For each policy in policy container's CSP list, insert a copy of policy into + clone's CSP list.
Return clone.
To create a policy container for - a fetch response from a given URL response URL and header list header list:
+To determine whether a URL URL requires storing the policy + container in history:
+ +If URL's scheme is "blob
", return false.
If URL is "about:srcdoc
", return false.
If URL is local, return true.
Return false.
To create a policy container + from a fetch response from a given response + response:
If response URL's scheme is "BarProp {
data-x="blob-url-entry-environment">environment's policy
container.
Let result be a new policy container.
Otherwise, let result be a new policy container.
For each item of result, set item to be the result of parsing header list into item.
Set result's CSP list to the + result of parsing a response's Content Security Policies + given response.
Return result.
To determine navigationParams - policy container from a given URL response url and four optional + policy container from a given URL response URL and four optional policy containers history policy container, - initiator policy container, parent policy container and response policy - container:
+ initiator policy container, parent policy container, and response + policy container:If history policy container is not null, then assert that response - url is local and return a clone of history policy container.
If history policy container is not null, then:
+ +Assert: response URL requires storing the policy container in + history.
Return a clone of history policy + container.
If response url is about:srcdoc
, then assert that parent
- policy container is not null and return a clone of parent policy container.
If response URL is about:srcdoc
, then:
Assert: parent policy container is not null.
Return a clone of parent policy + container.
If response url is local and initiator
+ If response URL is local and initiator
policy container is not null, then return a clone of initiator policy container. Otherwise, return a new policy container.
To determine a worker's policy
- container from a given URL response url, a set of
- Document
and WorkerGlobalScope
objects worker owner set and a
- header list header list:
To initialize a worker global scope's policy
+ container given a WorkerGlobalScope
worker global scope and a response response:
TODO: FILL.
If worker global scope's url
+ is local but not "blob
":
Assert that worker global scope's owner set contains exactly one + element.
Set worker global scope's policy container to a clone of worker global scope's owner + set's unique element's relevant settings object's policy container.
Otherwise, set worker global scope's policy container to the result of + creating a policy container from a fetch response given response.
Let initiatorPolicyContainer be a clone of the source browsing - context's active document's policy container, if any.
Cancel any preexisting but not yet mature attempt to navigate browsingContext, including canceling any instances of the Location { // but see also determining navigationParams policy container given resource's url, historyPolicyContainer, initiatorPolicyContainer, parent browsing - context's active document's current policy container (if - any) and null.
Let navigationParams be a new navigation params whose request is null, Location { // but see also URL and response's header list.
If browsingContext is a top-level browsing context, then:
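Review bot: in "determine navigationParams policy container" the fourth argument, response policy container, is accepted but never used in the visible steps: the algorithm returns the history clone, the parent clone for about:srcdoc, the initiator clone for local URLs, and otherwise "a new policy container". For a non-local response that means the CSP list parsed by "create a policy container from a fetch response" is discarded, and the later X-Frame-Options check (which now iterates navigationParams' policy container's CSP list) would never see a header-delivered frame-ancestors policy. Presumably a step "If response policy container is not null, then return response policy container." belongs before the final fallback; if it was lost in the edit, please restore it. Two smaller points in the same hunk: "TODO: FILL." is still present in the worker initialization algorithm, and the blob branch of "create a policy container from a fetch response" should say explicitly whether it returns the blob URL entry's environment's policy container or a clone of it, since the following step ("Set result's CSP list to the result of parsing a response's Content Security Policies") must not be applied to a shared container.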
@@ -85814,9 +85865,7 @@ interface Location { // but see also unsafe-none".Initialize a Document
's CSP list given
- document, navigationParams's response, and navigationParams's request.
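Review bot: the removed call to "Initialize a Document's CSP list" passed navigationParams's request as well as the response, whereas the replacement path ("create a policy container from a fetch response", which only parses the response's Content Security Policies) has no access to the request. If the CSP-side initialization used the request for anything (for example to decide what to do when the request is null, a case the text right after this hunk still distinguishes with "If navigationParams's request is ..."), that behaviour is silently dropped here; please either confirm in the commit message that the request argument was unused, or thread the request into the new algorithm.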
If navigationParams's request is @@ -86013,10 +86062,10 @@ new PaymentRequest(…); // Allowed to use more discussion on this.
If newDocument's URL is local, let newEntry's policy container be navigationParams's policy container.
If newDocument's URL + requires storing the policy container in history, let newEntry's + policy container be navigationParams's + policy container.
Insert newEntry into sessionHistory after its current entry.
If newDocument's URL is local, let newEntry's policy container be navigationParams's policy container.
If newDocument's URL + requires storing the policy container in history, let newEntry's + policy container be navigationParams's + policy container.
Append newEntry to sessionHistory.
To check a navigation response's adherence to `X-Frame-Options
`, given
- a response response, a browsing
- context browsingContext, and an origin
+ navigationParams navigationParams, a
+ browsing context browsingContext, and an origin
destinationOrigin:
For each policy of response's CSP list:
+For each policy of navigationParams' + policy container's CSP list:
If policy's disposition is not " Let rawXFrameOptions be the result of getting, decoding, and splitting
- `BeforeUnloadEvent : Event {
` from navigationParams's response's header list.X-Frame-Options
` from response's X-Frame-Options
Let xFrameOptions be a new set.
A WorkerGlobalScope
object has an associated CSP list, which is a CSP list containing all of the Content Security
- Policy objects active for the worker. It is initially an empty list.
A WorkerGlobalScope
object has an associated module map. It is a module map,
initially empty.
Set worker global scope's policy container to the result of - determining a worker's policy - container given url, worker global scope's owner set - and response's header - list.
Initialize worker global scope's + policy container given worker global scope, and response.
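Review bot: the two session-history hunks change the condition for storing a policy container in the entry from "URL is local" to "URL requires storing the policy container in history", which excludes about:srcdoc and blob: URLs. For blob: that is consistent, because "create a policy container from a fetch response" re-derives the container from the blob URL entry's environment; for about:srcdoc, history traversal will re-clone the parent's current policy container rather than the one the document originally had, and since CSP lists are append-only the parent's list may have grown in the meantime (for example via a meta-delivered policy). If that is intended, a short note next to "requires storing the policy container in history" saying why about:srcdoc is excluded would help. Style: "navigationParams' policy container's CSP list" in the X-Frame-Options hunk uses a bare apostrophe while the rest of this patch writes "navigationParams's"; make it consistent.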
Set worker global scope's referrer policy to the result of @@ -99821,9 +99863,6 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { issue #207 for more details.
Initialize a global object's CSP list given worker global scope - and response.
Asynchronously complete the perform the fetch steps with response.
Initialize a global object's CSP list given workletGlobalScope. -
For each moduleURL of worklet's added modules list:
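Review bot: the worklet hunk removes "Initialize a global object's CSP list given workletGlobalScope" with no replacement, while the corresponding worker hunk replaces its removed call with "Initialize worker global scope's policy container given worker global scope, and response". Unless worklet global scopes obtain a policy container somewhere not shown in this patch (for instance by cloning the owning Document's), a worklet ends up with no CSP list at all after this change, which is a behaviour change rather than a refactor. Suggest either adding the equivalent initialization step before "For each moduleURL of worklet's added modules list:" or stating in the commit message where worklets get their policy container.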