diff --git a/index.bs b/index.bs index fe9cd3d851..d5072ebcde 100644 --- a/index.bs +++ b/index.bs @@ -31,6 +31,7 @@ spec:html text: fallback base url text: duplicate-attribute text: origin; for: / + text: policy container; for: / type: element text: a text: link @@ -131,9 +132,7 @@ spec: SHA2; urlPrefix: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pd spec: HTML; urlPrefix: https://html.spec.whatwg.org/ type: dfn - for: WorkerGlobalScope - text: owner set; url: concept-WorkerGlobalScope-owner-set - text: process the iframe attributes; url: process-the-iframe-attributes + text: initialise-the-document-object spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ type: grammar @@ -393,8 +392,7 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ A policy defines allowed and restricted behaviors, and may be applied to a {{Document}}, {{WorkerGlobalScope}}, or - {{WorkletGlobalScope}} as described in [[#initialize-global-object-csp]] and in - [[#initialize-document-csp]]. + {{WorkletGlobalScope}}. Each policy has an associated directive set, which is an ordered set of directives that define the policy's implications when applied. @@ -412,8 +410,6 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ local scheme documents/workers that have inherited their policy but have an opaque origin. Most of the time this will simply be the environment settings object's [=environment settings object/origin=]. - The [[#initialize-document-csp]] algorithm describes situations in which - a policy is inherited. Multiple [=/policies=] can be applied to a single resource, and are collected into a [=list=] of [=/policies=] known as a CSP list. 
@@ -565,9 +561,9 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ algorithm returns "`Allowed`" unless otherwise specified. 5. An initialization, which takes a {{Document}} - or global object, a response, and a policy - as arguments. This algorithm is executed during [[#initialize-document-csp]], - and has no effect unless otherwise specified. + or global object and a policy as arguments. This + algorithm is executed during [[#initialize-document-csp]], and has no effect unless + otherwise specified. 6. A pre-navigation check, which takes a request, a navigation type string ("`form-submission`" @@ -1125,11 +1121,10 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ Integration with HTML - 1. The {{Document}}, {{WorkerGlobalScope}}, and {{WorkletGlobalScope}} objects have a - `CSP list`, which holds all the policy objects which are - active for a given context. This list is empty unless otherwise specified, - and is populated via the [[#initialize-global-object-csp]] and - [[#initialize-document-csp]] algorithms. + 1. The [=policy container=] has a CSP list, which holds + all the policy objects which are active for a given context. This + list is empty unless otherwise specified, and is populated from the response + or inherited following the rules of the [=policy container=]. 2. A global object's CSP list is the result of executing [[#get-csp-of-object]] with the global object 
@@ -1139,130 +1134,56 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ global object by inserting it into the global object's CSP list. - 4. [[#initialize-global-object-csp]] is called during the run a worker - algorithm in order to bind a set of policy objects associated - with a response {{WorkerGlobalScope}} or {{WorkletGlobalScope}}. - - 5. [[#initialize-document-csp]] is called during the initializing a - new `Document` object algorithm in order to bind a set of policy - objects associated with a response to a newly created {{Document}}. + 4. [[#initialize-document-csp]] is called during the initializing a new `Document` object + algorithm. - 6. [[#should-block-inline]] is called during the prepare a script and + 5. [[#should-block-inline]] is called during the prepare a script and update a `style` block algorithms in order to determine whether or not an inline script or style block is allowed to execute/render. - 7. [[#should-block-inline]] is called during handling of inline event + 6. [[#should-block-inline]] is called during handling of inline event handlers (like `onclick`) and inline `style` attributes in order to determine whether or not they ought to be allowed to execute/render. - 8. policy is enforced during processing of the <{meta}> + 7. policy is enforced during processing of the <{meta}> element's <{meta/http-equiv}>. - 9. A {{Document}}'s embedding document is the {{Document}} + 8. A {{Document}}'s embedding document is the {{Document}} through which the {{Document}}'s browsing context is nested. - 10. HTML populates each request's cryptographic nonce + 9. HTML populates each request's cryptographic nonce metadata and parser metadata with relevant data from the elements responsible for resource loading. ISSUE(whatwg/html#968): Stylesheet loading is not yet integrated with Fetch in WHATWG's HTML. - 11. [[#allow-base-for-document]] is called during <{base}>'s set the frozen + 10. 
[[#allow-base-for-document]] is called during <{base}>'s set the frozen base URL algorithm to ensure that the <{base/href}> attribute's value is valid. - 12. [[#should-block-navigation-request]] is called during the process a + 11. [[#should-block-navigation-request]] is called during the process a navigate fetch algorithm, and [[#should-block-navigation-response]] is called during the process a navigate response algorithm to apply directive's navigation checks, as well as inline checks for navigations to `javascript:` URLs.

- Initialize a `Document`'s `CSP list` + Initialize a `Document`'s `CSPs`

- Given a {{Document}} (|document|), a response (|response|), and a - request or `null` (|request|) the user agent performs the following - steps in order to initialize |document|'s CSP list: - - 1. If |request| is not `null` and |response|'s url's - scheme is either a local scheme or `javascript`: - - 1. For each |policy| in |request|'s client's - global object's - CSP list: - - 1. Insert a copy of |policy| into |document|'s - CSP list. - - Note: For iframe srcdoc Documents, - |request| will be `null`, but |response| will contain a copy of the - embedding document's CSP list in its - CSP list, as specified in process the iframe attributes. - As such iframe srcdoc Documents - inherit their embedding document's CSP list. - - Note: Since [=policy/self-origin=] is also copied, any `'self'` - checks will be using the source browsing context's origin. This is - done for the purpose of making `'self'` make sense in documents - with opaque origins. The `'self'` keyword is used - in the [[#match-url-to-source-expression]] algorithm. - - Note: We do all this to ensure that a page cannot bypass its policy - by embedding a frame or popping up a new window containing content it - controls (`blob:` resources, or `document.write()`). + Given a {{Document}} (|document|), the user agent performs the following + steps in order to initialize |document|'s CSPs: - 2. For each |policy| in |response|'s CSP list, insert - |policy| into |document|'s CSP list. - - 3. For each |policy| in |document|'s CSP list: + 1. For each |policy| in |document|'s [=document/policy-container=]'s + [=policy-container/csp-list=] CSP list: 1. For each |directive| in |policy|: 1. Execute |directive|'s initialization - algorithm on |document| and |response|. - -

- Initialize a global object's `CSP list` -

- - Given a global object (|global|), and a response - (|response|), the user agent performs the following steps in order - to initialize |global|'s CSP list: - - 1. If |response|'s url's scheme is a - local scheme, or if |global| is a {{DedicatedWorkerGlobalScope}}: - - 1. Let |owners| be an empty list. - - 2. Add each of the items in |global|'s [=WorkerGlobalScope/owner set=] to |owners|. - - 4. For each |owner| in |owners|: - - 1. For each |policy| in |owner|'s CSP list: - - 1. Insert a copy of |policy| into |global|'s - CSP list. - - Note: local scheme includes `about:`, and this algorithm will - therefore copy the embedding document's policies for an iframe - `srcdoc` `Document`. - - 2. If |global| is a {{SharedWorkerGlobalScope}} or {{ServiceWorkerGlobalScope}}: - - 1. For each |policy| in |response|'s - CSP list, insert |policy| into - |global|'s CSP list. - - 3. If |global| is a {{WorkletGlobalScope}}: - - 1. Let |owner| be |global|'s [=WorkletGlobalScope/owner document=]. - - 2. For each |policy| in |owner|'s CSP list: - - 1. Insert a copy of |policy| into |global|'s CSP list. + algorithm on |document|.

Retrieve the CSP list of an |object| @@ -1270,16 +1191,13 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ To obtain |object|'s CSP list: - 1. If |object| is a {{Document}} return |object|'s CSP list. - - 2. If |object| is a {{Window}} return |object|'s associated `Document`'s - CSP list. + 1. If |object| is a {{Document}} return |object|'s [=policy container/CSP list=]. - 3. If |object| is a {{WorkerGlobalScope}}, return |object|'s CSP list. + 2. If |object| is a {{Window}} or a {{WorkerGlobalScope}} or a {{WorkletGlobalScope}}, + return environment settings object's [=environment settings object/policy + container=]. - 4. If |object| is a {{WorkletGlobalScope}}, return |object|'s CSP list. - - 5. Return `null`. + 3. Return `null`.

Should |element|'s inline |type| behavior be blocked by Content Security Policy? @@ -3423,18 +3341,16 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ according to the `sandbox` values present in its policies, as follows: - Given a {{Document}} or global object (|context|), a response - (|response|), and a policy (|policy|): - - 1. Assert: |response| is unused. + Given a {{Document}} or global object (|context|) and a policy + (|policy|): - 2. If |policy|'s disposition is not "`enforce`", or + 1. If |policy|'s disposition is not "`enforce`", or |context| is not a {{Document}}, then abort this algorithm. Note: This will need to change if we allow Workers to be sandboxed, which seems like a pretty reasonable thing to do. - 3. Parse a sandboxing directive using this directive's + 2. Parse a sandboxing directive using this directive's value as the input, and |context|'s forced sandboxing flag set as the output. @@ -4748,8 +4664,7 @@ spec: INFRA; urlPrefix: https://infra.spec.whatwg.org/ CSP Inheriting to avoid bypasses

- As described in [[#initialize-document-csp]] and [[#initialize-global-object-csp]], - documents loaded from local schemes will inherit a copy of the + Documents loaded from local schemes will inherit a copy of the policies in the source browsing context. The goal is to ensure that a page can't bypass its policy by embedding a frame or opening a new window containing content that is entirely under its control (`srcdoc` documents, `blob:` or `data:`
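Review bot: the new anchor `text: initialise-the-document-object` in the HTML anchor block (hunk @@ -131) is written as a URL fragment rather than a term, unlike its neighbours, which use the `text: …; url: …` form (compare the removed `text: process the iframe attributes; url: process-the-iframe-attributes`). Suggest `text: initialize the Document object; url: initialise-the-document-object`, and verify that the body still autolinks to it; hunk @@ -1139 item 4 mentions "the initializing a new `Document` object algorithm" in prose, so if that is not a link the anchor is unused.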
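Review bot: deleting the sentence that pointed at [[#initialize-document-csp]] in the self-origin paragraph (hunk @@ -412) leaves "documents/workers that have inherited their policy" with no reference to where inheritance is now defined, since this spec no longer defines it. Replace the removed sentence with a pointer to the HTML [=policy container=] rules that hunk @@ -1125 already cites, e.g. "Policy inheritance is defined by the [=policy container=] in HTML." so a reader can still find the inheritance algorithm.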
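Review bot: the initialization algorithm's signature (hunk @@ -565) still accepts "a {{Document}} or global object", but the only call site the text names is [[#initialize-document-csp]], which after this patch runs only over a {{Document}} (hunk @@ -1139 removes the "run a worker" hook, and the sandbox initialization in hunk @@ -3423 still aborts when "|context| is not a {{Document}}"). Either say where initialization is executed for a {{WorkerGlobalScope}} or {{WorkletGlobalScope}} now that their policies come from the policy container, or narrow the signature to {{Document}} so the text does not promise a global-object path it never invokes.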
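Review bot: in the rewritten [[#initialize-document-csp]] step 1 (hunk @@ -1139), "|document|'s [=document/policy-container=]'s [=policy-container/csp-list=] CSP list" autolinks the term and then repeats "CSP list" as plain text, and the autolink spellings (`document/policy-container`, `policy-container/csp-list`) match neither the `text: policy container; for: /` anchor added in hunk @@ -31 nor the `[=policy container/CSP list=]` used in hunk @@ -1270. Pick one spelling, drop the trailing "CSP list", and add a `CSP list` (for: policy container) entry to the anchor block so Bikeshed can resolve the link. The heading rename to "Initialize a `Document`'s `CSPs`" also introduces a term the rest of the spec does not use; "CSP list" or "policies" would match the surrounding text.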
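Review bot: step 2 of [[#get-csp-of-object]] (hunk @@ -1270) returns "environment settings object's [=environment settings object/policy container=]", which refers to an environment settings object that is never tied to |object|, and returns the policy container itself rather than its CSP list, while step 1 returns "|object|'s [=policy container/CSP list=]" and the algorithm is defined "To obtain |object|'s CSP list". Suggest: "2. If |object| is a {{Window}}, {{WorkerGlobalScope}}, or {{WorkletGlobalScope}}, return |object|'s relevant settings object's [=environment settings object/policy container=]'s [=policy container/CSP list=]." The old step 2 reached a {{Window}}'s policies via its associated `Document`; the new route via the settings object is only equivalent if HTML guarantees the two agree, which is worth stating in the commit message.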
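Review bot: the security-considerations paragraph (hunk @@ -4748) still asserts that documents loaded from local schemes "inherit a copy of the policies in the source browsing context", but with the cross-references removed and both inheritance algorithms deleted from this spec, nothing in the document backs that claim. Add a reference to the HTML policy container rules that now own inheritance (as hunk @@ -1125 does), otherwise the bypass-prevention guarantee this section relies on is unsourced.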