WD.html

<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>Content Security Policy Level 3</title>
  <meta content="WD" name="w3c-status">
  <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-WD" rel="stylesheet" type="text/css">
  <meta content="Bikeshed 1.0.0" name="generator">
<style>
  ul.toc ul ul ul {
    margin: 0 0 0 2em;
  }
  ul.toc ul ul ul span.secno {
    margin-left: -9em;
  }

  a[href^="http:"]:after {
    color: red;
    content: "🔓";
  }
</style>
<style>/* style-md-lists */

            /* This is a weird hack for me not yet following the commonmark spec
               regarding paragraph and lists. */
            [data-md] > :first-child {
                margin-top: 0;
            }
            [data-md] > :last-child {
                margin-bottom: 0;
            }</style>
<style>/* style-selflinks */

            .heading, .issue, .note, .example, li, dt {
                position: relative;
            }
            a.self-link {
                position: absolute;
                top: 0;
                left: calc(-1 * (3.5rem - 26px));
                width: calc(3.5rem - 26px);
                height: 2em;
                text-align: center;
                border: none;
                transition: opacity .2s;
                opacity: .5;
            }
            a.self-link:hover {
                opacity: 1;
            }
            .heading > a.self-link {
                font-size: 83%;
            }
            li > a.self-link {
                left: calc(-1 * (3.5rem - 26px) - 2em);
            }
            dfn > a.self-link {
                top: auto;
                left: auto;
                opacity: 0;
                width: 1.5em;
                height: 1.5em;
                background: gray;
                color: white;
                font-style: normal;
                transition: opacity .2s, background-color .2s, color .2s;
            }
            dfn:hover > a.self-link {
                opacity: 1;
            }
            dfn > a.self-link:hover {
                color: black;
            }

            a.self-link::before            { content: "¶"; }
            .heading > a.self-link::before { content: "§"; }
            dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-counters */

            body {
                counter-reset: example figure issue;
            }
            .issue {
                counter-increment: issue;
            }
            .issue:not(.no-marker)::before {
                content: "Issue " counter(issue);
            }

            .example {
                counter-increment: example;
            }
            .example:not(.no-marker)::before {
                content: "Example " counter(example);
            }
            .invalid.example:not(.no-marker)::before,
            .illegal.example:not(.no-marker)::before {
                content: "Invalid Example" counter(example);
            }

            figcaption {
                counter-increment: figure;
            }
            figcaption:not(.no-marker)::before {
                content: "Figure " counter(figure) " ";
            }</style>
<style>/* style-autolinks */

            .css.css, .property.property, .descriptor.descriptor {
                color: #005a9c;
                font-size: inherit;
                font-family: inherit;
            }
            .css::before, .property::before, .descriptor::before {
                content: "‘";
            }
            .css::after, .property::after, .descriptor::after {
                content: "’";
            }
            .property, .descriptor {
                /* Don't wrap property and descriptor names */
                white-space: nowrap;
            }
            .type { /* CSS value <type> */
                font-style: italic;
            }
            pre .property::before, pre .property::after {
                content: "";
            }
            [data-link-type="property"]::before,
            [data-link-type="propdesc"]::before,
            [data-link-type="descriptor"]::before,
            [data-link-type="value"]::before,
            [data-link-type="function"]::before,
            [data-link-type="at-rule"]::before,
            [data-link-type="selector"]::before,
            [data-link-type="maybe"]::before {
                content: "‘";
            }
            [data-link-type="property"]::after,
            [data-link-type="propdesc"]::after,
            [data-link-type="descriptor"]::after,
            [data-link-type="value"]::after,
            [data-link-type="function"]::after,
            [data-link-type="at-rule"]::after,
            [data-link-type="selector"]::after,
            [data-link-type="maybe"]::after {
                content: "’";
            }

            [data-link-type].production::before,
            [data-link-type].production::after,
            .prod [data-link-type]::before,
            .prod [data-link-type]::after {
                content: "";
            }

            [data-link-type=element],
            [data-link-type=element-attr] {
                font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
                font-size: .9em;
            }
            [data-link-type=element]::before { content: "<" }
            [data-link-type=element]::after  { content: ">" }

            [data-link-type=biblio] {
                white-space: pre;
            }</style>
<style>/* style-dfn-panel */

        .dfn-panel {
            position: absolute;
            z-index: 35;
            height: auto;
            width: -webkit-fit-content;
            width: fit-content;
            max-width: 300px;
            max-height: 500px;
            overflow: auto;
            padding: 0.5em 0.75em;
            font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
            background: #DDDDDD;
            color: black;
            border: outset 0.2em;
        }
        .dfn-panel:not(.on) { display: none; }
        .dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
        .dfn-panel > b { display: block; }
        .dfn-panel a { color: black; }
        .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
        .dfn-panel > b + b { margin-top: 0.25em; }
        .dfn-panel ul { padding: 0; }
        .dfn-panel li { list-style: inside; }
        .dfn-panel.activated {
            display: inline-block;
            position: fixed;
            left: .5em;
            bottom: 2em;
            margin: 0 auto;
            max-width: calc(100vw - 1.5em - .4em - .5em);
            max-height: 30vh;
        }

        .dfn-paneled { cursor: pointer; }
        </style>
<style>/* style-syntax-highlighting */
pre.idl.highlight { color: #708090; }
        .highlight:not(.idl) { background: hsl(24, 20%, 95%); }
        code.highlight { padding: .1em; border-radius: .3em; }
        pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
        .highlight .c { color: #708090 } /* Comment */
        .highlight .k { color: #990055 } /* Keyword */
        .highlight .l { color: #000000 } /* Literal */
        .highlight .n { color: #0077aa } /* Name */
        .highlight .o { color: #999999 } /* Operator */
        .highlight .p { color: #999999 } /* Punctuation */
        .highlight .cm { color: #708090 } /* Comment.Multiline */
        .highlight .cp { color: #708090 } /* Comment.Preproc */
        .highlight .c1 { color: #708090 } /* Comment.Single */
        .highlight .cs { color: #708090 } /* Comment.Special */
        .highlight .kc { color: #990055 } /* Keyword.Constant */
        .highlight .kd { color: #990055 } /* Keyword.Declaration */
        .highlight .kn { color: #990055 } /* Keyword.Namespace */
        .highlight .kp { color: #990055 } /* Keyword.Pseudo */
        .highlight .kr { color: #990055 } /* Keyword.Reserved */
        .highlight .kt { color: #990055 } /* Keyword.Type */
        .highlight .ld { color: #000000 } /* Literal.Date */
        .highlight .m { color: #000000 } /* Literal.Number */
        .highlight .s { color: #a67f59 } /* Literal.String */
        .highlight .na { color: #0077aa } /* Name.Attribute */
        .highlight .nc { color: #0077aa } /* Name.Class */
        .highlight .no { color: #0077aa } /* Name.Constant */
        .highlight .nd { color: #0077aa } /* Name.Decorator */
        .highlight .ni { color: #0077aa } /* Name.Entity */
        .highlight .ne { color: #0077aa } /* Name.Exception */
        .highlight .nf { color: #0077aa } /* Name.Function */
        .highlight .nl { color: #0077aa } /* Name.Label */
        .highlight .nn { color: #0077aa } /* Name.Namespace */
        .highlight .py { color: #0077aa } /* Name.Property */
        .highlight .nt { color: #669900 } /* Name.Tag */
        .highlight .nv { color: #222222 } /* Name.Variable */
        .highlight .ow { color: #999999 } /* Operator.Word */
        .highlight .mb { color: #000000 } /* Literal.Number.Bin */
        .highlight .mf { color: #000000 } /* Literal.Number.Float */
        .highlight .mh { color: #000000 } /* Literal.Number.Hex */
        .highlight .mi { color: #000000 } /* Literal.Number.Integer */
        .highlight .mo { color: #000000 } /* Literal.Number.Oct */
        .highlight .sb { color: #a67f59 } /* Literal.String.Backtick */
        .highlight .sc { color: #a67f59 } /* Literal.String.Char */
        .highlight .sd { color: #a67f59 } /* Literal.String.Doc */
        .highlight .s2 { color: #a67f59 } /* Literal.String.Double */
        .highlight .se { color: #a67f59 } /* Literal.String.Escape */
        .highlight .sh { color: #a67f59 } /* Literal.String.Heredoc */
        .highlight .si { color: #a67f59 } /* Literal.String.Interpol */
        .highlight .sx { color: #a67f59 } /* Literal.String.Other */
        .highlight .sr { color: #a67f59 } /* Literal.String.Regex */
        .highlight .s1 { color: #a67f59 } /* Literal.String.Single */
        .highlight .ss { color: #a67f59 } /* Literal.String.Symbol */
        .highlight .vc { color: #0077aa } /* Name.Variable.Class */
        .highlight .vg { color: #0077aa } /* Name.Variable.Global */
        .highlight .vi { color: #0077aa } /* Name.Variable.Instance */
        .highlight .il { color: #000000 } /* Literal.Number.Integer.Long */
        </style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1>Content Security Policy Level 3</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Working Draft, <time class="dt-updated" datetime="2016-08-01">1 August 2016</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://www.w3.org/TR/2016/WD-CSP3-20160801/">https://www.w3.org/TR/2016/WD-CSP3-20160801/</a>
     <dt>Latest published version:
     <dd><a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
     <dt>Editor's Draft:
     <dd><a href="https://w3c.github.io/webappsec-csp/">https://w3c.github.io/webappsec-csp/</a>
     <dt>Previous Versions:
     <dd><a href="https://www.w3.org/TR/2016/WD-CSP3-20160621/" rel="previous">https://www.w3.org/TR/2016/WD-CSP3-20160621/</a>
     <dt>Version History:
     <dd><a href="https://github.com/w3c/webappsec-csp/commits/master/index.src.html">https://github.com/w3c/webappsec-csp/commits/master/index.src.html</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5BCSP3%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[CSP3] <i data-lt="">… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
     <dt>Participate:
     <dd><span><a href="https://github.com/w3c/webappsec-csp/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-csp/issues">open issues</a>)</span>
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2016 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
  <div class="p-summary" data-fill-with="abstract">
   <p>This document defines a mechanism by which web developers can control the

resources which a particular page can fetch or execute, as well as a number
of security-relevant policy decisions.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> <em>This section describes the status of this document at the time of
  its publication. Other documents may supersede this document. A list of
  current W3C publications and the latest revision of this technical report
  can be found in the <a href="https://www.w3.org/TR/">W3C technical reports
  index at https://www.w3.org/TR/.</a></em> </p>
   <p> This document was published by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a Working Draft. This document is intended to become a W3C Recommendation. </p>
   <p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5BCSP3%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “CSP3” in the subject,
	preferably like this:
	“[CSP3] <em>…summary of comment…</em>” </p>
   <p> Publication as a Working Draft does not imply endorsement by the W3C
  Membership. This is a draft document and may be updated, replaced or
  obsoleted by other documents at any time. It is inappropriate to cite this
  document as other than work in progress. </p>
   <p> This document was produced by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
   <p> This document was produced by a group operating under
	the <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2015/Process-20150901/" id="w3c_process_revision">1 September 2015 W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li>
     <a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ol class="toc">
      <li>
       <a href="#examples"><span class="secno">1.1</span> <span class="content">Examples</span></a>
       <ol class="toc">
        <li><a href="#example-basic"><span class="secno">1.1.1</span> <span class="content">Control Execution</span></a>
       </ol>
      <li><a href="#goals"><span class="secno">1.2</span> <span class="content">Goals</span></a>
      <li><a href="#changes-from-level-2"><span class="secno">1.3</span> <span class="content">Changes from Level 2</span></a>
     </ol>
    <li>
     <a href="#framework"><span class="secno">2</span> <span class="content">Framework</span></a>
     <ol class="toc">
      <li>
       <a href="#framework-policy"><span class="secno">2.1</span> <span class="content">Policies</span></a>
       <ol class="toc">
        <li><a href="#parse-serialized-policy"><span class="secno">2.1.1</span> <span class="content"> Parse a <var>serialized CSP</var> as <var>disposition</var> </span></a>
        <li><a href="#parse-serialized-policy-list"><span class="secno">2.1.2</span> <span class="content"> Parse a serialized CSP <var>list</var> as <var>disposition</var> </span></a>
       </ol>
      <li>
       <a href="#framework-directives"><span class="secno">2.2</span> <span class="content">Directives</span></a>
       <ol class="toc">
        <li><a href="#framework-directive-source-list"><span class="secno">2.2.1</span> <span class="content">Source Lists</span></a>
       </ol>
      <li>
       <a href="#framework-violation"><span class="secno">2.3</span> <span class="content">Violations</span></a>
       <ol class="toc">
        <li><a href="#create-violation-for-global"><span class="secno">2.3.1</span> <span class="content"> Create a violation object for <var>global</var>, <var>policy</var>, and <var>directive</var> </span></a>
        <li><a href="#create-violation-for-request"><span class="secno">2.3.2</span> <span class="content"> Create a violation object for <var>request</var>, <var>policy</var>, and <var>directive</var> </span></a>
       </ol>
     </ol>
    <li>
     <a href="#policy-delivery"><span class="secno">3</span> <span class="content"> Policy Delivery </span></a>
     <ol class="toc">
      <li><a href="#csp-header"><span class="secno">3.1</span> <span class="content"> The <code>Content-Security-Policy</code> HTTP Response Header Field </span></a>
      <li><a href="#cspro-header"><span class="secno">3.2</span> <span class="content"> The <code>Content-Security-Policy-Report-Only</code> HTTP Response Header Field </span></a>
      <li><a href="#meta-element"><span class="secno">3.3</span> <span class="content"> The <code>&lt;meta></code> element </span></a>
     </ol>
    <li>
     <a href="#integrations"><span class="secno">4</span> <span class="content">Integrations</span></a>
     <ol class="toc">
      <li>
       <a href="#fetch-integration"><span class="secno">4.1</span> <span class="content"> Integration with Fetch </span></a>
       <ol class="toc">
        <li><a href="#set-response-csp-list"><span class="secno">4.1.1</span> <span class="content"> Set <var>response</var>’s <code>CSP list</code> </span></a>
        <li><a href="#report-for-request"><span class="secno">4.1.2</span> <span class="content"> Report Content Security Policy violations for <var>request</var> </span></a>
        <li><a href="#should-block-request"><span class="secno">4.1.3</span> <span class="content"> Should <var>request</var> be blocked by Content Security Policy? </span></a>
        <li><a href="#should-block-response"><span class="secno">4.1.4</span> <span class="content"> Should <var>response</var> to <var>request</var> be blocked by Content
    Security Policy? </span></a>
       </ol>
      <li>
       <a href="#html-integration"><span class="secno">4.2</span> <span class="content"> Integration with HTML </span></a>
       <ol class="toc">
        <li><a href="#initialize-document-csp"><span class="secno">4.2.1</span> <span class="content"> Initialize a <code>Document</code>'s <code>CSP list</code> </span></a>
        <li><a href="#initialize-global-object-csp"><span class="secno">4.2.2</span> <span class="content"> Initialize a global object’s <code>CSP list</code> </span></a>
        <li><a href="#should-block-inline"><span class="secno">4.2.3</span> <span class="content"> Should <var>element</var>’s inline <var>type</var> behavior be blocked by Content Security Policy? </span></a>
       </ol>
      <li>
       <a href="#ecma-integration"><span class="secno">4.3</span> <span class="content">Integration with ECMAScript</span></a>
       <ol class="toc">
        <li><a href="#can-compile-strings"><span class="secno">4.3.1</span> <span class="content"> EnsureCSPDoesNotBlockStringCompilation(<var>callerRealm</var>, <var>calleeRealm</var>) </span></a>
       </ol>
     </ol>
    <li>
     <a href="#reporting"><span class="secno">5</span> <span class="content"> Reporting </span></a>
     <ol class="toc">
      <li><a href="#violation-events"><span class="secno">5.1</span> <span class="content"> Violation DOM Events </span></a>
      <li><a href="#deprecated-serialize-violation"><span class="secno">5.2</span> <span class="content"> Obtain the deprecated serialization of <var>violation</var> </span></a>
      <li><a href="#report-violation"><span class="secno">5.3</span> <span class="content"> Report a <var>violation</var> </span></a>
     </ol>
    <li>
     <a href="#csp-directives"><span class="secno">6</span> <span class="content"> Content Security Policy Directives </span></a>
     <ol class="toc">
      <li>
       <a href="#directives-fetch"><span class="secno">6.1</span> <span class="content"> Fetch Directives </span></a>
       <ol class="toc">
        <li>
         <a href="#directive-child-src"><span class="secno">6.1.1</span> <span class="content"><code>child-src</code></span></a>
         <ol class="toc">
          <li><a href="#child-src-algorithms"><span class="secno">6.1.1.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-connect-src"><span class="secno">6.1.2</span> <span class="content"><code>connect-src</code></span></a>
         <ol class="toc">
          <li><a href="#connect-src-algorithms"><span class="secno">6.1.2.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-default-src"><span class="secno">6.1.3</span> <span class="content"><code>default-src</code></span></a>
         <ol class="toc">
          <li><a href="#default-src-algorithms"><span class="secno">6.1.3.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-font-src"><span class="secno">6.1.4</span> <span class="content"><code>font-src</code></span></a>
         <ol class="toc">
          <li><a href="#font-src-algorithms"><span class="secno">6.1.4.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-frame-src"><span class="secno">6.1.5</span> <span class="content"><code>frame-src</code></span></a>
         <ol class="toc">
          <li><a href="#frame-src-algorithms"><span class="secno">6.1.5.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-img-src"><span class="secno">6.1.6</span> <span class="content"><code>img-src</code></span></a>
         <ol class="toc">
          <li><a href="#img-src-algorithms"><span class="secno">6.1.6.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-manifest-src"><span class="secno">6.1.7</span> <span class="content"><code>manifest-src</code></span></a>
         <ol class="toc">
          <li><a href="#manifest-src-algorithms"><span class="secno">6.1.7.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-media-src"><span class="secno">6.1.8</span> <span class="content"><code>media-src</code></span></a>
         <ol class="toc">
          <li><a href="#media-src-algorithms"><span class="secno">6.1.8.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-object-src"><span class="secno">6.1.9</span> <span class="content"><code>object-src</code></span></a>
         <ol class="toc">
          <li><a href="#object-src-algorithms"><span class="secno">6.1.9.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-script-src"><span class="secno">6.1.10</span> <span class="content"><code>script-src</code></span></a>
         <ol class="toc">
          <li><a href="#script-src-algorithms"><span class="secno">6.1.10.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-style-src"><span class="secno">6.1.11</span> <span class="content"><code>style-src</code></span></a>
         <ol class="toc">
          <li><a href="#style-src-algorithms"><span class="secno">6.1.11.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-worker-src"><span class="secno">6.1.12</span> <span class="content"><code>worker-src</code></span></a>
         <ol class="toc">
          <li><a href="#worker-src-algorithms"><span class="secno">6.1.12.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#fetch-directive-matching-url"><span class="secno">6.1.13</span> <span class="content">URL Matching Algorithms</span></a>
         <ol class="toc">
          <li><a href="#does-request-violate-policy"><span class="secno">6.1.13.1</span> <span class="content"> Does <var>request</var> violate <var>policy</var>? </span></a>
          <li><a href="#match-nonce-to-source-list"><span class="secno">6.1.13.2</span> <span class="content"> Does <var>nonce</var> match <var>source list</var>? </span></a>
          <li><a href="#match-url-to-source-list"><span class="secno">6.1.13.3</span> <span class="content"> Does <var>url</var> match <var>source list</var>? </span></a>
          <li><a href="#match-url-to-source-expression"><span class="secno">6.1.13.4</span> <span class="content"> Does <var>url</var> match <var>expression</var> in <var>origin</var> with <var>redirect count</var>? </span></a>
          <li><a href="#effective-directive-for-a-request"><span class="secno">6.1.13.5</span> <span class="content"> Get the effective directive for <var>request</var> </span></a>
         </ol>
        <li>
         <a href="#fetch-directive-matching-element"><span class="secno">6.1.14</span> <span class="content">Element Matching Algorithms</span></a>
         <ol class="toc">
          <li><a href="#match-element-to-source-list"><span class="secno">6.1.14.1</span> <span class="content"> Does <var>element</var> match source <var>list</var> for <var>type</var> and <var>source</var>? </span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-document"><span class="secno">6.2</span> <span class="content"> Document Directives </span></a>
       <ol class="toc">
        <li>
         <a href="#directive-base-uri"><span class="secno">6.2.1</span> <span class="content"><code>base-uri</code></span></a>
         <ol class="toc">
          <li><a href="#allow-base-for-document"><span class="secno">6.2.1.1</span> <span class="content"> Is <var>base</var> allowed for <var>document</var>? </span></a>
         </ol>
        <li><a href="#directive-plugin-types"><span class="secno">6.2.2</span> <span class="content"><code>plugin-types</code></span></a>
        <li>
         <a href="#directive-sandbox"><span class="secno">6.2.3</span> <span class="content"><code>sandbox</code></span></a>
         <ol class="toc">
          <li><a href="#sandbox-algorithms"><span class="secno">6.2.3.1</span> <span class="content">Algorithms</span></a>
         </ol>
        <li>
         <a href="#directive-disown-opener"><span class="secno">6.2.4</span> <span class="content"><code>disown-opener</code></span></a>
         <ol class="toc">
          <li><a href="#disown-opener-algorithms"><span class="secno">6.2.4.1</span> <span class="content">Algorithms</span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-navigation"><span class="secno">6.3</span> <span class="content"> Navigation Directives </span></a>
       <ol class="toc">
        <li><a href="#directive-form-action"><span class="secno">6.3.1</span> <span class="content"><code>form-action</code></span></a>
        <li>
         <a href="#directive-frame-ancestors"><span class="secno">6.3.2</span> <span class="content"><code>frame-ancestors</code></span></a>
         <ol class="toc">
          <li><a href="#frame-ancestors-algorithms"><span class="secno">6.3.2.1</span> <span class="content">Algorithms</span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-reporting"><span class="secno">6.4</span> <span class="content"> Reporting Directives </span></a>
       <ol class="toc">
        <li><a href="#directive-report-uri"><span class="secno">6.4.1</span> <span class="content"><code>report-uri</code></span></a>
        <li><a href="#directive-report-to"><span class="secno">6.4.2</span> <span class="content"><code>report-to</code></span></a>
       </ol>
      <li><a href="#directives-elsewhere"><span class="secno">6.5</span> <span class="content"> Directives Defined in Other Documents </span></a>
     </ol>
    <li>
     <a href="#security-considerations"><span class="secno">7</span> <span class="content">Security Considerations</span></a>
     <ol class="toc">
      <li><a href="#security-nonces"><span class="secno">7.1</span> <span class="content">Nonce Reuse</span></a>
     </ol>
    <li>
     <a href="#authoring-considerations"><span class="secno">8</span> <span class="content">Authoring Considerations</span></a>
     <ol class="toc">
      <li><a href="#multiple-policies"><span class="secno">8.1</span> <span class="content"> The effect of multiple policies </span></a>
      <li><a href="#strict-dynamic-usage"><span class="secno">8.2</span> <span class="content"> Usage of "<code>'strict-dynamic'</code>" </span></a>
      <li><a href="#unsafe-hashed-attributes-usage"><span class="secno">8.3</span> <span class="content"> Usage of "<code>'unsafe-hashed-attributes'</code>" </span></a>
      <li><a href="#external-hash"><span class="secno">8.4</span> <span class="content"> Whitelisting external JavaScript with hashes </span></a>
     </ol>
    <li>
     <a href="#implementation-considerations"><span class="secno">9</span> <span class="content">Implementation Considerations</span></a>
     <ol class="toc">
      <li><a href="#extensions"><span class="secno">9.1</span> <span class="content">Vendor-specific Extensions and Addons</span></a>
     </ol>
    <li>
     <a href="#iana-considerations"><span class="secno">10</span> <span class="content">IANA Considerations</span></a>
     <ol class="toc">
      <li><a href="#iana-registry"><span class="secno">10.1</span> <span class="content"> Directive Registry </span></a>
      <li>
       <a href="#iana-headers"><span class="secno">10.2</span> <span class="content"> Headers </span></a>
       <ol class="toc">
        <li><a href="#iana-csp"><span class="secno">10.2.1</span> <span class="content">Content-Security-Policy</span></a>
        <li><a href="#iana-cspro"><span class="secno">10.2.2</span> <span class="content">Content-Security-Policy-Report-Only</span></a>
       </ol>
     </ol>
    <li><a href="#acknowledgements"><span class="secno">11</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ol>
  </nav>
  <main>
   <section>
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
    <p><em>This section is not normative.</em></p>
    <p>This document defines <dfn data-dfn-type="dfn" data-export="" id="content-security-policy">Content Security Policy<a class="self-link" href="#content-security-policy"></a></dfn> (CSP), a tool
  which developers can use to lock down their applications in various ways,
  mitigating the risk of content injection vulnerabilities such as cross-site scripting, and
  reducing the privilege with which their applications execute.</p>
    <p>CSP is not intended as a first line of defense against content injection
  vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces
  the harm that a malicious injection can cause, but it is not a replacement for
  careful input validation and output encoding.</p>
    <p>This document is an iteration on Content Security Policy Level 2, with the
  goal of more clearly explaining the interactions between CSP, HTML, and Fetch
  on the one hand, and providing clear hooks for modular extensibility on the
  other. Ideally, this will form a stable core upon which we can build new
  functionality.</p>
    <h3 class="heading settled" data-level="1.1" id="examples"><span class="secno">1.1. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h3>
    <h4 class="heading settled" data-level="1.1.1" id="example-basic"><span class="secno">1.1.1. </span><span class="content">Control Execution</span><a class="self-link" href="#example-basic"></a></h4>
    <div class="example" id="example-1451d1f8">
     <a class="self-link" href="#example-1451d1f8"></a> MegaCorp Inc’s developers want to protect themselves against cross-site
    scripting attacks. They can mitigate the risk of script injection by
    ensuring that their trusted CDN is the only origin from which script can
    load and execute. Moreover, they wish to ensure that no plugins can
    execute in their pages' contexts. The following policy has that effect: 
<pre>Content-Security-Policy: script-src https://cdn.example.com/scripts/; object-src 'none'
</pre>
    </div>
    <h3 class="heading settled" data-level="1.2" id="goals"><span class="secno">1.2. </span><span class="content">Goals</span><a class="self-link" href="#goals"></a></h3>
    <p>Content Security Policy aims to do to a few related things:</p>
    <ol>
     <li data-md="">
      <p>Mitigate the risk of content-injection attacks by giving developers
  fairly granular control over</p>
      <ul>
       <li data-md="">
        <p>The resources which can be requested (and subsequently embedded or
  executed) on behalf of a specific <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> or <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#worker">Worker</a></code></p>
       <li data-md="">
        <p>The execution of inline script</p>
       <li data-md="">
        <p>Dynamic code execution (via <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-eval-x">eval()</a></code> and similar constructs)</p>
       <li data-md="">
        <p>The application of inline style</p>
      </ul>
     <li data-md="">
      <p>Mitigate the risk of attacks which require a resource to be embedded
  in a malicious context (the "Pixel Perfect" attack described in <a data-link-type="biblio" href="#biblio-timing">[TIMING]</a>, for example) by giving developers granular control over the
  origins which can embed a given resource.</p>
     <li data-md="">
      <p>Provide a policy framework which allows developers to reduce the privilege
  of their applications.</p>
     <li data-md="">
      <p>Provide a reporting mechanism which allows developers to detect flaws
  being exploited in the wild.</p>
    </ol>
    <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span class="secno">1.3. </span><span class="content">Changes from Level 2</span><a class="self-link" href="#changes-from-level-2"></a></h3>
    <p>This document describes an evolution of the Content Security Policy Level 2
  specification <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a>. The following is a high-level overview of the changes:</p>
    <ol>
     <li data-md="">
      <p>The specification has been rewritten from the ground up in terms of the <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> specification, which should make it simpler to integrate CSP’s
  requirements and restrictions with other specifications (and with
  Service Workers in particular).</p>
     <li data-md="">
      <p>The <code>frame-src</code> directive, which was deprecated in CSP Level
  2, has been undeprecated, and a <code>worker-src</code> directive added. Both defer
  to <code>child-src</code> if not present (which defers to <code>default-src</code> in turn).</p>
     <li data-md="">
      <p>The URL matching algorithm now treats insecure schemes and ports as
  matching their secure variants. That is, the source expression <code>http://example.com:80</code> will match both <code>http://example.com:80</code> and <code>https://example.com:443</code>.</p>
      <p>Likewise, <code>'self'</code> now matches <code>https:</code> and <code>wss:</code> variants of the page’s
  origin, even on pages whose scheme is <code>http</code>.</p>
     <li data-md="">
      <p>Violation reports generated from inline script or style will now report
  "<code>inline</code>" as the blocked resource. Likewise, blocked <code>eval()</code> execution
  will report "<code>eval</code>" as the blocked resource.</p>
     <li data-md="">
      <p>The <code>manifest-src</code> directive has been added.</p>
     <li data-md="">
      <p>The <code>report-uri</code> directive is deprecated in favor of the new <code>report-to</code> directive, which relies on <a data-link-type="biblio" href="#biblio-oob-reporting">[OOB-REPORTING]</a> as infrastructure.</p>
     <li data-md="">
      <p>The <code>'strict-dynamic'</code> source expression will now allow script which
  executes on a page to load more script via non-<a data-link-type="dfn" href="https://www.w3.org/TR/html5/scripting-1.html#parser-inserted">parser-inserted</a> <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements. Details are in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
     <li data-md="">
      <p>The <code>'unsafe-hashed-attributes'</code> source expression will now allow event
  handlers and style attributes to match hash source expressions. Details
  in <a href="#unsafe-hashed-attributes-usage">§8.3 Usage of "'unsafe-hashed-attributes'"</a>.</p>
     <li data-md="">
      <p>The <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-1">source expression</a> matching has been changed to require explicit whitelisting
  of any non-<a data-link-type="dfn" href="https://url.spec.whatwg.org/#network-scheme">network scheme</a>, rather than <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a>, as described
  in <a href="#match-url-to-source-expression">§6.1.13.4 Does url match expression in origin with redirect count?</a>.</p>
     <li data-md="">
      <p>Hash-based source expressions may now whitelist external scripts if the <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element that triggers the request specifies a set of integrity
  metadata which is whitelisted by the current policy. Details in <a href="#external-hash">§8.4 Whitelisting external JavaScript with hashes</a>.</p>
     <li data-md="">
      <p>The <a data-link-type="dfn" href="#disown-opener" id="ref-for-disown-opener-1"><code>disown-opener</code></a> directive ensures that a resource can’t be opened
  in such a way as to give another browsing context control over its contents.</p>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="2" id="framework"><span class="secno">2. </span><span class="content">Framework</span><a class="self-link" href="#framework"></a></h2>
    <h3 class="heading settled" data-level="2.1" id="framework-policy"><span class="secno">2.1. </span><span class="content">Policies</span><a class="self-link" href="#framework-policy"></a></h3>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="policy">policy</dfn> defines a set of allowed and
  restricted behaviors, and may be applied to a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/browsers.html#dom-window">Window</a></code> or <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a></code> as described in <a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a>.</p>
    <p>Each policy has an associated <dfn class="dfn-paneled" data-dfn-for="policy" data-dfn-type="dfn" data-export="" id="policy-directive-set">directive set</dfn>, which
  is a set of <a data-link-type="dfn" href="#directives" id="ref-for-directives-1">directives</a> that define the policy’s implications when
  applied.</p>
    <p>Each policy has an associated <dfn class="dfn-paneled" data-dfn-for="policy" data-dfn-type="dfn" data-export="" id="policy-disposition">disposition</dfn>, which is
  either "<code>enforce</code>" or "<code>report</code>".</p>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="serialized-csp">serialized CSP</dfn> is an ASCII string, consisting of a
  semicolon-delimited series of <a data-link-type="dfn" href="#serialized-directive" id="ref-for-serialized-directive-1">serialized directives</a>, adhering to the
  following ABNF grammar <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-policy">serialized-policy</dfn> = <a data-link-type="grammar" href="#grammardef-serialized-directive" id="ref-for-grammardef-serialized-directive-1">serialized-directive</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">OWS</a> ";" [ <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">OWS</a> <a data-link-type="grammar" href="#grammardef-serialized-directive" id="ref-for-grammardef-serialized-directive-2">serialized-directive</a> ] )
                    ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">OWS</a> is defined in section 3.2.3 of RFC 7230
</pre>
    <h4 class="heading settled dfn-paneled algorithm" data-algorithm="Parse a serialized CSP as disposition" data-dfn-type="dfn" data-level="2.1.1" data-lt="parse a serialized CSP" data-noexport="" id="parse-serialized-policy"><span class="secno">2.1.1. </span><span class="content"> Parse a <var>serialized CSP</var> as <var>disposition</var> </span></h4>
    <p>Given a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-1">serialized CSP</a> (<var>serialized CSP</var>), and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-1">disposition</a> (<var>disposition</var>), this algorithm will return a <a data-link-type="dfn" href="#policy" id="ref-for-policy-1">policy</a> object. If the string cannot be parsed, the resulting <a data-link-type="dfn" href="#policy" id="ref-for-policy-2">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-1">directive set</a> will be empty.</p>
    <ol>
     <li data-md="">
      <p>Let <var>policy</var> be a new <a data-link-type="dfn" href="#policy" id="ref-for-policy-3">policy</a> with an empty <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-2">directive set</a>, and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-2">disposition</a> of <var>disposition</var>.</p>
     <li data-md="">
      <p>For each <var>token</var> returned by <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#strictly-split-a-string">strictly splitting</a> <var>serialized
  CSP</var> on the U+003B SEMICOLON character (<code>;</code>):</p>
      <ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">Strip leading and trailing whitespace</a> from <var>token</var>.</p>
       <li data-md="">
        <p>If <var>token</var> is an empty string, skip the remaining substeps
  and continue to the next item.</p>
       <li data-md="">
        <p>Let <var>directive name</var> be the result of <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#collect-a-sequence-of-characters">collecting a sequence of
  characters</a> from <var>token</var> which are not <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#space-characters">space
  characters</a>.</p>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-3">directive set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-2">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-1">name</a> is <var>directive
  name</var>, skip the remaining substeps and continue to the next item.</p>
        <p>The user agent SHOULD notify developers that a directive was ignored.
  A console warning might be appropriate, for example.</p>
       <li data-md="">
        <p>Let <var>directive value</var> be the result of <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">splitting <var>token</var> on
  spaces</a>.</p>
       <li data-md="">
        <p>Let <var>directive</var> be a new <a data-link-type="dfn" href="#directives" id="ref-for-directives-3">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-2">name</a> is <var>directive name</var>, and <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-1">value</a> is <var>directive value</var>.</p>
       <li data-md="">
        <p>Add <var>directive</var> to <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-4">directive set</a>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>policy</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Parse a serialized CSP list as disposition" data-level="2.1.2" id="parse-serialized-policy-list"><span class="secno">2.1.2. </span><span class="content"> Parse a serialized CSP <var>list</var> as <var>disposition</var> </span><a class="self-link" href="#parse-serialized-policy-list"></a></h4>
    <p>Given a string (<var>list</var>) and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-3">disposition</a> (<var>disposition</var>)
  which contains a comma-delimited series of <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-2">serialized CSP</a> strings, the
  following algorithm will return a list of <a data-link-type="dfn" href="#policy" id="ref-for-policy-4">policy</a> objects:</p>
    <ol>
     <li data-md="">
      <p>Let <var>policies</var> be an empty list.</p>
     <li data-md="">
      <p>For each <var>token</var> returned by <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-commas">splitting <var>list</var> on commas</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>policy</var> be the result of executing <a href="#parse-serialized-policy" id="ref-for-parse-serialized-policy-1">§2.1.1 Parse a serialized CSP as disposition</a> on <var>token</var> with <var>disposition</var>.</p>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-5">directive set</a> is empty, skip the
  remaining substeps, and continue to the next item.</p>
       <li data-md="">
        <p>Add <var>policy</var> to <var>policies</var>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>policies</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="2.2" id="framework-directives"><span class="secno">2.2. </span><span class="content">Directives</span><a class="self-link" href="#framework-directives"></a></h3>
    <p>Each <a data-link-type="dfn" href="#policy" id="ref-for-policy-5">policy</a> contain a set of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="directives">directives</dfn>, each of which controls
  a specific behavior. The directives defined in this document are described in
  detail in <a href="#csp-directives">§6 Content Security Policy Directives</a>.</p>
    <p>Each <a data-link-type="dfn" href="#directives" id="ref-for-directives-4">directive</a> is a <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-name">name</dfn> / <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-value">value</dfn> pair. The <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-3">name</a> is a
  non-empty string, and the <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-2">value</a> is a set of non-empty strings. The <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-3">value</a> set MAY be empty.</p>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="serialized-directive">serialized directive</dfn> is an ASCII string, consisting of one or more
  whitespace-delimited tokens, and adhering to the following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-directive">serialized-directive</dfn> = <a data-link-type="grammar" href="#grammardef-directive-name" id="ref-for-grammardef-directive-name-1">directive-name</a> [ <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="#grammardef-directive-value" id="ref-for-grammardef-directive-value-1">directive-value</a> ]
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-directive-name">directive-name</dfn>       = 1*( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">DIGIT</a> / "-" )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-directive-value">directive-value</dfn>      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
                       ; Directive values may contain whitespace and <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">VCHAR</a> characters,
                       ; excluding ";" and ","

; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> is defined in section 3.2.3 of RFC7230. <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">ALPHA</a>, <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">DIGIT</a>, and
; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">VCHAR</a> are defined in Appendix B.1 of RFC 5234.
</pre>
    <p><a data-link-type="dfn" href="#directives" id="ref-for-directives-5">Directives</a> have five associated algorithms:</p>
    <ol>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-pre-request-check">pre-request check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-6">policy</a> as an argument, and is executed during <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>. This algorithm returns "<code>Allowed</code>" unless
  otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-post-request-check">post-request check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>, and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-7">policy</a> as arguments, and
  is executed during <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>. This algorithm returns
  "<code>Allowed</code>" unless otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-response-check">response check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>, and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-8">policy</a> as arguments, and
  is executed during <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>. This algorithm returns
  "<code>Allowed</code>" unless otherwise specified.</p>
     <li data-md="">
      <p>An <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-inline-check">inline check</dfn>, which takes an <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#interface-element">Element</a></code> a
  type string, and a soure string as arguments, and is executed during <a href="#should-block-inline">§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?</a>. This algorithm returns "<code>Allowed</code>" unless
  otherwise specified.</p>
     <li data-md="">
      <p>An <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-initialization">initialization</dfn>, which takes a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> or <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>, and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-9">policy</a> as
  arguments. This algorithm is executed during <a href="#initialize-document-csp">§4.2.1 Initialize a Document's CSP list</a>,
  and has no effect unless otherwise specified.</p>
    </ol>
    <h4 class="heading settled" data-level="2.2.1" id="framework-directive-source-list"><span class="secno">2.2.1. </span><span class="content">Source Lists</span><a class="self-link" href="#framework-directive-source-list"></a></h4>
    <p>Many <a data-link-type="dfn" href="#directives" id="ref-for-directives-6">directives</a>' <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-4">values</a> consist of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="source-lists">source lists</dfn>: sets
  of tokens which identify content that can be fetched and potentially embedded
  or executed. These tokens represent one of the following types of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="source expression" id="source-expression">source
  expression</dfn>:</p>
    <ol>
     <li data-md="">
      <p>Keywords such as <a data-link-type="grammar" href="#grammardef-none" id="ref-for-grammardef-none-1"><code>'none'</code></a> and <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-1"><code>'self'</code></a> (which match nothing and the current
  URL’s origin, respectively)</p>
     <li data-md="">
      <p>Serialized URLs such as <code>https://example.com/path/to/file.js</code> (which matches a specific file) or <code>https://example.com/</code> (which matches everything on that origin)</p>
     <li data-md="">
      <p>Schemes such as <code>https:</code> (which matches any resource having
  the specified scheme)</p>
     <li data-md="">
      <p>Hosts such as <code>example.com</code> (which matches any resource on
  the host, regardless of scheme) or <code>*.example.com</code> (which
  matches any resource on the host or any of its subdomains (and any of
  its subdomains' subdomains, and so on))</p>
     <li data-md="">
      <p>Nonces such as <code>'nonce-qwertyu12345'</code> (which can match specific
  elements on a page)</p>
     <li data-md="">
      <p>Digests such as <code>'sha256-abcd...'</code> (which can match specific
  elements on a page)</p>
    </ol>
    <p>A <dfn data-dfn-type="dfn" data-export="" id="serialized-source-list">serialized source list<a class="self-link" href="#serialized-source-list"></a></dfn> is an ASCII string, consisting of a
  space-delimited series of <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-2">source expressions</a>, adhering to the
  following ABNF grammar <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-source-list">serialized-source-list</dfn> = ( <a data-link-type="grammar" href="#grammardef-source-expression" id="ref-for-grammardef-source-expression-1">source-expression</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="#grammardef-source-expression" id="ref-for-grammardef-source-expression-2">source-expression</a> ) ) / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-none">'none'</dfn>"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-source-expression">source-expression</dfn>      = <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source-1">scheme-source</a> / <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-1">host-source</a> / <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-1">keyword-source</a>
                         / <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-1">nonce-source</a> / <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-1">hash-source</a>

; Schemes: "https:" / "custom-scheme:" / "another.custom-scheme:"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-scheme-source">scheme-source</dfn> = <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-1">scheme-part</a> ":"

; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-source">host-source</dfn> = [ <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-2">scheme-part</a> "://" ] <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-1">host-part</a> [ <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-1">port-part</a> ] [ <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part-1">path-part</a> ]
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-scheme-part">scheme-part</dfn> = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.1">scheme</a> 
              ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.1">scheme</a> is defined in section 3.1 of RFC 3986.
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-part">host-part</dfn>   = "*" / [ "*." ] 1*<a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char-1">host-char</a> *( "." 1*<a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char-2">host-char</a> )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-char">host-char</dfn>   = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">DIGIT</a> / "-"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-port-part">port-part</dfn>   = ":" ( 1*<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">DIGIT</a> / "*" )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-path-part">path-part</dfn>   = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.3">path</a>
              ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.3">path</a> is defined in section 3.3 of RFC 3986.
   
; Keywords:
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-keyword-source">keyword-source</dfn> = "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-self">'self'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-inline">'unsafe-inline'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-eval">'unsafe-eval'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-strict-dynamic">'strict-dynamic'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-hashed-attributes">'unsafe-hashed-attributes'</dfn>"

; Nonces: 'nonce-[nonce goes here]'
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-nonce-source">nonce-source</dfn>  = "'nonce-" <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-1">base64-value</a> "'"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-base64-value">base64-value</dfn>  = 1*( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1">DIGIT</a> / "+" / "/" / "-" / "_" )*2( "=" ) 

; Digests: 'sha256-[digest goes here]'
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-hash-source">hash-source</dfn>    = "'" <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm-1">hash-algorithm</a> "-" <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-2">base64-value</a> "'"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-hash-algorithm">hash-algorithm</dfn> = "sha256" / "sha384" / "sha512"
</pre>
    <p>The <a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char-3">host-char</a> production intentionally contains only ASCII
  characters; internationalized domain names cannot be entered directly as part
  of a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-3">serialized CSP</a>, but instead MUST be Punycode-encoded <a data-link-type="biblio" href="#biblio-rfc3492">[RFC3492]</a>. For example, the domain <code>üüüüüü.de</code> MUST be represented as <code>xn--tdaaaaaa.de</code>.</p>
    <p class="note" role="note">Note: Though IP address do match the grammar above, only <code>127.0.0.1</code> will actually match a URL when used in a source
  expression (see <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> for details). The security
  properties of IP addresses are suspect, and authors ought to prefer hostnames
  whenever possible.</p>
    <p>A <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code> <dfn data-dfn-type="dfn" data-export="" id="matches-a-source-list">matches a source list<a class="self-link" href="#matches-a-source-list"></a></dfn> if the algorithm in <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> returns <code>Matches</code>.</p>
    <h3 class="heading settled" data-level="2.3" id="framework-violation"><span class="secno">2.3. </span><span class="content">Violations</span><a class="self-link" href="#framework-violation"></a></h3>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="violation">violation</dfn> represents an action or resource which goes against the
  set of <a data-link-type="dfn" href="#policy" id="ref-for-policy-10">policy</a> objects associated with a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-1">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-global-object">global object</dfn>, which
  is the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> whose <a data-link-type="dfn" href="#policy" id="ref-for-policy-11">policy</a> has been violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-2">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-url">url</dfn> which is its <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-1">global object</a>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-3">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-status">status</dfn> which is a
  non-negative integer representing the HTTP status code of the resource for
  which the global object was instantiated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-4">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-resource">resource</dfn>, which is
  either <code>null</code>, "<code>inline</code>", "<code>eval</code>", or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>. It represents the resource
  which violated the policy.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-5">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-referrer">referrer</dfn>, which is either <code>null</code>, or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>. It represents the referrer of the resource whose policy
  was violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-6">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-policy">policy</dfn>, which is the <a data-link-type="dfn" href="#policy" id="ref-for-policy-12">policy</a> that has been violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-7">violation</a> has an <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-effective-directive">effective directive</dfn> which is a non-empty string representing the <a data-link-type="dfn" href="#directives" id="ref-for-directives-7">directive</a> whose
  enforcement caused the violation.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-8">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-source-file">source file</dfn>, which is
  either <code>null</code> or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-9">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-line-number">line number</dfn>, which is
  a non-negative integer.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation-10">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-column-number">column number</dfn>, which
  is a non-negative integer.</p>
    <h4 class="heading settled algorithm" data-algorithm="Create a violation object for global, policy, and directive" data-level="2.3.1" id="create-violation-for-global"><span class="secno">2.3.1. </span><span class="content"> Create a violation object for <var>global</var>, <var>policy</var>, and <var>directive</var> </span><a class="self-link" href="#create-violation-for-global"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> (<var>global</var>), a <a data-link-type="dfn" href="#policy" id="ref-for-policy-13">policy</a> (<var>policy</var>), and a
  string (<var>directive</var>), the following algorithm creates a new <a data-link-type="dfn" href="#violation" id="ref-for-violation-11">violation</a> object, and populates it with an initial set of data:</p>
    <ol>
     <li data-md="">
      <p>Let <var>violation</var> be a new <a data-link-type="dfn" href="#violation" id="ref-for-violation-12">violation</a> whose <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-2">global
  object</a> is <var>global</var>, <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-1">policy</a> is <var>policy</var>, <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive-1">effective directive</a> is <var>directive</var>, and <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-1">resource</a> is <code>null</code>.</p>
     <li data-md="">
      <p>If the user agent is currently executing script, and can extract a source
  file’s URL, line number, and column number from the <var>global</var>, set <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file-1">source file</a>, <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number-1">line
  number</a>, and <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number-1">column number</a> accordingly.</p>
      <p class="issue" id="issue-c404edb5"><a class="self-link" href="#issue-c404edb5"></a> Is this kind of thing specified anywhere? I didn’t see anything
  that looked useful in <a data-link-type="biblio" href="#biblio-ecma262">[ECMA262]</a>.</p>
     <li data-md="">
      <p>If <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/browsers.html#dom-window">Window</a></code> object, set <var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer-1">referrer</a> to <var>global</var>’s <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/browsers.html#dom-document-2">document</a></code>'s <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#dom-document-referrer">referrer</a></code>.</p>
     <li data-md="">
      <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status-1">status</a> to the HTTP status code
  for the resource associated with <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-3">global
  object</a>.</p>
      <p class="issue" id="issue-99576800"><a class="self-link" href="#issue-99576800"></a> How, exactly, do we get the status code? We don’t actually store it
  anywhere.</p>
     <li data-md="">
      <p>Return <var>violation</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Create a violation object for request, policy, and directive" data-level="2.3.2" id="create-violation-for-request"><span class="secno">2.3.2. </span><span class="content"> Create a violation object for <var>request</var>, <var>policy</var>, and <var>directive</var> </span><a class="self-link" href="#create-violation-for-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="#policy" id="ref-for-policy-14">policy</a> (<var>policy</var>), and a string
  (<var>directive</var>), the following algorithm creates a new <a data-link-type="dfn" href="#violation" id="ref-for-violation-13">violation</a> object,
  and populates it with an initial set of data:</p>
    <ol>
     <li data-md="">
      <p>Let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.3.1 Create a violation object for global, policy, and directive</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#concept-settings-object-global">global object</a>, <var>policy</var>, and <var>directive</var>.</p>
     <li data-md="">
      <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-2">resource</a> to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a>.</p>
      <p class="note" role="note">Note: We use <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a>, and <em>not</em> its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-current-url">current url</a>, as the latter might contain information
  about redirect targets to which the page MUST NOT be given access.</p>
     <li data-md="">
      <p>Return <var>violation</var>.</p>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="3" id="policy-delivery"><span class="secno">3. </span><span class="content"> Policy Delivery </span><a class="self-link" href="#policy-delivery"></a></h2>
    <p>A server MAY declare a <a data-link-type="dfn" href="#policy" id="ref-for-policy-15">policy</a> for a particular <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3">resource
  representation</a> via an HTTP response header field whose value is a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-4">serialized CSP</a>. This mechanism is defined in detail in <a href="#csp-header">§3.1 The Content-Security-Policy HTTP Response Header Field</a> and <a href="#cspro-header">§3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field</a>, and the integration with Fetch
  and HTML is described in <a href="#fetch-integration">§4.1 Integration with Fetch</a> and <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <p>A <a data-link-type="dfn" href="#policy" id="ref-for-policy-16">policy</a> may also be declared inline in an HTML document via a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element’s <code><a data-link-type="element-sub" href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv">http-equiv</a></code> attribute, as described in <a href="#meta-element">§3.3 The &lt;meta> element</a>.</p>
    <h3 class="heading settled" data-level="3.1" id="csp-header"><span class="secno">3.1. </span><span class="content"> The <code>Content-Security-Policy</code> HTTP Response Header Field </span><a class="self-link" href="#csp-header"></a></h3>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="header-content-security-policy"><code>Content-Security-Policy</code></dfn> HTTP response header field
  is the preferred mechanism for delivering a policy from a server to a client.
  The header’s value is represented by the following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre>Content-Security-Policy = 1#<a data-link-type="grammar" href="#grammardef-serialized-policy" id="ref-for-grammardef-serialized-policy-1">serialized-policy</a>
</pre>
    <div class="example" id="example-30ac7d45">
     <a class="self-link" href="#example-30ac7d45"></a> 
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-1">Content-Security-Policy</a>: script-src 'self';
                         report-to csp-reporting-endpoint
</pre>
    </div>
    <p>A server MAY send different <code>Content-Security-Policy</code> header field
  values with different <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3">representations</a> of the same resource.</p>
    <p>A server SHOULD NOT send more than one HTTP response header field named
  "<code>Content-Security-Policy</code>" with a given <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3">resource
  representation</a>.</p>
    <p>When the user agent receives a <code>Content-Security-Policy</code> header field, it
  MUST <a data-link-type="dfn" href="#parse-serialized-policy" id="ref-for-parse-serialized-policy-2">parse</a> and <a data-link-type="dfn" href="#enforced" id="ref-for-enforced-1">enforce</a> each <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-5">serialized CSP</a> it contains as described in <a href="#fetch-integration">§4.1 Integration with Fetch</a>, <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <h3 class="heading settled" data-level="3.2" id="cspro-header"><span class="secno">3.2. </span><span class="content"> The <code>Content-Security-Policy-Report-Only</code> HTTP Response Header Field </span><a class="self-link" href="#cspro-header"></a></h3>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="header-content-security-policy-report-only"><code>Content-Security-Policy-Report-Only</code></dfn> HTTP response
  header field allows web developers to experiment with policies by monitoring
  (but not enforcing) their effects. The header’s value is represented by the
  following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre>Content-Security-Policy-Report-Only = 1#<a data-link-type="grammar" href="#grammardef-serialized-policy" id="ref-for-grammardef-serialized-policy-2">serialized-policy</a>
</pre>
    <p>This header field allows developers to piece together their security policy in
  an iterative fashion, deploying a report-only policy based on their best
  estimate of how their site behaves, watching for violation reports, and then
  moving to an enforced policy once they’ve gained confidence in that behavior.</p>
    <div class="example" id="example-d1b5cb79">
     <a class="self-link" href="#example-d1b5cb79"></a> 
<pre><a data-link-type="dfn" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only-1">Content-Security-Policy-Report-Only</a>: script-src 'self';
                                     report-to csp-reporting-endpoint
</pre>
    </div>
    <p>A server MAY send different <code>Content-Security-Policy-Report-Only</code> header field values with different <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3">representations</a> of the same
  resource.</p>
    <p>A server SHOULD NOT send more than one HTTP response header field named
  "<code>Content-Security-Policy-Report-Only</code>" with a given <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3">resource
  representation</a>.</p>
    <p>When the user agent receives a <code>Content-Security-Policy-Report-Only</code> header
  field, it MUST <a data-link-type="dfn" href="#parse-serialized-policy" id="ref-for-parse-serialized-policy-3">parse</a> and <a data-link-type="dfn" href="#monitored" id="ref-for-monitored-1">monitor</a> each <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-6">serialized CSP</a> it contains as described in <a href="#fetch-integration">§4.1 Integration with Fetch</a> and <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <p class="note" role="note">Note: The <a data-link-type="dfn" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only-2"><code>Content-Security-Policy-Report-Only</code></a> header is <strong>not</strong> supported inside a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
    <h3 class="heading settled" data-level="3.3" id="meta-element"><span class="secno">3.3. </span><span class="content"> The <code>&lt;meta></code> element </span><a class="self-link" href="#meta-element"></a></h3>
    <p>A <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> may deliver a policy via one or more HTML <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements
  whose <code><a data-link-type="element-sub" href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv">http-equiv</a></code> attributes are an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
  match</a> for the string "<code>Content-Security-Policy</code>". For example:</p>
    <div class="example" id="example-cff5e786">
     <a class="self-link" href="#example-cff5e786"></a> 
<pre>&lt;meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</pre>
    </div>
    <p>Implementation details can be found in HTML’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/#attr-meta-http-equiv-content-security-policy"><code>Content-Security-Policy</code> <code>http-equiv</code> processing instructions</a> <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
    <p class="note" role="note">Note: The <a data-link-type="dfn" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only-3"><code>Content-Security-Policy-Report-Only</code></a> header is <em>not</em> supported inside a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element. Neither are the <code>report-uri</code>, <code>frame-ancestors</code>, and <code>sandbox</code> directives.</p>
    <p>Authors are <em>strongly encouraged</em> to place <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements as early
  in the document as possible, because policies in <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> elements are not
  applied to content which precedes them. In particular, note that resources
  fetched or prefetched using the <code>Link</code> HTTP response header
  field, and resources fetched or prefetched using <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code> and <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements which precede a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code>-delivered policy will not be blocked.</p>
    <p class="note" role="note">Note: A policy specified via a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element will be enforced along with
  any other policies active for the protected resource, regardless
  of where they’re specified. The general impact of enforcing multiple
  policies is described in <a href="#multiple-policies">§8.1 The effect of multiple policies</a>.</p>
    <p class="note" role="note">Note: Modifications to the <code><a data-link-type="element-sub" href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-content">content</a></code> attribute of a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element
  after the element has been parsed will be ignored.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="4" id="integrations"><span class="secno">4. </span><span class="content">Integrations</span><a class="self-link" href="#integrations"></a></h2>
    <p><em>This section is non-normative.</em></p>
    <p>This document defines a set of algorithms which are used in other
  specifications in order to implement the functionality. These
  integrations are outlined here for clarity, but those external
  documents are the normative references which ought to be consulted for
  detailed information.</p>
    <h3 class="heading settled" data-level="4.1" id="fetch-integration"><span class="secno">4.1. </span><span class="content"> Integration with Fetch </span><a class="self-link" href="#fetch-integration"></a></h3>
    <p>A number of <a data-link-type="dfn" href="#directives" id="ref-for-directives-8">directives</a> control resource loading in one way or
  another. This specification provides algorithms which allow Fetch to make
  decisions about whether or not a particular <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> should be blocked
  or allowed, and about whether a particular <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> should be replaced
  with a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-network-error">network error</a>.</p>
    <ol>
     <li data-md="">
      <p><a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a> is called as part of step #5 of its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#main-fetch">Main
  Fetch</a> algorithm.</p>
     <li data-md="">
      <p><a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a> is called as part of step #13 of its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#main-fetch">Main
  Fetch</a> algorithm.</p>
    </ol>
    <p>A <a data-link-type="dfn" href="#policy" id="ref-for-policy-17">policy</a> is generally enforced upon a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>, but the
  user agent needs to <a data-link-type="dfn" href="#parse-serialized-policy" id="ref-for-parse-serialized-policy-4">parse</a> any policy
  delivered via an HTTP response header field before any <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> is created in order to handle directives that require knowledge of a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>’s details. To that end:</p>
    <ol>
     <li data-md="">
      <p>A <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> has an associated <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a> which
  contains any policy objects delivered in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</a>.</p>
     <li data-md="">
      <p><a href="#set-response-csp-list">§4.1.1 Set response’s CSP list</a> is called in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-fetch">HTTP fetch</a> and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-network-fetch">HTTP-network fetch</a> algorithms.</p>
      <p class="note" role="note">Note: These two calls should ensure that a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a> is set, regardless of how the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> is created. If we hit the network (via <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-network-fetch">HTTP-network
  fetch</a>, then we parse the policy before we handle the <code>Set-Cookie</code> header. If we get a response from a Service Worker (via <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-fetch">HTTP fetch</a>,
  we’ll process its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a> before handing the
  response back to our caller.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Set response’s CSP list" data-level="4.1.1" id="set-response-csp-list"><span class="secno">4.1.1. </span><span class="content"> Set <var>response</var>’s <code>CSP list</code> </span><a class="self-link" href="#set-response-csp-list"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), this algorithm evaluates its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</a> for <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-7">serialized CSP</a> values, and
  populates its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a> accordingly:</p>
    <ol>
     <li data-md="">
      <p>Set <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a> to the
  empty list.</p>
     <li data-md="">
      <p>Let <var>policies</var> be the result of executing <a href="#parse-serialized-policy-list">§2.1.2 Parse a serialized CSP list as disposition</a> on the result of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-parse">parsing</a> <code>Content-Security-Policy</code> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</a>, with a disposition
  of "<code>enforce</code>".</p>
     <li data-md="">
      <p>Append to <var>policies</var> the result of executing <a href="#parse-serialized-policy-list">§2.1.2 Parse a serialized CSP list as disposition</a> on the result of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-parse">parsing</a> <code>Content-Security-Policy-Report-Only</code> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</a>, with a disposition of "<code>report</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>policies</var>:</p>
      <ol>
       <li data-md="">
        <p>Insert <var>policy</var> into <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a>.</p>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Report Content Security Policy violations for request" data-level="4.1.2" id="report-for-request"><span class="secno">4.1.2. </span><span class="content"> Report Content Security Policy violations for <var>request</var> </span><a class="self-link" href="#report-for-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), this algorithm reports violations based
  on <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s "report only" policies.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#concept-settings-object-global">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-1">CSP list</a>.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-4">disposition</a> is "<code>enforce</code>",
  then skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>Let <var>violates</var> be the result of executing <a href="#does-request-violate-policy">§6.1.13.1 Does request violate policy?</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>violates</var> is not "<code>Does Not Violate</code>", then execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.3.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>violates</var>.</p>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should request be blocked by Content Security Policy?" data-level="4.1.3" id="should-block-request"><span class="secno">4.1.3. </span><span class="content"> Should <var>request</var> be blocked by Content Security Policy? </span><a class="self-link" href="#should-block-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), this algorithm returns <code>Blocked</code> or <code>Allowed</code> and reports violations based on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s Content Security Policy.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#concept-settings-object-global">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-2">CSP list</a>.</p>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-5">disposition</a> is "<code>report</code>",
  then skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>Let <var>violates</var> be the result of executing <a href="#does-request-violate-policy">§6.1.13.1 Does request violate policy?</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>violates</var> is not "<code>Does Not Violate</code>", then:</p>
        <ol>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.3.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>violates</var>.</p>
         <li data-md="">
          <p>Set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should response to request be blocked by Content
    Security Policy?" data-level="4.1.4" id="should-block-response"><span class="secno">4.1.4. </span><span class="content"> Should <var>response</var> to <var>request</var> be blocked by Content
    Security Policy? </span><a class="self-link" href="#should-block-response"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>) and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), this algorithm returns <code>Blocked</code> or <code>Allowed</code>, and reports violations based on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s Content Security Policy.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#concept-settings-object-global">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-3">CSP list</a>.</p>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-1">post-request check</a> is "<code>Blocked</code>", then:</p>
          <ol>
           <li data-md="">
            <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.3.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>directive</var>.</p>
           <li data-md="">
            <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-6">disposition</a> is "<code>enforce</code>",
  then set <var>result</var> to "<code>Blocked</code>".</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note">Note: This portion of the check verifies that the page can load the
  response. That is, that a Service Worker hasn’t substituted a file which
  would violate the page’s CSP.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check-1">response check</a> on <var>request</var>, <var>response</var>,
  and <var>policy</var> is "<code>Blocked</code>", then:</p>
          <ol>
           <li data-md="">
            <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.3.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>directive</var>.</p>
           <li data-md="">
            <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-7">disposition</a> is "<code>enforce</code>",
  then set <var>result</var> to "<code>Blocked</code>".</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note">Note: This portion of the check allows policies delivered with the
  response to determine whether the response is allowed to be delivered.</p>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="4.2" id="html-integration"><span class="secno">4.2. </span><span class="content"> Integration with HTML </span><a class="self-link" href="#html-integration"></a></h3>
    <ol>
     <li data-md="">
      <p>The <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> and <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a></code> objects have a <dfn class="dfn-paneled" data-dfn-for="global object" data-dfn-type="dfn" data-noexport="" id="global-object-csp-list">CSP list</dfn>,
  which holds all the <a data-link-type="dfn" href="#policy" id="ref-for-policy-18">policy</a> objects which are active for a given
  context. This list is empty unless otherwise specified, and is populated
  via the <a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a> algorithm.</p>
      <p class="issue" id="issue-a794766b"><a class="self-link" href="#issue-a794766b"></a> This concept is missing from W3C’s Workers. <a href="https://github.com/w3c/html/issues/187">&lt;https://github.com/w3c/html/issues/187></a></p>
     <li data-md="">
      <p>A <a data-link-type="dfn" href="#policy" id="ref-for-policy-19">policy</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="enforced">enforced</dfn> or <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="monitored">monitored</dfn> for a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> by inserting it into the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-4">CSP list</a>.</p>
     <li data-md="">
      <p><a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a> is called during the <a data-link-type="dfn" href="https://html.spec.whatwg.org/#initialising-a-new-document-object">initialising a
  new <code>Document</code> object</a> and <a data-link-type="dfn" href="https://html.spec.whatwg.org/#run-a-worker">run a worker</a> algorithms in order to
  bind a set of <a data-link-type="dfn" href="#policy" id="ref-for-policy-20">policy</a> objects associated with a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> to a
  newly created <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>.</p>
     <li data-md="">
      <p><a href="#should-block-inline">§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?</a> is called during the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a> and <a data-link-type="dfn" href="https://html.spec.whatwg.org/#update-a-style-block">update a <code>style</code> block</a> algorithms in order to determine whether or
  not an inline script or style block is allowed to execute/render.</p>
     <li data-md="">
      <p><a href="#should-block-inline">§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?</a> is called during handling of inline event
  handlers (like <code>onclick</code>) and inline <code>style</code> attributes in order to
  determine whether or not they ought to be allowed to execute/render.</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="#policy" id="ref-for-policy-21">Policy</a> is <a data-link-type="dfn" href="#enforced" id="ref-for-enforced-2">enforced</a> during processing of the <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element’s <code><a data-link-type="element-sub" href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv">http-equiv</a></code>.</p>
     <li data-md="">
      <p>A <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="embedding-document">embedding document</dfn> is the <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#browsing-context-nested-through">through which</a> the <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a> is nested.</p>
     <li data-md="">
      <p>HTML populates each <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce
  metadata</a> and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</a> with relevant data from the
  elements responsible for resource loading.</p>
      <p class="issue" id="issue-aa77c60b"><a class="self-link" href="#issue-aa77c60b"></a> Stylesheet loading is not yet integrated with
  Fetch in W3C’s HTML. <a href="https://github.com/whatwg/html/issues/198">&lt;https://github.com/whatwg/html/issues/198></a></p>
      <p class="issue" id="issue-25da4fba"><a class="self-link" href="#issue-25da4fba"></a> Stylesheet loading is not yet integrated with
  Fetch in WHATWG’s HTML. <a href="https://github.com/whatwg/html/issues/968">&lt;https://github.com/whatwg/html/issues/968></a></p>
     <li data-md="">
      <p><a href="#allow-base-for-document">§6.2.1.1 Is base allowed for document?</a> is called during <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-base-element">base</a></code>'s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/document-metadata.html#set-the-frozen-base-url">set the frozen
  base URL</a> algorithm to ensure that the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href">href</a></code> attribute’s value
  is valid.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Initialize a Document&apos;s CSP list" data-level="4.2.1" id="initialize-document-csp"><span class="secno">4.2.1. </span><span class="content"> Initialize a <code>Document</code>'s <code>CSP list</code> </span><a class="self-link" href="#initialize-document-csp"></a></h4>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> (<var>document</var>), and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), the
  user agent performs the following steps in order to initialize <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">CSP list</a>:</p>
    <ol>
     <li data-md="">
      <p>If <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>documents</var> be an empty list.</p>
       <li data-md="">
        <p>If <var>document</var> has an <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-1">embedding document</a> (<var>embedding</var>), then add <var>embedding</var> to <var>documents</var>.</p>
       <li data-md="">
        <p>If <var>document</var> has an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#opener-browsing-context">opener browsing context</a>, then add its <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#active-document">active document</a> to <var>documents</var>.</p>
       <li data-md="">
        <p>For each <var>doc</var> in <var>documents</var>:</p>
        <ol>
         <li data-md="">
          <p>For each <var>policy</var> in <var>doc</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">CSP list</a>:</p>
          <ol>
           <li data-md="">
            <p>Insert an alias to <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">CSP list</a>.</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note">Note: <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a> includes <code>about:</code>, and this algorithm will
  therefore alias the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-2">embedding document</a>’s policies for <a data-link-type="dfn" href="https://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe <code>srcdoc</code> <code>Document</code></a>.</p>
      <p class="note" role="note">Note: We do all this to ensure that a page cannot bypass its <a data-link-type="dfn" href="#policy" id="ref-for-policy-22">policy</a> by embedding a frame or popping up a new window containing content it
  controls (<code>blob:</code> resources, or <code>document.write()</code>).</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a>, insert <var>policy</var> into <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">CSP list</a>.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>Execute <var>directive</var>’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization-1">initialization</a> algorithm on <var>document</var> and <var>response</var>.</p>
        </ol>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Initialize a global object’s CSP list" data-level="4.2.2" id="initialize-global-object-csp"><span class="secno">4.2.2. </span><span class="content"> Initialize a global object’s <code>CSP list</code> </span><a class="self-link" href="#initialize-global-object-csp"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> (<var>global</var>), and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), the user agent performs the following steps in order
  to initialize <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-5">CSP list</a>:</p>
    <ol>
     <li data-md="">
      <p>If <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>documents</var> be an empty list.</p>
       <li data-md="">
        <p>Add each of <var>global</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/#the-workers-documents">document</a>s to <var>documents</var>.</p>
       <li data-md="">
        <p>For each <var>document</var> in <var>documents</var>:</p>
        <ol>
         <li data-md="">
          <p>For each <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global
  object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-6">CSP list</a>:</p>
          <ol>
           <li data-md="">
            <p>Insert an alias to <var>policy</var> in <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-7">CSP list</a>.</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note">Note: <a data-link-type="dfn" href="https://url.spec.whatwg.org/#local-scheme">local scheme</a> includes <code>about:</code>, and this algorithm will
  therefore alias the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document-3">embedding document</a>’s policies for <a data-link-type="dfn" href="https://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe <code>srcdoc</code> <code>Document</code></a>.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list">CSP list</a>, insert <var>policy</var> into <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-8">CSP list</a>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should element’s inline type behavior be blocked by Content Security Policy?" data-level="4.2.3" id="should-block-inline"><span class="secno">4.2.3. </span><span class="content"> Should <var>element</var>’s inline <var>type</var> behavior be blocked by Content Security Policy? </span><a class="self-link" href="#should-block-inline"></a></h4>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#interface-element">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>)
  this algorithm returns "<code>Allowed</code>" if the element is allowed to have inline
  definition of a particular type of behavior (script execution, style
  application, event handlers, etc.), and "<code>Blocked</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>element</var>’s <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-9">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check-1">inline check</a> returns
  "<code>Allowed</code>" when executed upon <var>element</var>, <var>type</var>, and <var>source</var>,
  skip to the next <var>directive</var>.</p>
         <li data-md="">
          <p>Otherwise, let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.3.1 Create a violation object for global, policy, and directive</a> on the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings
  object</a>, <var>policy</var>, and "<code>style-src</code>" if <var>type</var> is "<code>style</code>" or
  "<code>style-attribute</code>", or "<code>script-src</code>" otherwise.</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-3">resource</a> to "<code>inline</code>".</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-8">disposition</a> is "<code>enforce</code>", then
  set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="4.3" id="ecma-integration"><span class="secno">4.3. </span><span class="content">Integration with ECMAScript</span><a class="self-link" href="#ecma-integration"></a></h3>
    <p>ECMAScript defines a <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings()</a></code> abstract operation
  which allows the host environment to block the compilation of strings into
  ECMAScript code. This document defines an implementation of that abstract
  operation thich examines the relevant <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-10">CSP list</a> to determine whether such compilation ought to be blocked.</p>
    <h4 class="heading settled algorithm" data-algorithm="EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm)" data-dfn-type="dfn" data-level="4.3.1" data-lt="EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm)" data-noexport="" id="can-compile-strings"><span class="secno">4.3.1. </span><span class="content"> EnsureCSPDoesNotBlockStringCompilation(<var>callerRealm</var>, <var>calleeRealm</var>) </span><a class="self-link" href="#can-compile-strings"></a></h4>
    <p>Given two <a data-link-type="dfn" href="https://tc39.github.io/ecma262#realm">realms</a> (<var>callerRealm</var> and <var>calleeRealm</var>), this algorithm
  returns normally if string compilation is allowed, and throws an "<code>EvalError</code>"
  if not:</p>
    <ol>
     <li data-md="">
      <p>Let <var>globals</var> be a list containing <var>callerRealm</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/#concept-realm-global-object">global object</a> and <var>calleeRealm</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/#concept-realm-global-object">global object</a>.</p>
     <li data-md="">
      <p>For each <var>global</var> in <var>globals</var>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>policy</var> in <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-11">CSP list</a>:</p>
        <ol>
         <li data-md="">
          <p>Let <var>source-list</var> be null.</p>
         <li data-md="">
          <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-9">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-4">name</a> is "<code>script-src</code>", then set <var>source-list</var> to that <a data-link-type="dfn" href="#directives" id="ref-for-directives-10">directive</a>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-5">value</a>.</p>
          <p>Otherwise if <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-11">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-5">name</a> is "<code>default-src</code>", then set <var>source-list</var> to that directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-6">value</a>.</p>
         <li data-md="">
          <p>If <var>source-list</var> is non-null, and does not contain a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-3">source
  expression</a> which is an <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#ascii-case-insensitive">ASCII case-insensitive</a> match for the
  string "<a data-link-type="grammar" href="#grammardef-unsafe-eval" id="ref-for-grammardef-unsafe-eval-1"><code>'unsafe-eval'</code></a>", then throw an <code>EvalError</code> exception.</p>
        </ol>
      </ol>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="5" id="reporting"><span class="secno">5. </span><span class="content"> Reporting </span><a class="self-link" href="#reporting"></a></h2>
    <p>When one or more of a <a data-link-type="dfn" href="#policy" id="ref-for-policy-23">policy</a>’s directives is violated, a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="violation report" id="violation-report">violation
  report</dfn> may be generated and sent out to a reporting endpoint associated
  with the <a data-link-type="dfn" href="#policy" id="ref-for-policy-24">policy</a>.</p>
    <h3 class="heading settled" data-level="5.1" id="violation-events"><span class="secno">5.1. </span><span class="content"> Violation DOM Events </span><a class="self-link" href="#violation-events"></a></h3>
<pre class="idl highlight def">[<a class="nv idl-code" data-link-type="constructor" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent">Constructor</a>(<span class="kt">DOMString</span> <a class="nv idl-code" data-link-type="argument" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type</a>, <span class="kt">optional</span> <a class="n" data-link-type="idl-name" href="https://w3c.github.io/webappsec-csp/#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> <a class="nv idl-code" data-link-type="argument" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict</a>)]
<span class="kt">interface</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="securitypolicyviolationevent">SecurityPolicyViolationEvent</dfn> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#event">Event</a> {
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-documenturi">documentURI</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-referrer">referrer</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-blockeduri">blockedURI</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-sourcefile">sourceFile</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">unsigned</span> <span class="kt">short</span> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="unsigned short" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-statuscode">statusCode</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">long</span>           <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="long" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-linenumber">lineNumber</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">long</span>           <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="long" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-columnnumber">columnNumber</a>;
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-csp/#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#dictdef-eventinit">EventInit</a> {
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-documenturi">documentURI</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-referrer">referrer</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-blockeduri">blockedURI</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-violateddirective">violatedDirective</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-effectivedirective">effectiveDirective</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-originalpolicy">originalPolicy</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-sourcefile">sourceFile</a>;
    <span class="kt">unsigned</span> <span class="kt">short</span> <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned short " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-statuscode">statusCode</a>;
    <span class="kt">long</span>           <a class="nv idl-code" data-link-type="dict-member" data-type="long           " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-linenumber">lineNumber</a>;
    <span class="kt">long</span>           <a class="nv idl-code" data-link-type="dict-member" data-type="long           " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-columnnumber">columnNumber</a>;
};
</pre>
    <h3 class="heading settled" data-level="5.2" id="deprecated-serialize-violation"><span class="secno">5.2. </span><span class="content"> Obtain the deprecated serialization of <var>violation</var> </span><a class="self-link" href="#deprecated-serialize-violation"></a></h3>
    <p>Given a <a data-link-type="dfn" href="#violation" id="ref-for-violation-14">violation</a> (<var>violation</var>), this algorithm returns a JSON text
  string representation of the violation, suitable for submission to a reporting
  endpoint associated with the deprecated <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-1"><code>report-uri</code></a> directive.</p>
    <ol>
     <li data-md="">
      <p>Let <var>object</var> be a new JavaScript object with properties initialized as
  follows:</p>
      <dl>
       <dt data-md="">
        <p>"<code>document-uri</code>"</p>
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url-1">url</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">
        <p>"<code>referrer</code>"</p>
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer-2">referrer</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">
        <p>"<code>blocked-uri</code>"</p>
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-4">resource</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">
        <p>"<code>effective-directive</code>"</p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive-2">effective directive</a></p>
       <dt data-md="">
        <p>"<code>violated-directive</code>"</p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive-3">effective directive</a></p>
       <dt data-md="">
        <p>"<code>original-policy</code>"</p>
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp-8">serialization</a> of <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-2">policy</a></p>
       <dt data-md="">
        <p>"<code>status-code</code>"</p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status-2">status</a></p>
      </dl>
     <li data-md="">
      <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file-2">source file</a> is not <code>null</code>:</p>
      <ol>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>source-file</code>" property to the result of executing
  the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file-3">source
  file</a>, with the <code>exclude fragment</code> flag set.</p>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>line-number</code>" property to <var>violation</var>’s <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number-2">line number</a>.</p>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>column-number</code>" property to <var>violation</var>’s <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number-2">column number</a>.</p>
      </ol>
     <li data-md="">
      <p>Return the result of executing <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-json.stringify">JSON.stringify()</a></code> on <var>object</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="5.3" id="report-violation"><span class="secno">5.3. </span><span class="content"> Report a <var>violation</var> </span><a class="self-link" href="#report-violation"></a></h3>
    <p>Given a <a data-link-type="dfn" href="#violation" id="ref-for-violation-15">violation</a> (<var>violation</var>), this algorithm reports it to the
  endpoint specified in <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-3">policy</a>, and
  fires a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-1">SecurityPolicyViolationEvent</a></code> at <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-4">global object</a>.</p>
    <ol>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#concept-event-fire">Fire</a> a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#concept-event-trusted">trusted</a> event with the name <code>securitypolicyviolation</code> that uses the <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent-2">SecurityPolicyViolationEvent</a></code> interface, with its
  attributes initialized as follows:</p>
      <dl>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-documenturi">documentURI</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url-2">url</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-referrer">referrer</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer-3">referrer</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-blockeduri">blockedURI</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-5">resource</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive-4">effective directive</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive-5">effective directive</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-4">policy</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-sourcefile">sourceFile</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file-4">source file</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-statuscode">statusCode</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status-3">status</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-linenumber">lineNumber</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number-3">line number</a></p>
       <dt data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-columnnumber">columnNumber</a></code></p>
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number-3">column number</a></p>
      </dl>
      <p class="note" role="note">Note: Both <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a></code> and <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a></code> are the same value.
  This is intentional to maintain backwards compatibility.</p>
     <li data-md="">
      <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-5">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-6">directive
  set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-12">directive</a> named "<a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-2"><code>report-uri</code></a>"
  (<var>directive</var>):</p>
      <ol>
       <li data-md="">
        <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-6">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-7">directive set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-13">directive</a> named
  "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-1"><code>report-to</code></a>", skip the remaining substeps.</p>
       <li data-md="">
        <p>Let <var>endpoint</var> be the result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser">URL parser</a> on <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-7">value</a>.</p>
       <li data-md="">
        <p>If <var>endpoint</var> is not a valid URL, skip the remaining substeps.</p>
       <li data-md="">
        <p>Let <var>request</var> be a new <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>, initialized as follows:</p>
        <dl>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-method">method</a></p>
         <dd data-md="">
          <p>"<code>POST</code>"</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a></p>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url-3">url</a></p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-origin">origin</a></p>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-5">global object</a>’s <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a></p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-window">window</a></p>
         <dd data-md="">
          <p>"<code>no-window</code>"</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a></p>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-6">global object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant
  settings object</a></p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a></p>
         <dd data-md="">
          <p>""</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a></p>
         <dd data-md="">
          <p>""</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a></p>
         <dd data-md="">
          <p>""</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-cache-mode">cache mode</a></p>
         <dd data-md="">
          <p>"<code>no-cache</code>"</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-credentials-mode">credentials mode</a></p>
         <dd data-md="">
          <p>"<code>same-origin</code>"</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-header-list">header list</a></p>
         <dd data-md="">
          <p>A header list containing a single header whose name is
  "<code>Content-Type</code>", and value is "<code>application/csp-report</code>"</p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-body">body</a></p>
         <dd data-md="">
          <p>The result of executing <a href="#deprecated-serialize-violation">§5.2 Obtain the deprecated serialization of violation</a> on <var>violation</var></p>
         <dt data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</a></p>
         <dd data-md="">
          <p>"<code>error</code>"</p>
        </dl>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-fetch">Fetch</a> <var>request</var>. The result will be ignored.</p>
      </ol>
      <p class="note" role="note">Note: All of this should be considered deprecated. It sends a single
  request per violation, which simply isn’t scalable. As soon as this
  behavior can be removed from user agents, it will be.</p>
      <p class="note" role="note">Note: <code>report-uri</code> only takes effect if <code>report-to</code> is not present. That'
  is, the latter overrides the former, allowing for backwards compatibility
  with browsers that don’t support the new mechanism.</p>
     <li data-md="">
      <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy-7">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-8">directive
  set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-14">directive</a> named "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to-2"><code>report-to</code></a>"
  (<var>directive</var>):</p>
      <ol>
       <li data-md="">
        <p>Let <var>group</var> be <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-8">value</a>.</p>
       <li data-md="">
        <p>Let <var>settings object</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object-7">global
  object</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a>.</p>
       <li data-md="">
        <p>Execute <a data-link-type="biblio" href="#biblio-oob-reporting">[OOB-REPORTING]</a>'s <a data-link-type="dfn" href="https://w3c.github.io/reporting/#queue-report">Queue <var>data</var> as <var>type</var> for <var>endpoint group</var> on <var>settings</var></a> algorithm with the
  following arguments:</p>
        <dl>
         <dt data-md="">
          <p><var>data</var></p>
         <dd data-md="">
          <p><var>violation</var></p>
         <dt data-md="">
          <p><var>type</var></p>
         <dd data-md="">
          <p>"CSP"</p>
         <dt data-md="">
          <p><var>endpoint group</var></p>
         <dd data-md="">
          <p><var>group</var></p>
         <dt data-md="">
          <p><var>settings</var></p>
         <dd data-md="">
          <p><var>settings object</var></p>
        </dl>
      </ol>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="6" id="csp-directives"><span class="secno">6. </span><span class="content"> Content Security Policy Directives </span><a class="self-link" href="#csp-directives"></a></h2>
    <p>This specification defines a number of types of <a data-link-type="dfn" href="#directives" id="ref-for-directives-15">directives</a> which allow
  developers to control certain aspects of their sites' behavior. This document
  defines directives which govern resource fetching (in <a href="#directives-fetch">§6.1 Fetch Directives</a>),
  directives which govern the state of a document (in <a href="#directives-document">§6.2 Document Directives</a>),
  directives which govern aspects of navigation (in <a href="#directives-navigation">§6.3 Navigation Directives</a>),
  and directives which govern reporting (in <a href="#directives-reporting">§6.4 Reporting Directives</a>). These
  form the core of Content Security Policy; other directives are defined in a
  modular fashion in ancillary documents (see <a href="#directives-elsewhere">§6.5 Directives Defined in Other Documents</a> for
  examples).</p>
    <p>To mitigate the risk of cross-site scripting attacks, web developers SHOULD
  include directives that regulate sources of script and plugins. They can do
  so by including:</p>
    <ul>
     <li data-md="">
      <p>Both the <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-1">script-src</a> and <a data-link-type="dfn" href="#object-src" id="ref-for-object-src-1">object-src</a> directives, or</p>
     <li data-md="">
      <p>a <a data-link-type="dfn" href="#default-src" id="ref-for-default-src-1">default-src</a> directive</p>
    </ul>
    <p>In either case, developers SHOULD NOT include either <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline-1"><code>'unsafe-inline'</code></a>, or <code>data:</code> as valid
  sources in their policies. Both enable XSS attacks by allowing code to be
  included directly in the document itself; they are best avoided completely.</p>
    <h3 class="heading settled" data-level="6.1" id="directives-fetch"><span class="secno">6.1. </span><span class="content"> Fetch Directives </span><a class="self-link" href="#directives-fetch"></a></h3>
    <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="fetch-directives">Fetch directives</dfn> control the locations from which certain resourc
  types may be loaded. For instance, <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-2">script-src</a> allows developers to
  whitelist trusted sources of script to execute on a page, while <a data-link-type="dfn" href="#font-src" id="ref-for-font-src-1">font-src</a> controls the sources of web fonts.</p>
    <h4 class="heading settled" data-level="6.1.1" id="directive-child-src"><span class="secno">6.1.1. </span><span class="content"><code>child-src</code></span><a class="self-link" href="#directive-child-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="child-src">child-src</dfn> directive governs the creation of <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
  contexts</a> (e.g. <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> and <code><a data-link-type="element" href="https://www.w3.org/TR/html5/obsolete.html#frame">frame</a></code> navigations) and Worker execution
  contexts. The syntax for the directive’s name and value is described by the
  following ABNF:</p>
<pre>directive-name  = "child-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-1">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> which will populate a frame or a
  worker. More formally, <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> falling into one of the
  following categories:</p>
    <ul>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>document</code>", and whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
 context</a> (e.g. requests which will populate an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> or <code><a data-link-type="element" href="https://www.w3.org/TR/html5/obsolete.html#frame">frame</a></code> element)</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is either "<code>serviceworker</code>",
 "<code>sharedworker</code>", or "<code>worker</code>" (which are fed to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/#run-a-worker">run a worker</a> algorithm for <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/service-workers/#service-worker-interface">ServiceWorker</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker">SharedWorker</a></code>, and <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#worker">Worker</a></code>,
 respectively).</p>
    </ul>
    <div class="example" id="example-1cff8d33">
     <a class="self-link" href="#example-1cff8d33"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#child-src" id="ref-for-child-src-1">child-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will all return network errors, as the URLs
    provided do not match <code>child-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-1">source list</a>:</p>
<pre>&lt;iframe src="https://not-example.com">&lt;/iframe>
&lt;script>
  var blockedWorker = new Worker("data:application/javascript,...");
&lt;/script>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.1.1" id="child-src-algorithms"><span class="secno">6.1.1.1. </span><span class="content">Algorithms</span><a class="self-link" href="#child-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-1">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-25">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.1.13.5 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is not <code>frame-src</code> or <code>worker-src</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a directive whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-6">name</a> is <var>name</var>, return "<code>Allowed</code>"</p>
     <li data-md="">
      <p>Return the result of executing the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-2">pre-request
  check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives-16">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-7">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-9">value</a> for the comparison.</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-2">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-26">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.1.13.5 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is not <code>frame-src</code> or <code>worker-src</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a directive whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-8">name</a> is <var>name</var>, return "<code>Allowed</code>"</p>
     <li data-md="">
      <p>Return the result of executing the <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-3">post-request
  check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives-17">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-9">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-10">value</a> for the comparison.</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.2" id="directive-connect-src"><span class="secno">6.1.2. </span><span class="content"><code>connect-src</code></span><a class="self-link" href="#directive-connect-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="connect-src">connect-src</dfn> directive restricts the URLs which can be loaded
  using script interfaces. The syntax for the directive’s name and value is
  described by the following ABNF:</p>
<pre>directive-name  = "connect-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-2">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> which transmit or receive data from
  other origins. This includes APIs like <code>fetch()</code>, <a data-link-type="biblio" href="#biblio-xhr">[XHR]</a>, <a data-link-type="biblio" href="#biblio-eventsource">[EVENTSOURCE]</a>, <a data-link-type="biblio" href="#biblio-beacon">[BEACON]</a>, and <code><a data-link-type="element" href="https://www.w3.org/TR/html5/text-level-semantics.html#the-a-element">a</a></code>'s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/#ping">ping</a></code>. This directive <em>also</em> controls
  WebSocket <a data-link-type="biblio" href="#biblio-websockets">[WEBSOCKETS]</a> connections, though those aren’t technically part
  of Fetch.</p>
    <div class="example" id="example-ab3c2745">
     <a class="self-link" href="#example-ab3c2745"></a> JavaScript offers a few mechanisms that directly connect to an external
    server to send or receive information. <code>EventSource</code> maintains an open
    HTTP connection to a server in order to receive push notifications, <code>WebSockets</code> open a bidirectional communication channel between your
    browser and a server, and <code>XMLHttpRequest</code> makes arbitrary HTTP requests
    on your behalf. These are powerful APIs that enable useful functionality,
    but also provide tempting avenues for data exfiltration. 
     <p>The <code>connect-src</code> directive allows you to ensure that these and similar
    sorts of connections are only opened to origins you trust. Sending a
    policy that defines a list of source expressions for this directive is
    straightforward. For example, to limit connections to only <code>https://example.com</code>, send the following header:</p>
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src-1">connect-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will all return network errors, as the URLs
    provided do not match <code>connect-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-2">source list</a>:</p>
<pre>&lt;a ping="https://not-example.com">...
&lt;script>
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://not-example.com/');
  xhr.send();

  var ws = new WebSocket("https://not-example.com/");
        
  var es = new EventSource("https://not-example.com/");

  navigator.sendBeacon("https://not-example.com/", { ... });
&lt;/script>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.2.1" id="connect-src-algorithms"><span class="secno">6.1.2.1. </span><span class="content">Algorithms</span><a class="self-link" href="#connect-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-3">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-27">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>fetch</code>", or its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
  "<code>subresource</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-11">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-4">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-28">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>fetch</code>", or its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
  "<code>subresource</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-12">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.3" id="directive-default-src"><span class="secno">6.1.3. </span><span class="content"><code>default-src</code></span><a class="self-link" href="#directive-default-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="default-src">default-src</dfn> directive serves as a fallback for the other <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives-1">fetch directives</a>. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "default-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-3">serialized-source-list</a>
</pre>
    <p>If a <a data-link-type="dfn" href="#default-src" id="ref-for-default-src-2">default-src</a> directive is present in a policy, its value will be
  used as the policy’s default source list. That is, given <code>default-src 'none'; script-src 'self'</code>, script requests will use <code>'self'</code> as the <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-3">source
  list</a> to match against. Other requests will use <code>'none'</code>. This is spelled
  out in more detail in the <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a> and <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a> algorithms.</p>
    <div class="example" id="example-ff4cda9d">
     <a class="self-link" href="#example-ff4cda9d"></a> The following header: 
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-2">Content-Security-Policy</a>: <a data-link-type="dfn" href="#default-src" id="ref-for-default-src-3">default-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-2">'self'</a>
</pre>
     <p>will have the same behavior as the following header:</p>
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-3">Content-Security-Policy</a>: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src-2">connect-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-3">'self'</a>;
                         <a data-link-type="dfn" href="#font-src" id="ref-for-font-src-2">font-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-4">'self'</a>;
                         <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src-1">frame-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-5">'self'</a>;
                         <a data-link-type="dfn" href="#img-src" id="ref-for-img-src-1">img-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-6">'self'</a>;
                         <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src-1">manifest-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-7">'self'</a>;
                         <a data-link-type="dfn" href="#media-src" id="ref-for-media-src-1">media-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-8">'self'</a>;
                         <a data-link-type="dfn" href="#object-src" id="ref-for-object-src-2">object-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-9">'self'</a>;
                         <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-3">script-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-10">'self'</a>;
                         <a data-link-type="dfn" href="#style-src" id="ref-for-style-src-1">style-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-11">'self'</a>;
                         <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src-1">worker-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-12">'self'</a>
</pre>
     <p>That is, when <code>default-src</code> is set, every <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives-2">fetch directive</a> that isn’t
    explicitly set will fall back to the value <code>default-src</code> specifies.</p>
    </div>
    <div class="example" id="example-e1c8ddf3">
     <a class="self-link" href="#example-e1c8ddf3"></a> There is no inheritance. If a <code>script-src</code> directive is explicitly
    specified, for example, then the value of <code>default-src</code> has no influence on
    script requests. That is, the following header: 
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-4">Content-Security-Policy</a>: <a data-link-type="dfn" href="#default-src" id="ref-for-default-src-4">default-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-13">'self'</a>; <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-4">script-src</a> https://example.com
</pre>
     <p>will have the same behavior as the following header:</p>
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-5">Content-Security-Policy</a>: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src-3">connect-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-14">'self'</a>;
                         <a data-link-type="dfn" href="#font-src" id="ref-for-font-src-3">font-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-15">'self'</a>;
                         <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src-2">frame-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-16">'self'</a>;
                         <a data-link-type="dfn" href="#img-src" id="ref-for-img-src-2">img-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-17">'self'</a>;
                         <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src-2">manifest-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-18">'self'</a>;
                         <a data-link-type="dfn" href="#media-src" id="ref-for-media-src-2">media-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-19">'self'</a>;
                         <a data-link-type="dfn" href="#object-src" id="ref-for-object-src-3">object-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-20">'self'</a>;
                         <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-5">script-src</a> https://example.com;
                         <a data-link-type="dfn" href="#style-src" id="ref-for-style-src-2">style-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-21">'self'</a>;
                         <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src-2">worker-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-22">'self'</a>
</pre>
     <p>Given this behavior, one good way to build a policy for a site would be to
    begin with a <code>default-src</code> of <code>'none'</code>, and to build up a policy from there
    which allowed only those resource types which are necessary for the
    particular page the policy will apply to.</p>
    </div>
    <h5 class="heading settled" data-level="6.1.3.1" id="default-src-algorithms"><span class="secno">6.1.3.1. </span><span class="content">Algorithms</span><a class="self-link" href="#default-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-4">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-29">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.1.13.5 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is <code>null</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-18">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-10">name</a> is <var>name</var>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>frame-src</code>" or "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-19">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-11">name</a> is "<code>child-src</code>",
  return "<code>Allowed</code>".</p>
      <p class="note" role="note">Note: It would be lovely to remove this special case. Perhaps "effective
  directive" could return "<code>child-src</code>" and that could delegate out in the
  same way this algorithm does?</p>
     <li data-md="">
      <p>Otherwise, return the result of executing the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-5">pre-request check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives-20">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-12">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using
  this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-13">value</a> for the comparison.</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-5">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-30">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.1.13.5 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is <code>null</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-21">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-13">name</a> is <var>name</var>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>frame-src</code>" or "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives-22">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-14">name</a> is "<code>child-src</code>",
  return "<code>Allowed</code>".</p>
      <p class="note" role="note">Note: It would be lovely to remove this special case. Perhaps "effective
  directive" could return "<code>child-src</code>" and that could delegate out in the
  same way this algorithm does?</p>
     <li data-md="">
      <p>Otherwise, return the result of executing the <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-6">post-request check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives-23">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-15">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using
  this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-14">value</a> for the comparison.</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.4" id="directive-font-src"><span class="secno">6.1.4. </span><span class="content"><code>font-src</code></span><a class="self-link" href="#directive-font-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="font-src">font-src</dfn> directive restricts the URLs from which font resources
  may be loaded. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "font-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-4">serialized-source-list</a>
</pre>
    <div class="example" id="example-38056220">
     <a class="self-link" href="#example-38056220"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#font-src" id="ref-for-font-src-4">font-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>font-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-4">source list</a>:</p>
<pre>&lt;style>
  @font-face {
    font-family: "Example Font";
    src: url("https://not-example.com/font");
  }
  body {
    font-family: "Example Font";
  }
&lt;/style>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.4.1" id="font-src-algorithms"><span class="secno">6.1.4.1. </span><span class="content">Algorithms</span><a class="self-link" href="#font-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-6">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-31">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>font</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-15">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-7">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-32">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>font</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-16">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.5" id="directive-frame-src"><span class="secno">6.1.5. </span><span class="content"><code>frame-src</code></span><a class="self-link" href="#directive-frame-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="frame-src">frame-src</dfn> directive restricts the URLs which may be loaded into <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing contexts</a>. The syntax for the directive’s name and value
  is described by the following ABNF:</p>
<pre>directive-name  = "frame-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-5">serialized-source-list</a>
</pre>
    <div class="example" id="example-be3f1952">
     <a class="self-link" href="#example-be3f1952"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src-3">frame-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>frame-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-5">source list</a>:</p>
<pre>&lt;iframe src="https://not-example.com/">
&lt;/iframe>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.5.1" id="frame-src-algorithms"><span class="secno">6.1.5.1. </span><span class="content">Algorithms</span><a class="self-link" href="#frame-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-7">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-33">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>document</code>" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
  context</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-17">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-8">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-34">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>document</code>" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
  context</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-18">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.6" id="directive-img-src"><span class="secno">6.1.6. </span><span class="content"><code>img-src</code></span><a class="self-link" href="#directive-img-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="img-src">img-src</dfn> directive restricts the URLs from which image resources
  may be loaded. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "img-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-6">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> which load images. More formally, this
  includes <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>image</code>" <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>.</p>
    <div class="example" id="example-8e5ffeae">
     <a class="self-link" href="#example-8e5ffeae"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#img-src" id="ref-for-img-src-3">img-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>img-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-6">source list</a>:</p>
<pre>&lt;img src="https://not-example.com/img">
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.6.1" id="img-src-algorithms"><span class="secno">6.1.6.1. </span><span class="content">Algorithms</span><a class="self-link" href="#img-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-8">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-35">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>image</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-19">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-9">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-36">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>image</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-20">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.7" id="directive-manifest-src"><span class="secno">6.1.7. </span><span class="content"><code>manifest-src</code></span><a class="self-link" href="#directive-manifest-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="manifest-src">manifest-src</dfn> directive restricts the URLs from which application
  manifests may be loaded <a data-link-type="biblio" href="#biblio-appmanifest">[APPMANIFEST]</a>. The syntax for the directive’s name
  and value is described by the following ABNF:</p>
<pre>directive-name  = "manifest-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-7">serialized-source-list</a>
</pre>
    <div class="example" id="example-165f453d">
     <a class="self-link" href="#example-165f453d"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src-3">manifest-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>manifest-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-7">source list</a>:</p>
<pre>&lt;link rel="manifest" href="https://not-example.com/manifest">
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.7.1" id="manifest-src-algorithms"><span class="secno">6.1.7.1. </span><span class="content">Algorithms</span><a class="self-link" href="#manifest-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-9">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-37">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>manifest</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-21">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-10">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-38">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is "<code>manifest</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-22">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.8" id="directive-media-src"><span class="secno">6.1.8. </span><span class="content"><code>media-src</code></span><a class="self-link" href="#directive-media-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="media-src">media-src</dfn> directive restricts the URLs from which video, audio,
  and associated text track resources may be loaded. The syntax for the
  directive’s name and value is described by the following ABNF:</p>
<pre>directive-name  = "media-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-8">serialized-source-list</a>
</pre>
    <div class="example" id="example-557d9dba">
     <a class="self-link" href="#example-557d9dba"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#media-src" id="ref-for-media-src-3">media-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>media-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-8">source list</a>:</p>
<pre>&lt;audio src="https://not-example.com/audio">&lt;/audio>
&lt;video src="https://not-example.com/video">
    &lt;track kind="subtitles" src="https://not-example.com/subtitles">
&lt;/video>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.8.1" id="media-src-algorithms"><span class="secno">6.1.8.1. </span><span class="content">Algorithms</span><a class="self-link" href="#media-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-10">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-39">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is one of "<code>audio</code>", "<code>video</code>",
  or "<code>track</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-23">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-11">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-40">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is one of "<code>audio</code>", "<code>video</code>",
  or "<code>track</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-24">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.9" id="directive-object-src"><span class="secno">6.1.9. </span><span class="content"><code>object-src</code></span><a class="self-link" href="#directive-object-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="object-src">object-src</dfn> directive restricts the URLs from which plugin
  content may be loaded. The syntax for the directive’s name and value is
  described by the following ABNF:</p>
<pre>directive-name  = "object-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-9">serialized-source-list</a>
</pre>
    <div class="example" id="example-3469e20e">
     <a class="self-link" href="#example-3469e20e"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#object-src" id="ref-for-object-src-4">object-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>object-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-9">source list</a>:</p>
<pre>&lt;embed src="https://not-example.com/flash">&lt;/embed>
&lt;object data="https://not-example.com/flash">&lt;/object>
&lt;applet archive="https://not-example.com/flash">&lt;/applet>
</pre>
    </div>
    <p>If plugin content is loaded without an associated URL (perhaps an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element lacks a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-object-data">data</a></code> attribute, but loads some default plugin based
  on the specified <code>type</code>), it MUST be blocked if <code>object-src</code>'s value is <code>'none'</code>, but will otherwise be allowed.</p>
    <p class="note" role="note">Note: The <code>object-src</code> directive acts upon any request made on behalf of
  an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>, or <code><a data-link-type="element" href="https://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element. This includes requests
  which would populate the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a> generated by the
  former two (also including navigations). This is true even when the data is
  semantically equivalent to content which would otherwise be restricted by
  another directive, such as an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element with a <code>text/html</code> MIME
  type.</p>
    <h5 class="heading settled" data-level="6.1.9.1" id="object-src-algorithms"><span class="secno">6.1.9.1. </span><span class="content">Algorithms</span><a class="self-link" href="#object-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-11">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-41">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>unknown</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-25">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-12">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-42">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>unknown</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-26">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.10" id="directive-script-src"><span class="secno">6.1.10. </span><span class="content"><code>script-src</code></span><a class="self-link" href="#directive-script-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="script-src">script-src</dfn> directive restricts the locations from which scripts
  may be executed. This includes not only URLs loaded directly into <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements, but also things like inline script blocks and XSLT stylesheets <a data-link-type="biblio" href="#biblio-xslt">[XSLT]</a> which can trigger script execution. The syntax for the directive’s
  name and value is described by the following ABNF:</p>
<pre>directive-name  = "script-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-10">serialized-source-list</a>
</pre>
    <p>The <code>script-src</code> directive governs four things:</p>
    <ol>
     <li data-md="">
      <p>Script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> MUST pass through <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>.</p>
     <li data-md="">
      <p>Script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">responses</a> MUST pass through <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>.</p>
     <li data-md="">
      <p>Inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> blocks MUST pass through <a href="#should-block-inline">§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?</a>. Their
  behavior will be blocked unless every policy allows inline script, either
  implicitly by not specifying a <code>script-src</code> (or <code>default-src</code>) directive,
  or explicitly, by whitelisting "<code>unsafe-inline</code>", a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-2">nonce-source</a> or a <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-2">hash-source</a> that matches
  the inline block.</p>
     <li data-md="">
      <p>The following JavaScript execution sinks are gated on the "<code>unsafe-eval</code>"
  source expression:</p>
      <ul>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-eval-x">eval()</a></code></p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-function-objects">Function()</a></code></p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-settimeout">setTimeout()</a></code> with an initial argument which is not callable.</p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-setinterval">setInterval()</a></code> with an initial argument which is not callable.</p>
      </ul>
      <p class="note" role="note">Note: If a user agent implements non-standard sinks like <code>setImmediate()</code> or <code>execScript()</code>, they SHOULD also be gated on "<code>unsafe-eval</code>".</p>
    </ol>
    <h5 class="heading settled" data-level="6.1.10.1" id="script-src-algorithms"><span class="secno">6.1.10.1. </span><span class="content">Algorithms</span><a class="self-link" href="#script-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-12">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-43">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>script</code>", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>subresource</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.1.13.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-27">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-28">value</a> contains one or more <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-4">source expressions</a> that match the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-3">hash-source</a> grammar, and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata">integrity metadata</a> is
  not the empty string, then:</p>
        <ol>
         <li data-md="">
          <p>Let <var>integrity sources</var> be the result of executing the <a href="https://www.w3.org/TR/SRI/#parse-metadata">Subresource Integrity §parse-metadata</a> algorithm on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata">integrity metadata</a>. <a data-link-type="biblio" href="#biblio-sri">[SRI]</a></p>
         <li data-md="">
          <p class="assertion">Assert: <var>integrity sources</var> is not "<code>no metadata</code>".</p>
         <li data-md="">
          <p>Let <var>bypass due to integrity match</var> be <code>true</code>.</p>
         <li data-md="">
          <p>For each <var>source</var> in <var>integrity sources</var>:</p>
          <ol>
           <li data-md="">
            <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-29">value</a> does not
  contain a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-5">source expression</a> whose <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm-2">hash-algorithm</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match
  for <var>source</var>’s <code>hash-algo</code> component, and whose <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-3">base64-value</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match
  for <var>source</var>’s <code>base64-value</code>, then set <var>bypass due to
  integrity match</var> to <code>false</code>.</p>
          </ol>
         <li data-md="">
          <p>If <var>bypass due to integrity match</var> is <code>true</code>, return
  "<code>Allowed</code>".</p>
        </ol>
        <p class="note" role="note">Note: Here, we verify only that the <var>request</var> contains a set of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata">integrity metadata</a> which is a subset of the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-4">hash-source</a> <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-6">source expressions</a> whitelisted by
  this directive. We rely on the browser’s enforcement of Subresource
  Integrity <a data-link-type="biblio" href="#biblio-sri">[SRI]</a> to block non-matching resources upon response.</p>
       <li data-md="">
        <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-30">value</a> contains a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-7">source
  expression</a> that is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for
  the "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-1"><code>'strict-dynamic'</code></a>" <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-2">keyword-source</a>:</p>
        <ol>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</a> is
  "<code>parser-inserted</code>", return "<code>Blocked</code>".</p>
          <p>Otherwise, return "<code>Allowed</code>".</p>
          <p class="note" role="note">Note: "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-2"><code>'strict-dynamic'</code></a>" is explained in more detail
  in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
        </ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-31">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-13">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-44">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>script</code>", and its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>subresource</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.1.13.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-32">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p class="assertion">Assert: This directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-33">value</a> does not contain "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-3"><code>'strict-dynamic'</code></a>", or <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</a> is not "<code>parser-inserted</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-34">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check-2">inline check</a> algorithm is as follows:</p>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#interface-element">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>script attribute</code>":</p>
      <ol>
       <li data-md="">
        <p>If <var>list</var> contains a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-8">source expression</a> which is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-3">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-4"><code>'strict-dynamic'</code></a>", and does not contain a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-9">source expression</a> which is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive
  match</a> for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-4">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes-1"><code>'unsafe-hashed-attributes'</code></a>", return "<code>Blocked</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-element-to-source-list">§6.1.14.1 Does element match source list for type and source?</a> on <var>element</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-35">value</a>, and <var>type</var> is "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>script</code>":</p>
      <ol>
       <li data-md="">
        <p>If <var>list</var> contains a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-10">source expression</a> which is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-5">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-5"><code>'strict-dynamic'</code></a>", return "<code>Blocked</code>".</p>
        <p class="note" role="note">Note: "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-6"><code>'strict-dynamic'</code></a>" is explained in more detail
  in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-element-to-source-list">§6.1.14.1 Does element match source list for type and source?</a> on <var>element</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-36">value</a>, and <var>type</var> is "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.11" id="directive-style-src"><span class="secno">6.1.11. </span><span class="content"><code>style-src</code></span><a class="self-link" href="#directive-style-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="style-src">style-src</dfn> directive restricts the locations from which style
  may be applied to a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>. The syntax for the directive’s name and
  value is described by the following ABNF:</p>
<pre>directive-name  = "style-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-11">serialized-source-list</a>
</pre>
    <p>The <code>style-src</code> directive governs several things:</p>
    <ol>
     <li data-md="">
      <p>Style <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">requests</a> MUST pass through <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>. This
  includes:</p>
      <ol>
       <li data-md="">
        <p>Stylesheet requests originating from a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a></code> element.</p>
       <li data-md="">
        <p>Stylesheet requests originating from the <a class="css" data-link-type="at-rule" href="https://www.w3.org/TR/css-cascade-3/#at-ruledef-import"><code>@import</code></a> rule.</p>
       <li data-md="">
        <p>Stylesheet requests originating from a <code>Link</code> HTTP response header
  field <a data-link-type="biblio" href="#biblio-rfc5988">[RFC5988]</a>.</p>
      </ol>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">Responses</a> to style requests MUST pass through <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>.</p>
     <li data-md="">
      <p>Inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> blocks MUST pass through <a href="#should-block-inline">§4.2.3 Should element’s inline type behavior be blocked by Content Security Policy?</a>. The
  styles will be blocked unless every policy allows inline style, either
  implicitly by not specifying a <code>style-src</code> (or <code>default-src</code>) directive,
  or explicitly, by whitelisting "<code>unsafe-inline</code>", a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-3">nonce-source</a> or a <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-5">hash-source</a> that matches
  the inline block.</p>
     <li data-md="">
      <p>The following CSS algorithms are gated on the <code>unsafe-eval</code> source
  expression:</p>
      <ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom/#insert-a-css-rule">insert a CSS rule</a></p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom/#parse-a-css-rule">parse a CSS rule</a>,</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom/#parse-a-css-declaration-block">parse a CSS declaration block</a></p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom/#parse-a-group-of-selectors">parse a group of selectors</a></p>
      </ol>
      <p>This would include, for example, all invocations of CSSOM’s various <code>cssText</code> setters and <code>insertRule</code> methods <a data-link-type="biblio" href="#biblio-cssom">[CSSOM]</a> <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>.</p>
      <p class="issue" id="issue-ba1a0a35"><a class="self-link" href="#issue-ba1a0a35"></a> This needs to be better explained.</p>
    </ol>
    <h5 class="heading settled" data-level="6.1.11.1" id="style-src-algorithms"><span class="secno">6.1.11.1. </span><span class="content">Algorithms</span><a class="self-link" href="#style-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-13">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-45">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>style</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.1.13.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-37">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-38">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-14">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-46">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a> is "<code>style</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.1.13.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-39">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-40">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check-3">inline check</a> algorithm is as follows:</p>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#interface-element">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>style</code>" or "<code>style attribute</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-element-to-source-list">§6.1.14.1 Does element match source list for type and source?</a> on <var>element</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-41">value</a>, <var>type</var>,
  and <var>source</var>, is "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization-2">initialization</a> algorithm is as follows:</p>
    <p class="issue" id="issue-eba1ebc1"><a class="self-link" href="#issue-eba1ebc1"></a> Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so
  let’s work with them to put something reasonable together.</p>
    <h4 class="heading settled" data-level="6.1.12" id="directive-worker-src"><span class="secno">6.1.12. </span><span class="content"><code>worker-src</code></span><a class="self-link" href="#directive-worker-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="worker-src">worker-src</dfn> directive restricts the URLs which may be loaded as
  a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/workers/#worker">Worker</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker">SharedWorker</a></code>, or <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/service-workers/#service-worker-interface">ServiceWorker</a></code>. The syntax for the
  directive’s name and value is described by the following ABNF:</p>
<pre>directive-name  = "worker-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-12">serialized-source-list</a>
</pre>
    <div class="example" id="example-3cd57774">
     <a class="self-link" href="#example-3cd57774"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src-3">worker-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>worker-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-10">source list</a>:</p>
<pre>&lt;script>
  var blockedWorker = new Worker("data:application/javascript,...");
  blockedWorker = new SharedWorker("https://not-example.com/");
  navigator.serviceWorker.register('https://not-example.com/sw.js');
&lt;/script>
</pre>
    </div>
    <h5 class="heading settled" data-level="6.1.12.1" id="worker-src-algorithms"><span class="secno">6.1.12.1. </span><span class="content">Algorithms</span><a class="self-link" href="#worker-src-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-14">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-47">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-42">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-15">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-48">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url">url</a> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-43">value</a> is "<code>Does Not Match</code>",
  return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.13" id="fetch-directive-matching-url"><span class="secno">6.1.13. </span><span class="content">URL Matching Algorithms</span><a class="self-link" href="#fetch-directive-matching-url"></a></h4>
    <h5 class="heading settled algorithm" data-algorithm="Does request violate policy?" data-level="6.1.13.1" id="does-request-violate-policy"><span class="secno">6.1.13.1. </span><span class="content"> Does <var>request</var> violate <var>policy</var>? </span><a class="self-link" href="#does-request-violate-policy"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-49">policy</a> (<var>policy</var>), this
  algorithm returns the violated <a data-link-type="dfn" href="#directives" id="ref-for-directives-24">directive</a> if the request violates the
  policy, and "<code>Does Not Violate</code>" otherwise.</p>
    <ol>
     <li data-md="">
      <p>Let <var>violates</var> be "<code>Does Not Violate</code>".</p>
     <li data-md="">
      <p>For each <var>directive</var> in <var>policy</var>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>result</var> be the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-15">pre-request check</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>result</var> is "<code>Blocked</code>", then let <var>violates</var> be <var>directive</var>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>violates</var>.</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does nonce match source list?" data-level="6.1.13.2" id="match-nonce-to-source-list"><span class="secno">6.1.13.2. </span><span class="content"> Does <var>nonce</var> match <var>source list</var>? </span><a class="self-link" href="#match-nonce-to-source-list"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a> (<var>nonce</var>) and a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-11">source list</a> (<var>source list</var>), this algorithm returns
  "<code>Matches</code>" if the nonce matches one or more source expressions in the list,
  and "<code>Does Not Match</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source list</var> is not <code>null</code>.</p>
     <li data-md="">
      <p>If <var>nonce</var> is the empty string, return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>source list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-4"><code>nonce-source</code></a> grammar,
  and <var>nonce</var> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-4"><code>base64-value</code></a> part, return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does url match source list?" data-level="6.1.13.3" id="match-url-to-source-list"><span class="secno">6.1.13.3. </span><span class="content"> Does <var>url</var> match <var>source list</var>? </span><a class="self-link" href="#match-url-to-source-list"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code> (<var>url</var>), and a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-12">source list</a> (<var>source list</var>), this
  algorithm returns "<code>Matches</code>" if the URL matches one or more source
  expressions in <var>source list</var>, or "<code>Does Not Match</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source list</var> is not <code>null</code>.</p>
     <li data-md="">
      <p>If <var>source list</var> is an empty list, return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>If <var>source list</var> contains a single item which is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for the string "<code>'none'</code>", return "<code>Does Not Match</code>".</p>
      <p class="note" role="note">Note: An empty source list (that is, a directive without a value: <code>script-src</code>,
  as opposed to <code>script-src host1</code>) is equivalent to a source list containing <code>'none'</code>,
  and will not match any URL.</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>source list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <a href="#match-url-to-source-expression">§6.1.13.4 Does url match expression in origin with redirect count?</a> returns "<code>Matches</code>" when
  executed upon <var>url</var> and <var>expression</var>, return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does url match expression in origin with redirect count?" data-level="6.1.13.4" id="match-url-to-source-expression"><span class="secno">6.1.13.4. </span><span class="content"> Does <var>url</var> match <var>expression</var> in <var>origin</var> with <var>redirect count</var>? </span><a class="self-link" href="#match-url-to-source-expression"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code> (<var>url</var>), a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-11">source expression</a> (<var>expression</var>), an <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a> (<var>origin</var>), and a number (<var>redirect count</var>), this algorithm
  returns "<code>Matches</code>" if <var>url</var> matches <var>expression</var>, and "<code>Does Not Match</code>"
  otherwise.</p>
    <p class="note" role="note">Note: <var>origin</var> is the <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a> of the resource relative to which the <var>expression</var> should be resolved. "<code>'self'</code>", for instance, will have distinct
  meaning depending on that bit of context.</p>
    <ol>
     <li data-md="">
      <p>If <var>expression</var> is the string "*", and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#network-scheme">network scheme</a>, return "<code>Matches</code>".</p>
      <p class="note" role="note">Note: This logic means that in order to allow resource from non-<a data-link-type="dfn" href="https://url.spec.whatwg.org/#network-scheme">network scheme</a>,
  it has to be explicitly whitelisted: <code>default-src * data: custom-scheme-1: custom-scheme-2:</code>.
  In other words, there is no semantic representation of most permissive <var>expression</var>.</p>
     <li data-md="">
      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source-2"><code>scheme-source</code></a> or <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-2"><code>host-source</code></a> grammar:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> has a <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-3"><code>scheme-part</code></a> that is not an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>, then
  return "<code>Does Not Match</code>" unless one of the following conditions is
  met:</p>
        <ol>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-4"><code>scheme-part</code></a> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for "<code>http</code>" and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>"</p>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-5"><code>scheme-part</code></a> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for "<code>ws</code>" and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>wss</code>", "<code>http</code>" or "<code>https</code>"</p>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-6"><code>scheme-part</code></a> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for "<code>wss</code>" and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>"</p>
        </ol>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source-3"><code>scheme-source</code></a> grammar,
  return "<code>Matches</code>".</p>
      </ol>
      <p class="note" role="note">Note: This logic effectively means that <code>script-src http:</code> is
  equivalent to <code>script-src http: https:</code>, and <code>script-src http://example.com/</code> is equivalent to <code>script-src http://example.com https://example.com</code>. As well as WebSocket 
  schemes are equivalent to corresponding HTTP schemes. In short,
  we always allow a secure upgrade from an explicitly insecure expression.</p>
     <li data-md="">
      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-3"><code>host-source</code></a> grammar:</p>
      <ol>
       <li data-md="">
        <p>If <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code> is <code>null</code>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var> does not have a <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-7"><code>scheme-part</code></a>, then
  return "<code>Does Not Match</code>" unless one of the following conditions is
  met:</p>
        <ol>
         <li data-md="">
          <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code></p>
         <li data-md="">
          <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>http</code>", and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> one of "<code>https</code>", "<code>ws</code>", or "<code>wss</code>".</p>
         <li data-md="">
          <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>", and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>wss</code>".</p>
        </ol>
        <p class="note" role="note">Note: As with <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-8"><code>scheme-part</code></a> above, we allow schemeless <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-4"><code>host-source</code></a> expressions to be upgraded from insecure
  schemes to secure schemes.</p>
       <li data-md="">
        <p>If the first character of <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-2"><code>host-part</code></a> is an U+002A ASTERISK character (<code>*</code>):</p>
        <ol>
         <li data-md="">
          <p>Let <var>remaining</var> be the result of removing the leading "<code>*</code>" from <var>expression</var>.</p>
         <li data-md="">
          <p>If <var>remaining</var> (including the leading U+002E FULL STOP character
  (<code>.</code>)) is not an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for the
  rightmost characters of <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code>, then return "<code>Does Not Match</code>".</p>
        </ol>
       <li data-md="">
        <p>If the first character of <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-3"><code>host-part</code></a> is not an U+002A ASTERISK character (<code>*</code>), and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code> is not an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-4"><code>host-part</code></a>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-5"><code>host-part</code></a> matches the <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.2.2">IPv4address</a> rule from <a data-link-type="biblio" href="#biblio-rfc3986">[RFC3986]</a>, and is not
  "<code>127.0.0.1</code>"; or if <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part-6"><code>host-part</code></a> is an <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv6">IPv6 address</a>, return "<code>Does Not Match</code>".</p>
        <p class="note" role="note">Note: A future version of this specification may allow literal IPv6
  and IPv4 addresses, depending on usage and demand. Given the weak
  security properties of IP addresses in relation to named hosts,
  however, authors are encouraged to prefer the latter whenever
  possible.</p>
       <li data-md="">
        <p>If <var>expression</var> does not contain a <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-2"><code>port-part</code></a>, and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-port">port</a></code> is not the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port">default port</a> for <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var> does contain a <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-3"><code>port-part</code></a>, return
  "<code>Does Not Match</code>" unless one of the following conditions is met:</p>
        <ol>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-4"><code>port-part</code></a> is "<code>*</code>".</p>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-5"><code>port-part</code></a> is the same number as <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-port">port</a></code>.</p>
         <li data-md="">
          <p><var>expression</var>’s <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part-6"><code>port-part</code></a> is <code>80</code>, and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-port">port</a></code> is <code>443</code>.</p>
        </ol>
       <li data-md="">
        <p>If <var>expression</var> contains a non-empty <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part-2"><code>path-part</code></a>, and <var>redirect count</var> is 0, then:</p>
        <ol>
         <li data-md="">
          <p>Let <var>exact match</var> be <code>false</code> if the final character of <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part-3"><code>path-part</code></a> is the U+002F SOLIDUS
  character (<code>/</code>), and <code>true</code> otherwise.</p>
         <li data-md="">
          <p>Let <var>path list</var> be the result of <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#strictly-split-a-string">strictly splitting</a> <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part-4"><code>path-part</code></a> on the U+002F SOLIDUS
  character (<code>/</code>).</p>
         <li data-md="">
          <p>If <var>path list</var> has more items than <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-path">path</a></code>, return
  "<code>Does Not Match</code>".</p>
         <li data-md="">
          <p>If <var>exact match</var> is <code>true</code>, and <var>path list</var> does not have the same
  number of items as <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-path">path</a></code>, return "<code>Does Not Match</code>".</p>
         <li data-md="">
          <p>For each <var>expression piece</var> in <var>path list</var>:</p>
          <ol>
           <li data-md="">
            <p>Let <var>url piece</var> be the next item in <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-path">path</a></code>.</p>
           <li data-md="">
            <p><a data-link-type="dfn" href="https://url.spec.whatwg.org/#percent-decode">Percent decode</a> <var>expression piece</var>.</p>
           <li data-md="">
            <p><a data-link-type="dfn" href="https://url.spec.whatwg.org/#percent-decode">Percent decode</a> <var>url piece</var>.</p>
           <li data-md="">
            <p>If <var>expression piece</var> is not a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match
  for <var>url piece</var>, return "<code>Does Not Match</code>".</p>
          </ol>
        </ol>
       <li data-md="">
        <p>Return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>expression</var> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for "<code>'self'</code>",
  return "<code>Matches</code>" if one or more of the following conditions is met:</p>
      <ol>
       <li data-md="">
        <p><var>origin</var> is the same as <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-origin">origin</a></code></p>
       <li data-md="">
        <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code> is the same as <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-host">host</a></code>, <var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-port">port</a></code> and <var>url</var>’s {{URL/port} are either the same
  or the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port">default ports</a> for their respective <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code>s, and
  one or more of the following conditions is met:</p>
        <ol>
         <li data-md="">
          <p><var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>https</code>" or "<code>wss</code>"</p>
         <li data-md="">
          <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a></code> is "<code>http</code>"</p>
        </ol>
      </ol>
      <p class="note" role="note">Note: Like the <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part-9"><code>scheme-part</code></a> logic above, the "<code>'self'</code>"
  matching algorithm allows upgrades to secure schemes when it is safe to do
  so. We limit these upgrades to endpoints running on the default port for a
  particular scheme or a port that matches the origin of the protected
  resource, as this seems sufficient to deal with upgrades that can be
  reasonably expected to succeed.</p>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Get the effective directive for request" data-level="6.1.13.5" id="effective-directive-for-a-request"><span class="secno">6.1.13.5. </span><span class="content"> Get the effective directive for <var>request</var> </span><a class="self-link" href="#effective-directive-for-a-request"></a></h5>
    <p>Each <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives-3">fetch directive</a> controls a specific type of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a>. Given
  a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), the following algorithm returns either <code>null</code> or the <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-16">name</a> of the request’s <dfn data-dfn-for="request" data-dfn-type="dfn" data-export="" id="request-effective-directive">effective directive<a class="self-link" href="#request-effective-directive"></a></dfn>:</p>
    <ol>
     <li data-md="">
      <p>Switch on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-type">type</a>, and execute
  the associated steps:</p>
      <dl>
       <dt data-md="">
        <p>""</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is
  "<code>fetch</code>", return <code>connect-src</code>.</p>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a> is
  "<code>manifest</code>", return <code>manifest-src</code>.</p>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
  "<code>subresource</code>", return <code>connect-src</code>.</p>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
  "<code>unknown</code>", return <code>object-src</code>.</p>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is
  "<code>document</code>" <em>and</em> the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing
  context</a>, return <code>frame-src</code>.</p>
        </ol>
       <dt data-md="">
        <p>"<code>audio</code>"</p>
       <dt data-md="">
        <p>"<code>track</code>"</p>
       <dt data-md="">
        <p>"<code>video</code>"</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>media-src</code>.</p>
        </ol>
       <dt data-md="">
        <p>"<code>font</code>"</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>font-src</code>.</p>
        </ol>
       <dt data-md="">
        <p>"<code>image</code>"</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>image-src</code>.</p>
        </ol>
       <dt data-md="">
        <p>"<code>style</code>"</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>style-src</code>.</p>
        </ol>
       <dt data-md="">
        <p>"<code>script</code>"</p>
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Switch on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a>, and
  execute the associated steps:</p>
          <dl>
           <dt data-md="">
            <p>"<code>script</code>"</p>
           <dt data-md="">
            <p>"<code>subresource</code>"</p>
           <dd data-md="">
            <ol>
             <li data-md="">
              <p>Return <code>script-src</code>.</p>
            </ol>
           <dt data-md="">
            <p>"<code>serviceworker</code>"</p>
           <dt data-md="">
            <p>"<code>sharedworker</code>"</p>
           <dt data-md="">
            <p>"<code>worker</code>"</p>
           <dd data-md="">
            <ol>
             <li data-md="">
              <p>Return <code>worker-src</code>.</p>
            </ol>
          </dl>
        </ol>
      </dl>
     <li data-md="">
      <p>Return <code>null</code>.</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.14" id="fetch-directive-matching-element"><span class="secno">6.1.14. </span><span class="content">Element Matching Algorithms</span><a class="self-link" href="#fetch-directive-matching-element"></a></h4>
    <h5 class="heading settled algorithm" data-algorithm="Does element match source list for type and source?" data-level="6.1.14.1" id="match-element-to-source-list"><span class="secno">6.1.14.1. </span><span class="content"> Does <var>element</var> match source <var>list</var> for <var>type</var> and <var>source</var>? </span><a class="self-link" href="#match-element-to-source-list"></a></h5>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#interface-element">Element</a></code> (<var>element</var>), a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-13">source list</a> (<var>list</var>), a string
  (<var>type</var>), and a string (<var>source</var>), this algorithm returns "<code>Matches</code>" or
  "<code>Does Not Match</code>".</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source</var> contains the value of a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element’s <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/scripting.html#dom-script-text">text</a></code> IDL attribute, the value of a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code> element’s <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/dom/#dom-node-textcontent">textContent</a></code> IDL attribute, or the value of one of a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#event-handler-idl-attributes">event handler IDL attribute</a>.</p>
      <p class="note" role="note">Note: This means that <var>source</var> will be interpreted with the encoding
  of the page in which it is embedded. See the integration points
  in <a href="#html-integration">§4.2 Integration with HTML</a> for more detail.</p>
     <li data-md="">
      <p>If <var>type</var> <var>element</var> has an attribute whose name is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII
  case-insensitive match</a> for the string "<code>&lt;script</code>", or the string
  "<code>&lt;style</code>", then return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>Let <var>contains nonce or hash</var> and <var>hashes match attributes</var> be <code>false</code>.</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-5"><code>nonce-source</code></a> or <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-6"><code>hash-source</code></a> grammar, set <var>contains nonce or hash</var> to <code>true</code>.</p>
       <li data-md="">
        <p>If <var>expression</var> is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-6"><code>keyword-source</code></a> "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes-2"><code>'unsafe-hashed-attributes'</code></a>", set <var>hashes match
  attributes</var> to <code>true</code>.</p>
      </ol>
     <li data-md="">
      <p>If <var>contains nonce or hash</var> is <code>false</code>, and <var>list</var> contains a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-12">source expression</a> which is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for the string "'unsafe-inline'", then return "<code>Matches</code>".</p>
      <p class="note" role="note">Note: This logic means that if <var>list</var> contains both "'unsafe-inline'"
  and either <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-6"><code>nonce-source</code></a> or <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-7"><code>hash-source</code></a>,
  "'unsafe-inline'" will have no effect.</p>
     <li data-md="">
      <p>If <var>type</var> is "<code>script</code>" or "<code>style</code>":</p>
      <ol>
       <li data-md="">
        <p>For each <var>expression</var> in <var>list</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-7"><code>nonce-source</code></a> grammar,
  and <var>element</var> has a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/#attr-script-nonce">nonce</a></code> attribute whose value is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-5"><code>base64-value</code></a> part, return "<code>Matches</code>".</p>
        </ol>
      </ol>
      <p class="note" role="note">Note: Nonces only apply to inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> and inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code>, not to
  attributes of either element.</p>
     <li data-md="">
      <p>If <var>type</var> is "<code>script</code>" or "<code>style</code>", or <var>hashes match attributes</var> is <code>true</code>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>expression</var> in <var>list</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-8"><code>hash-source</code></a> grammar:</p>
          <ol>
           <li data-md="">
            <p>Let <var>algorithm</var> be <code>null</code>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm-3"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for "sha256", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-256</a>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm-4"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for "sha384", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-384</a>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm-5"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ASCII case-insensitive match</a> for "sha512", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-512</a>.</p>
           <li data-md="">
            <p>If <var>algorithm</var> is not <code>null</code>:</p>
            <ol>
             <li data-md="">
              <p>Let <var>actual</var> be the result of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-4">base64 encoding</a> the
  result of applying <var>algorithm</var> to <var>source</var>.</p>
             <li data-md="">
              <p>If <var>actual</var> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a> match for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value-6"><code>base64-value</code></a> part, return
  "<code>Matches</code>".</p>
            </ol>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note">Note: Hashes apply to inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> and inline <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a></code>. If the
  "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes-3"><code>'unsafe-hashed-attributes'</code></a>" source expression is present,
  they will also apply to event handlers and style attributes.</p>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h3 class="heading settled" data-level="6.2" id="directives-document"><span class="secno">6.2. </span><span class="content"> Document Directives </span><a class="self-link" href="#directives-document"></a></h3>
    <p>The following directives govern the properties of a document or worker
  environment to which a policy applies.</p>
    <h4 class="heading settled" data-level="6.2.1" id="directive-base-uri"><span class="secno">6.2.1. </span><span class="content"><code>base-uri</code></span><a class="self-link" href="#directive-base-uri"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="base-uri">base-uri</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>s which can be used in
  a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-base-element">base</a></code> element. The syntax for the directive’s name and
  value is described by the following ABNF:</p>
<pre>directive-name  = "base-uri"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list-13">serialized-source-list</a>
</pre>
    <p>The following algorithm is called during HTML’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/document-metadata.html#set-the-frozen-base-url">set the frozen base url</a> algorithm in order to monitor and enforce this directive:</p>
    <h5 class="heading settled algorithm" data-algorithm="Is base allowed for document?" data-level="6.2.1.1" id="allow-base-for-document"><span class="secno">6.2.1.1. </span><span class="content"> Is <var>base</var> allowed for <var>document</var>? </span><a class="self-link" href="#allow-base-for-document"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code> (<var>base</var>), and a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> (<var>document</var>), this algorithm
  returns "<code>Allowed</code>" if <var>base</var> may be used as the value of a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-base-element">base</a></code> element’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href">href</a></code> attribute, and "<code>Blocked</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p>For each <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list-12">csp list</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>source list</var> be <code>null</code>.</p>
       <li data-md="">
        <p>If a <a data-link-type="dfn" href="#directives" id="ref-for-directives-25">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name-17">name</a> is
  "<code>base-uri</code>" is present in <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set-9">directive
  set</a>, set <var>source list</var> to that <a data-link-type="dfn" href="#directives" id="ref-for-directives-26">directive</a>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-44">value</a>.</p>
       <li data-md="">
        <p>If <var>source list</var> is <code>null</code>, skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> on <var>base</var> and <var>source list</var> is "<code>Does Not Match</code>":</p>
        <ol>
         <li data-md="">
          <p>Let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.3.1 Create a violation object for global, policy, and directive</a> on <var>document</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global
  object</a>, <var>policy</var>, and "<a data-link-type="dfn" href="#base-uri" id="ref-for-base-uri-1"><code>base-uri</code></a>".</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource-6">resource</a> to "<code>inline</code>".</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-9">disposition</a> is "<code>enforce</code>",
  return "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.2.2" id="directive-plugin-types"><span class="secno">6.2.2. </span><span class="content"><code>plugin-types</code></span><a class="self-link" href="#directive-plugin-types"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="plugin-types">plugin-types</dfn> directive restricts the set of plugins that
  can be embedded into a document by limiting the types of resources which can
  be loaded. The directive’s syntax is described by the following ABNF grammar:</p>
<pre>directive-name  = "plugin-types"
directive-value = <a data-link-type="grammar" href="#grammardef-media-type-list" id="ref-for-grammardef-media-type-list-1">media-type-list</a>

<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-media-type-list">media-type-list</dfn> = <a data-link-type="grammar" href="#grammardef-media-type" id="ref-for-grammardef-media-type-1">media-type</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="#grammardef-media-type" id="ref-for-grammardef-media-type-2">media-type</a> )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-media-type">media-type</dfn> = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1">type</a> "/" <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1">subtype</a>
; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1">type</a> and <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1">subtype</a> are defined in RFC 2045
</pre>
    <p>If a <code>plugin-types</code> directive is present, instantiation of an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code> or <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code> element will fail if any of the following conditions hold:</p>
    <ol>
     <li data-md="">
      <p>The element does not explicitly declare a <a data-link-type="dfn">MIME type</a> via a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-embed-type">type</a></code> attribute.</p>
     <li data-md="">
      <p>The declared type does not match one of the items in the directive’s
  value.</p>
     <li data-md="">
      <p>The fetched resource does not match the declared type.</p>
    </ol>
    <div class="example" id="example-324fa51f">
     <a class="self-link" href="#example-324fa51f"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types-1">plugin-types</a> application/pdf
</pre>
     <p>Fetches for the following code will all return network errors:</p>
<pre>&lt;!-- No 'type' declaration -->
&lt;object data="https://example.com/flash">&lt;/object>

&lt;!-- Non-matching 'type' declaration -->
&lt;object data="https://example.com/flash" type="application/x-shockwave-flash">&lt;/object>

&lt;!-- Non-matching resource -->
&lt;object data="https://example.com/flash" type="application/pdf">&lt;/object>
</pre>
     <p>If the page allowed Flash content by sending the following header:</p>
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types-2">plugin-types</a> application/x-shockwave-flash
</pre>
     <p>Then the second item above would load successfully:</p>
<pre>&lt;!-- Matching 'type' declaration and resource -->
&lt;object data="https://example.com/flash" type="application/x-shockwave-flash">&lt;/object>
</pre>
    </div>
    <p class="issue" id="issue-4d81caf0"><a class="self-link" href="#issue-4d81caf0"></a> Define the hooks into HTML’s plugin loading algorithms.</p>
    <h4 class="heading settled" data-level="6.2.3" id="directive-sandbox"><span class="secno">6.2.3. </span><span class="content"><code>sandbox</code></span><a class="self-link" href="#directive-sandbox"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="sandbox">sandbox</dfn> directive specifies an HTML sandbox policy which the
  user agent will apply to a resource, just as though it had been included in
  an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> with a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox">sandbox</a></code> property.</p>
    <p>The directive’s syntax is described by the following ABNF grammar, with
  the additional requirement that each token value MUST be one of the
  keywords defined by HTML specification as allowed values for the <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code> <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox">sandbox</a></code> attribute <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
<pre>directive-name  = "sandbox"
directive-value = "" / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> )
</pre>
    <p>This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a data-link-type="dfn" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only-4"><code>Content-Security-Policy-Report-Only</code></a> header, or within
  a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
    <h5 class="heading settled" data-level="6.2.3.1" id="sandbox-algorithms"><span class="secno">6.2.3.1. </span><span class="content">Algorithms</span><a class="self-link" href="#sandbox-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check-2">response check</a> algorithm is as
  follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-50">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#parse-a-sandboxing-directive">Parse a sandboxing directive</a> algorithm
  using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-45">value</a> as the input
  contains either the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a> or
  the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a> flags, return
  "<code>Blocked</code>".</p>
        <p class="note" role="note">Note: This will need to change if we allow Workers to be sandboxed into
  unique origins, which seems like a pretty reasonable thing to do.</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization-3">initialization</a> algorithm is
  responsible for adjusting a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#forced-sandboxing-flag-set">forced sandboxing flag set</a> according to the <a data-link-type="dfn" href="#sandbox" id="ref-for-sandbox-1"><code>sandbox</code></a> values present in its policies, as
  follows:</p>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> or <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> (<var>context</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-51">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition-10">disposition</a> is not "<code>Enforce</code>", or <var>context</var> is not a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code>, then abort this algorithm.</p>
      <p class="note" role="note">Note: This will need to change if we allow Workers to be sandboxed,
  which seems like a pretty reasonable thing to do.</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#parse-a-sandboxing-directive">Parse a sandboxing directive</a> using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-46">value</a> as the input, and <var>context</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#forced-sandboxing-flag-set">forced
  sandboxing flag set</a> as the output.</p>
    </ol>
    <h4 class="heading settled" data-level="6.2.4" id="directive-disown-opener"><span class="secno">6.2.4. </span><span class="content"><code>disown-opener</code></span><a class="self-link" href="#directive-disown-opener"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="disown-opener"><code>disown-opener</code></dfn> directive ensures that a resource
  will <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#disown-its-opener">disown its opener</a> when navigated to. The directive’s syntax is
  described by the following ABNF grammar:</p>
<pre>directive-name  = "disown-opener"
directive-value = ""
</pre>
    <p>This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a data-link-type="dfn" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only-5"><code>Content-Security-Policy-Report-Only</code></a> header, or within
  a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
    <p class="issue" id="issue-b04594c3"><a class="self-link" href="#issue-b04594c3"></a> Not sure this is the right model. We need to ensure that we take care
  of <a href="https://github.com/w3c/webappsec/issues/139">the inverse</a> as
  well, and there might be a cleverer syntax that could encompass both a
  document’s opener, and a document’s openees. <code>disown-openee</code> is weird.
  Maybe <code>disown 'opener' 'openee'</code>? Do we need origin restrictions on either/both?</p>
    <h5 class="heading settled" data-level="6.2.4.1" id="disown-opener-algorithms"><span class="secno">6.2.4.1. </span><span class="content">Algorithms</span><a class="self-link" href="#disown-opener-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization-4">initialization</a> algorithm is as
  follows:</p>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/html5/dom.html#document">Document</a></code> or <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a> (<var>context</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-52">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>context</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/webappapis.html#responsible-browsing-context">responsible browsing context</a> has an <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#opener-browsing-context">opener browsing
  context</a>, <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#disown-its-opener">disown its opener</a>.</p>
    </ol>
    <p class="issue" id="issue-466edd09"><a class="self-link" href="#issue-466edd09"></a> What should this do in an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>? Anything?</p>
    <h3 class="heading settled" data-level="6.3" id="directives-navigation"><span class="secno">6.3. </span><span class="content"> Navigation Directives </span><a class="self-link" href="#directives-navigation"></a></h3>
    <h4 class="heading settled" data-level="6.3.1" id="directive-form-action"><span class="secno">6.3.1. </span><span class="content"><code>form-action</code></span><a class="self-link" href="#directive-form-action"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="form-action">form-action</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>s which can be used
  as the target of a form submissions.</p>
    <p class="issue" id="issue-15904ee9"><a class="self-link" href="#issue-15904ee9"></a> Define the hooks into HTML’s navigation and form submission algorithms.</p>
    <h4 class="heading settled" data-level="6.3.2" id="directive-frame-ancestors"><span class="secno">6.3.2. </span><span class="content"><code>frame-ancestors</code></span><a class="self-link" href="#directive-frame-ancestors"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="frame-ancestors">frame-ancestors</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url">URL</a></code>s which can
  embed the resource using <code><a data-link-type="element" href="https://www.w3.org/TR/html5/obsolete.html#frame">frame</a></code>, <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>, <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a></code>, <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a></code>, or <code><a data-link-type="element" href="https://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a></code> element. Resources can use this directive to avoid many UI
  Redressing <a data-link-type="biblio" href="#biblio-uisecurity">[UISECURITY]</a> attacks, by avoiding the risk of being embedded into
  potentially hostile contexts.</p>
    <p>The directive’s syntax is described by the following ABNF grammar:</p>
<pre>directive-name  = "frame-ancestors"
directive-value = <a data-link-type="grammar" href="#grammardef-ancestor-source-list" id="ref-for-grammardef-ancestor-source-list-1">ancestor-source-list</a>

<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-ancestor-source-list">ancestor-source-list</dfn> = ( <a data-link-type="grammar" href="#grammardef-ancestor-source" id="ref-for-grammardef-ancestor-source-1">ancestor-source</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="#grammardef-ancestor-source" id="ref-for-grammardef-ancestor-source-2">ancestor-source</a>) ) / "<a data-link-type="grammar" href="#grammardef-none" id="ref-for-grammardef-none-2">'none'</a>"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-ancestor-source">ancestor-source</dfn>      = <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source-4">scheme-source</a> / <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-5">host-source</a> / "<a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-23">'self'</a>"
</pre>
    <p>The <code>frame-ancestors</code> directive MUST be ignored when contained in a policy
  declared via a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a></code> element.</p>
    <p class="note" role="note">Note: The <code>frame-ancestors</code> directive’s syntax is similar to a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists-14">source
  list</a>, but <code>frame-ancestors</code> will not fall back to the <code>default-src</code> directive’s value if one is specified. That is, a policy that declares <code>default-src 'none'</code> will still allow the resource to be embedded by anyone.</p>
    <h5 class="heading settled" data-level="6.3.2.1" id="frame-ancestors-algorithms"><span class="secno">6.3.2.1. </span><span class="content">Algorithms</span><a class="self-link" href="#frame-ancestors-algorithms"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check-3">response check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#policy" id="ref-for-policy-53">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a> is "<code>document</code>" <em>and</em> the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing
  context</a> is a <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>ancestor</var> of the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor
  browsing context</a>s:</p>
        <ol>
         <li data-md="">
          <p>Let <var>origin-as-url</var> be the result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser">URL
  parser</a> on the <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#unicode-serialization-of-an-origin">unicode serialization</a> of <var>ancestor</var>’s <a data-link-type="dfn" href="https://www.w3.org/TR/html5/browsers.html#active-document">active document</a>’s origin.</p>
         <li data-md="">
          <p>If <a href="#match-url-to-source-list">§6.1.13.3 Does url match source list?</a> returns <code>Does Not Match</code> when
  executed upon <var>origin-as-url</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value-47">value</a>, return "<code>Blocked</code>".</p>
          <p class="issue" id="issue-feda0121"><a class="self-link" href="#issue-feda0121"></a> Do we need syntax to allow matching a unique origin?</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p class="issue" id="issue-ca898011"><a class="self-link" href="#issue-ca898011"></a> Rewrite this in terms of HTML’s navigation algorithm.</p>
    <h3 class="heading settled" data-level="6.4" id="directives-reporting"><span class="secno">6.4. </span><span class="content"> Reporting Directives </span><a class="self-link" href="#directives-reporting"></a></h3>
    <p>Various algorithms in this document hook into the reporting process by
  constructing a <a data-link-type="dfn" href="#violation" id="ref-for-violation-16">violation</a> object via <a href="#create-violation-for-request">§2.3.2 Create a violation object for request, policy, and directive</a> or <a href="#create-violation-for-global">§2.3.1 Create a violation object for global, policy, and directive</a>, and passing that object to <a href="#report-violation">§5.3 Report a violation</a> to deliver the report.</p>
    <h4 class="heading settled" data-level="6.4.1" id="directive-report-uri"><span class="secno">6.4.1. </span><span class="content"><code>report-uri</code></span><a class="self-link" href="#directive-report-uri"></a></h4>
    <div class="note" role="note">
      Note: The <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-3"><code>report-uri</code></a> directive is deprecated. Please use the <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-3"><code>report-to</code></a> directive instead. If the latter directive is present,
    this directive will be ignored. To ensure backwards compatibility, we
    suggest specifying both, like this: 
     <div class="example" id="example-9d2ef57e">
      <a class="self-link" href="#example-9d2ef57e"></a> 
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-6">Content-Security-Policy</a>: ...; <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-4">report-uri</a> https://endpoint.com; <a data-link-type="dfn" href="#report-to" id="ref-for-report-to-4">report-to</a> groupname
</pre>
     </div>
    </div>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="report-uri"><code>report-uri</code></dfn> directive defines a set of endpoints to which <a data-link-type="dfn" href="#violation-report" id="ref-for-violation-report-1">violation reports</a> will be sent when particular behaviors are prevented.</p>
<pre>directive-name  = "report-uri"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1">uri-reference</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1">uri-reference</a> )

; The <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1">uri-reference</a> grammar is defined in Section 4.1 of RFC 3986.
</pre>
    <p>The directive has no effect in and of itself, but only gains meaning in
  combination with other directives.</p>
    <h4 class="heading settled" data-level="6.4.2" id="directive-report-to"><span class="secno">6.4.2. </span><span class="content"><code>report-to</code></span><a class="self-link" href="#directive-report-to"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="report-to"><code>report-to</code></dfn> directive defines a <a data-link-type="dfn" href="https://w3c.github.io/reporting/#group">reporting
  group</a> to which violation reports ought to be sent <a data-link-type="biblio" href="#biblio-oob-reporting">[OOB-REPORTING]</a>. The
  directive’s behavior is defined in <a href="#report-violation">§5.3 Report a violation</a>. The directive’s name
  and value are described by the following ABNF:</p>
<pre>directive-name  = "report-to"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a>
</pre>
    <h3 class="heading settled" data-level="6.5" id="directives-elsewhere"><span class="secno">6.5. </span><span class="content"> Directives Defined in Other Documents </span><a class="self-link" href="#directives-elsewhere"></a></h3>
    <p>This document defines a core set of directives, and sets up a framework for
  modular extension by other specifications. At the time this document was
  produced, the following stable documents extend CSP:</p>
    <ul>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-mix">[MIX]</a> defines <code>block-all-mixed-content</code></p>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-upgrade-insecure-requests">[UPGRADE-INSECURE-REQUESTS]</a> defines <code>upgrade-insecure-requests</code></p>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-sri">[SRI]</a> defines <code>require-sri-for</code></p>
    </ul>
    <p>Extensions to CSP MUST register themselves via the process outlined in <a data-link-type="biblio" href="#biblio-rfc7762">[RFC7762]</a>. In particular, note the criteria discussed in Section 4.2 of
  that document.</p>
    <p>New directives SHOULD use the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check-16">pre-request check</a>, <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check-16">post-request check</a>, <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check-4">response
  check</a>, and <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization-5">initialization</a> hooks in order to
  integrate themselves into Fetch and HTML.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="7" id="security-considerations"><span class="secno">7. </span><span class="content">Security Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
    <h3 class="heading settled" data-level="7.1" id="security-nonces"><span class="secno">7.1. </span><span class="content">Nonce Reuse</span><a class="self-link" href="#security-nonces"></a></h3>
    <p>Nonces override the other restrictions present in the directive in which
  they’re delivered. It is critical, then, that they remain unguessable, as
  bypassing a resource’s policy is otherwise trivial.</p>
    <p>If a server delivers a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-8">nonce-source</a> expression as part of a <a data-link-type="dfn" href="#policy" id="ref-for-policy-54">policy</a>, the server MUST generate a unique value each time it
  transmits a policy. The generated value SHOULD be at least 128 bits long
  (before encoding), and SHOULD be generated via a cryptographically secure
  random number generator in order to ensure that the value is difficult for
  an attacker to predict.</p>
    <p class="note" role="note">Note: Using a nonce to whitelist inline script or style is less secure than
  not using a nonce, as nonces override the restrictions in the directive in
  which they are present. An attacker who can gain access to the nonce can
  execute whatever script they like, whenever they like. That said, nonces
  provide a substantial improvement over <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline-2">'unsafe-inline'</a> when
  layering a content security policy on top of old code. When considering <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline-3">'unsafe-inline'</a>, authors are encouraged to consider nonces
  (or hashes) instead.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="8" id="authoring-considerations"><span class="secno">8. </span><span class="content">Authoring Considerations</span><a class="self-link" href="#authoring-considerations"></a></h2>
    <h3 class="heading settled" data-level="8.1" id="multiple-policies"><span class="secno">8.1. </span><span class="content"> The effect of multiple policies </span><a class="self-link" href="#multiple-policies"></a></h3>
    <p><em>This section is not normative.</em></p>
    <p>The above sections note that when multiple policies are present, each must be
  enforced or reported, according to its type. An example will help clarify how
  that ought to work in practice. The behavior of an <code>XMLHttpRequest</code> might seem unclear given a site that, for whatever reason, delivered the
  following HTTP headers:</p>
    <div class="example" id="example-ef0bfc7a">
     <a class="self-link" href="#example-ef0bfc7a"></a> 
<pre>Content-Security-Policy: default-src 'self' http://example.com http://example.net;
                         connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
                         script-src http://example.com/
</pre>
    </div>
    <p>Is a connection to example.com allowed or not? The short answer is that the
  connection is not allowed. Enforcing both policies means that a potential
  connection would have to pass through both unscathed. Even though the second
  policy would allow this connection, the first policy contains <code>connect-src 'none'</code>, so its enforcement blocks the connection. The
  impact is that adding additional policies to the list of policies to enforce
  can <em>only</em> further restrict the capabilities of the protected resource.</p>
    <p>To demonstrate that further, consider a script tag on this page. The first
  policy would lock scripts down to <code>'self'</code>, <code>http://example.com</code> and <code>http://example.net</code> via the <code>default-src</code> directive. The second, however,
  would only allow script from <code>http://example.com/</code>. Script will only load if
  it meets both policy’s criteria: in this case, the only origin that can match
  is <code>http://example.com</code>, as both policies allow it.</p>
    <h3 class="heading settled" data-level="8.2" id="strict-dynamic-usage"><span class="secno">8.2. </span><span class="content"> Usage of "<code>'strict-dynamic'</code>" </span><a class="self-link" href="#strict-dynamic-usage"></a></h3>
    <p>Whitelists are tough to get right, especially on sprawling origins like CDNs.
  The <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22#107-bytes">solutions
  to Cure53’s H5SC Minichallenge 3: "Sh*t, it’s CSP!"</a> <a data-link-type="biblio" href="#biblio-h5sc3">[H5SC3]</a> are good
  examples of the kinds of bypasses which whitelists can enable, and though CSP
  is capable of mitigating these bypasses via extensive whitelists, those end
  up being brittle, awkward, and difficult to implement and maintain.</p>
    <p>The "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-7"><code>'strict-dynamic'</code></a>" source expression aims to make Content
  Security Policy simpler to deploy for existing applications who have a high
  degree of confidence in the scripts they load directly, but low confidence in
  their ability to provide a reasonably secure whitelist.</p>
    <p>If present in a <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-6"><code>script-src</code></a> or <a data-link-type="dfn" href="#default-src" id="ref-for-default-src-5"><code>default-src</code></a> directive, it has
  two main effects:</p>
    <ol>
     <li data-md="">
      <p><a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source-6">host-source</a> and <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source-5">scheme-source</a> expressions, as well as the "<a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline-4"><code>'unsafe-inline'</code></a>"
  and "<a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self-24"><code>'self'</code></a> <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source-7">keyword-source</a>s will be
  ignored when loading script.</p>
      <p><a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-9">hash-source</a> and <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source-9">nonce-source</a> expressions
  will be honored.</p>
     <li data-md="">
      <p>Script requests which are triggered by non-<a data-link-type="dfn" href="https://www.w3.org/TR/html5/scripting-1.html#parser-inserted">parser-inserted</a> <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements are allowed.</p>
    </ol>
    <p>The first change allows you to deploy "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-8"><code>'strict-dynamic'</code></a> in a
  backwards compatible way, without requiring user-agent sniffing: the policy <code>'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'</code> will act like <code>'unsafe-inline' https:</code> in browsers that support CSP1, <code>https: 'nonce-abcdefg'</code> in browsers that support CSP2, and <code>'nonce-abcdefg' 'strict-dynamic'</code> in browsers that support CSP3.</p>
    <p>The second allows scripts which are given access to the page via nonces or
  hashes to bring in their dependencies without adding them explicitly to the
  page’s policy.</p>
    <div class="example" id="example-5ed12dc8">
     <a class="self-link" href="#example-5ed12dc8"></a> Suppose MegaCorp, Inc. deploys the following policy: 
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-7">Content-Security-Policy</a>: <a data-link-type="dfn" href="#script-src" id="ref-for-script-src-7">script-src</a> 'nonce-abcdefg' <a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic-9">'strict-dynamic'</a>
</pre>
     <p>And serves the following HTML with that policy active:</p>
<pre>...
&lt;script src="https://cdn.example.com/script.js" nonce="abcdefg" >&lt;/script>
...
</pre>
     <p>This will generate a request for <code>https://cdn.example.com/script.js</code>, which
    will not be blocked because of the matching <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/#attr-script-nonce">nonce</a></code> attribute.</p>
     <p>If <code>script.js</code> contains the following code:</p>
<pre>var s = document.createElement('script');
s.src = 'https://othercdn.not-example.net/dependency.js';
document.head.appendChild('s');

document.write('&lt;scr' + 'ipt src='/sadness.js'>&lt;/scr' + 'ipt>');
</pre>
     <p><code>dependency.js</code> will load, as the <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> element created by <code>createElement()</code> is not <a data-link-type="dfn" href="https://www.w3.org/TR/html5/scripting-1.html#parser-inserted">parser-inserted</a>.</p>
     <p><code>sadness.js</code> will <em>not</em> load, however, as <code>document.write()</code> produces <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements which are <a data-link-type="dfn" href="https://www.w3.org/TR/html5/scripting-1.html#parser-inserted">parser-inserted</a>.</p>
    </div>
    <h3 class="heading settled" data-level="8.3" id="unsafe-hashed-attributes-usage"><span class="secno">8.3. </span><span class="content"> Usage of "<code>'unsafe-hashed-attributes'</code>" </span><a class="self-link" href="#unsafe-hashed-attributes-usage"></a></h3>
    <p><em>This section is not normative.</em></p>
    <p>Legacy websites and websites with legacy dependencies might find it difficult
  to entirely externalize event handlers. These sites could enable such handlers
  by whitelisting <code>'unsafe-inline'</code>, but that’s a big hammer with a lot of
  associated risk (and cannot be used in conjunction with nonces or hashes).</p>
    <p>The "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes-4"><code>'unsafe-hashed-attributes'</code></a>" source expression aims to make
  CSP deployment simpler and safer in these situations by allowing developers
  to whitelist specific handlers via hashes.</p>
    <div class="example" id="example-8fc7a5c9">
     <a class="self-link" href="#example-8fc7a5c9"></a> MegaCorp, Inc. can’t quite get rid of the following HTML on anything
    resembling a reasonable schedule: 
<pre>&lt;button id="action" onclick="doSubmit()">
</pre>
     <p>Rather than whitelisting "<code>'unsafe-inline'</code>", they decide to use
    "<code>'unsafe-hashed-attributes'</code>" along with a hash source expression, as follows:</p>
<pre><a data-link-type="dfn" href="#header-content-security-policy" id="ref-for-header-content-security-policy-8">Content-Security-Policy</a>: <a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes-5">'unsafe-hashed-attributes'</a> 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
</pre>
    </div>
    <h3 class="heading settled" data-level="8.4" id="external-hash"><span class="secno">8.4. </span><span class="content"> Whitelisting external JavaScript with hashes </span><a class="self-link" href="#external-hash"></a></h3>
    <p><em>This section is not normative.</em></p>
    <p>In <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a>, hash <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression-13">source expressions</a> could only whitelist inlined
  script, but now that Subresource Integrity is widely deployed, we can expand
  the scope to enable externalized JavaScript as well.</p>
    <p>If multiple sets of integrity metadata are specified for a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code>, the
  request will match a policy’s <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source-10">hash-source</a>s if and only if <em>each</em> item in a <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code>'s integrity metadata matches the policy.</p>
    <div class="example" id="example-8e55aae2">
     <a class="self-link" href="#example-8e55aae2"></a> MegaCorp, Inc. wishes to whitelist two specific scripts on a page in a way
    that ensures that the content matches their expectations. They do so by
    setting the following policy: 
<pre>Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'
</pre>
     <p>In the presence of that policy, the following <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements would be
    whitelisted because they contain only integrity metadata that matches the
    policy:</p>
<pre>&lt;script integrity="sha256-abc123" ...>&lt;/script>
&lt;script integrity="sha512-321cba" ...>&lt;/script>
&lt;script integrity="sha256-abc123 sha512-321cba" ...>&lt;/script>
</pre>
     <p>While the following <code><a data-link-type="element" href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a></code> elements would not be whitelisted because they
    contain metadata that does not match the policy (even though other metadata
    does match):</p>
<pre>&lt;script integrity="<b>sha384-xyz789</b>" ...>&lt;/script>
&lt;script integrity="<b>sha384-xyz789</b> sha512-321cba" ...>&lt;/script>
&lt;script integrity="sha256-abc123 <b>sha384-xyz789</b> sha512-321cba" ...>&lt;/script>
</pre>
    </div>
   </section>
   <section>
    <h2 class="heading settled" data-level="9" id="implementation-considerations"><span class="secno">9. </span><span class="content">Implementation Considerations</span><a class="self-link" href="#implementation-considerations"></a></h2>
    <h3 class="heading settled" data-level="9.1" id="extensions"><span class="secno">9.1. </span><span class="content">Vendor-specific Extensions and Addons</span><a class="self-link" href="#extensions"></a></h3>
    <p><a data-link-type="dfn" href="#policy" id="ref-for-policy-55">Policy</a> enforced on a resource SHOULD NOT interfere with the operation
  of user-agent features like addons, extensions, or bookmarklets. These kinds
  of features generally advance the user’s priority over page authors, as
  espoused in <a data-link-type="biblio" href="#biblio-html-design">[HTML-DESIGN]</a>.</p>
    <p>Moreover, applying CSP to these kinds of features produces a substantial
  amount of noise in violation reports, significantly reducing their value to
  developers.</p>
    <p>Chrome, for example, excludes the <code>chrome-extension:</code> scheme from CSP checks,
  and does some work to ensure that extension-driven injections are allowed,
  regardless of a page’s policy.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="10" id="iana-considerations"><span class="secno">10. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>
    <h3 class="heading settled" data-level="10.1" id="iana-registry"><span class="secno">10.1. </span><span class="content"> Directive Registry </span><a class="self-link" href="#iana-registry"></a></h3>
    <p>The Content Security Policy Directive registry should be updated with the
  following directives and references <a data-link-type="biblio" href="#biblio-rfc7762">[RFC7762]</a>:</p>
    <dl>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#base-uri" id="ref-for-base-uri-2"><code>base-uri</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-base-uri">§6.2.1 base-uri</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#child-src" id="ref-for-child-src-2"><code>child-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-child-src">§6.1.1 child-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src-4"><code>connect-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-connect-src">§6.1.2 connect-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#default-src" id="ref-for-default-src-6"><code>default-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-default-src">§6.1.3 default-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#disown-opener" id="ref-for-disown-opener-2"><code>disown-opener</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-disown-opener">§6.2.4 disown-opener</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#font-src" id="ref-for-font-src-5"><code>font-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-font-src">§6.1.4 font-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#form-action" id="ref-for-form-action-1"><code>form-action</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-form-action">§6.3.1 form-action</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#frame-ancestors" id="ref-for-frame-ancestors-1"><code>frame-ancestors</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-frame-ancestors">§6.3.2 frame-ancestors</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src-4"><code>frame-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-frame-src">§6.1.5 frame-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#img-src" id="ref-for-img-src-4"><code>img-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-img-src">§6.1.6 img-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src-4"><code>manifest-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-manifest-src">§6.1.7 manifest-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#media-src" id="ref-for-media-src-4"><code>media-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-media-src">§6.1.8 media-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#object-src" id="ref-for-object-src-5"><code>object-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-object-src">§6.1.9 object-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types-3"><code>plugin-types</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-plugin-types">§6.2.2 plugin-types</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri-5"><code>report-uri</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-report-uri">§6.4.1 report-uri</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#report-to" id="ref-for-report-to-5"><code>report-to</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-report-to">§6.4.2 report-to</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#sandbox" id="ref-for-sandbox-2"><code>sandbox</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-sandbox">§6.2.3 sandbox</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#script-src" id="ref-for-script-src-8"><code>script-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-script-src">§6.1.10 script-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#style-src" id="ref-for-style-src-3"><code>style-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-style-src">§6.1.11 style-src</a>)</p>
     <dt data-md="">
      <p><a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src-4"><code>worker-src</code></a></p>
     <dd data-md="">
      <p>This document (see <a href="#directive-worker-src">§6.1.12 worker-src</a>)</p>
    </dl>
    <h3 class="heading settled" data-level="10.2" id="iana-headers"><span class="secno">10.2. </span><span class="content"> Headers </span><a class="self-link" href="#iana-headers"></a></h3>
    <p>The permanent message header field registry should be updated
  with the following registrations: <a data-link-type="biblio" href="#biblio-rfc3864">[RFC3864]</a></p>
    <h4 class="heading settled" data-level="10.2.1" id="iana-csp"><span class="secno">10.2.1. </span><span class="content">Content-Security-Policy</span><a class="self-link" href="#iana-csp"></a></h4>
    <dl>
     <dt>Header field name
     <dd>Content-Security-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd>This specification (See <a href="#csp-header">§3.1 The Content-Security-Policy HTTP Response Header Field</a>)
    </dl>
    <h4 class="heading settled" data-level="10.2.2" id="iana-cspro"><span class="secno">10.2.2. </span><span class="content">Content-Security-Policy-Report-Only</span><a class="self-link" href="#iana-cspro"></a></h4>
    <dl>
     <dt>Header field name
     <dd>Content-Security-Policy-Report-Only
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd>This specification (See <a href="#cspro-header">§3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field</a>)
    </dl>
   </section>
   <section>
    <h2 class="heading settled" data-level="11" id="acknowledgements"><span class="secno">11. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
    <p>Lots of people are awesome. For instance:</p>
    <ul>
     <li data-md="">
      <p>Mario and all of Cure53.</p>
     <li data-md="">
      <p>Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, Jochen Eisinger, and the
rest of Google’s CSP Cabal.</p>
    </ul>
   </section>
  </main>
  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification. </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
  <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text with <code>class="example"</code>,
    like this: </p>
  <div class="example" id="example-f839f6c8">
   <a class="self-link" href="#example-f839f6c8"></a> 
   <p>This is an example of an informative example.</p>
  </div>
  <p>Informative notes begin with the word “Note” and are set apart from the
    normative text with <code>class="note"</code>, like this: </p>
  <p class="note" role="note">Note, this is an informative note.</p>
  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#grammardef-ancestor-source">ancestor-source</a><span>, in §6.3.2</span>
   <li><a href="#grammardef-ancestor-source-list">ancestor-source-list</a><span>, in §6.3.2</span>
   <li><a href="#grammardef-base64-value">base64-value</a><span>, in §2.2.1</span>
   <li><a href="#base-uri">base-uri</a><span>, in §6.2.1</span>
   <li><a href="#child-src">child-src</a><span>, in §6.1.1</span>
   <li><a href="#violation-column-number">column number</a><span>, in §2.3</span>
   <li><a href="#connect-src">connect-src</a><span>, in §6.1.2</span>
   <li><a href="#header-content-security-policy">Content-Security-Policy</a><span>, in §3.1</span>
   <li><a href="#content-security-policy">Content Security Policy</a><span>, in §1</span>
   <li><a href="#header-content-security-policy-report-only">Content-Security-Policy-Report-Only</a><span>, in §3.2</span>
   <li><a href="#global-object-csp-list">CSP list</a><span>, in §4.2</span>
   <li><a href="#default-src">default-src</a><span>, in §6.1.3</span>
   <li><a href="#grammardef-directive-name">directive-name</a><span>, in §2.2</span>
   <li><a href="#directives">directives</a><span>, in §2.2</span>
   <li><a href="#policy-directive-set">directive set</a><span>, in §2.1</span>
   <li><a href="#grammardef-directive-value">directive-value</a><span>, in §2.2</span>
   <li><a href="#disown-opener">disown-opener</a><span>, in §6.2.4</span>
   <li><a href="#policy-disposition">disposition</a><span>, in §2.1</span>
   <li>
    effective directive
    <ul>
     <li><a href="#violation-effective-directive">dfn for violation</a><span>, in §2.3</span>
     <li><a href="#request-effective-directive">dfn for request</a><span>, in §6.1.13.5</span>
    </ul>
   <li><a href="#embedding-document">embedding document</a><span>, in §4.2</span>
   <li><a href="#enforced">enforced</a><span>, in §4.2</span>
   <li><a href="#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm)</a><span>, in §4.3</span>
   <li><a href="#fetch-directives">Fetch directives</a><span>, in §6.1</span>
   <li><a href="#font-src">font-src</a><span>, in §6.1.4</span>
   <li><a href="#form-action">form-action</a><span>, in §6.3.1</span>
   <li><a href="#frame-ancestors">frame-ancestors</a><span>, in §6.3.2</span>
   <li><a href="#frame-src">frame-src</a><span>, in §6.1.5</span>
   <li><a href="#violation-global-object">global object</a><span>, in §2.3</span>
   <li><a href="#grammardef-hash-algorithm">hash-algorithm</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-hash-source">hash-source</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-host-char">host-char</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-host-part">host-part</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-host-source">host-source</a><span>, in §2.2.1</span>
   <li><a href="#img-src">img-src</a><span>, in §6.1.6</span>
   <li><a href="#directive-initialization">initialization</a><span>, in §2.2</span>
   <li><a href="#directive-inline-check">inline check</a><span>, in §2.2</span>
   <li><a href="#grammardef-keyword-source">keyword-source</a><span>, in §2.2.1</span>
   <li><a href="#violation-line-number">line number</a><span>, in §2.3</span>
   <li><a href="#manifest-src">manifest-src</a><span>, in §6.1.7</span>
   <li><a href="#matches-a-source-list">matches a source list</a><span>, in §2.2.1</span>
   <li><a href="#media-src">media-src</a><span>, in §6.1.8</span>
   <li><a href="#grammardef-media-type">media-type</a><span>, in §6.2.2</span>
   <li><a href="#grammardef-media-type-list">media-type-list</a><span>, in §6.2.2</span>
   <li><a href="#monitored">monitored</a><span>, in §4.2</span>
   <li><a href="#directive-name">name</a><span>, in §2.2</span>
   <li><a href="#grammardef-nonce-source">nonce-source</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-none">'none'</a><span>, in §2.2.1</span>
   <li><a href="#object-src">object-src</a><span>, in §6.1.9</span>
   <li><a href="#parse-serialized-policy">parse a serialized CSP</a><span>, in §2.1</span>
   <li><a href="#grammardef-path-part">path-part</a><span>, in §2.2.1</span>
   <li><a href="#plugin-types">plugin-types</a><span>, in §6.2.2</span>
   <li>
    policy
    <ul>
     <li><a href="#policy">definition of</a><span>, in §2.1</span>
     <li><a href="#violation-policy">dfn for violation</a><span>, in §2.3</span>
    </ul>
   <li><a href="#grammardef-port-part">port-part</a><span>, in §2.2.1</span>
   <li><a href="#directive-post-request-check">post-request check</a><span>, in §2.2</span>
   <li><a href="#directive-pre-request-check">pre-request check</a><span>, in §2.2</span>
   <li><a href="#violation-referrer">referrer</a><span>, in §2.3</span>
   <li><a href="#report-to">report-to</a><span>, in §6.4.2</span>
   <li><a href="#report-uri">report-uri</a><span>, in §6.4.1</span>
   <li><a href="#violation-resource">resource</a><span>, in §2.3</span>
   <li><a href="#directive-response-check">response check</a><span>, in §2.2</span>
   <li><a href="#sandbox">sandbox</a><span>, in §6.2.3</span>
   <li><a href="#grammardef-scheme-part">scheme-part</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-scheme-source">scheme-source</a><span>, in §2.2.1</span>
   <li><a href="#script-src">script-src</a><span>, in §6.1.10</span>
   <li><a href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a><span>, in §5.1</span>
   <li><a href="#grammardef-self">'self'</a><span>, in §2.2.1</span>
   <li><a href="#serialized-csp">serialized CSP</a><span>, in §2.1</span>
   <li><a href="#serialized-directive">serialized directive</a><span>, in §2.2</span>
   <li><a href="#grammardef-serialized-directive">serialized-directive</a><span>, in §2.2</span>
   <li><a href="#grammardef-serialized-policy">serialized-policy</a><span>, in §2.1</span>
   <li><a href="#serialized-source-list">serialized source list</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-serialized-source-list">serialized-source-list</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-source-expression">source-expression</a><span>, in §2.2.1</span>
   <li><a href="#source-expression">source expression</a><span>, in §2.2.1</span>
   <li><a href="#violation-source-file">source file</a><span>, in §2.3</span>
   <li><a href="#source-lists">source lists</a><span>, in §2.2.1</span>
   <li><a href="#violation-status">status</a><span>, in §2.3</span>
   <li><a href="#grammardef-strict-dynamic">'strict-dynamic'</a><span>, in §2.2.1</span>
   <li><a href="#style-src">style-src</a><span>, in §6.1.11</span>
   <li><a href="#grammardef-unsafe-eval">'unsafe-eval'</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-unsafe-hashed-attributes">'unsafe-hashed-attributes'</a><span>, in §2.2.1</span>
   <li><a href="#grammardef-unsafe-inline">'unsafe-inline'</a><span>, in §2.2.1</span>
   <li><a href="#violation-url">url</a><span>, in §2.3</span>
   <li><a href="#directive-value">value</a><span>, in §2.2</span>
   <li><a href="#violation">violation</a><span>, in §2.3</span>
   <li><a href="#violation-report">violation report</a><span>, in §5</span>
   <li><a href="#worker-src">worker-src</a><span>, in §6.1.12</span>
  </ul>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[CSSOM]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/cssom/#insert-a-css-rule">insert a css rule</a>
     <li><a href="https://www.w3.org/TR/cssom/#parse-a-css-declaration-block">parse a css declaration block</a>
     <li><a href="https://www.w3.org/TR/cssom/#parse-a-css-rule">parse a css rule</a>
     <li><a href="https://www.w3.org/TR/cssom/#parse-a-group-of-selectors">parse a group of selectors</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WHATWG-DOM]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/dom/#interface-element">Element</a>
     <li><a href="https://www.w3.org/TR/dom/#dom-node-textcontent">textContent</a>
    </ul>
   <li>
    <a data-link-type="biblio">[ECMA262]</a> defines the following terms:
    <ul>
     <li><a href="https://tc39.github.io/ecma262#sec-function-objects">Function()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-json.stringify">JSON.stringify()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-eval-x">eval()</a>
     <li><a href="https://tc39.github.io/ecma262#realm">realm</a>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-body">body</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-cache-mode">cache mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-credentials-mode">credentials mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-csp-list">csp list</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-current-url">current url</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-fetch">fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list</a>
     <li><a href="https://fetch.spec.whatwg.org/#http-fetch">http fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#http-network-fetch">http-network fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata">integrity metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#main-fetch">main fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-method">method</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-network-error">network error</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-origin">origin</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-header-parse">parse a header value</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request">request</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response">response</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-type">type</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-url">url</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-window">window</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><a href="https://html.spec.whatwg.org/#attr-meta-http-equiv-content-security-policy">content-security-policy http-equiv processing instructions</a>
     <li><a href="https://html.spec.whatwg.org/#initialising-a-new-document-object">initialising a new document object</a>
     <li><a href="https://html.spec.whatwg.org/#attr-script-nonce">nonce</a>
     <li><a href="https://html.spec.whatwg.org/#ping">ping</a>
     <li><a href="https://html.spec.whatwg.org/#concept-realm-global-object">realm's global object</a>
     <li><a href="https://html.spec.whatwg.org/#run-a-worker">run a worker</a>
     <li><a href="https://html.spec.whatwg.org/#the-workers-documents">the worker's documents</a>
     <li><a href="https://html.spec.whatwg.org/#update-a-style-block">update a style block</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML5]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/html5/dom.html#document">Document</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#dom-window">Window</a>
     <li><a href="https://www.w3.org/TR/html5/text-level-semantics.html#the-a-element">a</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#active-document">active document</a>
     <li><a href="https://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe srcdoc document</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#ancestor-browsing-context">ancestor browsing context</a>
     <li><a href="https://www.w3.org/TR/html5/obsolete.html#the-applet-element">applet</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#ascii-case-insensitive">ascii case-insensitive match</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#the-base-element">base</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#case-sensitive">case-sensitive</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#collect-a-sequence-of-characters">collect a sequence of characters</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-content">content</a>
     <li><a href="https://www.w3.org/TR/html5/dom.html#concept-document-csp-list">csp list</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#disown-its-opener">disown its opener</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#dom-document-2">document</a>
     <li><a href="https://www.w3.org/TR/html5/embedded-content-0.html#the-embed-element">embed</a>
     <li><a href="https://www.w3.org/TR/html5/webappapis.html#event-handler-idl-attributes">event handler idl attributes</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#concept-event-fire">fire</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#forced-sandboxing-flag-set">forced sandboxing flag set</a>
     <li><a href="https://www.w3.org/TR/html5/obsolete.html#frame">frame</a>
     <li><a href="https://www.w3.org/TR/html5/webappapis.html#global-object">global object</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#attr-meta-http-equiv">http-equiv</a>
     <li><a href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a>
     <li><a href="https://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings object</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#the-link-element">link</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#the-meta-element">meta</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#browsing-context-nested-through">nested through</a>
     <li><a href="https://www.w3.org/TR/html5/embedded-content-0.html#the-object-element">object</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#opener-browsing-context">opener browsing context</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#parse-a-sandboxing-directive">parse a sandboxing directive</a>
     <li><a href="https://www.w3.org/TR/html5/scripting-1.html#parser-inserted">parser-inserted</a>
     <li><a href="https://www.w3.org/TR/html5/scripting-1.html#prepare-a-script">prepare a script</a>
     <li><a href="https://www.w3.org/TR/html5/dom.html#dom-document-referrer">referrer</a>
     <li><a href="https://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-global-object">relevant settings object</a>
     <li><a href="https://www.w3.org/TR/html5/webappapis.html#responsible-browsing-context">responsible browsing context</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>
     <li><a href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element">script</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#set-the-frozen-base-url">set the frozen base url</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#space-characters">space characters</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-commas">split a string on commas</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#split-a-string-on-spaces">split a string on spaces</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#strictly-split-a-string">strictly split a string</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">strip leading and trailing whitespace</a>
     <li><a href="https://www.w3.org/TR/html5/document-metadata.html#the-style-element">style</a>
     <li><a href="https://www.w3.org/TR/html5/infrastructure.html#concept-event-trusted">trusted</a>
     <li><a href="https://www.w3.org/TR/html5/browsers.html#unicode-serialization-of-an-origin">unicode serialization</a>
    </ul>
   <li>
    <a data-link-type="biblio">[REPORTING]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/reporting/#group">group</a>
     <li><a href="https://w3c.github.io/reporting/#queue-report">queue report</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc2045]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc2045#section-5.1">subtype</a>
     <li><a href="https://tools.ietf.org/html/rfc2045#section-5.1">type</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC3986]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.2.2">ipv4address</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.3">path</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.1">scheme</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-4.1">uri-reference</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc4648]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc4648#section-4">base64 encoding</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC5234]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">alpha</a>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">digit</a>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">vchar</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc6454]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc7230]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">ows</a>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">rws</a>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc7231]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc7231#section-3">representation</a>
     <li><a href="https://tools.ietf.org/html/rfc7231#section-3">resource representation</a>
    </ul>
   <li>
    <a data-link-type="biblio">[service-workers]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/service-workers/#service-worker-interface">ServiceWorker</a>
    </ul>
   <li>
    <a data-link-type="biblio">[SHA2]</a> defines the following terms:
    <ul>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-256</a>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-384</a>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-512</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WHATWG-URL]</a> defines the following terms:
    <ul>
     <li><a href="https://url.spec.whatwg.org/#url">URL</a>
     <li><a href="https://url.spec.whatwg.org/#default-port">default port</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-host">host</a>
     <li><a href="https://url.spec.whatwg.org/#concept-ipv6">ipv6 address</a>
     <li><a href="https://url.spec.whatwg.org/#local-scheme">local scheme</a>
     <li><a href="https://url.spec.whatwg.org/#network-scheme">network scheme</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-origin">origin</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-path">path</a>
     <li><a href="https://url.spec.whatwg.org/#percent-decode">percent decode</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-port">port</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-parser">url parser</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-serializer">url serializer</a>
    </ul>
   <li>
    <a data-link-type="biblio">[workers]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/workers/#worker">Worker</a>
    </ul>
   <li>
    <a data-link-type="biblio">[CSP1]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent">SecurityPolicyViolationEvent(type, eventInitDict)</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-blockeduri">blockedURI</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-columnnumber">columnNumber</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-documenturi">documentURI</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-linenumber">lineNumber</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-referrer">referrer</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-sourcefile">sourceFile</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-statuscode">statusCode</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type</a>
     <li><a href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a>
    </ul>
   <li>
    <a data-link-type="biblio">[css-cascade-3]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/css-cascade-3/#at-ruledef-import">@import</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WHATWG-DOM]</a> defines the following terms:
    <ul>
     <li><a href="https://dom.spec.whatwg.org/#event">Event</a>
     <li><a href="https://dom.spec.whatwg.org/#dictdef-eventinit">EventInit</a>
     <li><a href="https://dom.spec.whatwg.org/#ascii-case-insensitive">ascii case-insensitive</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker">SharedWorker</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a>
     <li><a href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-object-data">data</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href">href</a>
     <li><a href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-sandbox">sandbox</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-setinterval">setInterval()</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#dom-settimeout">setTimeout()</a>
     <li><a href="https://html.spec.whatwg.org/multipage/scripting.html#dom-script-text">text</a>
     <li><a href="https://html.spec.whatwg.org/multipage/embedded-content.html#attr-embed-type">type</a>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-csp1">[CSP1]
   <dd>Brandon Sterne; Adam Barth. <a href="https://www.w3.org/TR/CSP1/">Content Security Policy 1.0</a>. 19 February 2015. NOTE. URL: <a href="https://www.w3.org/TR/CSP1/">https://www.w3.org/TR/CSP1/</a>
   <dt id="biblio-css-cascade-3">[CSS-CASCADE-3]
   <dd>Elika Etemad; Tab Atkins Jr.. <a href="https://www.w3.org/TR/css-cascade-3/">CSS Cascading and Inheritance Level 3</a>. 19 May 2016. CR. URL: <a href="https://www.w3.org/TR/css-cascade-3/">https://www.w3.org/TR/css-cascade-3/</a>
   <dt id="biblio-cssom">[CSSOM]
   <dd>Simon Pieters; Glenn Adams. <a href="https://www.w3.org/TR/cssom-1/">CSS Object Model (CSSOM)</a>. 17 March 2016. WD. URL: <a href="https://www.w3.org/TR/cssom-1/">https://www.w3.org/TR/cssom-1/</a>
   <dt id="biblio-ecma262">[ECMA262]
   <dd>Brian Terlson; Allen Wirfs-Brock. <a href="https://tc39.github.io/ecma262/">ECMAScript® Language Specification</a>. URL: <a href="https://tc39.github.io/ecma262/">https://tc39.github.io/ecma262/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-html">[HTML]
   <dd>Ian Hickson. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-html5">[HTML5]
   <dd>Ian Hickson; et al. <a href="https://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <a href="https://www.w3.org/TR/html5/">https://www.w3.org/TR/html5/</a>
   <dt id="biblio-oob-reporting">[OOB-REPORTING]
   <dd>Ilya Gregorik; Mike West. <a href="https://mikewest.github.io/error-reporting/">Out-of-band Reporting</a>. URL: <a href="https://mikewest.github.io/error-reporting/">https://mikewest.github.io/error-reporting/</a>
   <dt id="biblio-rfc2045">[RFC2045]
   <dd>N. Freed; N. Borenstein. <a href="https://tools.ietf.org/html/rfc2045">Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</a>. November 1996. Draft Standard. URL: <a href="https://tools.ietf.org/html/rfc2045">https://tools.ietf.org/html/rfc2045</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3492">[RFC3492]
   <dd>A. Costello. <a href="https://tools.ietf.org/html/rfc3492">Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</a>. March 2003. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc3492">https://tools.ietf.org/html/rfc3492</a>
   <dt id="biblio-rfc3864">[RFC3864]
   <dd>G. Klyne; M. Nottingham; J. Mogul. <a href="https://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>. September 2004. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc3864">https://tools.ietf.org/html/rfc3864</a>
   <dt id="biblio-rfc3986">[RFC3986]
   <dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>. January 2005. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc3986">https://tools.ietf.org/html/rfc3986</a>
   <dt id="biblio-rfc4648">[RFC4648]
   <dd>S. Josefsson. <a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>. October 2006. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc4648">https://tools.ietf.org/html/rfc4648</a>
   <dt id="biblio-rfc5234">[RFC5234]
   <dd>D. Crocker, Ed.; P. Overell. <a href="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>. January 2008. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc5234">https://tools.ietf.org/html/rfc5234</a>
   <dt id="biblio-rfc5988">[RFC5988]
   <dd>M. Nottingham. <a href="https://tools.ietf.org/html/rfc5988">Web Linking</a>. October 2010. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc5988">https://tools.ietf.org/html/rfc5988</a>
   <dt id="biblio-rfc6454">[RFC6454]
   <dd>A. Barth. <a href="https://tools.ietf.org/html/rfc6454">The Web Origin Concept</a>. December 2011. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6454">https://tools.ietf.org/html/rfc6454</a>
   <dt id="biblio-rfc7230">[RFC7230]
   <dd>R. Fielding, Ed.; J. Reschke, Ed.. <a href="https://tools.ietf.org/html/rfc7230">Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</a>. June 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7230">https://tools.ietf.org/html/rfc7230</a>
   <dt id="biblio-rfc7231">[RFC7231]
   <dd>R. Fielding, Ed.; J. Reschke, Ed.. <a href="https://tools.ietf.org/html/rfc7231">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a>. June 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a>
   <dt id="biblio-rfc7762">[RFC7762]
   <dd>M. West. <a href="https://tools.ietf.org/html/rfc7762">Initial Assignment for the Content Security Policy Directives Registry</a>. January 2016. Informational. URL: <a href="https://tools.ietf.org/html/rfc7762">https://tools.ietf.org/html/rfc7762</a>
   <dt id="biblio-service-workers">[SERVICE-WORKERS]
   <dd>Alex Russell; Jungkee Song; Jake Archibald. <a href="https://www.w3.org/TR/service-workers/">Service Workers</a>. 25 June 2015. WD. URL: <a href="https://www.w3.org/TR/service-workers/">https://www.w3.org/TR/service-workers/</a>
   <dt id="biblio-sha2">[SHA2]
   <dd><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS PUB 180-4, Secure Hash Standard</a>. URL: <a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf</a>
   <dt id="biblio-sri">[SRI]
   <dd>Devdatta Akhawe; et al. <a href="https://www.w3.org/TR/SRI/">Subresource Integrity</a>. 23 June 2016. REC. URL: <a href="https://www.w3.org/TR/SRI/">https://www.w3.org/TR/SRI/</a>
   <dt id="biblio-whatwg-dom">[WHATWG-DOM]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-whatwg-url">[WHATWG-URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
   <dt id="biblio-workers">[WORKERS]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/workers/">Web Workers</a>. 24 September 2015. WD. URL: <a href="https://www.w3.org/TR/workers/">https://www.w3.org/TR/workers/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-appmanifest">[APPMANIFEST]
   <dd>Marcos Caceres; et al. <a href="https://www.w3.org/TR/appmanifest/">Web App Manifest</a>. 14 July 2016. WD. URL: <a href="https://www.w3.org/TR/appmanifest/">https://www.w3.org/TR/appmanifest/</a>
   <dt id="biblio-beacon">[BEACON]
   <dd>Ilya Grigorik; et al. <a href="https://www.w3.org/TR/beacon/">Beacon</a>. 29 June 2016. WD. URL: <a href="https://www.w3.org/TR/beacon/">https://www.w3.org/TR/beacon/</a>
   <dt id="biblio-csp2">[CSP2]
   <dd>Mike West; Adam Barth; Daniel Veditz. <a href="https://www.w3.org/TR/CSP2/">Content Security Policy Level 2</a>. 21 July 2015. CR. URL: <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2/</a>
   <dt id="biblio-eventsource">[EVENTSOURCE]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/eventsource/">Server-Sent Events</a>. 3 February 2015. REC. URL: <a href="https://www.w3.org/TR/eventsource/">https://www.w3.org/TR/eventsource/</a>
   <dt id="biblio-h5sc3">[H5SC3]
   <dd>Mario Heiderich. <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22">H5SC Minichallenge 3: "Sh*t, it's CSP!"</a>. URL: <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22">https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22</a>
   <dt id="biblio-html-design">[HTML-DESIGN]
   <dd>Anne Van Kesteren; Maciej Stachowiak. <a href="https://www.w3.org/TR/html-design-principles/">HTML Design Principles</a>. URL: <a href="https://www.w3.org/TR/html-design-principles/">https://www.w3.org/TR/html-design-principles/</a>
   <dt id="biblio-mix">[MIX]
   <dd>Mike West. <a href="https://www.w3.org/TR/mixed-content/">Mixed Content</a>. 8 October 2015. CR. URL: <a href="https://www.w3.org/TR/mixed-content/">https://www.w3.org/TR/mixed-content/</a>
   <dt id="biblio-timing">[TIMING]
   <dd>Paul Stone. <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">Pixel Perfect Timing Attacks with HTML5</a>. URL: <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf</a>
   <dt id="biblio-uisecurity">[UISECURITY]
   <dd>Brad Hill. <a href="https://www.w3.org/TR/UISecurity/">User Interface Security and the Visibility API</a>. 7 June 2016. WD. URL: <a href="https://www.w3.org/TR/UISecurity/">https://www.w3.org/TR/UISecurity/</a>
   <dt id="biblio-upgrade-insecure-requests">[UPGRADE-INSECURE-REQUESTS]
   <dd>Mike West. <a href="https://www.w3.org/TR/upgrade-insecure-requests/">Upgrade Insecure Requests</a>. 8 October 2015. CR. URL: <a href="https://www.w3.org/TR/upgrade-insecure-requests/">https://www.w3.org/TR/upgrade-insecure-requests/</a>
   <dt id="biblio-websockets">[WEBSOCKETS]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/websockets/">The WebSocket API</a>. 20 September 2012. CR. URL: <a href="https://www.w3.org/TR/websockets/">https://www.w3.org/TR/websockets/</a>
   <dt id="biblio-xhr">[XHR]
   <dd>Anne van Kesteren. <a href="https://xhr.spec.whatwg.org/">XMLHttpRequest Standard</a>. Living Standard. URL: <a href="https://xhr.spec.whatwg.org/">https://xhr.spec.whatwg.org/</a>
   <dt id="biblio-xslt">[XSLT]
   <dd>James Clark. <a href="https://www.w3.org/TR/xslt">XSL Transformations (XSLT) Version 1.0</a>. 16 November 1999. REC. URL: <a href="https://www.w3.org/TR/xslt">https://www.w3.org/TR/xslt</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl def">[<a class="nv idl-code" data-link-type="constructor" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent">Constructor</a>(<span class="kt">DOMString</span> <a class="nv idl-code" data-link-type="argument" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type">type</a>, <span class="kt">optional</span> <a class="n" data-link-type="idl-name" href="https://w3c.github.io/webappsec-csp/#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> <a class="nv idl-code" data-link-type="argument" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict">eventInitDict</a>)]
<span class="kt">interface</span> <a class="nv" href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#event">Event</a> {
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-documenturi">documentURI</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-referrer">referrer</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-blockeduri">blockedURI</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-violateddirective">violatedDirective</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="DOMString" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-sourcefile">sourceFile</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">unsigned</span> <span class="kt">short</span> <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="unsigned short" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-statuscode">statusCode</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">long</span>           <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="long" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-linenumber">lineNumber</a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <span class="kt">long</span>           <a class="nv idl-code" data-link-type="attribute" data-readonly="" data-type="long" href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationevent-columnnumber">columnNumber</a>;
};

<span class="kt">dictionary</span> <a class="nv idl-code" data-link-type="dictionary" href="https://w3c.github.io/webappsec-csp/#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#dictdef-eventinit">EventInit</a> {
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-documenturi">documentURI</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-referrer">referrer</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-blockeduri">blockedURI</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-violateddirective">violatedDirective</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-effectivedirective">effectiveDirective</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-originalpolicy">originalPolicy</a>;
    <span class="kt">DOMString</span>      <a class="nv idl-code" data-link-type="dict-member" data-type="DOMString      " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-sourcefile">sourceFile</a>;
    <span class="kt">unsigned</span> <span class="kt">short</span> <a class="nv idl-code" data-link-type="dict-member" data-type="unsigned short " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-statuscode">statusCode</a>;
    <span class="kt">long</span>           <a class="nv idl-code" data-link-type="dict-member" data-type="long           " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-linenumber">lineNumber</a>;
    <span class="kt">long</span>           <a class="nv idl-code" data-link-type="dict-member" data-type="long           " href="https://w3c.github.io/webappsec-csp/#dom-securitypolicyviolationeventinit-columnnumber">columnNumber</a>;
};

</pre>
  <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue"> Is this kind of thing specified anywhere? I didn’t see anything
  that looked useful in <a data-link-type="biblio" href="#biblio-ecma262">[ECMA262]</a>.<a href="#issue-c404edb5"> ↵ </a></div>
   <div class="issue"> How, exactly, do we get the status code? We don’t actually store it
  anywhere.<a href="#issue-99576800"> ↵ </a></div>
   <div class="issue"> This concept is missing from W3C’s Workers. <a href="https://github.com/w3c/html/issues/187">&lt;https://github.com/w3c/html/issues/187></a><a href="#issue-a794766b"> ↵ </a></div>
   <div class="issue"> Stylesheet loading is not yet integrated with
  Fetch in W3C’s HTML. <a href="https://github.com/whatwg/html/issues/198">&lt;https://github.com/whatwg/html/issues/198></a><a href="#issue-aa77c60b"> ↵ </a></div>
   <div class="issue"> Stylesheet loading is not yet integrated with
  Fetch in WHATWG’s HTML. <a href="https://github.com/whatwg/html/issues/968">&lt;https://github.com/whatwg/html/issues/968></a><a href="#issue-25da4fba"> ↵ </a></div>
   <div class="issue"> This needs to be better explained.<a href="#issue-ba1a0a35"> ↵ </a></div>
   <div class="issue"> Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so
  let’s work with them to put something reasonable together.<a href="#issue-eba1ebc1"> ↵ </a></div>
   <div class="issue"> Define the hooks into HTML’s plugin loading algorithms.<a href="#issue-4d81caf0"> ↵ </a></div>
   <div class="issue"> Not sure this is the right model. We need to ensure that we take care
  of <a href="https://github.com/w3c/webappsec/issues/139">the inverse</a> as
  well, and there might be a cleverer syntax that could encompass both a
  document’s opener, and a document’s openees. <code>disown-openee</code> is weird.
  Maybe <code>disown 'opener' 'openee'</code>? Do we need origin restrictions on either/both?<a href="#issue-b04594c3"> ↵ </a></div>
   <div class="issue"> What should this do in an <code><a data-link-type="element" href="https://www.w3.org/TR/html5/embedded-content-0.html#the-iframe-element">iframe</a></code>? Anything?<a href="#issue-466edd09"> ↵ </a></div>
   <div class="issue"> Define the hooks into HTML’s navigation and form submission algorithms.<a href="#issue-15904ee9"> ↵ </a></div>
   <div class="issue"> Do we need syntax to allow matching a unique origin?<a href="#issue-feda0121"> ↵ </a></div>
   <div class="issue"> Rewrite this in terms of HTML’s navigation algorithm.<a href="#issue-ca898011"> ↵ </a></div>
  </div>
  <aside class="dfn-panel" data-for="policy">
   <b><a href="#policy">#policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-1">2.1.1. 
    Parse a serialized CSP as disposition </a> <a href="#ref-for-policy-2">(2)</a> <a href="#ref-for-policy-3">(3)</a>
    <li><a href="#ref-for-policy-4">2.1.2. 
    Parse a serialized CSP list as disposition </a>
    <li><a href="#ref-for-policy-5">2.2. Directives</a> <a href="#ref-for-policy-6">(2)</a> <a href="#ref-for-policy-7">(3)</a> <a href="#ref-for-policy-8">(4)</a> <a href="#ref-for-policy-9">(5)</a>
    <li><a href="#ref-for-policy-10">2.3. Violations</a> <a href="#ref-for-policy-11">(2)</a> <a href="#ref-for-policy-12">(3)</a>
    <li><a href="#ref-for-policy-13">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-policy-14">2.3.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-policy-15">3. 
    Policy Delivery </a> <a href="#ref-for-policy-16">(2)</a>
    <li><a href="#ref-for-policy-17">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-policy-18">4.2. 
    Integration with HTML </a> <a href="#ref-for-policy-19">(2)</a> <a href="#ref-for-policy-20">(3)</a> <a href="#ref-for-policy-21">(4)</a>
    <li><a href="#ref-for-policy-22">4.2.1. 
    Initialize a Document's CSP list </a>
    <li><a href="#ref-for-policy-23">5. 
    Reporting </a> <a href="#ref-for-policy-24">(2)</a>
    <li><a href="#ref-for-policy-25">6.1.1.1. Algorithms</a> <a href="#ref-for-policy-26">(2)</a>
    <li><a href="#ref-for-policy-27">6.1.2.1. Algorithms</a> <a href="#ref-for-policy-28">(2)</a>
    <li><a href="#ref-for-policy-29">6.1.3.1. Algorithms</a> <a href="#ref-for-policy-30">(2)</a>
    <li><a href="#ref-for-policy-31">6.1.4.1. Algorithms</a> <a href="#ref-for-policy-32">(2)</a>
    <li><a href="#ref-for-policy-33">6.1.5.1. Algorithms</a> <a href="#ref-for-policy-34">(2)</a>
    <li><a href="#ref-for-policy-35">6.1.6.1. Algorithms</a> <a href="#ref-for-policy-36">(2)</a>
    <li><a href="#ref-for-policy-37">6.1.7.1. Algorithms</a> <a href="#ref-for-policy-38">(2)</a>
    <li><a href="#ref-for-policy-39">6.1.8.1. Algorithms</a> <a href="#ref-for-policy-40">(2)</a>
    <li><a href="#ref-for-policy-41">6.1.9.1. Algorithms</a> <a href="#ref-for-policy-42">(2)</a>
    <li><a href="#ref-for-policy-43">6.1.10.1. Algorithms</a> <a href="#ref-for-policy-44">(2)</a>
    <li><a href="#ref-for-policy-45">6.1.11.1. Algorithms</a> <a href="#ref-for-policy-46">(2)</a>
    <li><a href="#ref-for-policy-47">6.1.12.1. Algorithms</a> <a href="#ref-for-policy-48">(2)</a>
    <li><a href="#ref-for-policy-49">6.1.13.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-policy-50">6.2.3.1. Algorithms</a> <a href="#ref-for-policy-51">(2)</a>
    <li><a href="#ref-for-policy-52">6.2.4.1. Algorithms</a>
    <li><a href="#ref-for-policy-53">6.3.2.1. Algorithms</a>
    <li><a href="#ref-for-policy-54">7.1. Nonce Reuse</a>
    <li><a href="#ref-for-policy-55">9.1. Vendor-specific Extensions and Addons</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-directive-set">
   <b><a href="#policy-directive-set">#policy-directive-set</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-directive-set-1">2.1.1. 
    Parse a serialized CSP as disposition </a> <a href="#ref-for-policy-directive-set-2">(2)</a> <a href="#ref-for-policy-directive-set-3">(3)</a> <a href="#ref-for-policy-directive-set-4">(4)</a>
    <li><a href="#ref-for-policy-directive-set-5">2.1.2. 
    Parse a serialized CSP list as disposition </a>
    <li><a href="#ref-for-policy-directive-set-6">5.3. 
    Report a violation </a> <a href="#ref-for-policy-directive-set-7">(2)</a> <a href="#ref-for-policy-directive-set-8">(3)</a>
    <li><a href="#ref-for-policy-directive-set-9">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-disposition">
   <b><a href="#policy-disposition">#policy-disposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-disposition-1">2.1.1. 
    Parse a serialized CSP as disposition </a> <a href="#ref-for-policy-disposition-2">(2)</a>
    <li><a href="#ref-for-policy-disposition-3">2.1.2. 
    Parse a serialized CSP list as disposition </a>
    <li><a href="#ref-for-policy-disposition-4">4.1.2. 
    Report Content Security Policy violations for request </a>
    <li><a href="#ref-for-policy-disposition-5">4.1.3. 
    Should request be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-disposition-6">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a> <a href="#ref-for-policy-disposition-7">(2)</a>
    <li><a href="#ref-for-policy-disposition-8">4.2.3. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-disposition-9">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-policy-disposition-10">6.2.3.1. Algorithms</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-csp">
   <b><a href="#serialized-csp">#serialized-csp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-csp-1">2.1.1. 
    Parse a serialized CSP as disposition </a>
    <li><a href="#ref-for-serialized-csp-2">2.1.2. 
    Parse a serialized CSP list as disposition </a>
    <li><a href="#ref-for-serialized-csp-3">2.2.1. Source Lists</a>
    <li><a href="#ref-for-serialized-csp-4">3. 
    Policy Delivery </a>
    <li><a href="#ref-for-serialized-csp-5">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-serialized-csp-6">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
    <li><a href="#ref-for-serialized-csp-7">4.1.1. 
    Set response’s CSP list </a>
    <li><a href="#ref-for-serialized-csp-8">5.2. 
    Obtain the deprecated serialization of violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-policy">
   <b><a href="#grammardef-serialized-policy">#grammardef-serialized-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-policy-1">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-grammardef-serialized-policy-2">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="parse-serialized-policy">
   <b><a href="#parse-serialized-policy">#parse-serialized-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-parse-serialized-policy-1">2.1.2. 
    Parse a serialized CSP list as disposition </a>
    <li><a href="#ref-for-parse-serialized-policy-2">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-parse-serialized-policy-3">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
    <li><a href="#ref-for-parse-serialized-policy-4">4.1. 
    Integration with Fetch </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directives">
   <b><a href="#directives">#directives</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directives-1">2.1. Policies</a>
    <li><a href="#ref-for-directives-2">2.1.1. 
    Parse a serialized CSP as disposition </a> <a href="#ref-for-directives-3">(2)</a>
    <li><a href="#ref-for-directives-4">2.2. Directives</a> <a href="#ref-for-directives-5">(2)</a>
    <li><a href="#ref-for-directives-6">2.2.1. Source Lists</a>
    <li><a href="#ref-for-directives-7">2.3. Violations</a>
    <li><a href="#ref-for-directives-8">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-directives-9">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a> <a href="#ref-for-directives-10">(2)</a> <a href="#ref-for-directives-11">(3)</a>
    <li><a href="#ref-for-directives-12">5.3. 
    Report a violation </a> <a href="#ref-for-directives-13">(2)</a> <a href="#ref-for-directives-14">(3)</a>
    <li><a href="#ref-for-directives-15">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-directives-16">6.1.1.1. Algorithms</a> <a href="#ref-for-directives-17">(2)</a>
    <li><a href="#ref-for-directives-18">6.1.3.1. Algorithms</a> <a href="#ref-for-directives-19">(2)</a> <a href="#ref-for-directives-20">(3)</a> <a href="#ref-for-directives-21">(4)</a> <a href="#ref-for-directives-22">(5)</a> <a href="#ref-for-directives-23">(6)</a>
    <li><a href="#ref-for-directives-24">6.1.13.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-directives-25">6.2.1.1. 
    Is base allowed for document? </a> <a href="#ref-for-directives-26">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-name">
   <b><a href="#directive-name">#directive-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-name-1">2.1.1. 
    Parse a serialized CSP as disposition </a> <a href="#ref-for-directive-name-2">(2)</a>
    <li><a href="#ref-for-directive-name-3">2.2. Directives</a>
    <li><a href="#ref-for-directive-name-4">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a> <a href="#ref-for-directive-name-5">(2)</a>
    <li><a href="#ref-for-directive-name-6">6.1.1.1. Algorithms</a> <a href="#ref-for-directive-name-7">(2)</a> <a href="#ref-for-directive-name-8">(3)</a> <a href="#ref-for-directive-name-9">(4)</a>
    <li><a href="#ref-for-directive-name-10">6.1.3.1. Algorithms</a> <a href="#ref-for-directive-name-11">(2)</a> <a href="#ref-for-directive-name-12">(3)</a> <a href="#ref-for-directive-name-13">(4)</a> <a href="#ref-for-directive-name-14">(5)</a> <a href="#ref-for-directive-name-15">(6)</a>
    <li><a href="#ref-for-directive-name-16">6.1.13.5. 
    Get the effective directive for request </a>
    <li><a href="#ref-for-directive-name-17">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-value">
   <b><a href="#directive-value">#directive-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-value-1">2.1.1. 
    Parse a serialized CSP as disposition </a>
    <li><a href="#ref-for-directive-value-2">2.2. Directives</a> <a href="#ref-for-directive-value-3">(2)</a>
    <li><a href="#ref-for-directive-value-4">2.2.1. Source Lists</a>
    <li><a href="#ref-for-directive-value-5">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a> <a href="#ref-for-directive-value-6">(2)</a>
    <li><a href="#ref-for-directive-value-7">5.3. 
    Report a violation </a> <a href="#ref-for-directive-value-8">(2)</a>
    <li><a href="#ref-for-directive-value-9">6.1.1.1. Algorithms</a> <a href="#ref-for-directive-value-10">(2)</a>
    <li><a href="#ref-for-directive-value-11">6.1.2.1. Algorithms</a> <a href="#ref-for-directive-value-12">(2)</a>
    <li><a href="#ref-for-directive-value-13">6.1.3.1. Algorithms</a> <a href="#ref-for-directive-value-14">(2)</a>
    <li><a href="#ref-for-directive-value-15">6.1.4.1. Algorithms</a> <a href="#ref-for-directive-value-16">(2)</a>
    <li><a href="#ref-for-directive-value-17">6.1.5.1. Algorithms</a> <a href="#ref-for-directive-value-18">(2)</a>
    <li><a href="#ref-for-directive-value-19">6.1.6.1. Algorithms</a> <a href="#ref-for-directive-value-20">(2)</a>
    <li><a href="#ref-for-directive-value-21">6.1.7.1. Algorithms</a> <a href="#ref-for-directive-value-22">(2)</a>
    <li><a href="#ref-for-directive-value-23">6.1.8.1. Algorithms</a> <a href="#ref-for-directive-value-24">(2)</a>
    <li><a href="#ref-for-directive-value-25">6.1.9.1. Algorithms</a> <a href="#ref-for-directive-value-26">(2)</a>
    <li><a href="#ref-for-directive-value-27">6.1.10.1. Algorithms</a> <a href="#ref-for-directive-value-28">(2)</a> <a href="#ref-for-directive-value-29">(3)</a> <a href="#ref-for-directive-value-30">(4)</a> <a href="#ref-for-directive-value-31">(5)</a> <a href="#ref-for-directive-value-32">(6)</a> <a href="#ref-for-directive-value-33">(7)</a> <a href="#ref-for-directive-value-34">(8)</a> <a href="#ref-for-directive-value-35">(9)</a> <a href="#ref-for-directive-value-36">(10)</a>
    <li><a href="#ref-for-directive-value-37">6.1.11.1. Algorithms</a> <a href="#ref-for-directive-value-38">(2)</a> <a href="#ref-for-directive-value-39">(3)</a> <a href="#ref-for-directive-value-40">(4)</a> <a href="#ref-for-directive-value-41">(5)</a>
    <li><a href="#ref-for-directive-value-42">6.1.12.1. Algorithms</a> <a href="#ref-for-directive-value-43">(2)</a>
    <li><a href="#ref-for-directive-value-44">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-directive-value-45">6.2.3.1. Algorithms</a> <a href="#ref-for-directive-value-46">(2)</a>
    <li><a href="#ref-for-directive-value-47">6.3.2.1. Algorithms</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-directive">
   <b><a href="#serialized-directive">#serialized-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-directive-1">2.1. Policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-directive">
   <b><a href="#grammardef-serialized-directive">#grammardef-serialized-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-directive-1">2.1. Policies</a> <a href="#ref-for-grammardef-serialized-directive-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-directive-name">
   <b><a href="#grammardef-directive-name">#grammardef-directive-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-directive-name-1">2.2. Directives</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-directive-value">
   <b><a href="#grammardef-directive-value">#grammardef-directive-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-directive-value-1">2.2. Directives</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-pre-request-check">
   <b><a href="#directive-pre-request-check">#directive-pre-request-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-pre-request-check-1">6.1.1.1. Algorithms</a> <a href="#ref-for-directive-pre-request-check-2">(2)</a>
    <li><a href="#ref-for-directive-pre-request-check-3">6.1.2.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-4">6.1.3.1. Algorithms</a> <a href="#ref-for-directive-pre-request-check-5">(2)</a>
    <li><a href="#ref-for-directive-pre-request-check-6">6.1.4.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-7">6.1.5.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-8">6.1.6.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-9">6.1.7.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-10">6.1.8.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-11">6.1.9.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-12">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-13">6.1.11.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-14">6.1.12.1. Algorithms</a>
    <li><a href="#ref-for-directive-pre-request-check-15">6.1.13.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-directive-pre-request-check-16">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-post-request-check">
   <b><a href="#directive-post-request-check">#directive-post-request-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-post-request-check-1">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-directive-post-request-check-2">6.1.1.1. Algorithms</a> <a href="#ref-for-directive-post-request-check-3">(2)</a>
    <li><a href="#ref-for-directive-post-request-check-4">6.1.2.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-5">6.1.3.1. Algorithms</a> <a href="#ref-for-directive-post-request-check-6">(2)</a>
    <li><a href="#ref-for-directive-post-request-check-7">6.1.4.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-8">6.1.5.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-9">6.1.6.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-10">6.1.7.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-11">6.1.8.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-12">6.1.9.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-13">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-14">6.1.11.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-15">6.1.12.1. Algorithms</a>
    <li><a href="#ref-for-directive-post-request-check-16">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-response-check">
   <b><a href="#directive-response-check">#directive-response-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-response-check-1">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-directive-response-check-2">6.2.3.1. Algorithms</a>
    <li><a href="#ref-for-directive-response-check-3">6.3.2.1. Algorithms</a>
    <li><a href="#ref-for-directive-response-check-4">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-inline-check">
   <b><a href="#directive-inline-check">#directive-inline-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-inline-check-1">4.2.3. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-directive-inline-check-2">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-directive-inline-check-3">6.1.11.1. Algorithms</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-initialization">
   <b><a href="#directive-initialization">#directive-initialization</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-initialization-1">4.2.1. 
    Initialize a Document's CSP list </a>
    <li><a href="#ref-for-directive-initialization-2">6.1.11.1. Algorithms</a>
    <li><a href="#ref-for-directive-initialization-3">6.2.3.1. Algorithms</a>
    <li><a href="#ref-for-directive-initialization-4">6.2.4.1. Algorithms</a>
    <li><a href="#ref-for-directive-initialization-5">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="source-lists">
   <b><a href="#source-lists">#source-lists</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-source-lists-1">6.1.1. child-src</a>
    <li><a href="#ref-for-source-lists-2">6.1.2. connect-src</a>
    <li><a href="#ref-for-source-lists-3">6.1.3. default-src</a>
    <li><a href="#ref-for-source-lists-4">6.1.4. font-src</a>
    <li><a href="#ref-for-source-lists-5">6.1.5. frame-src</a>
    <li><a href="#ref-for-source-lists-6">6.1.6. img-src</a>
    <li><a href="#ref-for-source-lists-7">6.1.7. manifest-src</a>
    <li><a href="#ref-for-source-lists-8">6.1.8. media-src</a>
    <li><a href="#ref-for-source-lists-9">6.1.9. object-src</a>
    <li><a href="#ref-for-source-lists-10">6.1.12. worker-src</a>
    <li><a href="#ref-for-source-lists-11">6.1.13.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-source-lists-12">6.1.13.3. 
    Does url match source list? </a>
    <li><a href="#ref-for-source-lists-13">6.1.14.1. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-source-lists-14">6.3.2. frame-ancestors</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="source-expression">
   <b><a href="#source-expression">#source-expression</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-source-expression-1">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-source-expression-2">2.2.1. Source Lists</a>
    <li><a href="#ref-for-source-expression-3">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a>
    <li><a href="#ref-for-source-expression-4">6.1.10.1. Algorithms</a> <a href="#ref-for-source-expression-5">(2)</a> <a href="#ref-for-source-expression-6">(3)</a> <a href="#ref-for-source-expression-7">(4)</a> <a href="#ref-for-source-expression-8">(5)</a> <a href="#ref-for-source-expression-9">(6)</a> <a href="#ref-for-source-expression-10">(7)</a>
    <li><a href="#ref-for-source-expression-11">6.1.13.4. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-source-expression-12">6.1.14.1. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-source-expression-13">8.4. 
    Whitelisting external JavaScript with hashes </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-source-list">
   <b><a href="#grammardef-serialized-source-list">#grammardef-serialized-source-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-source-list-1">6.1.1. child-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-2">6.1.2. connect-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-3">6.1.3. default-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-4">6.1.4. font-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-5">6.1.5. frame-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-6">6.1.6. img-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-7">6.1.7. manifest-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-8">6.1.8. media-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-9">6.1.9. object-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-10">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-11">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-12">6.1.12. worker-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list-13">6.2.1. base-uri</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-none">
   <b><a href="#grammardef-none">#grammardef-none</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-none-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-none-2">6.3.2. frame-ancestors</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-source-expression">
   <b><a href="#grammardef-source-expression">#grammardef-source-expression</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-source-expression-1">2.2.1. Source Lists</a> <a href="#ref-for-grammardef-source-expression-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-scheme-source">
   <b><a href="#grammardef-scheme-source">#grammardef-scheme-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-scheme-source-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-scheme-source-2">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-scheme-source-3">(2)</a>
    <li><a href="#ref-for-grammardef-scheme-source-4">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-scheme-source-5">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-source">
   <b><a href="#grammardef-host-source">#grammardef-host-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-source-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-host-source-2">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-host-source-3">(2)</a> <a href="#ref-for-grammardef-host-source-4">(3)</a>
    <li><a href="#ref-for-grammardef-host-source-5">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-host-source-6">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-scheme-part">
   <b><a href="#grammardef-scheme-part">#grammardef-scheme-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-scheme-part-1">2.2.1. Source Lists</a> <a href="#ref-for-grammardef-scheme-part-2">(2)</a>
    <li><a href="#ref-for-grammardef-scheme-part-3">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-scheme-part-4">(2)</a> <a href="#ref-for-grammardef-scheme-part-5">(3)</a> <a href="#ref-for-grammardef-scheme-part-6">(4)</a> <a href="#ref-for-grammardef-scheme-part-7">(5)</a> <a href="#ref-for-grammardef-scheme-part-8">(6)</a> <a href="#ref-for-grammardef-scheme-part-9">(7)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-part">
   <b><a href="#grammardef-host-part">#grammardef-host-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-part-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-host-part-2">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-host-part-3">(2)</a> <a href="#ref-for-grammardef-host-part-4">(3)</a> <a href="#ref-for-grammardef-host-part-5">(4)</a> <a href="#ref-for-grammardef-host-part-6">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-char">
   <b><a href="#grammardef-host-char">#grammardef-host-char</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-char-1">2.2.1. Source Lists</a> <a href="#ref-for-grammardef-host-char-2">(2)</a> <a href="#ref-for-grammardef-host-char-3">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-port-part">
   <b><a href="#grammardef-port-part">#grammardef-port-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-port-part-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-port-part-2">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-port-part-3">(2)</a> <a href="#ref-for-grammardef-port-part-4">(3)</a> <a href="#ref-for-grammardef-port-part-5">(4)</a> <a href="#ref-for-grammardef-port-part-6">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-path-part">
   <b><a href="#grammardef-path-part">#grammardef-path-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-path-part-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-path-part-2">6.1.13.4. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-path-part-3">(2)</a> <a href="#ref-for-grammardef-path-part-4">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-keyword-source">
   <b><a href="#grammardef-keyword-source">#grammardef-keyword-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-keyword-source-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-keyword-source-2">6.1.10.1. Algorithms</a> <a href="#ref-for-grammardef-keyword-source-3">(2)</a> <a href="#ref-for-grammardef-keyword-source-4">(3)</a> <a href="#ref-for-grammardef-keyword-source-5">(4)</a>
    <li><a href="#ref-for-grammardef-keyword-source-6">6.1.14.1. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-grammardef-keyword-source-7">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-self">
   <b><a href="#grammardef-self">#grammardef-self</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-self-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-self-2">6.1.3. default-src</a> <a href="#ref-for-grammardef-self-3">(2)</a> <a href="#ref-for-grammardef-self-4">(3)</a> <a href="#ref-for-grammardef-self-5">(4)</a> <a href="#ref-for-grammardef-self-6">(5)</a> <a href="#ref-for-grammardef-self-7">(6)</a> <a href="#ref-for-grammardef-self-8">(7)</a> <a href="#ref-for-grammardef-self-9">(8)</a> <a href="#ref-for-grammardef-self-10">(9)</a> <a href="#ref-for-grammardef-self-11">(10)</a> <a href="#ref-for-grammardef-self-12">(11)</a> <a href="#ref-for-grammardef-self-13">(12)</a> <a href="#ref-for-grammardef-self-14">(13)</a> <a href="#ref-for-grammardef-self-15">(14)</a> <a href="#ref-for-grammardef-self-16">(15)</a> <a href="#ref-for-grammardef-self-17">(16)</a> <a href="#ref-for-grammardef-self-18">(17)</a> <a href="#ref-for-grammardef-self-19">(18)</a> <a href="#ref-for-grammardef-self-20">(19)</a> <a href="#ref-for-grammardef-self-21">(20)</a> <a href="#ref-for-grammardef-self-22">(21)</a>
    <li><a href="#ref-for-grammardef-self-23">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-self-24">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-inline">
   <b><a href="#grammardef-unsafe-inline">#grammardef-unsafe-inline</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-inline-1">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-grammardef-unsafe-inline-2">7.1. Nonce Reuse</a> <a href="#ref-for-grammardef-unsafe-inline-3">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-inline-4">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-eval">
   <b><a href="#grammardef-unsafe-eval">#grammardef-unsafe-eval</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-eval-1">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-strict-dynamic">
   <b><a href="#grammardef-strict-dynamic">#grammardef-strict-dynamic</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-strict-dynamic-1">6.1.10.1. Algorithms</a> <a href="#ref-for-grammardef-strict-dynamic-2">(2)</a> <a href="#ref-for-grammardef-strict-dynamic-3">(3)</a> <a href="#ref-for-grammardef-strict-dynamic-4">(4)</a> <a href="#ref-for-grammardef-strict-dynamic-5">(5)</a> <a href="#ref-for-grammardef-strict-dynamic-6">(6)</a>
    <li><a href="#ref-for-grammardef-strict-dynamic-7">8.2. 
    Usage of "'strict-dynamic'" </a> <a href="#ref-for-grammardef-strict-dynamic-8">(2)</a> <a href="#ref-for-grammardef-strict-dynamic-9">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-hashed-attributes">
   <b><a href="#grammardef-unsafe-hashed-attributes">#grammardef-unsafe-hashed-attributes</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-hashed-attributes-1">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-grammardef-unsafe-hashed-attributes-2">6.1.14.1. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-unsafe-hashed-attributes-3">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-hashed-attributes-4">8.3. 
    Usage of "'unsafe-hashed-attributes'" </a> <a href="#ref-for-grammardef-unsafe-hashed-attributes-5">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-nonce-source">
   <b><a href="#grammardef-nonce-source">#grammardef-nonce-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-nonce-source-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-nonce-source-2">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-nonce-source-3">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-nonce-source-4">6.1.13.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-grammardef-nonce-source-5">6.1.14.1. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-nonce-source-6">(2)</a> <a href="#ref-for-grammardef-nonce-source-7">(3)</a>
    <li><a href="#ref-for-grammardef-nonce-source-8">7.1. Nonce Reuse</a>
    <li><a href="#ref-for-grammardef-nonce-source-9">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-base64-value">
   <b><a href="#grammardef-base64-value">#grammardef-base64-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-base64-value-1">2.2.1. Source Lists</a> <a href="#ref-for-grammardef-base64-value-2">(2)</a>
    <li><a href="#ref-for-grammardef-base64-value-3">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-grammardef-base64-value-4">6.1.13.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-grammardef-base64-value-5">6.1.14.1. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-base64-value-6">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-hash-source">
   <b><a href="#grammardef-hash-source">#grammardef-hash-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-hash-source-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-hash-source-2">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-hash-source-3">6.1.10.1. Algorithms</a> <a href="#ref-for-grammardef-hash-source-4">(2)</a>
    <li><a href="#ref-for-grammardef-hash-source-5">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-hash-source-6">6.1.14.1. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-hash-source-7">(2)</a> <a href="#ref-for-grammardef-hash-source-8">(3)</a>
    <li><a href="#ref-for-grammardef-hash-source-9">8.2. 
    Usage of "'strict-dynamic'" </a>
    <li><a href="#ref-for-grammardef-hash-source-10">8.4. 
    Whitelisting external JavaScript with hashes </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-hash-algorithm">
   <b><a href="#grammardef-hash-algorithm">#grammardef-hash-algorithm</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-hash-algorithm-1">2.2.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-hash-algorithm-2">6.1.10.1. Algorithms</a>
    <li><a href="#ref-for-grammardef-hash-algorithm-3">6.1.14.1. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-hash-algorithm-4">(2)</a> <a href="#ref-for-grammardef-hash-algorithm-5">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation">
   <b><a href="#violation">#violation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-1">2.3. Violations</a> <a href="#ref-for-violation-2">(2)</a> <a href="#ref-for-violation-3">(3)</a> <a href="#ref-for-violation-4">(4)</a> <a href="#ref-for-violation-5">(5)</a> <a href="#ref-for-violation-6">(6)</a> <a href="#ref-for-violation-7">(7)</a> <a href="#ref-for-violation-8">(8)</a> <a href="#ref-for-violation-9">(9)</a> <a href="#ref-for-violation-10">(10)</a>
    <li><a href="#ref-for-violation-11">2.3.1. 
    Create a violation object for global, policy, and directive </a> <a href="#ref-for-violation-12">(2)</a>
    <li><a href="#ref-for-violation-13">2.3.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-violation-14">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-15">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-violation-16">6.4. 
    Reporting Directives </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-global-object">
   <b><a href="#violation-global-object">#violation-global-object</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-global-object-1">2.3. Violations</a>
    <li><a href="#ref-for-violation-global-object-2">2.3.1. 
    Create a violation object for global, policy, and directive </a> <a href="#ref-for-violation-global-object-3">(2)</a>
    <li><a href="#ref-for-violation-global-object-4">5.3. 
    Report a violation </a> <a href="#ref-for-violation-global-object-5">(2)</a> <a href="#ref-for-violation-global-object-6">(3)</a> <a href="#ref-for-violation-global-object-7">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-url">
   <b><a href="#violation-url">#violation-url</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-url-1">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-url-2">5.3. 
    Report a violation </a> <a href="#ref-for-violation-url-3">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-status">
   <b><a href="#violation-status">#violation-status</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-status-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-status-2">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-status-3">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-resource">
   <b><a href="#violation-resource">#violation-resource</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-resource-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-resource-2">2.3.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-violation-resource-3">4.2.3. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-violation-resource-4">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-resource-5">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-violation-resource-6">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-referrer">
   <b><a href="#violation-referrer">#violation-referrer</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-referrer-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-referrer-2">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-referrer-3">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-policy">
   <b><a href="#violation-policy">#violation-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-policy-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-policy-2">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-policy-3">5.3. 
    Report a violation </a> <a href="#ref-for-violation-policy-4">(2)</a> <a href="#ref-for-violation-policy-5">(3)</a> <a href="#ref-for-violation-policy-6">(4)</a> <a href="#ref-for-violation-policy-7">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-effective-directive">
   <b><a href="#violation-effective-directive">#violation-effective-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-effective-directive-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-effective-directive-2">5.2. 
    Obtain the deprecated serialization of violation </a> <a href="#ref-for-violation-effective-directive-3">(2)</a>
    <li><a href="#ref-for-violation-effective-directive-4">5.3. 
    Report a violation </a> <a href="#ref-for-violation-effective-directive-5">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-source-file">
   <b><a href="#violation-source-file">#violation-source-file</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-source-file-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-source-file-2">5.2. 
    Obtain the deprecated serialization of violation </a> <a href="#ref-for-violation-source-file-3">(2)</a>
    <li><a href="#ref-for-violation-source-file-4">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-line-number">
   <b><a href="#violation-line-number">#violation-line-number</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-line-number-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-line-number-2">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-line-number-3">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-column-number">
   <b><a href="#violation-column-number">#violation-column-number</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-column-number-1">2.3.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-column-number-2">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-column-number-3">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="header-content-security-policy">
   <b><a href="#header-content-security-policy">#header-content-security-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-header-content-security-policy-1">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-header-content-security-policy-2">6.1.3. default-src</a> <a href="#ref-for-header-content-security-policy-3">(2)</a> <a href="#ref-for-header-content-security-policy-4">(3)</a> <a href="#ref-for-header-content-security-policy-5">(4)</a>
    <li><a href="#ref-for-header-content-security-policy-6">6.4.1. report-uri</a>
    <li><a href="#ref-for-header-content-security-policy-7">8.2. 
    Usage of "'strict-dynamic'" </a>
    <li><a href="#ref-for-header-content-security-policy-8">8.3. 
    Usage of "'unsafe-hashed-attributes'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="header-content-security-policy-report-only">
   <b><a href="#header-content-security-policy-report-only">#header-content-security-policy-report-only</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-header-content-security-policy-report-only-1">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a> <a href="#ref-for-header-content-security-policy-report-only-2">(2)</a>
    <li><a href="#ref-for-header-content-security-policy-report-only-3">3.3. 
    The &lt;meta> element </a>
    <li><a href="#ref-for-header-content-security-policy-report-only-4">6.2.3. sandbox</a>
    <li><a href="#ref-for-header-content-security-policy-report-only-5">6.2.4. disown-opener</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="global-object-csp-list">
   <b><a href="#global-object-csp-list">#global-object-csp-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-global-object-csp-list-1">4.1.2. 
    Report Content Security Policy violations for request </a>
    <li><a href="#ref-for-global-object-csp-list-2">4.1.3. 
    Should request be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list-3">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list-4">4.2. 
    Integration with HTML </a>
    <li><a href="#ref-for-global-object-csp-list-5">4.2.2. 
    Initialize a global object’s CSP list </a> <a href="#ref-for-global-object-csp-list-6">(2)</a> <a href="#ref-for-global-object-csp-list-7">(3)</a> <a href="#ref-for-global-object-csp-list-8">(4)</a>
    <li><a href="#ref-for-global-object-csp-list-9">4.2.3. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list-10">4.3. Integration with ECMAScript</a>
    <li><a href="#ref-for-global-object-csp-list-11">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm) </a>
    <li><a href="#ref-for-global-object-csp-list-12">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enforced">
   <b><a href="#enforced">#enforced</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enforced-1">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-enforced-2">4.2. 
    Integration with HTML </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="monitored">
   <b><a href="#monitored">#monitored</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-monitored-1">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="embedding-document">
   <b><a href="#embedding-document">#embedding-document</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-embedding-document-1">4.2.1. 
    Initialize a Document's CSP list </a> <a href="#ref-for-embedding-document-2">(2)</a>
    <li><a href="#ref-for-embedding-document-3">4.2.2. 
    Initialize a global object’s CSP list </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-report">
   <b><a href="#violation-report">#violation-report</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-report-1">6.4.1. report-uri</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="securitypolicyviolationevent">
   <b><a href="#securitypolicyviolationevent">#securitypolicyviolationevent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-securitypolicyviolationevent-1">5.3. 
    Report a violation </a> <a href="#ref-for-securitypolicyviolationevent-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="fetch-directives">
   <b><a href="#fetch-directives">#fetch-directives</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-fetch-directives-1">6.1.3. default-src</a> <a href="#ref-for-fetch-directives-2">(2)</a>
    <li><a href="#ref-for-fetch-directives-3">6.1.13.5. 
    Get the effective directive for request </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="child-src">
   <b><a href="#child-src">#child-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-child-src-1">6.1.1. child-src</a>
    <li><a href="#ref-for-child-src-2">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="connect-src">
   <b><a href="#connect-src">#connect-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-connect-src-1">6.1.2. connect-src</a>
    <li><a href="#ref-for-connect-src-2">6.1.3. default-src</a> <a href="#ref-for-connect-src-3">(2)</a>
    <li><a href="#ref-for-connect-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="default-src">
   <b><a href="#default-src">#default-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-src-1">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-default-src-2">6.1.3. default-src</a> <a href="#ref-for-default-src-3">(2)</a> <a href="#ref-for-default-src-4">(3)</a>
    <li><a href="#ref-for-default-src-5">8.2. 
    Usage of "'strict-dynamic'" </a>
    <li><a href="#ref-for-default-src-6">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="font-src">
   <b><a href="#font-src">#font-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-font-src-1">6.1. 
    Fetch Directives </a>
    <li><a href="#ref-for-font-src-2">6.1.3. default-src</a> <a href="#ref-for-font-src-3">(2)</a>
    <li><a href="#ref-for-font-src-4">6.1.4. font-src</a>
    <li><a href="#ref-for-font-src-5">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="frame-src">
   <b><a href="#frame-src">#frame-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-frame-src-1">6.1.3. default-src</a> <a href="#ref-for-frame-src-2">(2)</a>
    <li><a href="#ref-for-frame-src-3">6.1.5. frame-src</a>
    <li><a href="#ref-for-frame-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="img-src">
   <b><a href="#img-src">#img-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-img-src-1">6.1.3. default-src</a> <a href="#ref-for-img-src-2">(2)</a>
    <li><a href="#ref-for-img-src-3">6.1.6. img-src</a>
    <li><a href="#ref-for-img-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="manifest-src">
   <b><a href="#manifest-src">#manifest-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-manifest-src-1">6.1.3. default-src</a> <a href="#ref-for-manifest-src-2">(2)</a>
    <li><a href="#ref-for-manifest-src-3">6.1.7. manifest-src</a>
    <li><a href="#ref-for-manifest-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="media-src">
   <b><a href="#media-src">#media-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-media-src-1">6.1.3. default-src</a> <a href="#ref-for-media-src-2">(2)</a>
    <li><a href="#ref-for-media-src-3">6.1.8. media-src</a>
    <li><a href="#ref-for-media-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="object-src">
   <b><a href="#object-src">#object-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-object-src-1">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-object-src-2">6.1.3. default-src</a> <a href="#ref-for-object-src-3">(2)</a>
    <li><a href="#ref-for-object-src-4">6.1.9. object-src</a>
    <li><a href="#ref-for-object-src-5">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="script-src">
   <b><a href="#script-src">#script-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-script-src-1">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-script-src-2">6.1. 
    Fetch Directives </a>
    <li><a href="#ref-for-script-src-3">6.1.3. default-src</a> <a href="#ref-for-script-src-4">(2)</a> <a href="#ref-for-script-src-5">(3)</a>
    <li><a href="#ref-for-script-src-6">8.2. 
    Usage of "'strict-dynamic'" </a> <a href="#ref-for-script-src-7">(2)</a>
    <li><a href="#ref-for-script-src-8">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="style-src">
   <b><a href="#style-src">#style-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-style-src-1">6.1.3. default-src</a> <a href="#ref-for-style-src-2">(2)</a>
    <li><a href="#ref-for-style-src-3">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="worker-src">
   <b><a href="#worker-src">#worker-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-worker-src-1">6.1.3. default-src</a> <a href="#ref-for-worker-src-2">(2)</a>
    <li><a href="#ref-for-worker-src-3">6.1.12. worker-src</a>
    <li><a href="#ref-for-worker-src-4">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="base-uri">
   <b><a href="#base-uri">#base-uri</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-base-uri-1">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-base-uri-2">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="plugin-types">
   <b><a href="#plugin-types">#plugin-types</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-plugin-types-1">6.2.2. plugin-types</a> <a href="#ref-for-plugin-types-2">(2)</a>
    <li><a href="#ref-for-plugin-types-3">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-media-type-list">
   <b><a href="#grammardef-media-type-list">#grammardef-media-type-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-media-type-list-1">6.2.2. plugin-types</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-media-type">
   <b><a href="#grammardef-media-type">#grammardef-media-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-media-type-1">6.2.2. plugin-types</a> <a href="#ref-for-grammardef-media-type-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="sandbox">
   <b><a href="#sandbox">#sandbox</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sandbox-1">6.2.3.1. Algorithms</a>
    <li><a href="#ref-for-sandbox-2">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="disown-opener">
   <b><a href="#disown-opener">#disown-opener</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-disown-opener-1">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-disown-opener-2">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="form-action">
   <b><a href="#form-action">#form-action</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-form-action-1">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="frame-ancestors">
   <b><a href="#frame-ancestors">#frame-ancestors</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-frame-ancestors-1">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-ancestor-source-list">
   <b><a href="#grammardef-ancestor-source-list">#grammardef-ancestor-source-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-ancestor-source-list-1">6.3.2. frame-ancestors</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-ancestor-source">
   <b><a href="#grammardef-ancestor-source">#grammardef-ancestor-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-ancestor-source-1">6.3.2. frame-ancestors</a> <a href="#ref-for-grammardef-ancestor-source-2">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="report-uri">
   <b><a href="#report-uri">#report-uri</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-uri-1">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-report-uri-2">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-report-uri-3">6.4.1. report-uri</a> <a href="#ref-for-report-uri-4">(2)</a>
    <li><a href="#ref-for-report-uri-5">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="report-to">
   <b><a href="#report-to">#report-to</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-to-1">5.3. 
    Report a violation </a> <a href="#ref-for-report-to-2">(2)</a>
    <li><a href="#ref-for-report-to-3">6.4.1. report-uri</a> <a href="#ref-for-report-to-4">(2)</a>
    <li><a href="#ref-for-report-to-5">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

        document.body.addEventListener("click", function(e) {
            var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
            // Find the dfn element or panel, if any, that was clicked on.
            var el = e.target;
            var target;
            var hitALink = false;
            while(el.parentElement) {
                if(el.tagName == "A") {
                    // Clicking on a link in a <dfn> shouldn't summon the panel
                    hitALink = true;
                }
                if(el.classList.contains("dfn-paneled")) {
                    target = "dfn";
                    break;
                }
                if(el.classList.contains("dfn-panel")) {
                    target = "dfn-panel";
                    break;
                }
                el = el.parentElement;
            }
            if(target != "dfn-panel") {
                // Turn off any currently "on" or "activated" panels.
                queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
                    el.classList.remove("on");
                    el.classList.remove("activated");
                });
            }
            if(target == "dfn" && !hitALink) {
                // open the panel
                var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
                if(dfnPanel) {
                    console.log(dfnPanel);
                    dfnPanel.classList.add("on");
                    var rect = el.getBoundingClientRect();
                    dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
                    dfnPanel.style.top = window.scrollY + rect.top + "px";
                    var panelRect = dfnPanel.getBoundingClientRect();
                    var panelWidth = panelRect.right - panelRect.left;
                    if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                        // Reposition, because the panel is overflowing
                        dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
                    }
                } else {
                    console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
                }
            } else if(target == "dfn-panel") {
                // Switch it to "activated" state, which pins it.
                el.classList.add("activated");
                el.style.left = null;
                el.style.top = null;
            }

        });
        </script>