index.src.html

<h1>Content Security Policy Level 3</h1>
<pre class="metadata">
Status: ED
ED: https://w3c.github.io/webappsec-csp/
TR: https://www.w3.org/TR/CSP3/
Previous Version: https://www.w3.org/TR/2016/WD-CSP3-20160913/
Shortname: CSP3
Level: None
Editor: Mike West 56384, Google Inc., mkwst@google.com
Group: webappsec
Abstract:
  This document defines a mechanism by which web developers can control the
  resources which a particular page can fetch or execute, as well as a number
  of security-relevant policy decisions.
Indent: 2
Version History: https://github.com/w3c/webappsec-csp/commits/master/index.src.html
Boilerplate: omit conformance, omit feedback-header
!Participate: <a href="https://github.com/w3c/webappsec-csp/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-csp/issues">open issues</a>)
Markup Shorthands: css off, markdown on
At Risk: The [[#is-element-nonceable]] algorithm.
</pre>
<pre class="link-defaults">
spec:dom; type:interface; text:Document
spec:html
  type: dfn
    text: case-sensitive
    text: browsing context; for: /
    text: plugin document
  type: element
    text: a
    text: link
    text: script
    text: style
spec:fetch
  type: dfn
    text: main fetch
    text: http-network fetch
    text: http fetch
    text: keepalive flag
    text: response; for: /
spec:url
  type: dfn
    text: default port
    text: percent decode
    text: base url
  type:interface;
    text:URL
spec:cssom
  type: dfn
    text: insert a css rule
    text: parse a css declaration block
    text: parse a css rule
    text: parse a group of selectors
spec:css-cascade
  type: at-rule
    text: @import
spec:infra;
  type:dfn;
    text:string; for: /
    text:list; for: / 
    text:set; for: / 
    text:append; for: set
    text:empty; for: set
</pre>
<pre class="anchors">
spec: RFC6454; urlPrefix: https://tools.ietf.org/html/rfc6454
  type: dfn
    text: the same; url: section-5
spec: ECMA262; urlPrefix: https://tc39.github.io/ecma262
  type: dfn
    text: realm
  type: method
    text: HostEnsureCanCompileStrings(); url: sec-hostensurecancompilestrings
    text: eval(); url: sec-eval-x
    text: Function(); url: sec-function-objects
    text: JSON.stringify(); url: sec-json.stringify
spec: FETCH; urlPrefix: https://fetch.spec.whatwg.org/
  type: dfn
    for: request
      text: target browsing context; url: concept-request-target-browsing-context
spec: MIX; urlPrefix: https://www.w3.org/TR/mixed-content/
  type: dfn; text: block-all-mixed-content
spec: MIMESNIFF; urlPrefix: https://mimesniff.spec.whatwg.org/
  type: dfn; text: valid MIME type
spec: RFC2045; urlPrefix: https://tools.ietf.org/html/rfc2045
  type: grammar
    text: type; url: section-5.1
    text: subtype; url: section-5.1
spec: RFC3986; urlPrefix: https://tools.ietf.org/html/rfc3986
  type: grammar
    text: path-abempty; url: section-3.3
    text: scheme; url: section-3.1
    text: IPv4address; url: section-3.2.2
    text: uri-reference; url: section-4.1
spec: RFC4648; urlPrefix: https://tools.ietf.org/html/rfc4648
  type: dfn
    text: base64 encoding; url: section-4
spec: RFC5234; urlPrefix: https://tools.ietf.org/html/rfc5234
  type: grammar
    text: ALPHA; url: appendix-B.1
    text: DIGIT; url: appendix-B.1
    text: VCHAR; url: appendix-B.1
    text: WSP; url: appendix-B.1
spec: RFC5890; urlPrefix: https://tools.ietf.org/html/rfc5890
  type: dfn
    text: label; url: section-2.2
spec: RFC7230; urlPrefix: https://tools.ietf.org/html/rfc7230
  type: grammar
    text: BWS; url: section-3.2.3
    text: OWS; url: section-3.2.3
    text: RWS; url: section-3.2.3
    text: quoted-string; url: section-3.2.6
    text: token; url: section-3.2.6
spec: RFC7231; urlPrefix: https://tools.ietf.org/html/rfc7231
  type: dfn
    url: section-3
      text: resource representation
      text: representation

spec: REPORTING; urlPrefix: https://w3c.github.io/reporting/
  type: dfn
    text: group
    text: queue report; url: queue-report

spec: SHA2; urlPrefix: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
  type: dfn
    text: SHA-256; url: #
    text: SHA-384; url: #
    text: SHA-512; url: #
</pre>
<pre class="biblio">
{
  "HTML-DESIGN": {
    "authors": [ "Anne Van Kesteren", "Maciej Stachowiak" ],
    "href": "https://www.w3.org/TR/html-design-principles/",
    "title": "HTML Design Principles",
    "publisher": "W3C"
  },
  "ECMA262": {
    "authors": [ "Brian Terlson", "Allen Wirfs-Brock" ],
    "href": "https://tc39.github.io/ecma262/",
    "title": "ECMAScript® Language Specification",
    "publisher": "ECMA"
  },
  "SHA2": {
    "href": "http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf",
    "title": "FIPS PUB 180-4, Secure Hash Standard"
  },
  "REPORTING": {
    "href": "https://wicg.github.io/reporting/",
    "title": "Reporting API",
    "authors": [ "Ilya Gregorik", "Mike West" ]
  },
  "TIMING": {
      "href": "http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf",
      "title": "Pixel Perfect Timing Attacks with HTML5",
      "authors": [ "Paul Stone" ],
      "publisher": "Context Information Security"
  },
  "H5SC3": {
      "href": "https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22",
      "title": "H5SC Minichallenge 3: \"Sh*t, it's CSP!\"",
      "authors": [ "Mario Heiderich" ],
      "publisher": "Cure53"
  },
  "CSS-ABUSE": {
      "href": "https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html",
      "title": "Generic cross-browser cross-domain theft",
      "authors": [ "Chris Evans" ],
      "date": "28 December 2009"
  },
  "FILEDESCRIPTOR-2015": {
      "href": "https://blog.innerht.ml/csp-2015/#danglingmarkupinjection",
      "title": "CSP 2015",
      "authors": [ "filedescriptor" ],
      "date": "23 November 2015"
  }
}
</pre>
<style>
  ul.toc ul ul ul {
    margin: 0 0 0 2em;
  }
  ul.toc ul ul ul span.secno {
    margin-left: -9em;
  }

  a[href^="http:"]:after {
    color: red;
    content: "🔓";
  }

  .wip {
    margin: 1em auto;

    background: #FCFAEE;
    border: 0.5em;
    border-left-style: solid;
    border-color: #E0CB52;
    padding: 0.5em;
  }

  .wip::before {
    content: "Work In Progress: ";
    display: block;
    color: #827017;
  }

</style>
<!--
████ ██    ██ ████████ ████████   ███████
 ██  ███   ██    ██    ██     ██ ██     ██
 ██  ████  ██    ██    ██     ██ ██     ██
 ██  ██ ██ ██    ██    ████████  ██     ██
 ██  ██  ████    ██    ██   ██   ██     ██
 ██  ██   ███    ██    ██    ██  ██     ██
████ ██    ██    ██    ██     ██  ███████
-->
<section>
  <h2 id="intro">Introduction</h2>

  <em>This section is not normative.</em>

  This document defines <dfn export>Content Security Policy</dfn> (CSP), a tool
  which developers can use to lock down their applications in various ways,
  mitigating the risk of content injection vulnerabilities such as cross-site scripting, and
  reducing the privilege with which their applications execute.

  CSP is not intended as a first line of defense against content injection
  vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces
  the harm that a malicious injection can cause, but it is not a replacement for
  careful input validation and output encoding.

  This document is an iteration on Content Security Policy Level 2, with the
  goal of more clearly explaining the interactions between CSP, HTML, and Fetch
  on the one hand, and providing clear hooks for modular extensibility on the
  other. Ideally, this will form a stable core upon which we can build new
  functionality.

  <h3 id="examples">Examples</h3>

  <h4 id="example-basic">Control Execution</h4>

  <div class="example">
    MegaCorp Inc's developers want to protect themselves against cross-site
    scripting attacks. They can mitigate the risk of script injection by
    ensuring that their trusted CDN is the only origin from which script can
    load and execute. Moreover, they wish to ensure that no plugins can
    execute in their pages' contexts. The following policy has that effect:

    <pre>
      Content-Security-Policy: script-src https://cdn.example.com/scripts/; object-src 'none'
    </pre>
  </div>

  <h3 id="goals">Goals</h3>

  Content Security Policy aims to do to a few related things:

  1.  Mitigate the risk of content-injection attacks by giving developers
      fairly granular control over

      *   The resources which can be requested (and subsequently embedded or
          executed) on behalf of a specific {{Document}} or {{Worker}}

      *   The execution of inline script

      *   Dynamic code execution (via {{eval()}} and similar constructs)

      *   The application of inline style

  2.  Mitigate the risk of attacks which require a resource to be embedded
      in a malicious context (the "Pixel Perfect" attack described in
      [[TIMING]], for example) by giving developers granular control over the
      origins which can embed a given resource.

  3.  Provide a policy framework which allows developers to reduce the privilege
      of their applications.

  4.  Provide a reporting mechanism which allows developers to detect flaws
      being exploited in the wild.

  <h3 id="changes-from-level-2">Changes from Level 2</h3>

  This document describes an evolution of the Content Security Policy Level 2
  specification [[CSP2]]. The following is a high-level overview of the changes:

  1.  The specification has been rewritten from the ground up in terms of the
      [[FETCH]] specification, which should make it simpler to integrate CSP's
      requirements and restrictions with other specifications (and with
      Service Workers in particular).

  2.  The `child-src` model has been substantially altered:

      1. The `frame-src` directive, which was deprecated in CSP Level
         2, has been undeprecated, but continues to defer to `child-src` if
         not present (which defers to `default-src` in turn).

      2. A `worker-src` directive has been added, deferring to `script-src`
         if not present (which likewise defers to `default-src` in turn).

      3. `child-src` is now deprecated.

      4. Dedicated workers now always inherit their creator's policy.

      ISSUE(w3c/webappsec-csp#146): This still might not be the right model.

  3.  The URL matching algorithm now treats insecure schemes and ports as
      matching their secure variants. That is, the source expression
      `http://example.com:80` will match both `http://example.com:80` and
      `https://example.com:443`.

      Likewise, `'self'` now matches `https:` and `wss:` variants of the page's
      origin, even on pages whose scheme is `http`.

  4.  Violation reports generated from inline script or style will now report
      "`inline`" as the blocked resource. Likewise, blocked `eval()` execution
      will report "`eval`" as the blocked resource.

  5.  The `manifest-src` directive has been added.

  6.  The `report-uri` directive is deprecated in favor of the new `report-to`
      directive, which relies on [[REPORTING]] as infrastructure.

  7.  The `'strict-dynamic'` source expression will now allow script which
      executes on a page to load more script via non-<a>"parser-inserted"</a>
      <{script}> elements. Details are in [[#strict-dynamic-usage]].

  8.  <div class="wip">
        The `'unsafe-hashed-attributes'` source expression will now allow event
        handlers and style attributes to match hash source expressions. Details
        in [[#unsafe-hashed-attributes-usage]].

        ISSUE(w3c/webappsec-csp#13): `unsafe-hashed-attributes` is a work in progress.
      </div>

  9.  The <a>source expression</a> matching has been changed to require explicit presence
      of any non-<a>network scheme</a>, rather than <a>local scheme</a>,
      unless that non-<a>network scheme</a> is the same as the scheme of protected resource,
      as described in [[#match-url-to-source-expression]].

  10. Hash-based source expressions may now match external scripts if the
      <{script}> element that triggers the request specifies a set of integrity
      metadata which is listed in the current policy. Details in
      [[#external-hash]].

  11. The <a>`disown-opener`</a> directive ensures that a resource can't be opened
      in such a way as to give another browsing context control over its contents.

  12. The <a>`navigation-to`</a> directive gives a resource control over the endpoints
      to which it can initiate navigation.
</section>

<!-- Big Text: Framework -->
<section>
  <h2 id="framework">Framework</h2>

  <h3 id="framework-policy">Policies</h3>

  A <dfn export lt="content security policy object" local-lt="policy">policy</dfn> defines allowed
  and restricted behaviors, and may be applied to a {{Window}} or {{WorkerGlobalScope}} as described
  in [[#initialize-global-object-csp]].

  Each policy has an associated <dfn for="policy" export>directive set</dfn>, which is an <a>ordered
  set</a> of <a>directives</a> that define the policy's implications when applied.

  Each policy has an associated <dfn for="policy" export>disposition</dfn>, which is either
  "`enforce`" or "`report`".

  A <dfn export>serialized CSP</dfn> is an <a>ASCII string</a> consisting of a semicolon-delimited
  series of <a>serialized directives</a>, adhering to the following ABNF grammar [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-policy</dfn> = <a>serialized-directive</a> *( <a>OWS</a> ";" [ <a>OWS</a> <a>serialized-directive</a> ] )
                        ; <a>OWS</a> is defined in section 3.2.3 of RFC 7230
  </pre>

  <h4 id="parse-serialized-policy" dfn lt="parse a serialized CSP" algorithm>
    Parse a |serialized CSP| as |disposition|
  </h4>

  Given a <a>serialized CSP</a> (|serialized CSP|), and a
  <a for="policy">disposition</a> (|disposition|), this algorithm will return a
  <a for="/">policy</a> object. If the string cannot be parsed, the resulting
  <a for="/">policy</a>'s <a>directive set</a> will be empty.

  1.  Let |policy| be a new <a for="/">policy</a> with an empty
      <a for="policy">directive set</a>, and a <a for="policy">disposition</a>
      of |disposition|.

  2.  For each |token| returned by
      <a lt="strictly split a string">strictly splitting</a> |serialized
      CSP| on the U+003B SEMICOLON character (`;`):

      1.  <a>Strip leading and trailing whitespace</a> from |token|.

      2.  If |token| is an empty string, skip the remaining substeps
          and continue to the next item.

      3.  Let |directive name| be the result of
          <a lt="collect a sequence of characters">collecting a sequence of
          characters</a> from |token| which are not <a>space
          characters</a>.

      4.  If |policy|'s <a>directive set</a> contains a
          <a>directive</a> whose <a for="directive">name</a> is |directive
          name|, <a for="iteration">continue</a>.

          The user agent SHOULD notify developers that a directive was ignored.
          A console warning might be appropriate, for example.

      5.  Let |directive value| be the result of
          <a lt="split a string on spaces">splitting |token| on
          spaces</a>.

      6.  Let |directive| be a new <a>directive</a> whose
          <a for="directive">name</a> is |directive name|, and
          <a for="directive">value</a> is |directive value|.

      7.  <a for="set">Append</a> |directive| to |policy|'s <a>directive set</a>.

  3.  Return |policy|.

  <h4 id="parse-serialized-policy-list" algorithm>
    Parse a serialized CSP |list| as |disposition|
  </h4>

  Given a <a>string</a> which contains a comma-delimited series of <a>serialized CSP</a> strings
  (|list|) and a <a for="policy">disposition</a> (|disposition|), the following algorithm will
  return a <a>list</a> of <a for="/">policy</a> objects:

  1.  Let |policies| be an empty <a>list</a>.

  2.  For each |token| returned by
      <a lt="split a string on commas">splitting |list| on commas</a>:

      1.  Let |policy| be the result of executing
          [[#parse-serialized-policy]] on |token| with |disposition|.

      2.  If |policy|'s <a>directive set</a> is empty, skip the
          remaining substeps, and continue to the next item.

      3.  <a for="list">Append</a> |policy| to |policies|.

  3.  Return |policies|.

  <h3 id="framework-directives">Directives</h3>

  Each <a for="/">policy</a> contains an <a>ordered set</a> of <dfn export>directives</dfn> (its
  <a for="policy">directive set</a>), each of which controls a specific behavior. The directives
  defined in this document are described in detail in [[#csp-directives]].

  Each <a>directive</a> is a <dfn for="directive" export>name</dfn> /
  <dfn for="directive" export>value</dfn> pair. The <a for="directive">name</a> is a
  non-empty <a>string</a>, and the <a>value</a> is a <a>set</a> of non-empty <a>strings</a>. The
  <a>value</a> MAY be <a for="list" lt="is empty">empty</a>.

  A <dfn export>serialized directive</dfn> is an <a>ASCII string</a>, consisting of one or more
  whitespace-delimited tokens, and adhering to the following ABNF [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-directive</dfn> = <a>directive-name</a> [ <a>RWS</a> <a>directive-value</a> ]
    <dfn>directive-name</dfn>       = 1*( <a>ALPHA</a> / <a>DIGIT</a> / "-" )
    <dfn>directive-value</dfn>      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
                           ; Directive values may contain whitespace and <a>VCHAR</a> characters,
                           ; excluding ";" and ","

    ; <a>RWS</a> is defined in section 3.2.3 of RFC7230. <a>ALPHA</a>, <a>DIGIT</a>, and
    ; <a>VCHAR</a> are defined in Appendix B.1 of RFC 5234.
  </pre>

  <a>Directives</a> have a number of associated algorithms:

  1.  A <dfn for="directive" export>pre-request check</dfn>, which takes a
      <a for="/">request</a> and a <a for="/">policy</a> as an argument, and is executed
      during [[#should-block-request]]. This algorithm returns "`Allowed`" unless
      otherwise specified.

  2.  A <dfn for="directive" export>post-request check</dfn>, which takes a
      <a for="/">request</a>, a <a>response</a>, and a <a for="/">policy</a> as arguments,
      and is executed during [[#should-block-response]]. This algorithm returns
      "`Allowed`" unless otherwise specified.

  3.  A <dfn for="directive" export>response check</dfn>, which takes a
      <a for="/">request</a>, a <a>response</a>, and a <a for="/">policy</a> as arguments,
      and is executed during [[#should-block-response]]. This algorithm returns
      "`Allowed`" unless otherwise specified.

  4.  An <dfn for="directive" export>inline check</dfn>, which takes an {{Element}} a
      type string, and a soure string as arguments, and is executed during
      [[#should-block-inline]]. This algorithm returns "`Allowed`" unless
      otherwise specified.

  5.  An <dfn for="directive" export>initialization</dfn>, which takes a {{Document}}
      or <a for="/">global object</a>, a <a>response</a>, and a <a for="/">policy</a>
      as arguments. This algorithm is executed during [[#initialize-document-csp]],
      and has no effect unless otherwise specified.

  6.  A <dfn for="directive" export>pre-navigation check</dfn>, which takes a
      <a for="/">request</a>, type string, and two <a>browsing contexts</a> as arguments, and
      is executed during [[#should-block-navigation-request]]. It returns
      "`Allowed`" unless otherwise specified.

  7.  A <dfn for="directive" export>navigation response check</dfn>, which takes a
      <a for="/">request</a>, a <a>response</a> and two <a>browsing contexts</a> as
      arguments, and is executed during [[#should-block-navigation-response]].
      It returns "`Allowed`" unless otherwise specified.

  <h4 id="framework-directive-source-list">Source Lists</h4>

  Many <a>directives</a>' <a>values</a> consist of <dfn export>source lists</dfn>: <a>sets</a>
  of <a>strings</a> which identify content that can be fetched and potentially embedded or
  executed. Each <a>string</a> represents one of the following types of <dfn export>source
  expression</dfn>:

  1.  Keywords such as <a grammar>`'none'`</a> and
      <a grammar>`'self'`</a> (which match nothing and the current
      URL's origin, respectively)

  2.  Serialized URLs such as `https://example.com/path/to/file.js`
      (which matches a specific file) or `https://example.com/`
      (which matches everything on that origin)

  3.  Schemes such as `https:` (which matches any resource having
      the specified scheme)

  4.  Hosts such as `example.com` (which matches any resource on
      the host, regardless of scheme) or `*.example.com` (which
      matches any resource on the host or any of its subdomains (and any of
      its subdomains' subdomains, and so on))

  5.  Nonces such as `'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA'` (which can match
      specific elements on a page)

  6.  Digests such as `'sha256-abcd...'` (which can match specific
      elements on a page)

  A <dfn export>serialized source list</dfn> is an <a>ASCII string</a>, consisting of a
  whitespace-delimited series of <a>source expressions</a>, adhering to the following ABNF grammar
  [[!RFC5234]]:

  <pre dfn-type="grammar" link-type="grammar">
    <dfn>serialized-source-list</dfn> = ( <a>source-expression</a> *( <a>RWS</a> <a>source-expression</a> ) ) / "<dfn>'none'</dfn>"
    <dfn>source-expression</dfn>      = <a>scheme-source</a> / <a>host-source</a> / <a>keyword-source</a>
                             / <a>nonce-source</a> / <a>hash-source</a>

    ; Schemes: "https:" / "custom-scheme:" / "another.custom-scheme:"
    <dfn>scheme-source</dfn> = <a>scheme-part</a> ":"

    ; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
    <dfn>host-source</dfn> = [ <a>scheme-part</a> "://" ] <a>host-part</a> [ ":" <a>port-part</a> ] [ <a>path-part</a> ]
    <dfn>scheme-part</dfn> = <a>scheme</a>
                  ; <a>scheme</a> is defined in section 3.1 of RFC 3986.
    <dfn>host-part</dfn>   = "*" / [ "*." ] 1*<a>host-char</a> *( "." 1*<a>host-char</a> )
    <dfn>host-char</dfn>   = <a>ALPHA</a> / <a>DIGIT</a> / "-"
    <dfn>port-part</dfn>   = 1*<a>DIGIT</a> / "*"
    <dfn>path-part</dfn>   = <a>path-abempty</a>
                  ; <a>path-abempty</a> is defined in section 3.3 of RFC 3986.

    ; Keywords:
    <dfn>keyword-source</dfn> = "<dfn>'self'</dfn>" / "<dfn>'unsafe-inline'</dfn>" / "<dfn>'unsafe-eval'</dfn>" / "<dfn>'strict-dynamic'</dfn>" / "<dfn>'unsafe-hashed-attributes'</dfn>"

    ; Nonces: 'nonce-[nonce goes here]'
    <dfn>nonce-source</dfn>  = "'nonce-" <a>base64-value</a> "'"
    <dfn>base64-value</dfn>  = 1*( <a>ALPHA</a> / <a>DIGIT</a> / "+" / "/" / "-" / "_" )*2( "=" )

    ; Digests: 'sha256-[digest goes here]'
    <dfn>hash-source</dfn>    = "'" <a>hash-algorithm</a> "-" <a>base64-value</a> "'"
    <dfn>hash-algorithm</dfn> = "sha256" / "sha384" / "sha512"
  </pre>

  The <a grammar>host-char</a> production intentionally contains only ASCII
  characters; internationalized domain names cannot be entered directly as part
  of a <a>serialized CSP</a>, but instead MUST be Punycode-encoded
  [[!RFC3492]]. For example, the domain `üüüüüü.de` MUST be represented as
  `xn--tdaaaaaa.de`.

  Note: Though IP address do match the grammar above, only
  `127.0.0.1` will actually match a URL when used in a source
  expression (see [[#match-url-to-source-list]] for details). The security
  properties of IP addresses are suspect, and authors ought to prefer hostnames
  whenever possible.

  <h3 id="framework-violation">Violations</h3>

  A <dfn export>violation</dfn> represents an action or resource which goes against the
  set of <a for="/">policy</a> objects associated with a <a for="/">global object</a>.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-global-object" export>global object</dfn>, which
  is the <a for="/">global object</a> whose <a for="/">policy</a> has been violated.

  Each <a>violation</a> has a <dfn for="violation" id="violation-url" export>url</dfn>
  which is its <a for="violation">global object</a>'s {{URL}}.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-status" export>status</dfn> which is a
  non-negative integer representing the HTTP status code of the resource for
  which the global object was instantiated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-resource" export>resource</dfn>, which is
  either `null`, "`inline`", "`eval`", or a {{URL}}. It represents the resource
  which violated the policy.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-referrer" export>referrer</dfn>, which is either
  `null`, or a {{URL}}. It represents the referrer of the resource whose policy
  was violated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-policy" export>policy</dfn>, which is the
  <a for="/">policy</a> that has been violated.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-disposition" export>disposition</dfn>, which is the
  <a for="policy">disposition</a> of the <a for="/">policy</a> that has been violated.

  Each <a>violation</a> has an
  <dfn for="violation" id="violation-effective-directive" export>effective directive</dfn>
  which is a non-empty string representing the <a>directive</a> whose
  enforcement caused the violation.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-source-file" export>source file</dfn>, which is
  either `null` or a {{URL}}.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-line-number" export>line number</dfn>, which is
  a non-negative integer.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-column-number" export>column number</dfn>, which
  is a non-negative integer.

  Each <a>violation</a> has a
  <dfn for="violation" id="violation-element" export>element</dfn>, which is either
  `null` or an element.

  <h4 id="create-violation-for-global" algorithm>
    Create a violation object for |global|, |policy|, and |directive|
  </h4>

  Given a <a for="/">global object</a> (|global|), a <a for="/">policy</a> (|policy|), and a
  <a>string</a> (|directive|), the following algorithm creates a new <a>violation</a>
  object, and populates it with an initial set of data:

  1.  Let |violation| be a new <a>violation</a> whose <a for="violation">global
      object</a> is |global|, <a for="violation">policy</a> is |policy|,
      <a for="violation">effective directive</a> is |directive|, and
      <a for="violation">resource</a> is `null`.

  2.  If the user agent is currently executing script, and can extract a source
      file's URL, line number, and column number from the |global|, set
      |violation|'s <a for="violation">source file</a>, <a for="violation">line
      number</a>, and <a for="violation">column number</a> accordingly.

      ISSUE: Is this kind of thing specified anywhere? I didn't see anything
      that looked useful in [[ECMA262]].

  3.  If |global| is a {{Window}} object, set |violation|'s
      <a for="violation">referrer</a> to |global|'s {{Window/document}}'s
      {{Document/referrer}}.

  4.  Set |violation|'s <a for="violation">status</a> to the HTTP status code
      for the resource associated with |violation|'s <a for="violation">global
      object</a>.

      ISSUE: How, exactly, do we get the status code? We don't actually store it
      anywhere.

  5.  Return |violation|.

  <h4 id="create-violation-for-request" algorithm>
    Create a violation object for |request|, |policy|, and |directive|
  </h4>

  Given a <a for="/">request</a> (|request|), a <a for="/">policy</a> (|policy|), and a string
  (|directive|), the following algorithm creates a new <a>violation</a> object,
  and populates it with an initial set of data:

  1.  Let |violation| be the result of executing
      [[#create-violation-for-global]] on |request|'s
      <a for="request">client</a>'s <a for="environment settings object">global object</a>,
      |policy|, and |directive|.

  2.  Set |violation|'s <a for="violation">resource</a> to |request|'s
      <a for="request">url</a>.

      Note: We use |request|'s <a for="request">url</a>, and <em>not</em> its
      <a for="request">current url</a>, as the latter might contain information
      about redirect targets to which the page MUST NOT be given access.

  3.  Return |violation|.
</section>

<!-- Big Text: Delivery -->
<section>
  <h2 id="policy-delivery">
    Policy Delivery
  </h2>

  A server MAY declare a <a for="/">policy</a> for a particular <a>resource
  representation</a> via an HTTP response header field whose value is a
  <a>serialized CSP</a>. This mechanism is defined in detail in
  [[#csp-header]] and [[#cspro-header]], and the integration with Fetch
  and HTML is described in [[#fetch-integration]] and [[#html-integration]].

  A <a for="/">policy</a> may also be declared inline in an HTML document via a
  <{meta}> element's <{meta/http-equiv}> attribute, as described in
  [[#meta-element]].

  <h3 id="csp-header">
    The `Content-Security-Policy` HTTP Response Header Field
  </h3>

  The <dfn export id="header-content-security-policy" http-header>`Content-Security-Policy`</dfn>
  HTTP response header field is the preferred mechanism for delivering a policy from a server to a
  client. The header's value is represented by the following ABNF [[!RFC5234]]:

  <pre>
    Content-Security-Policy = 1#<a grammar>serialized-policy</a>
  </pre>

  <div class="example">
    <pre>
      <a http-header>Content-Security-Policy</a>: script-src 'self';
                               report-to csp-reporting-endpoint
    </pre>
  </div>

  A server MAY send different `Content-Security-Policy` header field
  values with different <a>representations</a> of the same resource.

  A server SHOULD NOT send more than one HTTP response header field named
  "`Content-Security-Policy`" with a given <a>resource
  representation</a>.

  When the user agent receives a `Content-Security-Policy` header field, it
  MUST <a lt="parse a serialized CSP">parse</a> and <a>enforce</a> each
  <a>serialized CSP</a> it contains as described in [[#fetch-integration]],
  [[#html-integration]].

  <h3 id="cspro-header">
    The `Content-Security-Policy-Report-Only` HTTP Response Header Field
  </h3>

  The <dfn export id="header-content-security-policy-report-only" http-header>`Content-Security-Policy-Report-Only`</dfn>
  HTTP response header field allows web developers to experiment with policies by monitoring (but
  not enforcing) their effects. The header's value is represented by the following ABNF
  [[!RFC5234]]:

  <pre>
    Content-Security-Policy-Report-Only = 1#<a grammar>serialized-policy</a>
  </pre>

  This header field allows developers to piece together their security policy in
  an iterative fashion, deploying a report-only policy based on their best
  estimate of how their site behaves, watching for violation reports, and then
  moving to an enforced policy once they've gained confidence in that behavior.

  <div class="example">
    <pre>
      <a http-header>Content-Security-Policy-Report-Only</a>: script-src 'self';
                                           report-to csp-reporting-endpoint
    </pre>
  </div>

  A server MAY send different `Content-Security-Policy-Report-Only`
  header field values with different <a>representations</a> of the same
  resource.

  A server SHOULD NOT send more than one HTTP response header field named
  "`Content-Security-Policy-Report-Only`" with a given <a>resource
  representation</a>.

  When the user agent receives a `Content-Security-Policy-Report-Only` header
  field, it MUST <a lt="parse a serialized CSP">parse</a> and <a>monitor</a>
  each <a>serialized CSP</a> it contains as described in
  [[#fetch-integration]] and [[#html-integration]].

  Note: The <a http-header>`Content-Security-Policy-Report-Only`</a> header is
  <strong>not</strong> supported inside a <{meta}> element.

  <h3 id="meta-element">
    The `<meta>` element
  </h3>

  A {{Document}} may deliver a policy via one or more HTML <{meta}> elements
  whose <{meta/http-equiv}> attributes are an <a>ASCII case-insensitive</a>
  match for the string "`Content-Security-Policy`". For example:

  <div class="example">
    <pre highlight="html">
      &lt;meta http-equiv="Content-Security-Policy" content="script-src 'self'"&gt;
    </pre>
  </div>

  Implementation details can be found in HTML's <a>Content Security Policy
  state</a> `http-equiv` processing instructions [[!HTML]].

  Note: The <a http-header>`Content-Security-Policy-Report-Only`</a> header is <em>not</em>
  supported inside a <{meta}> element. Neither are the `report-uri`,
  `frame-ancestors`, and `sandbox` directives.

  Authors are <em>strongly encouraged</em> to place <{meta}> elements as early
  in the document as possible, because policies in <{meta}> elements are not
  applied to content which precedes them. In particular, note that resources
  fetched or prefetched using the `Link` HTTP response header
  field, and resources fetched or prefetched using <{link}> and <{script}>
  elements which precede a <{meta}>-delivered policy will not be blocked.

  Note: A policy specified via a <{meta}> element will be enforced along with
  any other policies active for the protected resource, regardless
  of where they're specified. The general impact of enforcing multiple
  policies is described in [[#multiple-policies]].

  Note: Modifications to the <{meta/content}> attribute of a <{meta}> element
  after the element has been parsed will be ignored.
</section>

<!-- Big Text: Integration -->
<section>
  <h2 id="integrations">Integrations</h2>

  <em>This section is non-normative.</em>

  This document defines a set of algorithms which are used in other
  specifications in order to implement the functionality. These
  integrations are outlined here for clarity, but those external
  documents are the normative references which ought to be consulted for
  detailed information.

  <h3 id="fetch-integration">
    Integration with Fetch
  </h3>

  A number of <a>directives</a> control resource loading in one way or
  another. This specification provides algorithms which allow Fetch to make
  decisions about whether or not a particular <a for="/">request</a> should be blocked
  or allowed, and about whether a particular <a>response</a> should be replaced
  with a <a>network error</a>.

  1.  [[#should-block-request]] is called as part of step #5 of its <a>Main
      Fetch</a> algorithm. This allows directives' <a>pre-request checks</a>
      to be executed against each <a for="/">request</a> before it hits the network,
      and against each redirect that a <a for="/">request</a> might go through on its
      way to reaching a resource.

  2.  [[#should-block-response]] is called as part of step #13 of its <a>Main
      Fetch</a> algorithm. This allows directives' <a>post-request checks</a>
      and <a>response checks</a> to be executed on the <a>response</a> delivered
      from the network or from a Service Worker.

  A <a for="/">policy</a> is generally enforced upon a <a for="/">global object</a>, but the
  user agent needs to <a lt="parse a serialized CSP">parse</a> any policy
  delivered via an HTTP response header field before any <a for="/">global object</a>
  is created in order to handle directives that require knowledge of a
  <a>response</a>'s details. To that end:

  1.  A <a>response</a> has an associated <a for="response">CSP list</a> which
      contains any policy objects delivered in the <a>response</a>'s
      <a for="response">header list</a>.

  2.  [[#set-response-csp-list]] is called in the <a>HTTP fetch</a> and
      <a>HTTP-network fetch</a> algorithms.

      Note: These two calls should ensure that a <a>response</a>'s
      <a for="response">CSP list</a> is set, regardless of how the
      <a>response</a> is created. If we hit the network (via <a>HTTP-network
      fetch</a>, then we parse the policy before we handle the `Set-Cookie`
      header. If we get a response from a Service Worker (via <a>HTTP fetch</a>,
      we'll process its <a for="response">CSP list</a> before handing the
      response back to our caller.

  <h4 id="set-response-csp-list" algorithm>
    Set |response|'s `CSP list`
  </h4>

  Given a <a>response</a> (|response|), this algorithm evaluates its
  <a for="response">header list</a> for <a>serialized CSP</a> values, and
  populates its <a for="response">CSP list</a> accordingly:

  1.  Set |response|'s <a for="response">CSP list</a> to the
      empty list.

  2.  Let |policies| be the result of executing
      [[#parse-serialized-policy-list]] on the result of
      <a lt="parse a header value">parsing</a> `Content-Security-Policy`
      in |response|'s <a for="response">header list</a>, with a disposition
      of "`enforce`".

  3.  Append to |policies| the result of executing
      [[#parse-serialized-policy-list]] on the result of
      <a lt="parse a header value">parsing</a>
      `Content-Security-Policy-Report-Only` in |response|'s
      <a for="response">header list</a>, with a disposition of "`report`".


  4.  For each |policy| in |policies|:

      1.  Insert |policy| into |response|'s
          <a for="response">CSP list</a>.

  <h4 id="report-for-request" algorithm>
    Report Content Security Policy violations for |request|
  </h4>

  Given a <a for="/">request</a> (|request|), this algorithm reports violations based
  on <a for="request">client</a>'s "report only" policies.

  1.  Let |CSP list| be |request|'s
      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
      <a for="global object">CSP list</a>.

  2.  For each |policy| in |CSP list|:

      1.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
          then skip to the next |policy|.

      2.  Let |violates| be the result of executing
          [[#does-request-violate-policy]] on |request| and |policy|.

      3.  If |violates| is not "`Does Not Violate`", then execute
          [[#report-violation]] on the result of executing
          [[#create-violation-for-request]] on |request|, |policy|, and
          |violates|.

  <h4 id="should-block-request" algorithm>
    Should |request| be blocked by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> (|request|), this algorithm returns
  `Blocked` or `Allowed` and reports violations based on |request|'s
  <a for="request">client</a>'s Content Security Policy.

  1.  Let |CSP list| be |request|'s
      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
      <a for="global object">CSP list</a>.

  2.  Let |result| be "`Allowed`".

  3.  For each |policy| in |CSP list|:

      1.  If |policy|'s <a for="policy">disposition</a> is "`report`",
          then skip to the next |policy|.

      2.  Let |violates| be the result of executing
          [[#does-request-violate-policy]] on |request| and |policy|.

      3.  If |violates| is not "`Does Not Violate`", then:

          1.  Execute [[#report-violation]] on the result of executing
              [[#create-violation-for-request]] on |request|, |policy|, and
              |violates|.

          2.  Set |result| to "`Blocked`".

  4.  Return |result|.

  <h4 id="should-block-response" algorithm>
    Should |response| to |request| be blocked by Content
    Security Policy?
  </h4>

  Given a <a>response</a> (|response|) and a <a for="/">request</a>
  (|request|), this algorithm returns `Blocked` or
  `Allowed`, and reports violations based on |request|'s
  <a for="request">client</a>'s Content Security Policy.

  1.  Let |CSP list| be |request|'s
      <a for="request">client</a>'s <a for="environment settings object">global object</a>'s
      <a for="global object">CSP list</a>.

  2.  Let |result| be "`Allowed`".

  3.  For each |policy| in |CSP list|:

      1.  For each |directive| in |policy|:

          1.  If the result of executing |directive|'s
              <a for="directive">post-request check</a> is "`Blocked`", then:

              1.  Execute [[#report-violation]] on the result of executing
                  [[#create-violation-for-request]] on |request|, |policy|, and
                  |directive|.

              2.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
                  then set |result| to "`Blocked`".

      Note: This portion of the check verifies that the page can load the
      response. That is, that a Service Worker hasn't substituted a file which
      would violate the page's CSP.

  4.  For each |policy| in |response|'s <a for="response">CSP list</a>:

      1.  For each |directive| in |policy|:

          1.  If the result of executing |directive|'s
              <a for="directive">response check</a> on |request|, |response|,
              and |policy| is "`Blocked`", then:

              1.  Execute [[#report-violation]] on the result of executing
                  [[#create-violation-for-request]] on |request|, |policy|, and
                  |directive|.

              2.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
                  then set |result| to "`Blocked`".

      Note: This portion of the check allows policies delivered with the
      response to determine whether the response is allowed to be delivered.

  5.  Return |result|.


  <h3 id="html-integration">
    Integration with HTML
  </h3>

  1.  The {{Document}} and {{WorkerGlobalScope}} objects have a
      <dfn for="global object" id="global-object-csp-list">CSP list</dfn>,
      which holds all the <a for="/">policy</a> objects which are active for a given
      context. This list is empty unless otherwise specified, and is populated
      via the [[#initialize-global-object-csp]] algorithm.

      ISSUE(w3c/html#187): This concept is missing from W3C's Workers.

  2.  A <a for="/">policy</a> is <dfn export>enforced</dfn> or <dfn export>monitored</dfn> for a
      <a for="/">global object</a> by inserting it into the <a for="/">global object</a>'s
      <a for="global object">CSP list</a>.

  3.  [[#initialize-global-object-csp]] is called during the <a>initializing a
      new `Document` object</a> and <a>run a worker</a> algorithms in order to
      bind a set of <a for="/">policy</a> objects associated with a <a>response</a> to a
      newly created <a for="/">global object</a>.

  4.  [[#should-block-inline]] is called during the <a>prepare a script</a> and
      <a>update a `style` block</a> algorithms in order to determine whether or
      not an inline script or style block is allowed to execute/render.

  5.  [[#should-block-inline]] is called during handling of inline event
      handlers (like `onclick`) and inline `style` attributes in order to
      determine whether or not they ought to be allowed to execute/render.

  6.  <a for="/">policy</a> is <a>enforced</a> during processing of the <{meta}>
      element's <{meta/http-equiv}>.

  7.  A {{Document}}'s <dfn>embedding document</dfn> is the {{Document}}
      <a lt="nested through">through which</a> the {{Document}}'s
      <a>browsing context</a> is nested.

  8.  HTML populates each <a for="/">request</a>'s <a for="request">cryptographic nonce
      metadata</a> and <a>parser metadata</a> with relevant data from the
      elements responsible for resource loading.

      ISSUE(whatwg/html#198): Stylesheet loading is not yet integrated with
      Fetch in W3C's HTML.

      ISSUE(whatwg/html#968): Stylesheet loading is not yet integrated with
      Fetch in WHATWG's HTML.

  9.  [[#allow-base-for-document]] is called during <{base}>'s <a>set the frozen
      base URL</a> algorithm to ensure that the <{base/href}> attribute's value
      is valid.

  10.  [[#should-plugin-element-be-blocked-a-priori-by-content-security-policy]]
      is called during the processing of <{object}>, <{embed}>, and <{applet}>
      elements to determine whether they may trigger a fetch.

      Note: Fetched plugin resources are handled in [[#should-block-response]].

      ISSUE(w3c/html#547): This hook is missing from W3C's HTML.

  11. [[#should-block-navigation-request]] is called during the <a>process a
      navigate fetch</a> algorithm, and [[#should-block-navigation-response]]
      is called during the <a>process a navigate response</a> algorithm to
      apply directive's navigation checks, as well as inline checks for
      navigations to `javascript:`.

      ISSUE(w3c/html#548): W3C's HTML is not based on Fetch, and does not
      have a <a>process a navigate response</a> algorithm into which to hook.

  <h4 id="initialize-document-csp" algorithm>
    Initialize a `Document`'s `CSP list`
  </h4>

  Given a {{Document}} (|document|), and a <a>response</a> (|response|), the
  user agent performs the following steps in order to initialize |document|'s
  <a for="Document">CSP list</a>:

  1.  If |response|'s <a for="response">url</a>'s <a for="url">scheme</a> is a
      <a>local scheme</a>:

      1.  Let |documents| be an empty list.

      2.  If |document| has an <a>embedding document</a> (|embedding|), then add
          |embedding| to |documents|.

      3.  If |document| has an <a>opener browsing context</a>, then add its
          <a>active document</a> to |documents|.

      4.  For each |doc| in |documents|:

          1.  For each |policy| in |doc|'s <a for="Document">CSP list</a>:

              1.  Insert an alias to |policy| in |document|'s
                  <a for="Document">CSP list</a>.

      Note: <a>local scheme</a> includes `about:`, and this algorithm will
      therefore alias the <a>embedding document</a>'s policies for <a>an iframe
      `srcdoc` `Document`</a>.

      Note: We do all this to ensure that a page cannot bypass its <a for="/">policy</a>
      by embedding a frame or popping up a new window containing content it
      controls (`blob:` resources, or `document.write()`).

  2.  For each |policy| in |response|'s <a for="response">CSP list</a>, insert
      |policy| into |document|'s <a for="Document">CSP list</a>.

  3.  For each |policy| in |document|'s <a for="Document">CSP list</a>:

      1.  For each |directive| in |policy|:

          1.  Execute |directive|'s <a for="directive">initialization</a>
              algorithm on |document| and |response|.

  <h4 id="initialize-global-object-csp" algorithm>
    Initialize a global object's `CSP list`
  </h4>

  Given a <a for="/">global object</a> (|global|), and a <a>response</a>
  (|response|), the user agent performs the following steps in order
  to initialize |global|'s <a for="global object">CSP list</a>:

  1.  If |response|'s <a for="response">url</a>'s <a for="url">scheme</a> is a
      <a>local scheme</a>, or if |global| is a {{DedicatedWorkerGlobalScope}}:

      1.  Let |documents| be an empty list.

      2.  Add each of |global|'s
          <a lt="the worker's documents">document</a>s to |documents|.

      4.  For each |document| in |documents|:

          1.  For each |policy| in |document|'s <a for="/">global
              object</a>'s <a for="global object">CSP list</a>:

              1.  Insert an alias to |policy| in |global|'s
                  <a for="global object">CSP list</a>.

      Note: <a>local scheme</a> includes `about:`, and this algorithm will
      therefore alias the <a>embedding document</a>'s policies for <a>an iframe
      `srcdoc` `Document`</a>.

  2.  If |global| is a {{SharedWorkerGlobalScope}} or {{ServiceWorkerGlobalScope}}:

      1.  For each |policy| in |response|'s
          <a for="response">CSP list</a>, insert |policy| into
          |global|'s <a for="global object">CSP list</a>.

  <h4 id="should-block-inline" algorithm>
    Should |element|'s inline |type| behavior be blocked by Content Security Policy?
  </h4>

  Given an {{Element}} (|element|), a string (|type|), and a string (|source|)
  this algorithm returns "`Allowed`" if the element is allowed to have inline
  definition of a particular type of behavior (script execution, style
  application, event handlers, etc.), and "`Blocked`" otherwise:

  Note: The valid values for |type| are "`script`", "`script attribute`",
  "`style`", and "`style attribute`".

  1.  Assert: |element| is not `null`.

  2.  Let |result| be "`Allowed`".

  3.  For each |policy| in |element|'s {{Document}}'s <a for="/">global object</a>'s
      <a for="global object">CSP list</a>:

      1.  For each |directive| in |policy|:

          1.  If |directive|'s <a for="directive">inline check</a> returns
              "`Allowed`" when executed upon |element|, |type|, and |source|,
              skip to the next |directive|.

          2.  Otherwise, let |violation| be the result of executing
              [[#create-violation-for-global]] on the <a>current settings
              object</a>'s <a for="environment settings object">global object</a>, |policy|,
              and "`style-src`" if |type| is "`style`" or "`style-attribute`",
              or "`script-src`" otherwise.

          3.  Set |violation|'s <a for="violation">resource</a> to "`inline`".

          4.  Set |violation|'s <a for="violation">element</a> to |element|.

          5.  Execute [[#report-violation]] on |violation|.

          6.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
              set |result| to "`Blocked`".

  4.  Return |result|.

  <h4 id="should-block-navigation-request" algorithm>
    Should |navigation request| of |type| from |source| in |target| be blocked
    by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> (|navigation request|), a string (|type|, either
  "`form-submission`" or "`other`"), and two <a>browsing contexts</a> (|source|
  and |target|), this algorithm return "`Blocked`" if the active policy blocks
  the navigation, and "`Allowed`" otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  For each |policy| in |source|'s <a>active document</a>'s
        <a for="Document">CSP list</a>:

        1.  For each |directive| in |policy|:

            1.  If |directive|'s <a for="directive">pre-navigation check</a>
                returns "`Allowed`" when executed upon |navigation request|,
                |type|, |source|, and |target|, skip to the next |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on |source|'s <a>relevant global
                object</a>, |policy|, and |directive|'s <a for="directive">name</a>.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                request|'s <a for="response">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    3.  If |result| is "`Allowed`", and if |navigation request|'s
        <a for="request">url</a>'s <a for="url">scheme</a> is `javascript`:

        1.  For each |policy| in |source|'s <a>active document</a>'s
            <a for="Document">CSP List</a>:

            1.  For each |directive| in |policy|:

                1.  If |directive|'s <a for="directive">inline check</a>
                    returns "`Allowed`" when executed upon |navigation request|,
                    |type|, |source|, and |target|, skip to the next |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on |source|'s <a>relevant global
                object</a>, |policy|, and |directive|'s <a for="directive">name</a>.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                request|'s <a for="response">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    4.  Return |result|.
  </ol>

  <h4 id="should-block-navigation-response" algorithm>
    Should |navigation response| to |navigation request| of |type| from |source|
    in |target| be blocked by Content Security Policy?
  </h4>

  Given a <a for="/">request</a> (|navigation request|),, a string (|type|, either
  "`form-submission`" or "`other`"), a <a>response</a> |navigation
  response|, and two <a>browsing contexts</a> (|source| and |target|), this algorithm
  returns "`Blocked`" if the active policy blocks the navigation, and "`Allowed`"
  otherwise:

  <ol class="algorithm">
    1.  Let |result| be "`Allowed`".

    2.  For each |policy| in |navigation response|'s
        <a for="response">CSP list</a>:

        1.  For each |directive| in |policy|:

            1.  If |directive|'s <a for="directive">navigation response check</a>
                returns "`Allowed`" when executed upon |navigation request|, |type|,
                |navigation response|, |source|, and |target|, skip to the next
                |directive|.

            2.  Otherwise, let |violation| be the result of executing
                [[#create-violation-for-global]] on `null`, |policy|, and
                |directive|'s <a for="directive">name</a>.

                Note: We use `null` for the global object, as no global exists:
                we haven't processed the navigation to create a Document yet.

            3.  Set |violation|'s <a for="violation">resource</a> to |navigation
                response|'s <a for="response">URL</a>.

            4.  Execute [[#report-violation]] on |violation|.

            5.  If |policy|'s <a for="policy">disposition</a> is "`enforce`", then
                set |result| to "`Blocked`".

    3.  Return |result|.
  </ol>

  <h3 id="ecma-integration">Integration with ECMAScript</h3>

  ECMAScript defines a {{HostEnsureCanCompileStrings()}} abstract operation
  which allows the host environment to block the compilation of strings into
  ECMAScript code. This document defines an implementation of that abstract
  operation thich examines the relevant <a for="global object">CSP list</a>
  to determine whether such compilation ought to be blocked.

  <h4 id="can-compile-strings" algorithm dfn>
    EnsureCSPDoesNotBlockStringCompilation(|callerRealm|, |calleeRealm|)
  </h4>

  Given two <a>realms</a> (|callerRealm| and |calleeRealm|), this algorithm
  returns normally if string compilation is allowed, and throws an "`EvalError`"
  if not:

  1.  Let |globals| be a list containing |callerRealm|'s
      <a for="Realm">global object</a> and |calleeRealm|'s
      <a for="Realm">global object</a>.

  2.  For each |global| in |globals|:

      1.  For each |policy| in |global|'s <a for="global object">CSP list</a>:

          1.  Let |source-list| be null.

          2.  If |policy| contains a <a>directive</a> whose
              <a for="directive">name</a> is "`script-src`", then set |source-list|
              to that <a>directive</a>'s <a for="directive">value</a>.

              Otherwise if |policy| contains a <a>directive</a> whose
              <a for="directive">name</a> is "`default-src`", then set |source-list|
              to that directive's <a for="directive">value</a>.

          3.  If |source-list| is non-null, and does not contain a <a>source
              expression</a> which is an <a>ASCII case-insensitive</a> match for the
              string "<a grammar>`'unsafe-eval'`</a>", then throw an `EvalError`
              exception.
</section>

<!-- Big Text: Reporting -->
<section>
  <h2 id="reporting">
    Reporting
  </h2>

  When one or more of a <a for="/">policy</a>'s directives is violated, a <dfn export>violation
  report</dfn> may be generated and sent out to a reporting endpoint associated
  with the <a for="/">policy</a>.

  <h3 id="violation-events">
    Violation DOM Events
  </h3>

  <pre class="idl">
    enum SecurityPolicyViolationEventDisposition {
      "enforce", "report"
    };

    [Constructor(DOMString type, optional SecurityPolicyViolationEventInit eventInitDict)]
    interface SecurityPolicyViolationEvent : Event {
        readonly    attribute DOMString      documentURI;
        readonly    attribute DOMString      referrer;
        readonly    attribute DOMString      blockedURI;
        readonly    attribute DOMString      violatedDirective;
        readonly    attribute DOMString      effectiveDirective;
        readonly    attribute DOMString      originalPolicy;
        readonly    attribute DOMString      sourceFile;
        readonly    attribute SecurityPolicyViolationEventDisposition      disposition;
        readonly    attribute unsigned short statusCode;
        readonly    attribute long           lineNumber;
        readonly    attribute long           columnNumber;
    };

    dictionary SecurityPolicyViolationEventInit : EventInit {
        DOMString      documentURI;
        DOMString      referrer;
        DOMString      blockedURI;
        DOMString      violatedDirective;
        DOMString      effectiveDirective;
        DOMString      originalPolicy;
        DOMString      sourceFile;
        SecurityPolicyViolationEventDisposition      disposition;
        unsigned short statusCode;
        long           lineNumber;
        long           columnNumber;
    };
  </pre>

  <h3 id="deprecated-serialize-violation">
    Obtain the deprecated serialization of |violation|
  </h3>

  Given a <a>violation</a> (|violation|), this algorithm returns a JSON text
  string representation of the violation, suitable for submission to a reporting
  endpoint associated with the deprecated <a>`report-uri`</a> directive.

  1.  Let |object| be a new JavaScript object with properties initialized as
      follows:

      :  "`document-uri`"
      :: The result of executing the <a>URL serializer</a> on |violation|'s
         <a for="violation">url</a>, with the `exclude fragment` flag set.
      :  "`referrer`"
      :: The result of executing the <a>URL serializer</a> on |violation|'s
         <a for="violation">referrer</a>, with the `exclude fragment` flag set.
      :  "`blocked-uri`"
      :: The result of executing the <a>URL serializer</a> on |violation|'s
         <a for="violation">resource</a>, with the `exclude fragment` flag set.
      :  "`effective-directive`"
      :: |violation|'s <a for="violation">effective directive</a>
      :  "`violated-directive`"
      :: |violation|'s <a for="violation">effective directive</a>
      :  "`original-policy`"
      :: The <a lt="serialized CSP">serialization</a> of |violation|'s
         <a for="violation">policy</a>
      :  "`disposition`"
      :: The <a for="policy">disposition</a> of |violation|'s
         <a for="violation">policy</a>
      :  "`status-code`"
      :: |violation|'s <a for="violation">status</a>

  2.  If |violation|'s <a for="violation">source file</a> is not `null`:

      1.  Set |object|'s "`source-file`" property to the result of executing
          the <a>URL serializer</a> on |violation|'s <a for="violation">source
          file</a>, with the `exclude fragment` flag set.

      2.  Set |object|'s "`line-number`" property to |violation|'s
          <a for="violation">line number</a>.

      3.  Set |object|'s "`column-number`" property to |violation|'s
          <a for="violation">column number</a>.

  3.  Return the result of executing {{JSON.stringify()}} on |object|.

  <h3 id="report-violation" algorithm>
    Report a |violation|
  </h3>

  Given a <a>violation</a> (|violation|), this algorithm reports it to the
  endpoint specified in |violation|'s <a for="violation">policy</a>, and
  fires a {{SecurityPolicyViolationEvent}} at |violation|'s
  <a for="violation">global object</a>.

  1.  Let |global| be |violation|'s <a for="violation">global object</a>.

  2.  Let |target| be |violation|'s <a for="violation">element</a>.

  3.  <a>Queue a task</a> to run the following steps:

      Note: We "queue a task" here to ensure that the event targeting and dispatch
      happens after JavaScript completes execution of the task responsible for a
      given violation (which might manipulate the DOM).

      1.  If |target| is not `null`, and |global| is a {{Window}}, and |target|'s
          <a>shadow-including root</a> is not |global|'s <a>associated
          `Document`</a>, set |target| to `null`.

          Note: This ensures that we fire events only at elements <a>connected</a>
          to |violation|'s <a for="violation">policy</a>'s {{Document}}. If a
          violation is caused by an element which isn't connected to that
          document, we'll fire the event at the document rather than the element
          in order to ensure that the violation is visible to the document's
          listeners.

      2.  If |target| is `null`:

          1.  Set |target| be |violation|'s <a for="violation">global object</a>.

          2.  If |target| is a {{Window}}, set |target| to |target|'s <a>associated
              `Document`</a>.

      3.  <a>Fire an event</a> named `securitypolicyviolation`
          that uses the {{SecurityPolicyViolationEvent}} interface at |target| with
          its attributes initialized as follows:

          :  {{SecurityPolicyViolationEvent/documentURI}}
          :: |violation|'s <a for="violation">url</a>
          :  {{SecurityPolicyViolationEvent/referrer}}
          :: |violation|'s <a for="violation">referrer</a>
          :  {{SecurityPolicyViolationEvent/blockedURI}}
          :: |violation|'s <a for="violation">resource</a>
          :  {{SecurityPolicyViolationEvent/effectiveDirective}}
          :: |violation|'s <a for="violation">effective directive</a>
          :  {{SecurityPolicyViolationEvent/violatedDirective}}
          :: |violation|'s <a for="violation">effective directive</a>
          :  {{SecurityPolicyViolationEvent/originalPolicy}}
          :: |violation|'s <a for="violation">policy</a>
          :  {{SecurityPolicyViolationEvent/disposition}}
          :: |violation|'s <a for="violation">disposition</a>
          :  {{SecurityPolicyViolationEvent/sourceFile}}
          :: |violation|'s <a for="violation">source file</a>
          :  {{SecurityPolicyViolationEvent/statusCode}}
          :: |violation|'s <a for="violation">status</a>
          :  {{SecurityPolicyViolationEvent/lineNumber}}
          :: |violation|'s <a for="violation">line number</a>
          :  {{SecurityPolicyViolationEvent/columnNumber}}
          :: |violation|'s <a for="violation">column number</a>
          :  {{Event/bubbles}}
          :: `true`
          :  {{Event/composed}}
          :: `true`

          Note: Both {{SecurityPolicyViolationEvent/effectiveDirective}} and
          {{SecurityPolicyViolationEvent/violatedDirective}} are the same value.
          This is intentional to maintain backwards compatibility.

          Note: We set the {{Event/composed}} attribute, which means that this event
          can be captured on its way into, and will bubble its way out of a shadow
          tree. {{Event/target}}, et al will be automagically scoped correctly for
          the main tree.

      4.  If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive
          set</a> contains a <a>directive</a> named "<a>`report-uri`</a>"
          (|directive|):

          1.  If |violation|'s <a for="violation">policy</a>'s
              <a for="policy">directive set</a> contains a <a>directive</a> named
              "<a>`report-to`</a>", skip the remaining substeps.

          2.  Let |endpoint| be the result of executing the <a>URL parser</a> with |directive|'s
              <a for="directive">value</a> as the input, and |violation|'s
              <a for="violation">url</a> as the <a>base URL</a>.

          3.  If |endpoint| is not a valid URL, skip the remaining substeps.

          4.  Let |request| be a new <a for="/">request</a>, initialized as follows:

              :   <a for="request">method</a>
              ::  "`POST`"
              :   <a for="request">url</a>
              ::  |violation|'s <a for="violation">url</a>
              :   <a for="request">origin</a>
              ::  |violation|'s <a for="violation">global object</a>'s <a>relevant settings
                  object</a>'s <a for="environment settings object">origin</a>
              :   <a for="request">window</a>
              ::  "`no-window`"
              :   <a for="request">client</a>
              ::  |violation|'s <a for="violation">global object</a>'s <a>relevant
                  settings object</a>
              :   <a for="request">destination</a>
              ::  "`report`"
              :   <a for="request">initiator</a>
              ::  ""
              :   <a for="request">type</a>
              ::  ""
              :   <a for="request">credentials mode</a>
              ::  "`same-origin`"
              :   <a for="request">keepalive flag</a>
              ::  "`true`"
              :   <a for="request">header list</a>
              ::  A header list containing a single header whose name is
                  "`Content-Type`", and value is "`application/csp-report`"
              :   <a for="request">body</a>
              ::  The result of executing [[#deprecated-serialize-violation]] on
                  |violation|
              :   <a for="request">redirect mode</a>
              ::  "`error`"

              Note: |request|'s <a for="request">mode</a> defaults to "`no-cors`"; the response is ignored entirely.

          5.  <a for="/">Fetch</a> |request|. The result will be ignored.

          Note: All of this should be considered deprecated. It sends a single
          request per violation, which simply isn't scalable. As soon as this
          behavior can be removed from user agents, it will be.

          Note: `report-uri` only takes effect if `report-to` is not present. That
          is, the latter overrides the former, allowing for backwards compatibility
          with browsers that don't support the new mechanism.

      5.  If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive
          set</a> contains a <a>directive</a> named "<a>`report-to`</a>"
          (|directive|):

          1.  Let |group| be |directive|'s <a for="directive">value</a>.

          2.  Let |settings object| be |violation|'s <a for="violation">global
              object</a>'s <a>relevant settings object</a>.

          3.  Execute [[!REPORTING]]'s <a lt="queue report">Queue |data| as
              |type| for |endpoint group| on |settings|</a> algorithm with the
              following arguments:

              :   |data|
              ::  |violation|
              :   |type|
              ::  "CSP"
              :   |endpoint group|
              ::  |group|
              :   |settings|
              ::  |settings object|
</section>

<!-- Big Text: Directives -->
<section>
  <h2 id="csp-directives">
    Content Security Policy Directives
  </h2>

  This specification defines a number of types of <a>directives</a> which allow
  developers to control certain aspects of their sites' behavior. This document
  defines directives which govern resource fetching (in [[#directives-fetch]]),
  directives which govern the state of a document (in [[#directives-document]]),
  directives which govern aspects of navigation (in [[#directives-navigation]]),
  and directives which govern reporting (in [[#directives-reporting]]). These
  form the core of Content Security Policy; other directives are defined in a
  modular fashion in ancillary documents (see [[#directives-elsewhere]] for
  examples).

  To mitigate the risk of cross-site scripting attacks, web developers SHOULD
  include directives that regulate sources of script and plugins. They can do
  so by including:

  *   Both the <a>script-src</a> and <a>object-src</a> directives, or
  *   a <a>default-src</a> directive

  In either case, developers SHOULD NOT include either
  <a grammar>`'unsafe-inline'`</a>, or `data:` as valid
  sources in their policies. Both enable XSS attacks by allowing code to be
  included directly in the document itself; they are best avoided completely.

  <h3 id="directives-fetch">
    Fetch Directives
  </h3>

  <dfn export>Fetch directives</dfn> control the locations from which certain resource
  types may be loaded. For instance, <a>script-src</a> allows developers to allow
  trusted sources of script to execute on a page, while <a>font-src</a> controls the
  sources of web fonts.

  <h4 id="directive-child-src">`child-src`</h4>

  The <a>`child-src`</a> directive is <em>deprecated</em>. Authors who wish to regulate
  nested browsing contexts and workers SHOULD use the <a>`frame-src`</a> and
  <a>`worker-src`</a> directives, respectively.

  The <dfn export>`child-src`</dfn> directive governs the creation of <a>nested browsing
  contexts</a> (e.g. <{iframe}> and <{frame}> navigations) and Worker execution
  contexts. The syntax for the directive's name and value is described by the
  following ABNF:

  <pre>
    directive-name  = "child-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which will populate a frame or a
  worker. More formally, <a for="/">requests</a> falling into one of the
  following categories:

  *  <a for="request">destination</a> is "`document`", and whose
     <a for="request">target browsing context</a> is a <a>nested browsing
     context</a> (e.g. requests which will populate an <{iframe}> or <{frame}>
     element)

  *  <a for="request">destination</a> is either "`serviceworker`",
     "`sharedworker`", or "`worker`" (which are fed to the <a>run a worker</a>
     algorithm for {{ServiceWorker}}, {{SharedWorker}}, and {{Worker}},
     respectively).

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>child-src</a> https://example.com/
    </pre>

    Fetches for the following code will all return network errors, as the URLs
    provided do not match `child-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;iframe src="https://not-example.com"&gt;&lt;/iframe&gt;
      &lt;script&gt;
        var blockedWorker = new Worker("data:application/javascript,...");
      &lt;/script&gt;
    </pre>
  </div>

  <h5 algorithm id="child-src-pre-request">
    `child-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If |name| is not `frame-src`, return "`Allowed`".

  3.  If |policy| contains a directive whose <a for="directive">name</a>
      is |name|, return "`Allowed`"

  4.  Return the result of executing the <a for="directive">pre-request
      check</a> for the <a>directive</a> whose <a for="directive">name</a>
      is |name| on |request| and |policy|, using this directive's
      <a for="directive">value</a> for the comparison.

  <h5 algorithm id="child-src-post-request">
    `child-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If |name| is not `frame-src`, return "`Allowed`".

  3.  If |policy| contains a directive whose <a for="directive">name</a>
      is |name|, return "`Allowed`"

  4.  Return the result of executing the <a for="directive">post-request
      check</a> for the <a>directive</a> whose <a for="directive">name</a>
      is |name| on |request|, |response|, and |policy|, using this directive's
      <a for="directive">value</a> for the comparison.

  <h4 id="directive-connect-src">`connect-src`</h4>

  The <dfn export>connect-src</dfn> directive restricts the URLs which can be loaded
  using script interfaces. The syntax for the directive's name and value is
  described by the following ABNF:

  <pre>
    directive-name  = "connect-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which transmit or receive data from
  other origins. This includes APIs like `fetch()`, [[XHR]], [[EVENTSOURCE]],
  [[BEACON]], and <{a}>'s <{a/ping}>. This directive <em>also</em> controls
  WebSocket [[WEBSOCKETS]] connections, though those aren't technically part
  of Fetch.

  <div class="example">
    JavaScript offers a few mechanisms that directly connect to an external
    server to send or receive information. `EventSource` maintains an open
    HTTP connection to a server in order to receive push notifications,
    `WebSockets` open a bidirectional communication channel between your
    browser and a server, and `XMLHttpRequest` makes arbitrary HTTP requests
    on your behalf. These are powerful APIs that enable useful functionality,
    but also provide tempting avenues for data exfiltration.

    The `connect-src` directive allows you to ensure that these and similar
    sorts of connections are only opened to origins you trust. Sending a
    policy that defines a list of source expressions for this directive is
    straightforward. For example, to limit connections to only
    `https://example.com`, send the following header:

    <pre>
      Content-Security-Policy: <a>connect-src</a> https://example.com/
    </pre>

    Fetches for the following code will all return network errors, as the URLs
    provided do not match `connect-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;a ping="https://not-example.com"&gt;...
      &lt;script&gt;
        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'https://not-example.com/');
        xhr.send();

        var ws = new WebSocket("https://not-example.com/");

        var es = new EventSource("https://not-example.com/");

        navigator.sendBeacon("https://not-example.com/", { ... });
      &lt;/script&gt;
    </pre>
  </div>


  <h5 algorithm id="connect-src-pre-request">
    `connect-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">initiator</a> is "`fetch`", or its
      <a for="request">type</a> is "" and <a for="request">destination</a> is
      "`subresource`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="connect-src-post-request">
    `connect-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">initiator</a> is "`fetch`", or its
      <a for="request">type</a> is "" and <a for="request">destination</a> is
      "`subresource`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-default-src">`default-src`</h4>

  The <dfn export>default-src</dfn> directive serves as a fallback for the other
  <a>fetch directives</a>. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "default-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  If a <a>default-src</a> directive is present in a policy, its value will be
  used as the policy's default source list. That is, given `default-src 'none';
  script-src 'self'`, script requests will use `'self'` as the <a>source
  list</a> to match against. Other requests will use `'none'`. This is spelled
  out in more detail in the [[#should-block-request]] and
  [[#should-block-response]] algorithms.

  <div class="example">
    The following header:

    <pre>
      <a>Content-Security-Policy</a>: <a>default-src</a> <a grammar>'self'</a>
    </pre>

    will have the same behavior as the following header:

    <pre>
      <a>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                               <a>font-src</a> <a grammar>'self'</a>;
                               <a>frame-src</a> <a grammar>'self'</a>;
                               <a>img-src</a> <a grammar>'self'</a>;
                               <a>manifest-src</a> <a grammar>'self'</a>;
                               <a>media-src</a> <a grammar>'self'</a>;
                               <a>object-src</a> <a grammar>'self'</a>;
                               <a>script-src</a> <a grammar>'self'</a>;
                               <a>style-src</a> <a grammar>'self'</a>;
                               <a>worker-src</a> <a grammar>'self'</a>
    </pre>

    That is, when `default-src` is set, every <a>fetch directive</a> that isn't
    explicitly set will fall back to the value `default-src` specifies.
  </div>
  <div class="example">
    There is no inheritance. If a `script-src` directive is explicitly
    specified, for example, then the value of `default-src` has no influence on
    script requests. That is, the following header:

    <pre>
      <a>Content-Security-Policy</a>: <a>default-src</a> <a grammar>'self'</a>; <a>script-src</a> https://example.com
    </pre>

    will have the same behavior as the following header:

    <pre>
      <a>Content-Security-Policy</a>: <a>connect-src</a> <a grammar>'self'</a>;
                               <a>font-src</a> <a grammar>'self'</a>;
                               <a>frame-src</a> <a grammar>'self'</a>;
                               <a>img-src</a> <a grammar>'self'</a>;
                               <a>manifest-src</a> <a grammar>'self'</a>;
                               <a>media-src</a> <a grammar>'self'</a>;
                               <a>object-src</a> <a grammar>'self'</a>;
                               <a>script-src</a> https://example.com;
                               <a>style-src</a> <a grammar>'self'</a>;
                               <a>worker-src</a> <a grammar>'self'</a>
    </pre>

    Given this behavior, one good way to build a policy for a site would be to
    begin with a `default-src` of `'none'`, and to build up a policy from there
    which allowed only those resource types which are necessary for the
    particular page the policy will apply to.
  </div>

  <h5 algorithm id="default-src-pre-request">
    `default-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If |name| is `null`, return "`Allowed`".

  3.  If |policy| contains a <a>directive</a> whose <a for="directive">name</a>
      is |name|, return "`Allowed`".

  4.  If |name| is "`frame-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`child-src`", return "`Allowed`".

  5.  If |name| is "`worker-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`script-src`", return "`Allowed`".

  6.  Otherwise, return the result of executing the
      <a for="directive">pre-request check</a> for the <a>directive</a> whose
      <a for="directive">name</a> is |name| on |request| and |policy|, using
      this directive's <a for="directive">value</a> for the comparison.

  <h5 algorithm id="default-src-post-request">
    `default-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Let |name| be the result of executing
      [[#effective-directive-for-a-request]] on |request|.

  2.  If |name| is `null`, return "`Allowed`".

  3.  If |policy| contains a <a>directive</a> whose <a for="directive">name</a>
      is |name|, return "`Allowed`".

  4.  If |name| is "`frame-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`child-src`", return "`Allowed`".

  5.  If |name| is "`worker-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`script-src`", return "`Allowed`".

  6.  Otherwise, return the result of executing the
      <a for="directive">post-request check</a> for the <a>directive</a> whose
      <a for="directive">name</a> is |name| on |request|, |response|, and
      |policy|, using this directive's <a for="directive">value</a> for the
      comparison.

  <h4 id="directive-font-src">`font-src`</h4>

  The <dfn export>font-src</dfn> directive restricts the URLs from which font resources
  may be loaded. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "font-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>
  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>font-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `font-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;style&gt;
        @font-face {
          font-family: "Example Font";
          src: url("https://not-example.com/font");
        }
        body {
          font-family: "Example Font";
        }
      &lt;/style&gt;
    </pre>
  </div>

  <h5 algorithm id="font-src-pre-request">
    `font-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`font`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="font-src-post-request">
    `font-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`font`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-frame-src">`frame-src`</h4>

  The <dfn export>frame-src</dfn> directive restricts the URLs which may be loaded into
  <a>nested browsing contexts</a>. The syntax for the directive's name and value
  is described by the following ABNF:

  <pre>
    directive-name  = "frame-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>frame-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `frame-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;iframe src="https://not-example.com/"&gt;
      &lt;/iframe&gt;
    </pre>
  </div>

  <h5 algorithm id="frame-src-pre-request">
    `frame-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`document`" and
      <a for="request">target browsing context</a> is a <a>nested browsing
      context</a>:

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="frame-src-post-request">
    `frame-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`document`" and
      <a for="request">target browsing context</a> is a <a>nested browsing
      context</a>:

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-img-src">`img-src`</h4>

  The <dfn export>img-src</dfn> directive restricts the URLs from which image resources
  may be loaded. The syntax for the directive's name and value is described by
  the following ABNF:

  <pre>
    directive-name  = "img-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  This directive controls <a for="/">requests</a> which load images. More formally, this
  includes <a for="/">requests</a> whose <a for="request">type</a> is "`image`"
  [[FETCH]].

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>img-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `img-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;img src="https://not-example.com/img"&gt;
    </pre>
  </div>

  <h5 algorithm id="img-src-pre-request">
    `img-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`image`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="img-src-post-request">
    `img-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`image`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-manifest-src">`manifest-src`</h4>

  The <dfn export>manifest-src</dfn> directive restricts the URLs from which application
  manifests may be loaded [[APPMANIFEST]]. The syntax for the directive's name
  and value is described by the following ABNF:

  <pre>
    directive-name  = "manifest-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>manifest-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `manifest-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;link rel="manifest" href="https://not-example.com/manifest"&gt;
    </pre>
  </div>

  <h5 algorithm id="manifest-src-pre-request">
    `manifest-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "", and its
      <a for="request">initiator</a> is "`manifest`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="manifest-src-post-request">
    `manifest-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "", and its
      <a for="request">initiator</a> is "`manifest`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-media-src">`media-src`</h4>

  The <dfn export>media-src</dfn> directive restricts the URLs from which video, audio,
  and associated text track resources may be loaded. The syntax for the
  directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "media-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>media-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `media-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;audio src="https://not-example.com/audio"&gt;&lt;/audio&gt;
      &lt;video src="https://not-example.com/video"&gt;
          &lt;track kind="subtitles" src="https://not-example.com/subtitles"&gt;
      &lt;/video&gt;
    </pre>
  </div>

  <h5 algorithm id="media-src-pre-request">
    `media-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is one of "`audio`", "`video`",
      or "`track`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="media-src-post-request">
    `media-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is one of "`audio`", "`video`",
      or "`track`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-object-src">`object-src`</h4>

  The <dfn export>object-src</dfn> directive restricts the URLs from which plugin
  content may be loaded. The syntax for the directive's name and value is
  described by the following ABNF:

  <pre>
    directive-name  = "object-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>object-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `object-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;embed src="https://not-example.com/flash"&gt;&lt;/embed&gt;
      &lt;object data="https://not-example.com/flash"&gt;&lt;/object&gt;
      &lt;applet archive="https://not-example.com/flash"&gt;&lt;/applet&gt;
    </pre>
  </div>

  If plugin content is loaded without an associated URL (perhaps an <{object}>
  element lacks a <{object/data}> attribute, but loads some default plugin based
  on the specified `type`), it MUST be blocked if `object-src`'s value is
  `'none'`, but will otherwise be allowed.

  Note: The `object-src` directive acts upon any request made on behalf of
  an <{object}>, <{embed}>, or <{applet}> element. This includes requests
  which would populate the <a>nested browsing context</a> generated by the
  former two (also including navigations). This is true even when the data is
  semantically equivalent to content which would otherwise be restricted by
  another directive, such as an <{object}> element with a `text/html` MIME
  type.

  Note: When a plugin resource is navigated to directly (that is, as a <a>plugin document</a> in the
  <a>top-level browsing context</a> or a <a>nested browsing context</a>, and not as an embedded
  subresource via <{embed}>, <{object}>, or <{applet}>), any <a for="/">policy</a> delivered along
  with that resource will be applied to the <a>plugin document</a>. This means, for instance, that
  developers can prevent the execution of arbitrary resources as plugin content by delivering the
  policy `object-src 'none'` along with a response. Given plugins' power (and the
  sometimes-interesting security model presented by Flash and others), this could mitigate the risk
  of attack vectors like
  <a href="https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/">Rosetta Flash</a>.

  <h5 algorithm id="object-src-pre-request">
    `object-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "", and its
      <a for="request">destination</a> is "`unknown`":

      1.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="object-src-post-request">
    `object-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "", and its
      <a for="request">destination</a> is "`unknown`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h4 id="directive-script-src">`script-src`</h4>

  The <dfn export>script-src</dfn> directive restricts the locations from which scripts
  may be executed. This includes not only URLs loaded directly into <{script}>
  elements, but also things like inline script blocks and XSLT stylesheets
  [[XSLT]] which can trigger script execution. The syntax for the directive's
  name and value is described by the following ABNF:

  <pre>
    directive-name  = "script-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The `script-src` directive governs four things:

  1.  Script <a for="/">requests</a> MUST pass through [[#should-block-request]].

  2.  Script <a>responses</a> MUST pass through [[#should-block-response]].

  3.  Inline <{script}> blocks MUST pass through [[#should-block-inline]]. Their
      behavior will be blocked unless every policy allows inline script, either
      implicitly by not specifying a `script-src` (or `default-src`) directive,
      or explicitly, by specifying "`unsafe-inline`", a
      <a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
      the inline block.

  4.  The following JavaScript execution sinks are gated on the "`unsafe-eval`"
      source expression:

      *   {{eval()}}
      *   {{Function()}}
      *   {{setTimeout()}} with an initial argument which is not callable.
      *   {{setInterval()}} with an initial argument which is not callable.

      Note: If a user agent implements non-standard sinks like `setImmediate()`
      or `execScript()`, they SHOULD also be gated on "`unsafe-eval`".

  <h5 algorithm id="script-src-pre-request">
    `script-src` Pre-request check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  If the result of executing [[#effective-directive-for-a-request]] on |request|
      is "`worker-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`worker-src`", return "`Allowed`".

      Note: If `worker-src` is present, we'll defer to it when handling worker requests.

  2.  If |request|'s <a for="request">type</a> is "`script`", and its
      <a for="request">destination</a> is "`subresource`":

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  Let |integrity expressions| be the set of <a>source expressions</a> in
          this directive's <a for="directive">value</a> that match the
          <a grammar>hash-source</a> grammar.

      3.  If |integrity expressions| is not empty:

          1.  Let |integrity sources| be the result of executing the algorithn
              defined in [[SRI#parse-metadata]] on |request|'s
              <a for="request">integrity metadata</a>. [[!SRI]]

          2.  If |integrity sources| is "`no metadata`" or an empty set, skip
              the remaining substeps.

          3.  Let |bypass due to integrity match| be `true`.

          4.  For each |source| in |integrity sources|:

              1.  If this directive's <a for="directive">value</a> does not
                  contain a <a>source expression</a> whose
                  <a grammar>hash-algorithm</a> is a <a>case-sensitive</a> match
                  for |source|'s `hash-algo` component, and whose
                  <a grammar>base64-value</a> is a <a>case-sensitive</a> match
                  for |source|'s `base64-value`, then set |bypass due to
                  integrity match| to `false`.

          5.  If |bypass due to integrity match| is `true`, return
              "`Allowed`".

          Note: Here, we verify only that the |request| contains a set of
          <a for="request">integrity metadata</a> which is a subset of the
          <a grammar>hash-source</a> <a>source expressions</a> specified by
          this directive. We rely on the browser's enforcement of Subresource
          Integrity [[!SRI]] to block non-matching resources upon response.

      3.  If this directive's <a for="directive">value</a> contains a <a>source
          expression</a> that is an <a>ASCII case-insensitive</a> match for
          the "<a grammar>`'strict-dynamic'`</a>" <a grammar>keyword-source</a>:

          1.  If the |request|'s <a for="request">parser metadata</a> is
              <a>"parser-inserted"</a>, return "`Blocked`".

              Otherwise, return "`Allowed`".

              Note: "<a grammar>`'strict-dynamic'`</a>" is explained in more detail
              in [[#strict-dynamic-usage]].

      4.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="script-src-post-request">
    `script-src` Post-request check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  If the result of executing [[#effective-directive-for-a-request]] on |request|
      is "`worker-src`", and |policy| contains a <a>directive</a> whose
      <a for="directive">name</a> is "`worker-src`", return "`Allowed`".

      Note: If `worker-src` is present, we'll defer to it when handling worker requests.

  2.  If |request|'s <a for="request">type</a> is "`script`", and its
      <a for="request">destination</a> is "`subresource`":

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  If this directive's <a for="directive">value</a> contains
          "<a grammar>`'strict-dynamic'`</a>", and |request|'s
          <a for="request">parser metadata</a> is not <a>"parser-inserted"</a>,
          return "`Allowed`".

      3.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="script-src-inline">
    `script-src` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} (|element|), a string (|type|), and a string (|source|):

  1.  If |type| is "`script attribute`" or "`script`":

      1.  Assert: |element| is not `null`.

      2.  If the result of executing [[#match-element-to-source-list]] on
          |element|, this directive's <a for="directive">value</a>, |type|,
          and |source|, is "`Does Not Match`", return "`Blocked`".

  2.  If |type| is "`navigation`":

      1.  Let |unsafe-inline flag| be `false`.

      2.  For each |expression| in this directive's
          <a for="directive">value</a>:

          1.  If |expression| matches the <a grammar>`nonce-source`</a> or
              <a grammar>`hash-source`</a> grammar, return "`Blocked`".

          2.  If |expression| matches the <a grammar>keyword-source</a>
              "<a grammar>`'strict-dynamic'`</a>", return "`Blocked`".

          3.  If |expression| matches the <a grammar>keyword-source</a>
              "<a grammar>`'unsafe-inline'`</a>", set |unsafe-inline flag| to `true`.

      3.  If |unsafe-inline flag| is `false`, return "`Blocked`".

      Note: Navigating to a `javascript:` URL is allowed only in the presence
      of "<a grammar>`'unsafe-inline'`</a>" that isn't overridden by a nonce,
      hash, or "<a grammar>`'strict-dynamic'`</a>".

  3.  Return "`Allowed`".

  <h4 id="directive-style-src">`style-src`</h4>

  The <dfn export>style-src</dfn> directive restricts the locations from which style
  may be applied to a {{Document}}. The syntax for the directive's name and
  value is described by the following ABNF:

  <pre>
    directive-name  = "style-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The `style-src` directive governs several things:

  1.  Style <a for="/">requests</a> MUST pass through [[#should-block-request]]. This
      includes:

      1.  Stylesheet requests originating from a <{link}> element.
      2.  Stylesheet requests originating from the <a at-rule>`@import`</a>
          rule.
      3.  Stylesheet requests originating from a `Link` HTTP response header
          field [[!RFC5988]].

  2.  <a>Responses</a> to style requests MUST pass through
      [[#should-block-response]].

  3.  Inline <{style}> blocks MUST pass through [[#should-block-inline]]. The
      styles will be blocked unless every policy allows inline style, either
      implicitly by not specifying a `style-src` (or `default-src`) directive,
      or explicitly, by specifying "`unsafe-inline`", a
      <a grammar>nonce-source</a> or a <a grammar>hash-source</a> that matches
      the inline block.

  4.  The following CSS algorithms are gated on the `unsafe-eval` source
      expression:

      1.  <a>insert a CSS rule</a>
      2.  <a>parse a CSS rule</a>,
      3.  <a>parse a CSS declaration block</a>
      4.  <a>parse a group of selectors</a>

      This would include, for example, all invocations of CSSOM's various
      <code>cssText</code> setters and <code>insertRule</code> methods
      [[!CSSOM]] [[!HTML]].

      ISSUE: This needs to be better explained.

  <h5 algorithm id="style-src-pre-request">
    `style-src` Pre-request Check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`style`":

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="style-src-post-request">
    `style-src` Post-request Check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">type</a> is "`style`":

      1.  If the result of executing [[#match-nonce-to-source-list]] on
          |request|'s <a for="request">cryptographic nonce metadata</a> and this
          directive's <a for="directive">value</a> is "`Matches`", return
          "`Allowed`".

      2.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="style-src-inline">
    `style-src` Inline Check
  </h5>

  This directive's <a for="directive">inline check</a> algorithm is as follows:

  Given an {{Element}} (|element|), a string (|type|), and a string (|source|):

  1.  If |type| is "`style`" or "`style attribute`":

      1.  If the result of executing [[#match-element-to-source-list]] on
          |element|, this directive's <a for="directive">value</a>, |type|,
          and |source|, is "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  This directive's <a for="directive">initialization</a> algorithm is as follows:

  ISSUE: Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don't think CSSOM gives us any hooks here, so
  let's work with them to put something reasonable together.

  <h4 id="directive-worker-src">`worker-src`</h4>

  The <dfn export>worker-src</dfn> directive restricts the URLs which may be loaded as
  a {{Worker}}, {{SharedWorker}}, or {{ServiceWorker}}. The syntax for the
  directive's name and value is described by the following ABNF:

  <pre>
    directive-name  = "worker-src"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>worker-src</a> https://example.com/
    </pre>

    Fetches for the following code will return a network errors, as the URL
    provided do not match `worker-src`'s <a>source list</a>:

    <pre highlight="html">
      &lt;script&gt;
        var blockedWorker = new Worker("data:application/javascript,...");
        blockedWorker = new SharedWorker("https://not-example.com/");
        navigator.serviceWorker.register('https://not-example.com/sw.js');
      &lt;/script&gt;
    </pre>
  </div>

  <h5 algorithm id="worker-src-pre-request">
    `worker-src` Pre-request Check
  </h5>

  This directive's <a for="directive">pre-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">destination</a> is one of
      "`serviceworker`", "`sharedworker`", or "`worker`":

      4.  If the result of executing [[#match-request-to-source-list]] on
          |request| and this directive's <a for="directive">value</a> is
          "`Does Not Match`", return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm id="worker-src-post-request">
    `worker-src` Post-request Check
  </h5>

  This directive's <a for="directive">post-request check</a> is as follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">destination</a> is one of
      "`serviceworker`", "`sharedworker`", or "`worker`":

      1.  If the result of executing [[#match-response-to-source-list]] on
          |response|, |request|, and this directive's
          <a for="directive">value</a> is "`Does Not Match`", return
          "`Blocked`".

  3.  Return "`Allowed`".

  <h3 id="directives-document">
    Document Directives
  </h3>

  The following directives govern the properties of a document or worker
  environment to which a policy applies.

  <h4 id="directive-base-uri">`base-uri`</h4>

  The <dfn export>base-uri</dfn> directive restricts the {{URL}}s which can be used in
  a {{Document}}'s <{base}> element. The syntax for the directive's name and
  value is described by the following ABNF:

  <pre>
    directive-name  = "base-uri"
    directive-value = <a grammar>serialized-source-list</a>
  </pre>

  The following algorithm is called during HTML's <a>set the frozen base url</a>
  algorithm in order to monitor and enforce this directive:

  <h5 id="allow-base-for-document" algorithm>
    Is |base| allowed for |document|?
  </h5>

  Given a {{URL}} (|base|), and a {{Document}} (|document|), this algorithm
  returns "`Allowed`" if |base| may be used as the value of a <{base}>
  element's <{base/href}> attribute, and "`Blocked`" otherwise:

  1.  For each |policy| in |document|'s <a for="/">global object</a>'s
      <a for="global object">csp list</a>:

      1.  Let |source list| be `null`.

      2.  If a <a>directive</a> whose <a for="directive">name</a> is
          "`base-uri`" is present in |policy|'s <a for="policy">directive
          set</a>, set |source list| to that <a>directive</a>'s
          <a for="directive">value</a>.

      3.  If |source list| is `null`, skip to the next |policy|.

      4.  If the result of executing [[#match-url-to-source-list]]
          on |base|, |source list|, |document|'s  <a>relevant settings
          object</a>'s origin, and `0` is "`Does Not Match`":

          1.  Let |violation| be the result of executing
              [[#create-violation-for-global]] on |document|'s <a for="/">global
              object</a>, |policy|, and "<a>`base-uri`</a>".

          2.  Set |violation|'s <a for="violation">resource</a> to "`inline`".

          3.  Execute [[#report-violation]] on |violation|.

          4.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
              return "`Blocked`".

  2.  Return "`Allowed`".

  <h4 id="directive-plugin-types">`plugin-types`</h4>

  The <dfn export>plugin-types</dfn> directive restricts the set of plugins that
  can be embedded into a document by limiting the types of resources which can
  be loaded. The directive's syntax is described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "plugin-types"
    directive-value = <a>media-type-list</a>

    <dfn>media-type-list</dfn> = <a>media-type</a> *( <a>RWS</a> <a>media-type</a> )
    <dfn>media-type</dfn> = <a>type</a> "/" <a>subtype</a>
    ; <a>type</a> and <a>subtype</a> are defined in RFC 2045
  </pre>

  If a `plugin-types` directive is present, instantiation of an <{embed}> or
  <{object}> element will fail if any of the following conditions hold:

  1.  The element does not explicitly declare a <a>valid MIME type</a> via a
      <{embed/type}> attribute.

  2.  The declared type does not match one of the items in the directive's
      value.

  3.  The fetched resource does not match the declared type.

  <div class="example">
    Given a page with the following Content Security Policy:

    <pre>
      Content-Security-Policy: <a>plugin-types</a> application/pdf
    </pre>

    Fetches for the following code will all return network errors:

    <pre highlight="html">
      &lt;!-- No 'type' declaration --&gt;
      &lt;object data="https://example.com/flash"&gt;&lt;/object&gt;

      &lt;!-- Non-matching 'type' declaration --&gt;
      &lt;object data="https://example.com/flash" type="application/x-shockwave-flash"&gt;&lt;/object&gt;

      &lt;!-- Non-matching resource --&gt;
      &lt;object data="https://example.com/flash" type="application/pdf"&gt;&lt;/object&gt;
    </pre>

    If the page allowed Flash content by sending the following header:

    <pre>
      Content-Security-Policy: <a>plugin-types</a> application/x-shockwave-flash
    </pre>

    Then the second item above would load successfully:

    <pre highlight="html">
      &lt;!-- Matching 'type' declaration and resource --&gt;
      &lt;object data="https://example.com/flash" type="application/x-shockwave-flash"&gt;&lt;/object&gt;
    </pre>
  </div>

  <h5 algorithm dfn>
    `plugin-types` Post-Request Check
  </h5>

  This directive's <a for="directive">post-request check</a> algorithm is as
  follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |policy| is unused.

  2.  If |request|'s <a for="request">destination</a> is either "`object`"
      or "`embed`":

      1.  Let |type| be the result of <a lt="extract a MIME type">extracting a
          MIME type</a> from |response|'s <a for="response">header list</a>.

      2.  If |type| is not an <a>ASCII case-insensitive</a> match for any item
          in this directive's <a for="directive">value</a>, return "`Blocked`".

  3.  Return "`Allowed`".

  <h5 algorithm dfn>
    Should |plugin element| be blocked <i lang="la">a priori</i> by Content
    Security Policy?:
  </h5>

  Given an {{Element}} (|plugin element|), this algorithm returns "`Blocked`"
  or "`Allowed`" based on the element's `type` attribute and the policy applied to
  its document:

  <ol class="algorithm">
    1.  For each |policy| in |plugin element|'s <a>node document</a>'s
        <a for="Document">CSP list</a>:

        1.  If |policy| contains a <a>directive</a> (|directive|) whose name is
            `plugin-types`:

            1.  Let |type| be "`application/x-java-applet`" if |plugin element|
                is an <{applet}> element, or |plugin element|'s `type` attribute's
                value if present, or "`null`" otherwise.

            2.  Return "`Blocked`" if any of the following are true:

                1.  |type| is `null`.

                2.  |type| is not a <a>valid MIME type</a>.

                3.  |type| is not an <a>ASCII case-insensitive</a> match for any
                    item in |directive|'s <a for="directive">value</a>.

    2.  Return "`Allowed`".
  </ol>

  <h4 id="directive-sandbox">`sandbox`</h4>

  The <dfn export>sandbox</dfn> directive specifies an HTML sandbox policy which the
  user agent will apply to a resource, just as though it had been included in
  an <{iframe}> with a <{iframe/sandbox}> property.

  The directive's syntax is described by the following ABNF grammar, with
  the additional requirement that each token value MUST be one of the
  keywords defined by HTML specification as allowed values for the <{iframe}>
  <{iframe/sandbox}> attribute [[!HTML]].

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "sandbox"
    directive-value = "" / <a>token</a> *( <a>RWS</a> <a>token</a> )
  </pre>

  This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a http-header>`Content-Security-Policy-Report-Only`</a> header, or within
  a <{meta}> element.

  <h5 algorithm id="sandbox-response">
    `sandbox` Response Check
  </h5>

  This directive's <a for="directive">response check</a> algorithm is as
  follows:

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|response|), and a
  <a for="/">policy</a> (|policy|):

  1.  Assert: |response| is unused.

  2.  If |policy|'s <a for="policy">disposition</a> is not "`enforce`", then
      return "`Allowed`".

  3.  If |request|'s <a for="request">destination</a> is one of
      "`serviceworker`", "`sharedworker`", or "`worker`":

      1.  If the result of the <a>Parse a sandboxing directive</a> algorithm
          using this directive's <a for="directive">value</a> as the input
          contains either the <a>sandboxed scripts browsing context flag</a> or
          the <a>sandboxed origin browsing context flag</a> flags, return
          "`Blocked`".

          Note: This will need to change if we allow Workers to be sandboxed into
          unique origins, which seems like a pretty reasonable thing to do.

  4.  Return "`Allowed`".

  <h5 algorithm id="sandbox-init">
    `sandbox` Initialization
  </h5>

  This directive's <a for="directive">initialization</a> algorithm is
  responsible for adjusting a {{Document}}'s <a>forced sandboxing flag set</a>
  according to the <a>`sandbox`</a> values present in its policies, as
  follows:

  Given a {{Document}} or <a for="/">global object</a> (|context|), a <a>response</a>
  (|response|), and a <a for="/">policy</a> (|policy|):

  1.  Assert: |response| is unused.

  2.  If |policy|'s <a for="policy">disposition</a> is not "`enforce`", or
      |context| is not a {{Document}}, then abort this algorithm.

      Note: This will need to change if we allow Workers to be sandboxed,
      which seems like a pretty reasonable thing to do.

  3.  <a>Parse a sandboxing directive</a> using this directive's
      <a for="directive">value</a> as the input, and |context|'s <a>forced
      sandboxing flag set</a> as the output.

  <h4 id="directive-disown-opener">`disown-opener`</h4>

  The <dfn export>`disown-opener`</dfn> directive ensures that a resource
  will <a>disown its opener</a> when navigated to. The directive's syntax is
  described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "disown-opener"
    directive-value = ""
  </pre>

  This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a http-header>`Content-Security-Policy-Report-Only`</a> header, or within
  a <{meta}> element.

  ISSUE: Not sure this is the right model. We need to ensure that we take care
  of <a href="https://github.com/w3c/webappsec/issues/139">the inverse</a> as
  well, and there might be a cleverer syntax that could encompass both a
  document's opener, and a document's openees. `disown-openee` is weird.
  Maybe `disown 'opener' 'openee'`? Do we need origin restrictions on either/both?

  <h5 algorithm id="disown-opener-init">
    `disown-opener` Initialization
  </h5>

  This directive's <a for="directive">initialization</a> algorithm is as
  follows:

  Given a {{Document}} or <a for="/">global object</a> (|context|), a <a>response</a>
  (|response|), and a <a for="/">policy</a> (|policy|):

  1.  Assert: |response| and |policy| are unused.

  2.  If |context|'s <a>responsible browsing context</a> has an <a>opener browsing
      context</a>, <a>disown its opener</a>.

  ISSUE: What should this do in an <{iframe}>? Anything?

  <h3 id="directives-navigation">
    Navigation Directives
  </h3>

  <h4 id="directive-form-action">`form-action`</h4>

  The <dfn export>form-action</dfn> directive restricts the {{URL}}s which can be used
  as the target of a form submissions from a given context. The directive's syntax is
  described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar" class="abnf">
    directive-name  = "form-action"
    directive-value = <a>serialized-source-list</a>
  </pre>

  <h5 algorithm id="form-action-pre-navigate">
    `form-action` Pre-Navigation Check
  </h5>

  Given a <a for="/">request</a> (|request|), a string (|type|, "`form-submission` or
  "`other`") and two <a>browsing contexts</a> (|source| and |target|), this
  algorithm returns "`Blocked`" if one or more of the ancestors of |target|
  violate the `frame-ancestors` directive delivered with the response, and
  "`Allowed`" otherwise. This constitutes the `form-action`' directive's
  <a>pre-navigation check</a>:

  <ol class="algorithm">
    1.  Assert: |source| and |target| are unused in this algorithm, as
        `form-action` is concerned only with details of the outgoing request.

    2.  If |type| is "`form-submission`":

        1.  If the result of executing [[#match-request-to-source-list]] on
            |request| and this directive's <a for="directive">value</a> is
            "`Does Not Match`", return "`Blocked`".

    3.  Return "`Allowed`".
  </ol>

  <h4 id="directive-frame-ancestors">`frame-ancestors`</h4>

  The <dfn export>frame-ancestors</dfn> directive restricts the {{URL}}s which can
  embed the resource using <{frame}>, <{iframe}>, <{object}>, <{embed}>, or
  <{applet}> element. Resources can use this directive to avoid many UI
  Redressing [[UISECURITY]] attacks, by avoiding the risk of being embedded into
  potentially hostile contexts.

  The directive's syntax is described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar">
    directive-name  = "frame-ancestors"
    directive-value = <a>ancestor-source-list</a>

    <dfn>ancestor-source-list</dfn> = ( <a>ancestor-source</a> *( <a>RWS</a> <a>ancestor-source</a>) ) / "<a>'none'</a>"
    <dfn>ancestor-source</dfn>      = <a>scheme-source</a> / <a>host-source</a> / "<a>'self'</a>"
  </pre>

  The `frame-ancestors` directive MUST be ignored when contained in a policy
  declared via a <{meta}> element.

  Note: The `frame-ancestors` directive's syntax is similar to a <a>source
  list</a>, but `frame-ancestors` will not fall back to the `default-src`
  directive's value if one is specified. That is, a policy that declares
  `default-src 'none'` will still allow the resource to be embedded by anyone.

  <h5 algorithm id="frame-ancestors-navigation-response">
    `frame-ancestors` Navigation Response Check
  </h5>

  Given a <a for="/">request</a> (|request|), a <a>response</a> (|navigation response|)
  and two <a>browsing contexts</a> (|source| and |target|), this algorithm
  returns "`Blocked`" if one or more of the ancestors of |target| violate the
  `frame-ancestors` directive delivered with the response, and "`Allowed`"
  otherwise. This constitutes the `frame-ancestors`' directive's <a>navigation
  response check</a>:

  <ol class="algorithm">
    1.  Assert: |request|, |navigation response|, and |source| are unused in
        this algorithm, as `frame-ancestors` is concerned only with |target|'s
        ancestors.

    2.  If |target| is not a <a>nested browsing context</a>, return "`Allowed`".

    3.  Let |current| be |target|.

    4.  While |current| has a <a>parent browsing context</a> (|parent|):

        1.  Set |current| to |parent|.

        2.  Let |origin| be the result of executing the <a>URL parser</a> on the
            <a lt="unicode serialization of an origin">unicode serialization</a>
            of |parent|'s <a>active document</a>'s <a>relevant settings
            object</a>'s <a for="environment settings object">origin</a>.

        3.  If [[#match-url-to-source-list]] returns `Does Not Match` when
            executed upon |origin|, this directive's
            <a for="directive">value</a>, |navigation response|'s
            <a for="response">url</a>'s {{URL/origin}}, and `0`, return
            "`Blocked`".

    5.  Return "`Allowed`".
  </ol>

  <h4 id="directive-navigation-to">`navigation-to`</h4>

  The <dfn export>navigation-to</dfn> directive restricts the {{URL}}s to which
  a document can navigate by any means (<{a}>, <{form}>, `window.location`,
  `window.open`, etc.). The directive's syntax is described by the following ABNF grammar:

  <pre dfn-type="grammar" link-type="grammar" class="abnf">
    directive-name  = "navigation-to"
    directive-value = <a>serialized-source-list</a>
  </pre>

  ISSUE: Should we use `ancestor-source-list` (basically, origins as opposed to
  paths?) It doesn't appear that blocking navigation targets is any worse than
  blocking any other request type with regard to leakage. Given the redirect
  behavior, this devolves to an origin check in the presence of a malicious
  party anyway...

  <h5 algorithm id="navigation-to-pre-navigate">
    `navigation-to` Pre-Navigation Check
  </h5>

  Given a <a for="/">request</a> (|request|), a string (|type|, "`form-submission` or
  "`other`") and two <a>browsing contexts</a> (|source| and |target|), this
  algorithm returns "`Blocked`" if the navigation violates the `navigation-to`
  directive's constraints, and "`Allowed`" otherwise. This constitutes the
  `navigation-to`' directive's <a>pre-navigation check</a>:

  <ol class="algorithm">
    1.  Assert: |source| and |target| are unused in this algorithm, as
        `navigation-to` is concerned only with details of the outgoing request.
        Likewise, |type| is unused, as all navigation requests are treated
        identically.

    2.  If the result of executing [[#match-request-to-source-list]] on
        |request| and this directive's <a for="directive">value</a> is
        "`Does Not Match`", return "`Blocked`".

    3.  Return "`Allowed`".
  </ol>

  <h3 id="directives-reporting">
    Reporting Directives
  </h3>

  Various algorithms in this document hook into the reporting process by
  constructing a <a>violation</a> object via [[#create-violation-for-request]]
  or [[#create-violation-for-global]], and passing that object to
  [[#report-violation]] to deliver the report.

  <h4 id="directive-report-uri">`report-uri`</h4>

  <div class="note">
    Note: The <a>`report-uri`</a> directive is deprecated. Please use the
    <a>`report-to`</a> directive instead. If the latter directive is present,
    this directive will be ignored. To ensure backwards compatibility, we
    suggest specifying both, like this:

    <div class="example">
      <pre>
        <a>Content-Security-Policy</a>: ...; <a>report-uri</a> https://endpoint.com; <a>report-to</a> groupname
      </pre>
    </div>
  </div>

  The <dfn export>`report-uri`</dfn> directive defines a set of endpoints to which
  <a>violation reports</a> will be sent when particular behaviors are prevented.

  <pre link-type="grammar">
    directive-name  = "report-uri"
    directive-value = <a>uri-reference</a> *( <a>RWS</a> <a>uri-reference</a> )

    ; The <a>uri-reference</a> grammar is defined in Section 4.1 of RFC 3986.
  </pre>

  The directive has no effect in and of itself, but only gains meaning in
  combination with other directives.

  <h4 id="directive-report-to">`report-to`</h4>

  The <dfn export>`report-to`</dfn> directive defines a <a lt="group">reporting
  group</a> to which violation reports ought to be sent [[REPORTING]]. The
  directive's behavior is defined in [[#report-violation]]. The directive's name
  and value are described by the following ABNF:

  <pre>
    directive-name  = "report-to"
    directive-value = <a grammar>token</a>
  </pre>

  <h3 id="directives-elsewhere">
    Directives Defined in Other Documents
  </h3>

  This document defines a core set of directives, and sets up a framework for
  modular extension by other specifications. At the time this document was
  produced, the following stable documents extend CSP:

  * [[MIX]] defines `block-all-mixed-content`
  * [[UPGRADE-INSECURE-REQUESTS]] defines `upgrade-insecure-requests`
  * [[SRI]] defines `require-sri-for`

  Extensions to CSP MUST register themselves via the process outlined in
  [[!RFC7762]]. In particular, note the criteria discussed in Section 4.2 of
  that document.

  New directives SHOULD use the <a for="directive">pre-request check</a>,
  <a for="directive">post-request check</a>, <a for="directive">response
  check</a>, and <a for="directive">initialization</a> hooks in order to
  integrate themselves into Fetch and HTML.

  <h3 id="algorithms">Matching Algorithms</h3>

  <h4 id="matching-urls">URL Matching</h4>

  <h5 id="does-request-violate-policy" algorithm>
    Does |request| violate |policy|?
  </h5>

  Given a <a for="/">request</a> (|request|) and a <a for="/">policy</a> (|policy|), this
  algorithm returns the violated <a>directive</a> if the request violates the
  policy, and "`Does Not Violate`" otherwise.

  1.  Let |violates| be "`Does Not Violate`".

  2.  For each |directive| in |policy|:

      1.  Let |result| be the result of executing |directive|'s
          <a for="directive">pre-request check</a> on |request| and |policy|.

      2.  If |result| is "`Blocked`", then let |violates| be |directive|.

  3.  Return |violates|.

  <h5 id="match-nonce-to-source-list" algorithm>
    Does |nonce| match |source list|?
  </h5>

  Given a <a for="/">request</a>'s <a for="request">cryptographic nonce metadata</a>
  (|nonce|) and a <a>source list</a> (|source list|), this algorithm returns
  "`Matches`" if the nonce matches one or more source expressions in the list,
  and "`Does Not Match`" otherwise:

  1.  Assert: |source list| is not `null`.

  2.  If |nonce| is the empty string, return "`Does Not Match`".

  3.  For each |expression| in |source list|:

      1.  If |expression| matches the <a grammar>`nonce-source`</a> grammar,
          and |nonce| is a <a>case-sensitive</a> match for |expression|'s
          <a grammar>`base64-value`</a> part, return "`Matches`".

  4.  Return "`Does Not Match`".

  <h5 id="match-request-to-source-list" algorithm>
    Does |request| match |source list|?
  </h5>

  Given a <a for="/">request</a> (|request|), and a <a>source list</a> (|source list|),
  this algorithm returns the result of executing [[#match-url-to-source-list]]
  on |request|'s <a for="request">current url</a>, |source list|, |request|'s
  <a for="request">origin</a>, and |request|'s <a for="request">redirect
  count</a>.

  Note: This is generally used in <a>directives</a>' <a>pre-request check</a>
  algorithms to verify that a given <a for="/">request</a> is reasonable.

  <h5 id="match-response-to-source-list" algorithm>
    Does |response| to |request| match |source list|?
  </h5>

  Given a <a for="/">request</a> (|request|), and a <a>source list</a> (|source list|),
  this algorithm returns the result of executing [[#match-url-to-source-list]]
  on |response|'s <a for="response">url</a>, |source list|, |request|'s
  <a for="request">origin</a>, and |request|'s <a for="request">redirect
  count</a>.

  Note: This is generally used in <a>directives</a>' <a>post-request check</a>
  algorithms to verify that a given <a>response</a> is reasonable.

  <h5 id="match-url-to-source-list" algorithm>
    Does |url| match |source list| in |origin| with |redirect count|?
  </h5>

  Given a {{URL}} (|url|), a <a>source list</a> (|source list|), an
  <a for="/">origin</a> (|origin|), and a number (|redirect count|), this
  algorithm returns "`Matches`" if the URL matches one or more source
  expressions in |source list|, or "`Does Not Match`" otherwise:

  1.  Assert: |source list| is not `null`.

  2.  If |source list| is an empty list, return "`Does Not Match`".

  3.  If |source list| contains a single item which is an <a>ASCII
      case-insensitive</a> match for the string "`'none'`", return "`Does Not
      Match`".

      Note: An empty source list (that is, a directive without a value: `script-src`,
      as opposed to `script-src host1`) is equivalent to a source list containing `'none'`,
      and will not match any URL.

  4.  For each |expression| in |source list|:

      1.  If [[#match-url-to-source-expression]] returns "`Matches`" when
          executed upon |url|, |expression|, |origin|, and |redirect count|, return
          "`Matches`".

  5.  Return "`Does Not Match`".

  <h5 id="match-url-to-source-expression" algorithm>
    Does |url| match |expression| in |origin| with |redirect count|?
  </h5>

  Given a {{URL}} (|url|), a <a>source expression</a> (|expression|), an
  <a for="/">origin</a> (|origin|), and a number (|redirect count|), this algorithm
  returns "`Matches`" if |url| matches |expression|, and "`Does Not Match`"
  otherwise.

  Note: |origin| is the <a for="/">origin</a> of the resource relative to which the
  |expression| should be resolved. "`'self'`", for instance, will have distinct
  meaning depending on that bit of context.

  1.  If |expression| is the string "*", return "`Matches`" if one or more of
      the following conditions is met:

      1. |url|'s <a for="url">scheme</a> is a <a>network scheme</a>.

      2. |url|'s <a for="url">scheme</a> is the same as |origin|'s <a for="origin">scheme</a>.

      Note: This logic means that in order to allow resource from a non-<a>network scheme</a>,
      it has to be either explicitly specified (e.g.
      `default-src * data: custom-scheme-1: custom-scheme-2:`,
      or the protected resource must be loaded from the same scheme.

  2.  If |expression| matches the <a grammar>`scheme-source`</a> or
      <a grammar>`host-source`</a> grammar:

      1.  If |expression| has a <a grammar>`scheme-part`</a> and 
          [[#match-schemes]] returns "`Does Not Match`" given |expression|'s 
          <a grammar>`scheme-part`</a> and |url|'s <a for="url">scheme</a>, 
          return "`Does Not Match`".

      2.  If |expression| matches the <a grammar>`scheme-source`</a> grammar,
          return "`Matches`".

  3.  If |expression| matches the <a grammar>`host-source`</a> grammar:

      1.  If |url|'s {{URL/host}} is `null`, return "`Does Not Match`".

      2.  If |expression| does not have a <a grammar>`scheme-part`</a> and
          and [[#match-schemes]] returns "`Does Not Match`" given `null` and 
          |url|'s <a for="url">scheme</a>, return "`Does Not Match`".

          Note: As with <a grammar>`scheme-part`</a> above, we allow schemeless
          <a grammar>`host-source`</a> expressions to be upgraded from insecure
          schemes to secure schemes.

      3.  If [[#match-hosts]] returns "`Does Not Match`" given |expression|'s 
          <a grammar>`host-part`</a> and |url|'s {{URL/host}}, return "`Does 
          Not Match`".

      4.  If [[#match-ports]] returns "`Does Not Match`" given |expression|'s 
          <a grammar>`port-part`</a> (or `null` if |expression| does not 
          contain a <a grammar>`port-part`</a>) and |url|'s {{URL/port}}, return 
          "`Does Not Match`".

      5.  If |expression| contains a non-empty <a grammar>`path-part`</a>, and
          |redirect count| is 0, then:

          1.  Let |path| be the resulting of joining |url|'s <a for="url">path</a>
              on the U+002F SOLIDUS character (`/`).

          2.  If [[#match-paths]] returns "`Does Not Match`" given |expression|'s 
              <a grammar>`path-part`</a> and |path|, return "`Does Not Match`".

      6.  Return "`Matches`".

  4.  If |expression| is an <a>ASCII case-insensitive</a> match for "`'self'`",
      return "`Matches`" if one or more of the following conditions is met:

      1.  |origin| is the same as |url|'s {{URL/origin}}

      2.  |origin|'s {{URL/host}} is the same as |url|'s {{URL/host}},
          |origin|'s {{URL/port}} and |url|'s {{URL/port} are either the same
          or the <a>default ports</a> for their respective <a for="url">scheme</a>s, and
          one or more of the following conditions is met:

          1.  |url|'s <a for="url">scheme</a> is "`https`" or "`wss`"
          2.  |origin|'s <a for="url">scheme</a> is "`http`"

      Note: Like the <a grammar>`scheme-part`</a> logic above, the "`'self'`"
      matching algorithm allows upgrades to secure schemes when it is safe to do
      so. We limit these upgrades to endpoints running on the default port for a
      particular scheme or a port that matches the origin of the protected
      resource, as this seems sufficient to deal with upgrades that can be
      reasonably expected to succeed.

  5.  Return "`Does Not Match`".

  <h5 id="match-schemes" algorithm>
    Does `scheme-part` |A| match `scheme-part` |B|?
  </h5>

  Given two <a>ASCII strings</a> (|A| and |B|), this algorithm returns "`Matches`" if |A| matches
  |B|, and returns "`Does Not Match`" otherwise.

  Note: The matching relation is assymetric. That is, |A| matching |B| does not
  mean that |B| will match |A|.

  1.  If one of the following is true, return "`Matches`":

      1.  |A| is an <a>ASCII case-insensitive</a> match for |B|.

      2.  |A| is an <a>ASCII case-insensitive</a> match for "`http`", and |B| 
          is an <a>ASCII case-insensitive</a> match for "`https`".

      3.  |A| is an <a>ASCII case-insensitive</a> match for "`ws`", and |B| 
          is an <a>ASCII case-insensitive</a> match for "`wss`", "`http`", or 
          "`https`".

      4.  |A| is an <a>ASCII case-insensitive</a> match for "`wss`", and |B| 
          is an <a>ASCII case-insensitive</a> match for "`https`".

  2.  Return "`Does Not Match`".

  Note: We always allow a secure upgrade from an explicitly insecure expression.
  That is, script-src http: is treated as equivalent to script-src http: https:,
  script-src http://example.com to script-src http://example.com 
  https://example.com, and connect-src ws: to connect-src ws: wss:.

  ISSUE: Add a reference to https://github.com/diracdeltas/sniffly.

  <h5 id="match-hosts" algorithm>
    Does `host-part` |A| match `host-part` |B|?
  </h5>

  Given two <a>ASCII strings</a> (|A| and |B|), this algorithm returns "`Matches`" if |A| matches
  |B|, and returns "`Does Not Match`" otherwise.

  Note: The matching relation is assymetric. That is, |A| matching |B| does not 
  mean that |B| will match |A|.

  1.  If the first character of |A| is an U+002A ASTERISK character (`*`):

      1.  Let |remaining| be the result of removing the leading ("*") from |A|.

      2.  If |remaining| (including the leading U+002E FULL STOP character 
          (`.`)) is an <a>ASCII case-insensitive</a> match for the rightmost 
          characters of |B|, then return "`Matches`". Otherwise, return 
          "`Does Not Match`".      

  2.  If |A| is not an <a>ASCII case-insensitive</a> match for |B|, return 
      "`Does Not Match`".

  3.  If |A| matches the <a grammar>IPv4address</a> rule from [[!RFC3986]], and
      is not "`127.0.0.1`"; or if |A| is an <a>IPv6 address</a>, return 
      "`Does Not Match`".

      Note: A future version of this specification may allow literal IPv6
      and IPv4 addresses, depending on usage and demand. Given the weak
      security properties of IP addresses in relation to named hosts,
      however, authors are encouraged to prefer the latter whenever
      possible.

  4.  Return "`Matches`".

  <h5 id="match-ports" algorithm>
    Does |port A| match |port B| for |scheme B|?
  </h5>

  Given three <a>ASCII strings</a> (|port A|, |port B|, and |scheme B|), this algorithm returns
  "`Matches`" if |port A| matches |port B|, and returns "`Does Not Match`" otherwise.

  Note: The matching relation is assymetric. That is, |port A| matching |port B| does not mean that
  |port B| will match |port A|.

  1.  If |port A| is empty:

      1.  If |port B| is the <a>default port</a> for |scheme B|, return 
          "`Matches`". Otherwise, return "`Does Not Match`".

  2.  If |port A| is equal to "*", return "`Matches`".

  3.  If |port A| is a <a>case-sensitive</a> match for |port B|, return 
      "`Matches`".

  4.  If |port B| is empty:

      1.  If |port A| is the <a>default port</a> for |scheme B|, return 
          "`Matches`". Otherwise, return "`Does not Match`".

  5. Return "`Does Not Match`".

  <h5 id="match-paths" algorithm>
    Does |path A| match |path B|?
  </h5>

  Given two <a>ASCII strings</a> (|path A| and |path B|), this algorithm returns
  "`Matches`" if |path A| matches |path B|, and returns "`Does Not Match`"
  otherwise.

  Note: The matching relation is assymetric. That is, |path A| matching |path B|
  does not mean that |path B| will match |path A|.

  1.  If |path A| is empty, return "`Matches`".

  2.  If |path A| consists of one character that is equal to the U+002F SOLIDUS
      character (`/`) and |path B| is empty, return "`Matches`".

  3.  Let |exact match| be `false` if the final character of |path A| is the U+002F 
      SOLIDUS character (`/`), and `true` otherwise.

  4.  Let |path list A| and |path list B| be the result of 
      <a lt="strictly split a string">strictly splitting</a> |path A| and |path B| 
      respestively on the U+002F SOLIDUS character (`/`).

  5.  If |path list A| has more items than |path list B|, return 
      "`Does Not Match`".

  6.  If |exact match| is `true`, and |path list A| does not have the same
      number of items as |path list B|, return "`Does Not Match`".

  7.  For each |piece A| in |path list A|:

      1.  Let |piece B| be the next item in |path list B|.

      2.  <a>Percent decode</a> |piece A|.

      3.  <a>Percent decode</a> |piece B|.

      4.  If |piece A| is not a <a>case-sensitive</a> match
          for |piece B|, return "`Does Not Match`".

  8.  Return "`Matches`".

  <h5 id="effective-directive-for-a-request" algorithm>
    Get the effective directive for |request|
  </h5>

  Each <a>fetch directive</a> controls a specific type of <a for="/">request</a>. Given
  a <a for="/">request</a> (|request|), the following algorithm returns either
  `null` or the <a for="directive">name</a> of the request's
  <dfn for="request" export>effective directive</dfn>:

  1.  Switch on |request|'s <a for="request">type</a>, and execute
      the associated steps:

      : ""
      ::
        1.  If the |request|'s <a for="request">initiator</a> is
            "`fetch`", return `connect-src`.
        2.  If the |request|'s <a for="request">initiator</a> is
            "`manifest`", return `manifest-src`.
        3.  If the |request|'s <a for="request">destination</a> is
            "`subresource`", return `connect-src`.
        4.  If the |request|'s <a for="request">destination</a> is
            "`unknown`", return `object-src`.
        5.  If the |request|'s <a for="request">destination</a> is
            "`document`" <em>and</em> the |request|'s
            <a for="request">target browsing context</a> is a <a>nested browsing
            context</a>, return `frame-src`.

      : "`audio`"
      : "`track`"
      : "`video`"
      ::
        1.  Return `media-src`.

      : "`font`"
      ::
        1.  Return `font-src`.

      : "`image`"
      ::
        1.  Return `image-src`.

      : "`style`"
      ::
        1.  Return `style-src`.

      : "`script`"
      ::
        1.  Switch on |request|'s <a for="request">destination</a>, and
            execute the associated steps:

            : "`script`"
            : "`subresource`"
            ::
              1.  Return `script-src`.

            : "`serviceworker`"
            : "`sharedworker`"
            : "`worker`"
            ::
              1.  Return `worker-src`.

  2.  Return `null`.

  <h4 id="matching-elements">Element Matching Algorithms</h4>

  <h5 id="is-element-nonceable" algorithm>
    Is |element| nonceable?
  </h5>

  Given an {{Element}} (|element|), this algorithm returns "`Nonceable`" if
  a <a grammar>`nonce-source`</a> expression can match the element (as discussed
  in [[#security-nonce-stealing]]), and "`Not Nonceable`" if such expressions
  should not be applied.

  1.  If |element| does not have an attribute named "`nonce`", return "`Not
      Nonceable`".

  2.  If |element| is a <{script}> element, then for each |attribute| in
      |element|:

      1.  If |attribute|'s name is an <a>ASCII case-insensitive</a> match for
          the string "<code>&lt;script</code>" or the string
          "<code>&lt;style</code>", return "`Not Nonceable`".

      2.  If |attribute|'s value contains an <a>ASCII case-insensitive</a> match
          the string "<code>&lt;script</code>" or the string
          "<code>&lt;style</code>", return "`Not Nonceable`".

  3.  Return "`Nonceable`".

  ISSUE(w3c/webappsec-csp#98): This processing is meant to mitigate the risk
  of dangling markup attacks that steal the nonce from an existing element
  in order to load injected script. It is fairly expensive, however, as it
  requires that we walk through all attributes and their values in order to
  determine whether the script should execute. Here, we try to minimize the
  impact by doing this check only for <{script}> elements when a nonce is
  present, but we should probably consider this algorithm as "at risk" until
  we know its impact.

  <h5 id="allow-all-inline" algorithm>
    Does a source list allow all inline behavior for |type|?
  </h5>

  A <a>source list</a> 
  <dfn export for="source list" local-lt="allow all inline behavior">allows all inline behavior</dfn>
  of a given |type| if it contains the <a grammar>`keyword-source`</a>
  expression <a grammar>`'unsafe-inline'`</a>, and does not override that
  expression as described in the following algorithm:

  Given a <a>source list</a> (|list|) and a string (|type|), the following
  algorithm returns "`Allows`" if all inline content of a given |type| is 
  allowed and "`Does Not Allow`" otherwise.

  1.  Let |allow all inline| be `false`.

  2.  For each |expression| in |list|:

      1.  If |expression| matches the <a grammar>`nonce-source`</a> or
          <a grammar>`hash-source`</a> grammar, return "`Does Not Allow`".

      2.  If |type| is "`script`" or "`script attribute`" and |expression| 
          matches the <a grammar>keyword-source</a> 
          "<a grammar>`'strict-dynamic'`</a>", return "`Does Not Allow`".

          Note: `'strict-dynamic'` only applies to scripts, not other resource
          types. Usage is explained in more detail in [[#strict-dynamic-usage]].

      3.  If |expression| is an <a>ASCII case-insensitive</a> match for the
          <a grammar>`keyword-source`</a> "<a grammar>`'unsafe-inline'`</a>", 
          set |allow all inline| to `true`.

  3.  If |allow all inline| is `true`, return "`Allows`".
      Otherwise, return "`Does Not Allow`".

  <div class="example">
    <a>Source lists</a> that
    <a for="source list">allow all inline behavior</a>:

    <pre>
      'unsafe-inline' http://a.com http://b.com
      'unsafe-inline'
    </pre>

    <a>Source lists</a> that do not 
    <a for="source list">allow all inline behavior</a> due to
    the presence of nonces and/or hashes, or absence of '`unsafe-inline`':

    <pre>
      'sha512-321cba' 'nonce-abc'
      http://example.com 'unsafe-inline' 'nonce-abc'
    </pre>

     <a>Source lists</a> that do not 
     <a for="source list">allow all inline behavior</a> when |type| is 
     '`script`' or '`script attribute`' due to the presence of 
     '`strict-dynamic`', but <a for="source list">allow all inline behavior</a> 
     otherwise:

     <pre>
      'unsafe-inline' 'strict-dynamic'
      http://example.com 'strict-dynamic' 'unsafe-inline'
    </pre>
  </div>

  <h5 id="match-element-to-source-list" algorithm>
    Does |element| match source list for |type| and |source|?
  </h5>

  Given an {{Element}} (|element|), a <a>source list</a> (|list|), a string
  (|type|), and a string (|source|), this algorithm returns "`Matches`" or
  "`Does Not Match`".

  1.  Assert: |source| contains the value of a <{script}> element's
      {{HTMLScriptElement/text}} IDL attribute, the value of a <{style}>
      element's {{Node/textContent}} IDL attribute, or the value of one of a
      <{script}> element's <a>event handler IDL attribute</a>.

      Note: This means that |source| will be interpreted with the encoding
      of the page in which it is embedded. See the integration points
      in [[#html-integration]] for more detail.

  2.  If [[#allow-all-inline]] returns "`Allows`" given |list| and |type|,
      return "`Matches`".

  3.  If |type| is "`script`" or "`style`", and [[#is-element-nonceable]]
      returns "`Nonceable`" when executed upon |element|:

      1.  For each |expression| in |list|:

          1.  If |expression| matches the <a grammar>`nonce-source`</a> grammar,
              and |element| has a <{script/nonce}> attribute whose value is a
              <a>case-sensitive</a> match for |expression|'s
              <a grammar>`base64-value`</a> part, return "`Matches`".

      Note: Nonces only apply to inline <{script}> and inline <{style}>, not to
      attributes of either element.

  4.  Let |hashes match attributes| be `false`.

  5.  For each |expression| in |list|:

      1.  If |expression| is an <a>ASCII case-insensitive</a> match for the
          <a grammar>`keyword-source`</a> 
          "<a grammar>`'unsafe-hashed-attributes'`</a>", 
          set |hashes match attributes| to `true`. Break out of the loop.

  6.  If |type| is "`script`" or "`style`", or |hashes match attributes| is
      `true`:

      1.  For each |expression| in |list|:

          1.  If |expression| matches the <a grammar>`hash-source`</a> grammar:

              1.  Let |algorithm| be `null`.

              2.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha256", set
                  |algorithm| to <a>SHA-256</a>.

              3.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha384", set
                  |algorithm| to <a>SHA-384</a>.

              4.  If |expression|'s <a grammar>`hash-algorithm`</a> part is an
                  <a>ASCII case-insensitive</a> match for "sha512", set
                  |algorithm| to <a>SHA-512</a>.

              5.  If |algorithm| is not `null`:

                  1.  Let |actual| be the result of <a>base64 encoding</a> the
                      result of applying |algorithm| to |source|.

                  2.  If |actual| is a <a>case-sensitive</a> match for
                      |expression|'s <a grammar>`base64-value`</a> part, return
                      "`Matches`".

      Note: Hashes apply to inline <{script}> and inline <{style}>. If the
      "<a grammar>`'unsafe-hashed-attributes'`</a>" source expression is present,
      they will also apply to event handlers and style attributes.

  7.  Return "`Does Not Match`".
</section>

<!-- Big text: Security -->
<section>
  <h2 id="security-considerations">Security and Privacy Considerations</h2>

  <h3 id="security-nonces">Nonce Reuse</h3>

  Nonces override the other restrictions present in the directive in which
  they're delivered. It is critical, then, that they remain unguessable, as
  bypassing a resource's policy is otherwise trivial.

  If a server delivers a <a grammar>nonce-source</a> expression as part of a
  <a for="/">policy</a>, the server MUST generate a unique value each time it
  transmits a policy. The generated value SHOULD be at least 128 bits long
  (before encoding), and SHOULD be generated via a cryptographically secure
  random number generator in order to ensure that the value is difficult for
  an attacker to predict.

  Note: Using a nonce to allow inline script or style is less secure than
  not using a nonce, as nonces override the restrictions in the directive in
  which they are present. An attacker who can gain access to the nonce can
  execute whatever script they like, whenever they like. That said, nonces
  provide a substantial improvement over <a grammar>'unsafe-inline'</a> when
  layering a content security policy on top of old code. When considering
  <a grammar>'unsafe-inline'</a>, authors are encouraged to consider nonces
  (or hashes) instead.

  <h3 id="security-nonce-stealing">Nonce Stealing</h3>

  Dangling markup attacks such as those discussed in [[FILEDESCRIPTOR-2015]]
  can be used to repurpose a page's legitimate nonces for injections. For
  example, given an injection point before a <{script}> element:

  <pre highlight="html">
    &lt;p&gt;Hello, [INJECTION POINT]&lt;/p&gt;
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  If an attacker injects the string "<code>&lt;script src='https://evil.com/evil.js' </code>",
  then the browser will receive the following:

  <pre highlight="html">
    &lt;p&gt;Hello, &lt;script src='https://evil.com/evil.js' &lt;/p&gt;
    &lt;script nonce=abc src=/good.js&gt;&lt;/script&gt;
  </pre>

  It will then parse that code, ending up with a <{script}> element with a
  `src` attribute pointing to a malicious payload, an attribute named `</p>`,
  an attribute named "<code>&lt;script</code>", a `nonce` attribute, and a
  second `src` attribute which is helpfully discarded as duplicate by the parser.

  The [[#is-element-nonceable]] algorithm attempts to mitigate this specific
  attack by walking through <{script}> element attributes, looking for the
  string "<code>&lt;script</code>" or "<code>&lt;style</code>" in their names or values.

  <h3 id="security-css-parsing">CSS Parsing</h3>

  The <a>style-src</a> directive restricts the locations from which the
  protected resource can load styles. However, if the user agent uses a lax CSS
  parsing algorithm, an attacker might be able to trick the user agent into
  accepting malicious "stylesheets" hosted by an otherwise trustworthy origin.

  These attacks are similar to the CSS cross-origin data leakage attack
  described by Chris Evans in 2009 [[CSS-ABUSE]]. User agents SHOULD defend
  against both attacks using the same mechanism: stricter CSS parsing rules for
  style sheets with improper MIME types.

  <h3 id="security-violation-reports">Violation Reports</h3>

  The violation reporting mechanism in this document has been designed to
  mitigate the risk that a malicious web site could use violation reports to
  probe the behavior of other servers. For example, consider a malicious web
  site that allows `https://example.com` as a source of images. If the
  malicious site attempts to load `https://example.com/login` as an image, and
  the `example.com` server redirects to an identity provider (e.g.
  `identityprovider.example.net`), CSP will block the request. If violation
  reports contained the full blocked URL, the violation report might contain
  sensitive information contained in the redirected URL, such as session
  identifiers or purported identities. For this reason, the user agent includes
  only the URL of the original request, not the redirect target.
</section>

<!-- Big text: Authoring -->
<section>
  <h2 id="authoring-considerations">Authoring Considerations</h2>

  <h3 id="multiple-policies">
    The effect of multiple policies
  </h3>

  <em>This section is not normative.</em>

  The above sections note that when multiple policies are present, each must be
  enforced or reported, according to its type. An example will help clarify how
  that ought to work in practice. The behavior of an `XMLHttpRequest`
  might seem unclear given a site that, for whatever reason, delivered the
  following HTTP headers:

  <div class="example">
    <pre>
      Content-Security-Policy: default-src 'self' http://example.com http://example.net;
                               connect-src 'none';
      Content-Security-Policy: connect-src http://example.com/;
                               script-src http://example.com/
    </pre>
  </div>

  Is a connection to example.com allowed or not? The short answer is that the
  connection is not allowed. Enforcing both policies means that a potential
  connection would have to pass through both unscathed. Even though the second
  policy would allow this connection, the first policy contains
  `connect-src 'none'`, so its enforcement blocks the connection. The
  impact is that adding additional policies to the list of policies to enforce
  can <em>only</em> further restrict the capabilities of the protected resource.

  To demonstrate that further, consider a script tag on this page. The first
  policy would lock scripts down to `'self'`, `http://example.com` and
  `http://example.net` via the `default-src` directive. The second, however,
  would only allow script from `http://example.com/`. Script will only load if
  it meets both policy’s criteria: in this case, the only origin that can match
  is `http://example.com`, as both policies allow it.

  <h3 id="strict-dynamic-usage">
    Usage of "`'strict-dynamic'`"
  </h3>

  Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs.
  The <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22#107-bytes">solutions
  to Cure53's H5SC Minichallenge 3: "Sh*t, it's CSP!"</a> [[H5SC3]] are good examples of the
  kinds of bypasses which such policies can enable, and though CSP is capable of mitigating these
  bypasses via exhaustive declaration of specific resources, those lists end up being brittle,
  awkward, and difficult to implement and maintain.

  The "<a grammar>`'strict-dynamic'`</a>" source expression aims to make Content
  Security Policy simpler to deploy for existing applications who have a high
  degree of confidence in the scripts they load directly, but low confidence in
  their ability to provide a reasonable list of resources to load up front.

  If present in a <a>`script-src`</a> or <a>`default-src`</a> directive, it has
  two main effects:

  1.  <a grammar>host-source</a> and <a grammar>scheme-source</a>
      expressions, as well as the "<a grammar>`'unsafe-inline'`</a>"
      and "<a grammar>`'self'`</a> <a grammar>keyword-source</a>s will be
      ignored when loading script.

      <a grammar>hash-source</a> and <a grammar>nonce-source</a> expressions
      will be honored.

  2.  Script requests which are triggered by non-<a>"parser-inserted"</a>
      <{script}> elements are allowed.

  The first change allows you to deploy "<a grammar>`'strict-dynamic'`</a> in a
  backwards compatible way, without requiring user-agent sniffing: the policy
  `'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'` will act like
  `'unsafe-inline' https:` in browsers that support CSP1, `https:
  'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV'` in browsers that support CSP2, and
  `'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' 'strict-dynamic'` in browsers that
  support CSP3.

  The second allows scripts which are given access to the page via nonces or
  hashes to bring in their dependencies without adding them explicitly to the
  page's policy.

  <div class="example">
    Suppose MegaCorp, Inc. deploys the following policy:

    <pre>
      <a>Content-Security-Policy</a>: <a>script-src</a> 'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' <a grammar>'strict-dynamic'</a>
    </pre>

    And serves the following HTML with that policy active:

    <pre highlight="html">
      ...
      &lt;script src="https://cdn.example.com/script.js" nonce="DhcnhD3khTMePgXwdayK9BsMqXjhguVV" &gt;&lt;/script&gt;
      ...
    </pre>

    This will generate a request for `https://cdn.example.com/script.js`, which
    will not be blocked because of the matching <{script/nonce}> attribute.

    If `script.js` contains the following code:

    <pre highlight="javascript">
      var s = document.createElement('script');
      s.src = 'https://othercdn.not-example.net/dependency.js';
      document.head.appendChild('s');

      document.write('&lt;scr' + 'ipt src='/sadness.js'&gt;&lt;/scr' + 'ipt&gt;');
    </pre>

    `dependency.js` will load, as the <{script}> element created by
    `createElement()` is not <a>"parser-inserted"</a>.

    `sadness.js` will <em>not</em> load, however, as `document.write()` produces
    <{script}> elements which are <a>"parser-inserted"</a>.
  </div>

  <section class="wip">
    <h3 id="unsafe-hashed-attributes-usage">
      Usage of "`'unsafe-hashed-attributes'`"
    </h3>

    <em>This section is not normative.</em>
    
    ISSUE(w3c/webappsec-csp#13): Work in progress.

    Legacy websites and websites with legacy dependencies might find it difficult
    to entirely externalize event handlers. These sites could enable such handlers
    by allowing `'unsafe-inline'`, but that's a big hammer with a lot of
    associated risk (and cannot be used in conjunction with nonces or hashes).

    The "<a grammar>`'unsafe-hashed-attributes'`</a>" source expression aims to make
    CSP deployment simpler and safer in these situations by allowing developers
    to enable specific handlers via hashes.

    <div class="example">
      MegaCorp, Inc. can't quite get rid of the following HTML on anything
      resembling a reasonable schedule:

      <pre highlight="html">
        &lt;button id="action" onclick="doSubmit()"&gt;
      </pre>

      Rather than reducing security by specifying "`'unsafe-inline'`", they decide to use
      "`'unsafe-hashed-attributes'`" along with a hash source expression, as follows:

      <pre>
        <a>Content-Security-Policy</a>:  <a>script-src</a> <a grammar>'unsafe-hashed-attributes'</a> 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
      </pre>
    </div>
  </section>

  <section>
    <h3 id="external-hash">
      Allowing external JavaScript via hashes
    </h3>

    In [[CSP2]], hash <a>source expressions</a> could only match inlined
    script, but now that Subresource Integrity is widely deployed, we can expand
    the scope to enable externalized JavaScript as well.

    If multiple sets of integrity metadata are specified for a <{script}>, the
    request will match a policy's <a grammar>hash-source</a>s if and only if
    <em>each</em> item in a <{script}>'s integrity metadata matches the policy.

    <div class="example">
      MegaCorp, Inc. wishes to allow two specific scripts on a page in a way
      that ensures that the content matches their expectations. They do so by
      setting the following policy:

      <pre>
        Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'
      </pre>

      In the presence of that policy, the following <{script}> elements would be
      allowed to execute because they contain only integrity metadata that matches
      the policy:

      <pre highlight="html">
        &lt;script integrity="sha256-abc123" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha512-321cba" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>

      While the following <{script}> elements would not execute because they
      contain valid metadata that does not match the policy (even though other
      metadata does match):

      <pre highlight="html">
        &lt;script integrity="<b>sha384-xyz789</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="<b>sha384-xyz789</b> sha512-321cba" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 <b>sha384-xyz789</b> sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>

      Metadata that is not recognized (either because it's entirely invalid, or
      because it specifies a not-yet-supported hashing algorithm) does not affect
      the behavior described here. That is, the following elements would be
      allowed to execute in the presence of the above policy, as the additional
      metadata is invalid and therefore wouldn't allow a script whose content
      wasn't listed explicitly in the policy to execute:

      <pre highlight="html">
        &lt;script integrity="sha256-abc123 <b>sha1024-abcd</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha512-321cba <b>entirely-invalid</b>" ...&gt;&lt;/script&gt;
        &lt;script integrity="sha256-abc123 <b>not-a-hash-at-all</b> sha512-321cba" ...&gt;&lt;/script&gt;
      </pre>
    </div>
  </section>
</section>

<section>
  <h2 id="implementation-considerations">Implementation Considerations</h2>

  <h3 id="extensions">Vendor-specific Extensions and Addons</h3>

  <a for="/">Policy</a> enforced on a resource SHOULD NOT interfere with the operation
  of user-agent features like addons, extensions, or bookmarklets. These kinds
  of features generally advance the user's priority over page authors, as
  espoused in [[HTML-DESIGN]].

  Moreover, applying CSP to these kinds of features produces a substantial
  amount of noise in violation reports, significantly reducing their value to
  developers.

  Chrome, for example, excludes the `chrome-extension:` scheme from CSP checks,
  and does some work to ensure that extension-driven injections are allowed,
  regardless of a page's policy.
</section>

<!-- Big Text: IANA -->
<section>
  <h2 id="iana-considerations">IANA Considerations</h2>

  <h3 id="iana-registry">
    Directive Registry
  </h3>

  The Content Security Policy Directive registry should be updated with the
  following directives and references [[!RFC7762]]:

  :   <a>`base-uri`</a>
  ::  This document (see [[#directive-base-uri]])
  :   <a>`child-src`</a>
  ::  This document (see [[#directive-child-src]])
  :   <a>`connect-src`</a>
  ::  This document (see [[#directive-connect-src]])
  :   <a>`default-src`</a>
  ::  This document (see [[#directive-default-src]])
  :   <a>`disown-opener`</a>
  ::  This document (see [[#directive-disown-opener]])
  :   <a>`font-src`</a>
  ::  This document (see [[#directive-font-src]])
  :   <a>`form-action`</a>
  ::  This document (see [[#directive-form-action]])
  :   <a>`frame-ancestors`</a>
  ::  This document (see [[#directive-frame-ancestors]])
  :   <a>`frame-src`</a>
  ::  This document (see [[#directive-frame-src]])
  :   <a>`img-src`</a>
  ::  This document (see [[#directive-img-src]])
  :   <a>`manifest-src`</a>
  ::  This document (see [[#directive-manifest-src]])
  :   <a>`media-src`</a>
  ::  This document (see [[#directive-media-src]])
  :   <a>`object-src`</a>
  ::  This document (see [[#directive-object-src]])
  :   <a>`plugin-types`</a>
  ::  This document (see [[#directive-plugin-types]])
  :   <a>`report-uri`</a>
  ::  This document (see [[#directive-report-uri]])
  :   <a>`report-to`</a>
  ::  This document (see [[#directive-report-to]])
  :   <a>`sandbox`</a>
  ::  This document (see [[#directive-sandbox]])
  :   <a>`script-src`</a>
  ::  This document (see [[#directive-script-src]])
  :   <a>`style-src`</a>
  ::  This document (see [[#directive-style-src]])
  :   <a>`worker-src`</a>
  ::  This document (see [[#directive-worker-src]])

  <h3 id="iana-headers">
    Headers
  </h3>

  The permanent message header field registry should be updated
  with the following registrations: [[!RFC3864]]

  <h4 id="iana-csp">Content-Security-Policy</h4>

  <dl>
    <dt>Header field name</dt>
    <dd>Content-Security-Policy</dd>

    <dt>Applicable protocol</dt>
    <dd>http</dd>

    <dt>Status</dt>
    <dd>standard</dd>

    <dt>Author/Change controller</dt>
    <dd>W3C</dd>

    <dt>Specification document</dt>
    <dd>This specification (See [[#csp-header]])</dd>
  </dl>

  <h4 id="iana-cspro">Content-Security-Policy-Report-Only</h4>

  <dl>
    <dt>Header field name</dt>
    <dd>Content-Security-Policy-Report-Only</dd>

    <dt>Applicable protocol</dt>
    <dd>http</dd>

    <dt>Status</dt>
    <dd>standard</dd>

    <dt>Author/Change controller</dt>
    <dd>W3C</dd>

    <dt>Specification document</dt>
    <dd>This specification (See [[#cspro-header]])</dd>
  </dl>
</section>

<section>
  <h2 id="acknowledgements">Acknowledgements</h2>

  Lots of people are awesome. For instance:

  * Mario and all of Cure53.

  * Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, Jochen Eisinger, and the
    rest of Google's CSP Cabal.
</section>