WD.html

<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>Content Security Policy Level 3</title>
  <meta content="WD" name="w3c-status">
  <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-WD" rel="stylesheet" type="text/css">
  <meta content="Bikeshed version fbf1456a756299b3ff6d248d0857ec87f2e68cd7" name="generator">
  <link href="https://www.w3.org/TR/CSP3/" rel="canonical">
  <meta content="4ba38508fb23a7ba4517458ed1a8535879ad358f" name="document-revision">
<style>
  ul.toc ul ul ul {
    margin: 0 0 0 2em;
  }
  ul.toc ul ul ul span.secno {
    margin-left: -9em;
  }

  a[href^="http:"]:after {
    color: red;
    content: "🔓";
  }

  .wip {
    margin: 1em auto;

    background: #FCFAEE;
    border: 0.5em;
    border-left-style: solid;
    border-color: #E0CB52;
    padding: 0.5em;
  }

  .wip::before {
    content: "Work In Progress: ";
    display: block;
    color: #827017;
  }
  section.wip {
    padding-left: 2em;
  }

</style>
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-selflinks */

.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: gray;
    color: white;
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: black;
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: #005a9c;
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
<style>/* style-dfn-panel */

        .dfn-panel {
            position: absolute;
            z-index: 35;
            height: auto;
            width: -webkit-fit-content;
            width: fit-content;
            max-width: 300px;
            max-height: 500px;
            overflow: auto;
            padding: 0.5em 0.75em;
            font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
            background: #DDDDDD;
            color: black;
            border: outset 0.2em;
        }
        .dfn-panel:not(.on) { display: none; }
        .dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
        .dfn-panel > b { display: block; }
        .dfn-panel a { color: black; }
        .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
        .dfn-panel > b + b { margin-top: 0.25em; }
        .dfn-panel ul { padding: 0; }
        .dfn-panel li { list-style: inside; }
        .dfn-panel.activated {
            display: inline-block;
            position: fixed;
            left: .5em;
            bottom: 2em;
            margin: 0 auto;
            max-width: calc(100vw - 1.5em - .4em - .5em);
            max-height: 30vh;
        }

        .dfn-paneled { cursor: pointer; }
        </style>
<style>/* style-syntax-highlighting */
pre.idl.highlight { color: #708090; }
.highlight:not(.idl) { background: hsl(24, 20%, 95%); }
code.highlight { padding: .1em; border-radius: .3em; }
pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
.highlight .c { color: #708090 } /* Comment */
.highlight .k { color: #990055 } /* Keyword */
.highlight .l { color: #000000 } /* Literal */
.highlight .n { color: #0077aa } /* Name */
.highlight .o { color: #999999 } /* Operator */
.highlight .p { color: #999999 } /* Punctuation */
.highlight .cm { color: #708090 } /* Comment.Multiline */
.highlight .cp { color: #708090 } /* Comment.Preproc */
.highlight .c1 { color: #708090 } /* Comment.Single */
.highlight .cs { color: #708090 } /* Comment.Special */
.highlight .kc { color: #990055 } /* Keyword.Constant */
.highlight .kd { color: #990055 } /* Keyword.Declaration */
.highlight .kn { color: #990055 } /* Keyword.Namespace */
.highlight .kp { color: #990055 } /* Keyword.Pseudo */
.highlight .kr { color: #990055 } /* Keyword.Reserved */
.highlight .kt { color: #990055 } /* Keyword.Type */
.highlight .ld { color: #000000 } /* Literal.Date */
.highlight .m { color: #000000 } /* Literal.Number */
.highlight .s { color: #a67f59 } /* Literal.String */
.highlight .na { color: #0077aa } /* Name.Attribute */
.highlight .nc { color: #0077aa } /* Name.Class */
.highlight .no { color: #0077aa } /* Name.Constant */
.highlight .nd { color: #0077aa } /* Name.Decorator */
.highlight .ni { color: #0077aa } /* Name.Entity */
.highlight .ne { color: #0077aa } /* Name.Exception */
.highlight .nf { color: #0077aa } /* Name.Function */
.highlight .nl { color: #0077aa } /* Name.Label */
.highlight .nn { color: #0077aa } /* Name.Namespace */
.highlight .py { color: #0077aa } /* Name.Property */
.highlight .nt { color: #669900 } /* Name.Tag */
.highlight .nv { color: #222222 } /* Name.Variable */
.highlight .ow { color: #999999 } /* Operator.Word */
.highlight .mb { color: #000000 } /* Literal.Number.Bin */
.highlight .mf { color: #000000 } /* Literal.Number.Float */
.highlight .mh { color: #000000 } /* Literal.Number.Hex */
.highlight .mi { color: #000000 } /* Literal.Number.Integer */
.highlight .mo { color: #000000 } /* Literal.Number.Oct */
.highlight .sb { color: #a67f59 } /* Literal.String.Backtick */
.highlight .sc { color: #a67f59 } /* Literal.String.Char */
.highlight .sd { color: #a67f59 } /* Literal.String.Doc */
.highlight .s2 { color: #a67f59 } /* Literal.String.Double */
.highlight .se { color: #a67f59 } /* Literal.String.Escape */
.highlight .sh { color: #a67f59 } /* Literal.String.Heredoc */
.highlight .si { color: #a67f59 } /* Literal.String.Interpol */
.highlight .sx { color: #a67f59 } /* Literal.String.Other */
.highlight .sr { color: #a67f59 } /* Literal.String.Regex */
.highlight .s1 { color: #a67f59 } /* Literal.String.Single */
.highlight .ss { color: #a67f59 } /* Literal.String.Symbol */
.highlight .vc { color: #0077aa } /* Name.Variable.Class */
.highlight .vg { color: #0077aa } /* Name.Variable.Global */
.highlight .vi { color: #0077aa } /* Name.Variable.Instance */
.highlight .il { color: #000000 } /* Literal.Number.Integer.Long */
</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1>Content Security Policy Level 3</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C Working Draft, <time class="dt-updated" datetime="2017-12-01">1 December 2017</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://www.w3.org/TR/2017/WD-csp3-20171201/">https://www.w3.org/TR/2017/WD-csp3-20171201/</a>
     <dt>Latest published version:
     <dd><a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
     <dt>Editor's Draft:
     <dd><a href="https://w3c.github.io/webappsec-csp/">https://w3c.github.io/webappsec-csp/</a>
     <dt>Previous Versions:
     <dd><a href="https://www.w3.org/TR/2016/WD-CSP3-20160913/" rel="prev">https://www.w3.org/TR/2016/WD-CSP3-20160913/</a>
     <dt>Version History:
     <dd><a href="https://github.com/w3c/webappsec-csp/commits/master/index.src.html">https://github.com/w3c/webappsec-csp/commits/master/index.src.html</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bcsp3%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[csp3] <i data-lt="">… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)
     <dt>Participate:
     <dd><a href="https://github.com/w3c/webappsec-csp/issues/new">File an issue</a> (<a href="https://github.com/w3c/webappsec-csp/issues">open issues</a>)
     <dt>Tests:
     <dd><a href="https://github.com/web-platform-tests/wpt/tree/master/content-security-policy">web-platform-tests content-security-policy/</a> (<a href="https://github.com/web-platform-tests/wpt/labels/content-security-policy">ongoing work</a>)
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2017 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <div class="p-summary" data-fill-with="abstract">
   <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
   <p>This document defines a mechanism by which web developers can control the

resources which a particular page can fetch or execute, as well as a number
of security-relevant policy decisions.</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> <em>This section describes the status of this document at the time of
  its publication. Other documents may supersede this document. A list of
  current W3C publications and the latest revision of this technical report
  can be found in the <a href="https://www.w3.org/TR/">W3C technical reports
  index at https://www.w3.org/TR/.</a></em> </p>
   <p> This document was published by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a Working Draft. This document is intended to become a W3C Recommendation. </p>
   <p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bcsp3%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “csp3” in the subject,
	preferably like this:
	“[csp3] <em>…summary of comment…</em>” </p>
   <p> Publication as a Working Draft does not imply endorsement by the W3C
  Membership. This is a draft document and may be updated, replaced or
  obsoleted by other documents at any time. It is inappropriate to cite this
  document as other than work in progress. </p>
   <p> This document was produced by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
   <p> This document was produced by a group operating under
	the <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2017/Process-20170301/" id="w3c_process_revision">1 March 2017 W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk">
   <p>The following features are at-risk, and may be dropped during the CR period: </p>
   <ul>
    <li>The <a href="#is-element-nonceable">§6.6.2.1 Is element nonceable?</a> algorithm.
   </ul>
   <p>“At-risk” is a W3C Process term-of-art, and does not necessarily imply that the feature is in danger of being dropped or delayed. It means that the WG believes the feature may have difficulty being interoperably implemented in a timely manner, and marking it as such allows the WG to drop the feature if necessary when transitioning to the Proposed Rec stage, without having to publish a new Candidate Rec without the feature first.</p>
  </div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li>
     <a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ol class="toc">
      <li>
       <a href="#examples"><span class="secno">1.1</span> <span class="content">Examples</span></a>
       <ol class="toc">
        <li><a href="#example-basic"><span class="secno">1.1.1</span> <span class="content">Control Execution</span></a>
       </ol>
      <li><a href="#goals"><span class="secno">1.2</span> <span class="content">Goals</span></a>
      <li><a href="#changes-from-level-2"><span class="secno">1.3</span> <span class="content">Changes from Level 2</span></a>
     </ol>
    <li>
     <a href="#framework"><span class="secno">2</span> <span class="content">Framework</span></a>
     <ol class="toc">
      <li><a href="#framework-infrastructure"><span class="secno">2.1</span> <span class="content">Infrastructure</span></a>
      <li>
       <a href="#framework-policy"><span class="secno">2.2</span> <span class="content">Policies</span></a>
       <ol class="toc">
        <li><a href="#parse-serialized-policy"><span class="secno">2.2.1</span> <span class="content"> Parse a serialized CSP </span></a>
        <li><a href="#parse-serialized-policy-list"><span class="secno">2.2.2</span> <span class="content"> Parse a serialized CSP list </span></a>
       </ol>
      <li>
       <a href="#framework-directives"><span class="secno">2.3</span> <span class="content">Directives</span></a>
       <ol class="toc">
        <li><a href="#framework-directive-source-list"><span class="secno">2.3.1</span> <span class="content">Source Lists</span></a>
       </ol>
      <li>
       <a href="#framework-violation"><span class="secno">2.4</span> <span class="content">Violations</span></a>
       <ol class="toc">
        <li><a href="#create-violation-for-global"><span class="secno">2.4.1</span> <span class="content"> Create a violation object for <var>global</var>, <var>policy</var>, and <var>directive</var> </span></a>
        <li><a href="#create-violation-for-request"><span class="secno">2.4.2</span> <span class="content"> Create a violation object for <var>request</var>, <var>policy</var>, and <var>directive</var> </span></a>
       </ol>
     </ol>
    <li>
     <a href="#policy-delivery"><span class="secno">3</span> <span class="content"> Policy Delivery </span></a>
     <ol class="toc">
      <li><a href="#csp-header"><span class="secno">3.1</span> <span class="content"> The <code>Content-Security-Policy</code> HTTP Response Header Field </span></a>
      <li><a href="#cspro-header"><span class="secno">3.2</span> <span class="content"> The <code>Content-Security-Policy-Report-Only</code> HTTP Response Header Field </span></a>
      <li><a href="#meta-element"><span class="secno">3.3</span> <span class="content"> The <code>&lt;meta></code> element </span></a>
     </ol>
    <li>
     <a href="#integrations"><span class="secno">4</span> <span class="content">Integrations</span></a>
     <ol class="toc">
      <li>
       <a href="#fetch-integration"><span class="secno">4.1</span> <span class="content"> Integration with Fetch </span></a>
       <ol class="toc">
        <li><a href="#set-response-csp-list"><span class="secno">4.1.1</span> <span class="content"> Set <var>response</var>’s <code>CSP list</code> </span></a>
        <li><a href="#report-for-request"><span class="secno">4.1.2</span> <span class="content"> Report Content Security Policy violations for <var>request</var> </span></a>
        <li><a href="#should-block-request"><span class="secno">4.1.3</span> <span class="content"> Should <var>request</var> be blocked by Content Security Policy? </span></a>
        <li><a href="#should-block-response"><span class="secno">4.1.4</span> <span class="content"> Should <var>response</var> to <var>request</var> be blocked by Content
    Security Policy? </span></a>
       </ol>
      <li>
       <a href="#html-integration"><span class="secno">4.2</span> <span class="content"> Integration with HTML </span></a>
       <ol class="toc">
        <li><a href="#initialize-document-csp"><span class="secno">4.2.1</span> <span class="content"> Initialize a <code>Document</code>'s <code>CSP list</code> </span></a>
        <li><a href="#initialize-global-object-csp"><span class="secno">4.2.2</span> <span class="content"> Initialize a global object’s <code>CSP list</code> </span></a>
        <li><a href="#get-csp-of-object"><span class="secno">4.2.3</span> <span class="content"> Retrieve the <span>CSP list</span> of an <var>object</var> </span></a>
        <li><a href="#should-block-inline"><span class="secno">4.2.4</span> <span class="content"> Should <var>element</var>’s inline <var>type</var> behavior be blocked by Content Security Policy? </span></a>
        <li><a href="#should-block-navigation-request"><span class="secno">4.2.5</span> <span class="content"> Should <var>navigation request</var> of <var>type</var> from <var>source</var> in <var>target</var> be blocked
    by Content Security Policy? </span></a>
        <li><a href="#should-block-navigation-response"><span class="secno">4.2.6</span> <span class="content"> Should <var>navigation response</var> to <var>navigation request</var> of <var>type</var> from <var>source</var> in <var>target</var> be blocked by Content Security Policy? </span></a>
       </ol>
      <li>
       <a href="#ecma-integration"><span class="secno">4.3</span> <span class="content">Integration with ECMAScript</span></a>
       <ol class="toc">
        <li><a href="#can-compile-strings"><span class="secno">4.3.1</span> <span class="content"> EnsureCSPDoesNotBlockStringCompilation(<var>callerRealm</var>, <var>calleeRealm</var>, <var>source</var>) </span></a>
       </ol>
     </ol>
    <li>
     <a href="#reporting"><span class="secno">5</span> <span class="content"> Reporting </span></a>
     <ol class="toc">
      <li><a href="#violation-events"><span class="secno">5.1</span> <span class="content"> Violation DOM Events </span></a>
      <li><a href="#deprecated-serialize-violation"><span class="secno">5.2</span> <span class="content"> Obtain the deprecated serialization of <var>violation</var> </span></a>
      <li><a href="#report-violation"><span class="secno">5.3</span> <span class="content"> Report a <var>violation</var> </span></a>
     </ol>
    <li>
     <a href="#csp-directives"><span class="secno">6</span> <span class="content"> Content Security Policy Directives </span></a>
     <ol class="toc">
      <li>
       <a href="#directives-fetch"><span class="secno">6.1</span> <span class="content"> Fetch Directives </span></a>
       <ol class="toc">
        <li>
         <a href="#directive-child-src"><span class="secno">6.1.1</span> <span class="content"><code>child-src</code></span></a>
         <ol class="toc">
          <li><a href="#child-src-pre-request"><span class="secno">6.1.1.1</span> <span class="content"> <code>child-src</code> Pre-request check </span></a>
          <li><a href="#child-src-post-request"><span class="secno">6.1.1.2</span> <span class="content"> <code>child-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-connect-src"><span class="secno">6.1.2</span> <span class="content"><code>connect-src</code></span></a>
         <ol class="toc">
          <li><a href="#connect-src-pre-request"><span class="secno">6.1.2.1</span> <span class="content"> <code>connect-src</code> Pre-request check </span></a>
          <li><a href="#connect-src-post-request"><span class="secno">6.1.2.2</span> <span class="content"> <code>connect-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-default-src"><span class="secno">6.1.3</span> <span class="content"><code>default-src</code></span></a>
         <ol class="toc">
          <li><a href="#default-src-pre-request"><span class="secno">6.1.3.1</span> <span class="content"> <code>default-src</code> Pre-request check </span></a>
          <li><a href="#default-src-post-request"><span class="secno">6.1.3.2</span> <span class="content"> <code>default-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-font-src"><span class="secno">6.1.4</span> <span class="content"><code>font-src</code></span></a>
         <ol class="toc">
          <li><a href="#font-src-pre-request"><span class="secno">6.1.4.1</span> <span class="content"> <code>font-src</code> Pre-request check </span></a>
          <li><a href="#font-src-post-request"><span class="secno">6.1.4.2</span> <span class="content"> <code>font-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-frame-src"><span class="secno">6.1.5</span> <span class="content"><code>frame-src</code></span></a>
         <ol class="toc">
          <li><a href="#frame-src-pre-request"><span class="secno">6.1.5.1</span> <span class="content"> <code>frame-src</code> Pre-request check </span></a>
          <li><a href="#frame-src-post-request"><span class="secno">6.1.5.2</span> <span class="content"> <code>frame-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-img-src"><span class="secno">6.1.6</span> <span class="content"><code>img-src</code></span></a>
         <ol class="toc">
          <li><a href="#img-src-pre-request"><span class="secno">6.1.6.1</span> <span class="content"> <code>img-src</code> Pre-request check </span></a>
          <li><a href="#img-src-post-request"><span class="secno">6.1.6.2</span> <span class="content"> <code>img-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-manifest-src"><span class="secno">6.1.7</span> <span class="content"><code>manifest-src</code></span></a>
         <ol class="toc">
          <li><a href="#manifest-src-pre-request"><span class="secno">6.1.7.1</span> <span class="content"> <code>manifest-src</code> Pre-request check </span></a>
          <li><a href="#manifest-src-post-request"><span class="secno">6.1.7.2</span> <span class="content"> <code>manifest-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-media-src"><span class="secno">6.1.8</span> <span class="content"><code>media-src</code></span></a>
         <ol class="toc">
          <li><a href="#media-src-pre-request"><span class="secno">6.1.8.1</span> <span class="content"> <code>media-src</code> Pre-request check </span></a>
          <li><a href="#media-src-post-request"><span class="secno">6.1.8.2</span> <span class="content"> <code>media-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-object-src"><span class="secno">6.1.9</span> <span class="content"><code>object-src</code></span></a>
         <ol class="toc">
          <li><a href="#object-src-pre-request"><span class="secno">6.1.9.1</span> <span class="content"> <code>object-src</code> Pre-request check </span></a>
          <li><a href="#object-src-post-request"><span class="secno">6.1.9.2</span> <span class="content"> <code>object-src</code> Post-request check </span></a>
         </ol>
        <li>
         <a href="#directive-script-src"><span class="secno">6.1.10</span> <span class="content"><code>script-src</code></span></a>
         <ol class="toc">
          <li><a href="#script-src-pre-request"><span class="secno">6.1.10.1</span> <span class="content"> <code>script-src</code> Pre-request check </span></a>
          <li><a href="#script-src-post-request"><span class="secno">6.1.10.2</span> <span class="content"> <code>script-src</code> Post-request check </span></a>
          <li><a href="#script-src-inline"><span class="secno">6.1.10.3</span> <span class="content"> <code>script-src</code> Inline Check </span></a>
         </ol>
        <li>
         <a href="#directive-style-src"><span class="secno">6.1.11</span> <span class="content"><code>style-src</code></span></a>
         <ol class="toc">
          <li><a href="#style-src-pre-request"><span class="secno">6.1.11.1</span> <span class="content"> <code>style-src</code> Pre-request Check </span></a>
          <li><a href="#style-src-post-request"><span class="secno">6.1.11.2</span> <span class="content"> <code>style-src</code> Post-request Check </span></a>
          <li><a href="#style-src-inline"><span class="secno">6.1.11.3</span> <span class="content"> <code>style-src</code> Inline Check </span></a>
         </ol>
        <li>
         <a href="#directive-worker-src"><span class="secno">6.1.12</span> <span class="content"><code>worker-src</code></span></a>
         <ol class="toc">
          <li><a href="#worker-src-pre-request"><span class="secno">6.1.12.1</span> <span class="content"> <code>worker-src</code> Pre-request Check </span></a>
          <li><a href="#worker-src-post-request"><span class="secno">6.1.12.2</span> <span class="content"> <code>worker-src</code> Post-request Check </span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-document"><span class="secno">6.2</span> <span class="content"> Document Directives </span></a>
       <ol class="toc">
        <li>
         <a href="#directive-base-uri"><span class="secno">6.2.1</span> <span class="content"><code>base-uri</code></span></a>
         <ol class="toc">
          <li><a href="#allow-base-for-document"><span class="secno">6.2.1.1</span> <span class="content"> Is <var>base</var> allowed for <var>document</var>? </span></a>
         </ol>
        <li>
         <a href="#directive-plugin-types"><span class="secno">6.2.2</span> <span class="content"><code>plugin-types</code></span></a>
         <ol class="toc">
          <li><a href="#plugin-types-post-request-check"><span class="secno">6.2.2.1</span> <span class="content"> <code>plugin-types</code> Post-Request Check </span></a>
          <li><a href="#should-plugin-element-be-blocked-a-priori-by-content-security-policy"><span class="secno">6.2.2.2</span> <span class="content"> Should <var>plugin element</var> be blocked <i lang="la">a priori</i> by Content
    Security Policy?: </span></a>
         </ol>
        <li>
         <a href="#directive-sandbox"><span class="secno">6.2.3</span> <span class="content"><code>sandbox</code></span></a>
         <ol class="toc">
          <li><a href="#sandbox-response"><span class="secno">6.2.3.1</span> <span class="content"> <code>sandbox</code> Response Check </span></a>
          <li><a href="#sandbox-init"><span class="secno">6.2.3.2</span> <span class="content"> <code>sandbox</code> Initialization </span></a>
         </ol>
        <li>
         <a href="#directive-disown-opener"><span class="secno">6.2.4</span> <span class="content"><code>disown-opener</code></span></a>
         <ol class="toc">
          <li><a href="#disown-opener-init"><span class="secno">6.2.4.1</span> <span class="content"> <code>disown-opener</code> Initialization </span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-navigation"><span class="secno">6.3</span> <span class="content"> Navigation Directives </span></a>
       <ol class="toc">
        <li>
         <a href="#directive-form-action"><span class="secno">6.3.1</span> <span class="content"><code>form-action</code></span></a>
         <ol class="toc">
          <li><a href="#form-action-pre-navigate"><span class="secno">6.3.1.1</span> <span class="content"> <code>form-action</code> Pre-Navigation Check </span></a>
         </ol>
        <li>
         <a href="#directive-frame-ancestors"><span class="secno">6.3.2</span> <span class="content"><code>frame-ancestors</code></span></a>
         <ol class="toc">
          <li><a href="#frame-ancestors-navigation-response"><span class="secno">6.3.2.1</span> <span class="content"> <code>frame-ancestors</code> Navigation Response Check </span></a>
          <li><a href="#frame-ancestors-and-frame-options"><span class="secno">6.3.2.2</span> <span class="content"> Relation to <code>X-Frame-Options</code> </span></a>
         </ol>
        <li>
         <a href="#directive-navigation-to"><span class="secno">6.3.3</span> <span class="content"><code>navigation-to</code></span></a>
         <ol class="toc">
          <li><a href="#navigation-to-pre-navigate"><span class="secno">6.3.3.1</span> <span class="content"> <code>navigation-to</code> Pre-Navigation Check </span></a>
         </ol>
       </ol>
      <li>
       <a href="#directives-reporting"><span class="secno">6.4</span> <span class="content"> Reporting Directives </span></a>
       <ol class="toc">
        <li><a href="#directive-report-uri"><span class="secno">6.4.1</span> <span class="content"><code>report-uri</code></span></a>
        <li><a href="#directive-report-to"><span class="secno">6.4.2</span> <span class="content"><code>report-to</code></span></a>
       </ol>
      <li><a href="#directives-elsewhere"><span class="secno">6.5</span> <span class="content"> Directives Defined in Other Documents </span></a>
      <li>
       <a href="#algorithms"><span class="secno">6.6</span> <span class="content">Matching Algorithms</span></a>
       <ol class="toc">
        <li>
         <a href="#matching-urls"><span class="secno">6.6.1</span> <span class="content">URL Matching</span></a>
         <ol class="toc">
          <li><a href="#does-request-violate-policy"><span class="secno">6.6.1.1</span> <span class="content"> Does <var>request</var> violate <var>policy</var>? </span></a>
          <li><a href="#match-nonce-to-source-list"><span class="secno">6.6.1.2</span> <span class="content"> Does <var>nonce</var> match <var>source list</var>? </span></a>
          <li><a href="#match-request-to-source-list"><span class="secno">6.6.1.3</span> <span class="content"> Does <var>request</var> match <var>source list</var>? </span></a>
          <li><a href="#match-response-to-source-list"><span class="secno">6.6.1.4</span> <span class="content"> Does <var>response</var> to <var>request</var> match <var>source list</var>? </span></a>
          <li><a href="#match-url-to-source-list"><span class="secno">6.6.1.5</span> <span class="content"> Does <var>url</var> match <var>source list</var> in <var>origin</var> with <var>redirect count</var>? </span></a>
          <li><a href="#match-url-to-source-expression"><span class="secno">6.6.1.6</span> <span class="content"> Does <var>url</var> match <var>expression</var> in <var>origin</var> with <var>redirect count</var>? </span></a>
          <li><a href="#match-schemes"><span class="secno">6.6.1.7</span> <span class="content"> <code>scheme-part</code> matching </span></a>
          <li><a href="#match-hosts"><span class="secno">6.6.1.8</span> <span class="content"> <code>host-part</code> matching </span></a>
          <li><a href="#match-ports"><span class="secno">6.6.1.9</span> <span class="content"> <code>port-part</code> matching </span></a>
          <li><a href="#match-paths"><span class="secno">6.6.1.10</span> <span class="content"> <code>path-part</code> matching </span></a>
          <li><a href="#effective-directive-for-a-request"><span class="secno">6.6.1.11</span> <span class="content"> Get the effective directive for <var>request</var> </span></a>
         </ol>
        <li>
         <a href="#matching-elements"><span class="secno">6.6.2</span> <span class="content">Element Matching Algorithms</span></a>
         <ol class="toc">
          <li><a href="#is-element-nonceable"><span class="secno">6.6.2.1</span> <span class="content"> Is <var>element</var> nonceable? </span></a>
          <li><a href="#allow-all-inline"><span class="secno">6.6.2.2</span> <span class="content"> Does a source list allow all inline behavior for <var>type</var>? </span></a>
          <li><a href="#match-element-to-source-list"><span class="secno">6.6.2.3</span> <span class="content"> Does <var>element</var> match source list for <var>type</var> and <var>source</var>? </span></a>
         </ol>
       </ol>
     </ol>
    <li>
     <a href="#security-considerations"><span class="secno">7</span> <span class="content">Security and Privacy Considerations</span></a>
     <ol class="toc">
      <li><a href="#security-nonces"><span class="secno">7.1</span> <span class="content">Nonce Reuse</span></a>
      <li><a href="#security-nonce-stealing"><span class="secno">7.2</span> <span class="content">Nonce Stealing</span></a>
      <li><a href="#security-nonce-retargeting"><span class="secno">7.3</span> <span class="content">Nonce Retargeting</span></a>
      <li><a href="#security-css-parsing"><span class="secno">7.4</span> <span class="content">CSS Parsing</span></a>
      <li><a href="#security-violation-reports"><span class="secno">7.5</span> <span class="content">Violation Reports</span></a>
      <li><a href="#source-list-paths-and-redirects"><span class="secno">7.6</span> <span class="content">Paths and Redirects</span></a>
      <li><a href="#security-secure-upgrades"><span class="secno">7.7</span> <span class="content">Secure Upgrades</span></a>
      <li><a href="#security-inherit-csp"><span class="secno">7.8</span> <span class="content"> CSP Inheriting to avoid bypasses </span></a>
     </ol>
    <li>
     <a href="#authoring-considerations"><span class="secno">8</span> <span class="content">Authoring Considerations</span></a>
     <ol class="toc">
      <li><a href="#multiple-policies"><span class="secno">8.1</span> <span class="content"> The effect of multiple policies </span></a>
      <li><a href="#strict-dynamic-usage"><span class="secno">8.2</span> <span class="content"> Usage of "<code>'strict-dynamic'</code>" </span></a>
      <li><a href="#unsafe-hashed-attributes-usage"><span class="secno">8.3</span> <span class="content"> Usage of "<code>'unsafe-hashed-attributes'</code>" </span></a>
      <li><a href="#external-hash"><span class="secno">8.4</span> <span class="content"> Allowing external JavaScript via hashes </span></a>
     </ol>
    <li>
     <a href="#implementation-considerations"><span class="secno">9</span> <span class="content">Implementation Considerations</span></a>
     <ol class="toc">
      <li><a href="#extensions"><span class="secno">9.1</span> <span class="content">Vendor-specific Extensions and Addons</span></a>
     </ol>
    <li>
     <a href="#iana-considerations"><span class="secno">10</span> <span class="content">IANA Considerations</span></a>
     <ol class="toc">
      <li><a href="#iana-registry"><span class="secno">10.1</span> <span class="content"> Directive Registry </span></a>
      <li>
       <a href="#iana-headers"><span class="secno">10.2</span> <span class="content"> Headers </span></a>
       <ol class="toc">
        <li><a href="#iana-csp"><span class="secno">10.2.1</span> <span class="content">Content-Security-Policy</span></a>
        <li><a href="#iana-cspro"><span class="secno">10.2.2</span> <span class="content">Content-Security-Policy-Report-Only</span></a>
       </ol>
     </ol>
    <li><a href="#acknowledgements"><span class="secno">11</span> <span class="content">Acknowledgements</span></a>
    <li>
     <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
    <li><a href="#idl-index"><span class="secno"></span> <span class="content">IDL Index</span></a>
    <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
   </ol>
  </nav>
  <main>
   <section>
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
    <p><em>This section is not normative.</em></p>
    <p>This document defines <dfn data-dfn-type="dfn" data-export="" id="content-security-policy">Content Security Policy<a class="self-link" href="#content-security-policy"></a></dfn> (CSP), a tool
  which developers can use to lock down their applications in various ways,
  mitigating the risk of content injection vulnerabilities such as cross-site scripting, and
  reducing the privilege with which their applications execute.</p>
    <p>CSP is not intended as a first line of defense against content injection
  vulnerabilities. Instead, CSP is best used as defense-in-depth. It reduces
  the harm that a malicious injection can cause, but it is not a replacement for
  careful input validation and output encoding.</p>
    <p>This document is an iteration on Content Security Policy Level 2, with the
  goal of more clearly explaining the interactions between CSP, HTML, and Fetch
  on the one hand, and providing clear hooks for modular extensibility on the
  other. Ideally, this will form a stable core upon which we can build new
  functionality.</p>
    <h3 class="heading settled" data-level="1.1" id="examples"><span class="secno">1.1. </span><span class="content">Examples</span><a class="self-link" href="#examples"></a></h3>
    <h4 class="heading settled" data-level="1.1.1" id="example-basic"><span class="secno">1.1.1. </span><span class="content">Control Execution</span><a class="self-link" href="#example-basic"></a></h4>
    <div class="example" id="example-1451d1f8">
     <a class="self-link" href="#example-1451d1f8"></a> MegaCorp Inc’s developers want to protect themselves against cross-site
    scripting attacks. They can mitigate the risk of script injection by
    ensuring that their trusted CDN is the only origin from which script can
    load and execute. Moreover, they wish to ensure that no plugins can
    execute in their pages' contexts. The following policy has that effect: 
<pre>Content-Security-Policy: script-src https://cdn.example.com/scripts/; object-src 'none'
</pre>
    </div>
    <h3 class="heading settled" data-level="1.2" id="goals"><span class="secno">1.2. </span><span class="content">Goals</span><a class="self-link" href="#goals"></a></h3>
    <p>Content Security Policy aims to do to a few related things:</p>
    <ol>
     <li data-md="">
      <p>Mitigate the risk of content-injection attacks by giving developers
  fairly granular control over</p>
      <ul>
       <li data-md="">
        <p>The resources which can be requested (and subsequently embedded or
  executed) on behalf of a specific <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code> or <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#worker" id="ref-for-worker">Worker</a></code></p>
       <li data-md="">
        <p>The execution of inline script</p>
       <li data-md="">
        <p>Dynamic code execution (via <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-eval-x" id="ref-for-sec-eval-x">eval()</a></code> and similar constructs)</p>
       <li data-md="">
        <p>The application of inline style</p>
      </ul>
     <li data-md="">
      <p>Mitigate the risk of attacks which require a resource to be embedded
  in a malicious context (the "Pixel Perfect" attack described in <a data-link-type="biblio" href="#biblio-timing">[TIMING]</a>, for example) by giving developers granular control over the
  origins which can embed a given resource.</p>
     <li data-md="">
      <p>Provide a policy framework which allows developers to reduce the privilege
  of their applications.</p>
     <li data-md="">
      <p>Provide a reporting mechanism which allows developers to detect flaws
  being exploited in the wild.</p>
    </ol>
    <h3 class="heading settled" data-level="1.3" id="changes-from-level-2"><span class="secno">1.3. </span><span class="content">Changes from Level 2</span><a class="self-link" href="#changes-from-level-2"></a></h3>
    <p>This document describes an evolution of the Content Security Policy Level 2
  specification <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a>. The following is a high-level overview of the changes:</p>
    <ol>
     <li data-md="">
      <p>The specification has been rewritten from the ground up in terms of the <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> specification, which should make it simpler to integrate CSP’s
  requirements and restrictions with other specifications (and with
  Service Workers in particular).</p>
     <li data-md="">
      <p>The <code>child-src</code> model has been substantially altered:</p>
      <ol>
       <li data-md="">
        <p>The <code>frame-src</code> directive, which was deprecated in CSP Level
 2, has been undeprecated, but continues to defer to <code>child-src</code> if
 not present (which defers to <code>default-src</code> in turn).</p>
       <li data-md="">
        <p>A <code>worker-src</code> directive has been added, deferring to <code>script-src</code> if not present (which likewise defers to <code>default-src</code> in turn).</p>
       <li data-md="">
        <p><code>child-src</code> is now deprecated.</p>
       <li data-md="">
        <p>Dedicated workers now always inherit their creator’s policy.</p>
      </ol>
     <li data-md="">
      <p>The URL matching algorithm now treats insecure schemes and ports as
  matching their secure variants. That is, the source expression <code>http://example.com:80</code> will match both <code>http://example.com:80</code> and <code>https://example.com:443</code>.</p>
      <p>Likewise, <code>'self'</code> now matches <code>https:</code> and <code>wss:</code> variants of the page’s
  origin, even on pages whose scheme is <code>http</code>.</p>
     <li data-md="">
      <p>Violation reports generated from inline script or style will now report
  "<code>inline</code>" as the blocked resource. Likewise, blocked <code>eval()</code> execution
  will report "<code>eval</code>" as the blocked resource.</p>
     <li data-md="">
      <p>The <code>manifest-src</code> directive has been added.</p>
     <li data-md="">
      <p>The <code>report-uri</code> directive is deprecated in favor of the new <code>report-to</code> directive, which relies on <a data-link-type="biblio" href="#biblio-reporting">[REPORTING]</a> as infrastructure.</p>
     <li data-md="">
      <p>The <code>'strict-dynamic'</code> source expression will now allow script which
  executes on a page to load more script via non-<a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted">"parser-inserted"</a> <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script">script</a></code> elements. Details are in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
     <li data-md="">
      <div class="wip">
        The <code>'unsafe-hashed-attributes'</code> source expression will now allow event
    handlers and style attributes to match hash source expressions. Details
    in <a href="#unsafe-hashed-attributes-usage">§8.3 Usage of "'unsafe-hashed-attributes'"</a>. 
       <p class="issue" id="issue-2f321613"><a class="self-link" href="#issue-2f321613"></a> <code>unsafe-hashed-attributes</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a></p>
      </div>
     <li data-md="">
      <p>The <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression">source expression</a> matching has been changed to require explicit presence
  of any non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme">network scheme</a>, rather than <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme">local scheme</a>,
  unless that non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme①">network scheme</a> is the same as the scheme of protected resource,
  as described in <a href="#match-url-to-source-expression">§6.6.1.6 Does url match expression in origin with redirect count?</a>.</p>
     <li data-md="">
      <p>Hash-based source expressions may now match external scripts if the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①">script</a></code> element that triggers the request specifies a set of integrity
  metadata which is listed in the current policy. Details in <a href="#external-hash">§8.4 Allowing external JavaScript via hashes</a>.</p>
     <li data-md="">
      <div class="wip">
        The <a data-link-type="dfn" href="#disown-opener" id="ref-for-disown-opener"><code>disown-opener</code></a> directive ensures that a resource can’t be opened
    in such a way as to give another browsing context control over its contents. 
       <p class="issue" id="issue-0915ad11"><a class="self-link" href="#issue-0915ad11"></a> <code>disown-opener</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/194">&lt;https://github.com/w3c/webappsec-csp/issues/194></a></p>
      </div>
     <li data-md="">
      <div class="wip">
        The <a data-link-type="dfn" href="#navigation-to" id="ref-for-navigation-to"><code>navigation-to</code></a> directive gives a resource control over the endpoints
    to which it can initiate navigation. 
       <p class="issue" id="issue-a305d3f5"><a class="self-link" href="#issue-a305d3f5"></a> <code>navigation-to</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/125">&lt;https://github.com/w3c/webappsec-csp/issues/125></a></p>
      </div>
     <li data-md="">
      <p>Reports generated for inline violations will contain a <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample">sample</a> attribute if the relevant directive contains the <a data-link-type="grammar" href="#grammardef-report-sample" id="ref-for-grammardef-report-sample"><code>'report-sample'</code></a> expression.</p>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="2" id="framework"><span class="secno">2. </span><span class="content">Framework</span><a class="self-link" href="#framework"></a></h2>
    <h3 class="heading settled" data-level="2.1" id="framework-infrastructure"><span class="secno">2.1. </span><span class="content">Infrastructure</span><a class="self-link" href="#framework-infrastructure"></a></h3>
    <p>This document uses ABNF grammar to specify syntax, as defined in <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>. It also relies on
  the <code>#rule</code> ABNF extension defined in <a href="https://tools.ietf.org/html/rfc7230#section-7">Section 7</a> of <a data-link-type="biblio" href="#biblio-rfc7230">[RFC7230]</a>.</p>
    <p>This document depends on the Infra Standard for a number of foundational concepts used in its
  algorithms and prose <a data-link-type="biblio" href="#biblio-infra">[INFRA]</a>.</p>
    <h3 class="heading settled" data-level="2.2" id="framework-policy"><span class="secno">2.2. </span><span class="content">Policies</span><a class="self-link" href="#framework-policy"></a></h3>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-local-lt="policy" data-lt="content security policy object" id="content-security-policy-object">policy</dfn> defines allowed
  and restricted behaviors, and may be applied to a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window">Window</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope" id="ref-for-workerglobalscope">WorkerGlobalScope</a></code>, or <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/worklets-1/#workletglobalscope" id="ref-for-workletglobalscope">WorkletGlobalScope</a></code> as described in <a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a>.</p>
    <p>Each policy has an associated <dfn class="dfn-paneled" data-dfn-for="policy" data-dfn-type="dfn" data-export="" id="policy-directive-set">directive set</dfn>, which is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set">ordered
  set</a> of <a data-link-type="dfn" href="#directives" id="ref-for-directives">directives</a> that define the policy’s implications when applied.</p>
    <p>Each policy has an associated <dfn class="dfn-paneled" data-dfn-for="policy" data-dfn-type="dfn" data-export="" id="policy-disposition">disposition</dfn>, which is either
  "<code>enforce</code>" or "<code>report</code>".</p>
    <p>Each policy has an associated <dfn class="dfn-paneled" data-dfn-for="policy" data-dfn-type="dfn" data-export="" id="policy-source">source</dfn>, which is either "<code>header</code>"
  or "<code>meta</code>".</p>
    <p>Multiple <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object">policies</a> can be applied to a single resource, and are collected into a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list">list</a> of <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①">policies</a> known as a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="csp-list">CSP list</dfn>.</p>
    <p>A <a data-link-type="dfn" href="#csp-list" id="ref-for-csp-list">CSP list</a> <dfn data-dfn-type="dfn" data-export="" id="contains-a-header-delivered-content-security-policy">contains a header-delivered Content Security Policy<a class="self-link" href="#contains-a-header-delivered-content-security-policy"></a></dfn> if it <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-contain" id="ref-for-list-contain">contains</a> a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②">policy</a> whose <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source">source</a> is "<code>header</code>".</p>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="serialized-csp">serialized CSP</dfn> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string">ASCII string</a> consisting of a semicolon-delimited
  series of <a data-link-type="dfn" href="#serialized-directive" id="ref-for-serialized-directive">serialized directives</a>, adhering to the following ABNF grammar <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-policy">serialized-policy</dfn> = <a data-link-type="grammar" href="#grammardef-serialized-directive" id="ref-for-grammardef-serialized-directive">serialized-directive</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3">OWS</a> ";" [ <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3①">OWS</a> <a data-link-type="grammar" href="#grammardef-serialized-directive" id="ref-for-grammardef-serialized-directive①">serialized-directive</a> ] )
                    ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3②">OWS</a> is defined in section 3.2.3 of RFC 7230
</pre>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="serialized-csp-list">serialized CSP list</dfn> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string①">ASCII string</a> consisting of a comma-delimited
  series of <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp">serialized CSPs</a>, adhering to the following ABNF grammar <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn data-dfn-type="grammar" data-export="" id="grammardef-serialized-policy-list">serialized-policy-list<a class="self-link" href="#grammardef-serialized-policy-list"></a></dfn> = 1#<a data-link-type="grammar" href="#grammardef-serialized-policy" id="ref-for-grammardef-serialized-policy">serialized-policy</a>
                    ; The '#' rule is defined in section 7 of RFC 7230
</pre>
    <h4 class="heading settled algorithm" data-algorithm="Parse a serialized CSP" data-level="2.2.1" id="parse-serialized-policy"><span class="secno">2.2.1. </span><span class="content"> Parse a serialized CSP </span><a class="self-link" href="#parse-serialized-policy"></a></h4>
    <p>To <dfn class="dfn-paneled" data-dfn-type="abstract-op" data-export="" id="abstract-opdef-parse-a-serialized-csp">parse a serialized CSP</dfn>, given a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp①">serialized CSP</a> (<var>serialized</var>), a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source①">source</a> (<var>source</var>), and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition">disposition</a> (<var>disposition</var>), execute the
  following steps.</p>
    <p>This algorithm returns a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③">Content Security Policy object</a>. If <var>serialized</var> could not be
  parsed, the object’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set">directive set</a> will be empty.</p>
    <ol class="algorithm">
     <li data-md="">
      <p>Let <var>policy</var> be a new <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④">policy</a> with an empty <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set①">directive set</a>, a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source②">source</a> of <var>source</var>, and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①">disposition</a> of <var>disposition</var>.</p>
     <li data-md="">
      <p>For each <var>token</var> returned by <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#strictly-split" id="ref-for-strictly-split">strictly splitting</a> <var>serialized</var> on
  the U+003B SEMICOLON character (<code>;</code>):</p>
      <ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace" id="ref-for-strip-leading-and-trailing-ascii-whitespace">Strip leading and trailing ASCII whitespace</a> from <var>token</var>.</p>
       <li data-md="">
        <p>If <var>token</var> is an empty string, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue">continue</a>.</p>
       <li data-md="">
        <p>Let <var>directive name</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points" id="ref-for-collect-a-sequence-of-code-points">collecting a sequence of code points</a> from <var>token</var> which are not <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-whitespace" id="ref-for-ascii-whitespace">ASCII whitespace</a>.</p>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set②">directive set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name">name</a> is <var>directive name</var>, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue①">continue</a>.</p>
        <p>In this case, the user agent SHOULD notify developers that a duplicate directive was
  ignored. A console warning might be appropriate, for example.</p>
       <li data-md="">
        <p>Let <var>directive value</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#split-on-ascii-whitespace" id="ref-for-split-on-ascii-whitespace">splitting <var>token</var> on
  ASCII whitespace</a>.</p>
       <li data-md="">
        <p>Let <var>directive</var> be a new <a data-link-type="dfn" href="#directives" id="ref-for-directives②">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①">name</a> is <var>directive name</var>, and <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value">value</a> is <var>directive value</var>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#set-append" id="ref-for-set-append">Append</a> <var>directive</var> to <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set③">directive set</a>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>policy</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Parse a serialized CSP list" data-level="2.2.2" id="parse-serialized-policy-list"><span class="secno">2.2.2. </span><span class="content"> Parse a serialized CSP list </span><a class="self-link" href="#parse-serialized-policy-list"></a></h4>
    <p>To <dfn class="dfn-paneled" data-dfn-type="abstract-op" data-export="" id="abstract-opdef-parse-a-serialized-csp-list">parse a serialized CSP list</dfn>, given a <a data-link-type="dfn" href="#serialized-csp-list" id="ref-for-serialized-csp-list">serialized CSP list</a> (<var>list</var>), a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source③">source</a> (<var>source</var>), and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition②">disposition</a> (<var>disposition</var>), execute the following
  steps.</p>
    <p>This algorithm returns a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list①">list</a> of <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤">Content Security Policy objects</a>. If <var>list</var> cannot be
  parsed, the returned list will be empty.</p>
    <ol class="algorithm">
     <li data-md="">
      <p>Let <var>policies</var> be an empty <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list" id="ref-for-list②">list</a>.</p>
     <li data-md="">
      <p>For each <var>token</var> returned by <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#split-on-commas" id="ref-for-split-on-commas">splitting <var>list</var> on commas</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>policy</var> be the result of <a data-link-type="abstract-op" href="#abstract-opdef-parse-a-serialized-csp" id="ref-for-abstract-opdef-parse-a-serialized-csp">parsing</a> <var>token</var>, with a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source④">source</a> of <var>source</var>, and <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition③">disposition</a> of <var>disposition</var>.</p>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set④">directive set</a> is empty, <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#iteration-continue" id="ref-for-iteration-continue②">continue</a>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-append" id="ref-for-list-append">Append</a> <var>policy</var> to <var>policies</var>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>policies</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="2.3" id="framework-directives"><span class="secno">2.3. </span><span class="content">Directives</span><a class="self-link" href="#framework-directives"></a></h3>
    <p>Each <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑥">policy</a> contains an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set①">ordered set</a> of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="directives">directives</dfn> (its <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set⑤">directive set</a>), each of which controls a specific behavior. The directives
  defined in this document are described in detail in <a href="#csp-directives">§6 Content Security Policy Directives</a>.</p>
    <p>Each <a data-link-type="dfn" href="#directives" id="ref-for-directives③">directive</a> is a <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-name">name</dfn> / <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-value">value</dfn> pair. The <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name②">name</a> is a
  non-empty <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string">string</a>, and the <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①">value</a> is a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set②">set</a> of non-empty <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string①">strings</a>. The <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②">value</a> MAY be <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-is-empty" id="ref-for-list-is-empty">empty</a>.</p>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="serialized-directive">serialized directive</dfn> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string②">ASCII string</a>, consisting of one or more
  whitespace-delimited tokens, and adhering to the following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-directive">serialized-directive</dfn> = <a data-link-type="grammar" href="#grammardef-directive-name" id="ref-for-grammardef-directive-name">directive-name</a> [ <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3③">RWS</a> <a data-link-type="grammar" href="#grammardef-directive-value" id="ref-for-grammardef-directive-value">directive-value</a> ]
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-directive-name">directive-name</dfn>       = 1*( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1①">DIGIT</a> / "-" )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-directive-value">directive-value</dfn>      = *( %x09 / %x20-%x2B / %x2D-%x3A / %x3C-%7E )
                       ; Directive values may contain whitespace and <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1②">VCHAR</a> characters,
                       ; excluding ";" and ","

; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3④">RWS</a> is defined in section 3.2.3 of RFC7230. <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1③">ALPHA</a>, <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1④">DIGIT</a>, and
; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1⑤">VCHAR</a> are defined in Appendix B.1 of RFC 5234.
</pre>
    <p><a data-link-type="dfn" href="#directives" id="ref-for-directives④">Directives</a> have a number of associated algorithms:</p>
    <ol>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-pre-request-check">pre-request check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request">request</a> and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑦">policy</a> as an argument, and is executed
  during <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>. This algorithm returns "<code>Allowed</code>" unless
  otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-post-request-check">post-request check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①">request</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response">response</a>, and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑧">policy</a> as arguments,
  and is executed during <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>. This algorithm returns
  "<code>Allowed</code>" unless otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-response-check">response check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②">request</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①">response</a>, and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑨">policy</a> as arguments,
  and is executed during <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>. This algorithm returns
  "<code>Allowed</code>" unless otherwise specified.</p>
     <li data-md="">
      <p>An <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-inline-check">inline check</dfn>, which takes an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element">Element</a></code> a
  type string, and a soure string as arguments, and is executed during <a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a>. This algorithm returns "<code>Allowed</code>" unless
  otherwise specified.</p>
     <li data-md="">
      <p>An <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-initialization">initialization</dfn>, which takes a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①">Document</a></code> or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object">global object</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②">response</a>, and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⓪">policy</a> as arguments. This algorithm is executed during <a href="#initialize-document-csp">§4.2.1 Initialize a Document's CSP list</a>,
  and has no effect unless otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-pre-navigation-check">pre-navigation check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③">request</a>, type string, and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context">browsing contexts</a> as arguments, and
  is executed during <a href="#should-block-navigation-request">§4.2.5 Should navigation request of type from source in target be blocked
    by Content Security Policy?</a>. It returns
  "<code>Allowed</code>" unless otherwise specified.</p>
     <li data-md="">
      <p>A <dfn class="dfn-paneled" data-dfn-for="directive" data-dfn-type="dfn" data-export="" id="directive-navigation-response-check">navigation response check</dfn>, which takes a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④">request</a>, a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③">response</a> and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context①">browsing contexts</a> as
  arguments, and is executed during <a href="#should-block-navigation-response">§4.2.6 Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy?</a>.
  It returns "<code>Allowed</code>" unless otherwise specified.</p>
    </ol>
    <h4 class="heading settled" data-level="2.3.1" id="framework-directive-source-list"><span class="secno">2.3.1. </span><span class="content">Source Lists</span><a class="self-link" href="#framework-directive-source-list"></a></h4>
    <p>Many <a data-link-type="dfn" href="#directives" id="ref-for-directives⑤">directives</a>' <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③">values</a> consist of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="source-lists">source lists</dfn>: <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ordered-set" id="ref-for-ordered-set③">sets</a> of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string②">strings</a> which identify content that can be fetched and potentially embedded or
  executed. Each <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string③">string</a> represents one of the following types of <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="source expression" id="source-expression">source
  expression</dfn>:</p>
    <ol>
     <li data-md="">
      <p>Keywords such as <a data-link-type="grammar" href="#grammardef-none" id="ref-for-grammardef-none"><code>'none'</code></a> and <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self"><code>'self'</code></a> (which match nothing and the current
  URL’s origin, respectively)</p>
     <li data-md="">
      <p>Serialized URLs such as <code>https://example.com/path/to/file.js</code> (which matches a specific file) or <code>https://example.com/</code> (which matches everything on that origin)</p>
     <li data-md="">
      <p>Schemes such as <code>https:</code> (which matches any resource having
  the specified scheme)</p>
     <li data-md="">
      <p>Hosts such as <code>example.com</code> (which matches any resource on
  the host, regardless of scheme) or <code>*.example.com</code> (which
  matches any resource on the host’s subdomains (and any of
  its subdomains' subdomains, and so on))</p>
     <li data-md="">
      <p>Nonces such as <code>'nonce-ch4hvvbHDpv7xCSvXCs3BrNggHdTzxUA'</code> (which can match
  specific elements on a page)</p>
     <li data-md="">
      <p>Digests such as <code>'sha256-abcd...'</code> (which can match specific
  elements on a page)</p>
    </ol>
    <p>A <dfn data-dfn-type="dfn" data-export="" id="serialized-source-list">serialized source list<a class="self-link" href="#serialized-source-list"></a></dfn> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string③">ASCII string</a>, consisting of a
  whitespace-delimited series of <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression①">source expressions</a>, adhering to the following ABNF grammar <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre><dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-serialized-source-list">serialized-source-list</dfn> = ( <a data-link-type="grammar" href="#grammardef-source-expression" id="ref-for-grammardef-source-expression">source-expression</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3⑤">RWS</a> <a data-link-type="grammar" href="#grammardef-source-expression" id="ref-for-grammardef-source-expression①">source-expression</a> ) ) / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-none">'none'</dfn>"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-source-expression">source-expression</dfn>      = <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source">scheme-source</a> / <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source">host-source</a> / <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source">keyword-source</a>
                         / <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source">nonce-source</a> / <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source">hash-source</a>

; Schemes: "https:" / "custom-scheme:" / "another.custom-scheme:"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-scheme-source">scheme-source</dfn> = <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part">scheme-part</a> ":"

; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-source">host-source</dfn> = [ <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part①">scheme-part</a> "://" ] <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part">host-part</a> [ ":" <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part">port-part</a> ] [ <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part">path-part</a> ]
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-scheme-part">scheme-part</dfn> = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.1" id="ref-for-section-3.1">scheme</a>
              ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.1" id="ref-for-section-3.1①">scheme</a> is defined in section 3.1 of RFC 3986.
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-part">host-part</dfn>   = "*" / [ "*." ] 1*<a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char">host-char</a> *( "." 1*<a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char①">host-char</a> )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-host-char">host-char</dfn>   = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1⑥">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1⑦">DIGIT</a> / "-"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-port-part">port-part</dfn>   = 1*<a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1⑧">DIGIT</a> / "*"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-path-part">path-part</dfn>   = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.3" id="ref-for-section-3.3">path-absolute</a>
              ; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.3" id="ref-for-section-3.3①">path-absolute</a> is defined in section 3.3 of RFC 3986.

; Keywords:
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-keyword-source">keyword-source</dfn> = "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-self">'self'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-inline">'unsafe-inline'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-eval">'unsafe-eval'</dfn>"
                 / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-strict-dynamic">'strict-dynamic'</dfn>" / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-unsafe-hashed-attributes">'unsafe-hashed-attributes'</dfn>" /
                 / "<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-report-sample">'report-sample'</dfn>"

; Nonces: 'nonce-[nonce goes here]'
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-nonce-source">nonce-source</dfn>  = "'nonce-" <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value">base64-value</a> "'"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-base64-value">base64-value</dfn>  = 1*( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1⑨">ALPHA</a> / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc5234#appendix-B.1" id="ref-for-appendix-B.1①⓪">DIGIT</a> / "+" / "/" / "-" / "_" )*2( "=" )

; Digests: 'sha256-[digest goes here]'
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-hash-source">hash-source</dfn>    = "'" <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm">hash-algorithm</a> "-" <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value①">base64-value</a> "'"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-hash-algorithm">hash-algorithm</dfn> = "sha256" / "sha384" / "sha512"
</pre>
    <p>The <a data-link-type="grammar" href="#grammardef-host-char" id="ref-for-grammardef-host-char②">host-char</a> production intentionally contains only ASCII
  characters; internationalized domain names cannot be entered directly as part
  of a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp②">serialized CSP</a>, but instead MUST be Punycode-encoded <a data-link-type="biblio" href="#biblio-rfc3492">[RFC3492]</a>. For example, the domain <code>üüüüüü.de</code> MUST be represented as <code>xn--tdaaaaaa.de</code>.</p>
    <p class="note" role="note"><span>Note:</span> Though IP address do match the grammar above, only <code>127.0.0.1</code> will actually match a URL when used in a source
  expression (see <a href="#match-url-to-source-list">§6.6.1.5 Does url match source list in origin with redirect count?</a> for details). The security
  properties of IP addresses are suspect, and authors ought to prefer hostnames
  whenever possible.</p>
    <p class="note" role="note"><span>Note:</span> The <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value②">base64-value</a> grammar allows both <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-4" id="ref-for-section-4">base64</a> and <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-5" id="ref-for-section-5">base64url</a> encoding. These encodings are treated as equivalant when
  processing <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source①">hash-source</a> values. Nonces, however, are strict string matches:
  we use the <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value③">base64-value</a> grammar to limit the characters available, and
  reduce the complexity for the server-side operator (encodings, etc), but the user agent
  doesn’t actually care about any underlying value, nor does it do any decoding of the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source①">nonce-source</a> value.</p>
    <h3 class="heading settled" data-level="2.4" id="framework-violation"><span class="secno">2.4. </span><span class="content">Violations</span><a class="self-link" href="#framework-violation"></a></h3>
    <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="violation">violation</dfn> represents an action or resource which goes against the
  set of <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①①">policy</a> objects associated with a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①">global object</a>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-global-object">global object</dfn>, which
  is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object②">global object</a> whose <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①②">policy</a> has been violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation①">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-url">url</dfn> which is its <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object">global object</a>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url">URL</a></code>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation②">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-status">status</dfn> which is a
  non-negative integer representing the HTTP status code of the resource for
  which the global object was instantiated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation③">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-resource">resource</dfn>, which is
  either <code>null</code>, "<code>inline</code>", "<code>eval</code>", or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url①">URL</a></code>. It represents the resource
  which violated the policy.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation④">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-referrer">referrer</dfn>, which is either <code>null</code>, or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url②">URL</a></code>. It represents the referrer of the resource whose policy
  was violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation⑤">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-policy">policy</dfn>, which is the <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①③">policy</a> that has been violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation⑥">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-disposition">disposition</dfn>, which is the <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition④">disposition</a> of the <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①④">policy</a> that has been violated.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation⑦">violation</a> has an <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-effective-directive">effective directive</dfn> which is a non-empty string representing the <a data-link-type="dfn" href="#directives" id="ref-for-directives⑥">directive</a> whose
  enforcement caused the violation.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation⑧">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-source-file">source file</dfn>, which is
  either <code>null</code> or a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url③">URL</a></code>.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation⑨">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-line-number">line number</dfn>, which is
  a non-negative integer.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation①⓪">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-column-number">column number</dfn>, which
  is a non-negative integer.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation①①">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-element">element</dfn>, which is either <code>null</code> or an element.</p>
    <p>Each <a data-link-type="dfn" href="#violation" id="ref-for-violation①②">violation</a> has a <dfn class="dfn-paneled" data-dfn-for="violation" data-dfn-type="dfn" data-export="" id="violation-sample">sample</dfn>,
  which is a string. It is the empty string unless otherwise specified.</p>
    <p class="note" role="note"><span>Note:</span> A <a data-link-type="dfn" href="#violation" id="ref-for-violation①③">violation</a>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample①">sample</a> will be populated with the first 40
  characters of an inline script, event handler, or style that caused an violation. Violations
  which stem from an external file will not include a sample in the violation report.</p>
    <h4 class="heading settled algorithm" data-algorithm="Create a violation object for global, policy, and directive" data-level="2.4.1" id="create-violation-for-global"><span class="secno">2.4.1. </span><span class="content"> Create a violation object for <var>global</var>, <var>policy</var>, and <var>directive</var> </span><a class="self-link" href="#create-violation-for-global"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object③">global object</a> (<var>global</var>), a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⑤">policy</a> (<var>policy</var>), and a <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#string" id="ref-for-string④">string</a> (<var>directive</var>), the following algorithm creates a new <a data-link-type="dfn" href="#violation" id="ref-for-violation①④">violation</a> object, and populates it with an initial set of data:</p>
    <ol>
     <li data-md="">
      <p>Let <var>violation</var> be a new <a data-link-type="dfn" href="#violation" id="ref-for-violation①⑤">violation</a> whose <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object①">global
  object</a> is <var>global</var>, <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy">policy</a> is <var>policy</var>, <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive">effective directive</a> is <var>directive</var>, and <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource">resource</a> is <code>null</code>.</p>
     <li data-md="">
      <p>If the user agent is currently executing script, and can extract a source
  file’s URL, line number, and column number from the <var>global</var>, set <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file">source file</a>, <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number">line
  number</a>, and <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number">column number</a> accordingly.</p>
      <p class="issue" id="issue-c404edb5"><a class="self-link" href="#issue-c404edb5"></a> Is this kind of thing specified anywhere? I didn’t see anything
  that looked useful in <a data-link-type="biblio" href="#biblio-ecma262">[ECMA262]</a>.</p>
      <p class="note" role="note"><span>Note:</span> User agents need to ensure that the <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file①">source file</a> is the URL requested by
  the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an
  origin to avoid unintentional leakage.</p>
     <li data-md="">
      <p>If <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window①">Window</a></code> object, set <var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer">referrer</a> to <var>global</var>’s <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#dom-document-2" id="ref-for-dom-document-2">document</a></code>'s <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/dom.html#dom-document-referrer" id="ref-for-dom-document-referrer">referrer</a></code>.</p>
     <li data-md="">
      <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status">status</a> to the HTTP status code
  for the resource associated with <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object②">global
  object</a>.</p>
      <p class="issue" id="issue-99576800"><a class="self-link" href="#issue-99576800"></a> How, exactly, do we get the status code? We don’t actually store it
  anywhere.</p>
     <li data-md="">
      <p>Return <var>violation</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Create a violation object for request, policy, and directive" data-level="2.4.2" id="create-violation-for-request"><span class="secno">2.4.2. </span><span class="content"> Create a violation object for <var>request</var>, <var>policy</var>, and <var>directive</var> </span><a class="self-link" href="#create-violation-for-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤">request</a> (<var>request</var>), a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⑥">policy</a> (<var>policy</var>), and a string
  (<var>directive</var>), the following algorithm creates a new <a data-link-type="dfn" href="#violation" id="ref-for-violation①⑥">violation</a> object,
  and populates it with an initial set of data:</p>
    <ol>
     <li data-md="">
      <p>Let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client">client</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global">global object</a>, <var>policy</var>, and <var>directive</var>.</p>
     <li data-md="">
      <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource①">resource</a> to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url" id="ref-for-concept-request-url">url</a>.</p>
      <p class="note" role="note"><span>Note:</span> We use <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url" id="ref-for-concept-request-url①">url</a>, and <em>not</em> its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-current-url" id="ref-for-concept-request-current-url">current url</a>, as the latter might contain information
  about redirect targets to which the page MUST NOT be given access.</p>
     <li data-md="">
      <p>Return <var>violation</var>.</p>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="3" id="policy-delivery"><span class="secno">3. </span><span class="content"> Policy Delivery </span><a class="self-link" href="#policy-delivery"></a></h2>
    <p>A server MAY declare a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⑦">policy</a> for a particular <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3" id="ref-for-section-3">resource
  representation</a> via an HTTP response header field whose value is a <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp③">serialized CSP</a>. This mechanism is defined in detail in <a href="#csp-header">§3.1 The Content-Security-Policy HTTP Response Header Field</a> and <a href="#cspro-header">§3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field</a>, and the integration with Fetch
  and HTML is described in <a href="#fetch-integration">§4.1 Integration with Fetch</a> and <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <p>A <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⑧">policy</a> may also be declared inline in an HTML document via a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta">meta</a></code> element’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv" id="ref-for-attr-meta-http-equiv">http-equiv</a></code> attribute, as described in <a href="#meta-element">§3.3 The &lt;meta> element</a>.</p>
    <h3 class="heading settled" data-level="3.1" id="csp-header"><span class="secno">3.1. </span><span class="content"> The <code>Content-Security-Policy</code> HTTP Response Header Field </span><a class="self-link" href="#csp-header"></a></h3>
    <p>The <dfn class="dfn-paneled" data-dfn-type="http-header" data-export="" id="header-content-security-policy"><code>Content-Security-Policy</code></dfn> HTTP response header field is the preferred mechanism for delivering a policy from a server to a
  client. The header’s value is represented by the following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre>Content-Security-Policy = 1#<a data-link-type="grammar" href="#grammardef-serialized-policy" id="ref-for-grammardef-serialized-policy①">serialized-policy</a>
</pre>
    <div class="example" id="example-cc966e28">
     <a class="self-link" href="#example-cc966e28"></a> 
<pre><a data-link-type="http-header" href="#header-content-security-policy" id="ref-for-header-content-security-policy">Content-Security-Policy</a>: script-src 'self';
                         report-to csp-reporting-endpoint
</pre>
    </div>
    <p>A server MAY send different <code>Content-Security-Policy</code> header field
  values with different <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3" id="ref-for-section-3①">representations</a> of the same resource.</p>
    <p>A server SHOULD NOT send more than one HTTP response header field named
  "<code>Content-Security-Policy</code>" with a given <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3" id="ref-for-section-3②">resource
  representation</a>.</p>
    <p>When the user agent receives a <code>Content-Security-Policy</code> header field, it
  MUST <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#parse-serialized-policy" id="ref-for-parse-serialized-policy">parse</a> and <a data-link-type="dfn" href="#enforced" id="ref-for-enforced">enforce</a> each <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp④">serialized CSP</a> it contains as described in <a href="#fetch-integration">§4.1 Integration with Fetch</a>, <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <h3 class="heading settled" data-level="3.2" id="cspro-header"><span class="secno">3.2. </span><span class="content"> The <code>Content-Security-Policy-Report-Only</code> HTTP Response Header Field </span><a class="self-link" href="#cspro-header"></a></h3>
    <p>The <dfn class="dfn-paneled" data-dfn-type="http-header" data-export="" id="header-content-security-policy-report-only"><code>Content-Security-Policy-Report-Only</code></dfn> HTTP response header field allows web developers to experiment with policies by monitoring (but
  not enforcing) their effects. The header’s value is represented by the following ABNF <a data-link-type="biblio" href="#biblio-rfc5234">[RFC5234]</a>:</p>
<pre>Content-Security-Policy-Report-Only = 1#<a data-link-type="grammar" href="#grammardef-serialized-policy" id="ref-for-grammardef-serialized-policy②">serialized-policy</a>
</pre>
    <p>This header field allows developers to piece together their security policy in
  an iterative fashion, deploying a report-only policy based on their best
  estimate of how their site behaves, watching for violation reports, and then
  moving to an enforced policy once they’ve gained confidence in that behavior.</p>
    <div class="example" id="example-971dbae8">
     <a class="self-link" href="#example-971dbae8"></a> 
<pre><a data-link-type="http-header" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only">Content-Security-Policy-Report-Only</a>: script-src 'self';
                                     report-to csp-reporting-endpoint
</pre>
    </div>
    <p>A server MAY send different <code>Content-Security-Policy-Report-Only</code> header field values with different <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3" id="ref-for-section-3③">representations</a> of the same
  resource.</p>
    <p>A server SHOULD NOT send more than one HTTP response header field named
  "<code>Content-Security-Policy-Report-Only</code>" with a given <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc7231#section-3" id="ref-for-section-3④">resource
  representation</a>.</p>
    <p>When the user agent receives a <code>Content-Security-Policy-Report-Only</code> header
  field, it MUST <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#parse-serialized-policy" id="ref-for-parse-serialized-policy①">parse</a> and <a data-link-type="dfn" href="#monitored" id="ref-for-monitored">monitor</a> each <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp⑤">serialized CSP</a> it contains as described in <a href="#fetch-integration">§4.1 Integration with Fetch</a> and <a href="#html-integration">§4.2 Integration with HTML</a>.</p>
    <p class="note" role="note"><span>Note:</span> The <a data-link-type="http-header" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only①"><code>Content-Security-Policy-Report-Only</code></a> header is <strong>not</strong> supported inside a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta①">meta</a></code> element.</p>
    <h3 class="heading settled" data-level="3.3" id="meta-element"><span class="secno">3.3. </span><span class="content"> The <code>&lt;meta></code> element </span><a class="self-link" href="#meta-element"></a></h3>
    <p>A <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document②">Document</a></code> may deliver a policy via one or more HTML <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta②">meta</a></code> elements
  whose <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv" id="ref-for-attr-meta-http-equiv①">http-equiv</a></code> attributes are an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive">ASCII case-insensitive</a> match for the string "<code>Content-Security-Policy</code>". For example:</p>
    <div class="example" id="example-f977fbdb">
     <a class="self-link" href="#example-f977fbdb"></a> 
<pre class="highlight"><span class="nt">&lt;meta</span> <span class="na">http-equiv=</span><span class="s">"Content-Security-Policy"</span> <span class="na">content=</span><span class="s">"script-src 'self'"</span><span class="nt">></span>
</pre>
    </div>
    <p>Implementation details can be found in HTML’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy" id="ref-for-attr-meta-http-equiv-content-security-policy">Content Security Policy
  state</a> <code>http-equiv</code> processing instructions <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
    <p class="note" role="note"><span>Note:</span> The <a data-link-type="http-header" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only②"><code>Content-Security-Policy-Report-Only</code></a> header is <em>not</em> supported inside a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta③">meta</a></code> element. Neither are the <code>report-uri</code>, <code>frame-ancestors</code>, and <code>sandbox</code> directives.</p>
    <p>Authors are <em>strongly encouraged</em> to place <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta④">meta</a></code> elements as early
  in the document as possible, because policies in <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta⑤">meta</a></code> elements are not
  applied to content which precedes them. In particular, note that resources
  fetched or prefetched using the <code>Link</code> HTTP response header
  field, and resources fetched or prefetched using <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-link-element" id="ref-for-the-link-element">link</a></code> and <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script②">script</a></code> elements which precede a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta⑥">meta</a></code>-delivered policy will not be blocked.</p>
    <p class="note" role="note"><span>Note:</span> A policy specified via a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta⑦">meta</a></code> element will be enforced along with
  any other policies active for the protected resource, regardless
  of where they’re specified. The general impact of enforcing multiple
  policies is described in <a href="#multiple-policies">§8.1 The effect of multiple policies</a>.</p>
    <p class="note" role="note"><span>Note:</span> Modifications to the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-content" id="ref-for-attr-meta-content">content</a></code> attribute of a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta⑧">meta</a></code> element
  after the element has been parsed will be ignored.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="4" id="integrations"><span class="secno">4. </span><span class="content">Integrations</span><a class="self-link" href="#integrations"></a></h2>
    <p><em>This section is non-normative.</em></p>
    <p>This document defines a set of algorithms which are used in other
  specifications in order to implement the functionality. These
  integrations are outlined here for clarity, but those external
  documents are the normative references which ought to be consulted for
  detailed information.</p>
    <h3 class="heading settled" data-level="4.1" id="fetch-integration"><span class="secno">4.1. </span><span class="content"> Integration with Fetch </span><a class="self-link" href="#fetch-integration"></a></h3>
    <p>A number of <a data-link-type="dfn" href="#directives" id="ref-for-directives⑦">directives</a> control resource loading in one way or
  another. This specification provides algorithms which allow Fetch to make
  decisions about whether or not a particular <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑥">request</a> should be blocked
  or allowed, and about whether a particular <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response④">response</a> should be replaced
  with a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-network-error" id="ref-for-concept-network-error">network error</a>.</p>
    <ol>
     <li data-md="">
      <p><a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a> is called as part of step #5 of its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-main-fetch" id="ref-for-concept-main-fetch">Main
  Fetch</a> algorithm. This allows directives' <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check">pre-request checks</a> to be executed against each <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑦">request</a> before it hits the network,
  and against each redirect that a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑧">request</a> might go through on its
  way to reaching a resource.</p>
     <li data-md="">
      <p><a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a> is called as part of step #13 of its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-main-fetch" id="ref-for-concept-main-fetch①">Main
  Fetch</a> algorithm. This allows directives' <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check">post-request checks</a> and <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check">response checks</a> to be executed on the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response⑤">response</a> delivered
  from the network or from a Service Worker.</p>
    </ol>
    <p>A <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object①⑨">policy</a> is generally enforced upon a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object④">global object</a>, but the
  user agent needs to <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#parse-serialized-policy" id="ref-for-parse-serialized-policy②">parse</a> any policy
  delivered via an HTTP response header field before any <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object⑤">global object</a> is created in order to handle directives that require knowledge of a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response⑥">response</a>’s details. To that end:</p>
    <ol>
     <li data-md="">
      <p>A <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response⑦">response</a> has an associated <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list">CSP list</a> which
  contains any policy objects delivered in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response⑧">response</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list">header list</a>.</p>
     <li data-md="">
      <p><a href="#set-response-csp-list">§4.1.1 Set response’s CSP list</a> is called in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-http-fetch" id="ref-for-concept-http-fetch">HTTP fetch</a> and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-http-network-fetch" id="ref-for-concept-http-network-fetch">HTTP-network fetch</a> algorithms.</p>
      <p class="note" role="note"><span>Note:</span> These two calls should ensure that a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response⑨">response</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list①">CSP list</a> is set, regardless of how the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⓪">response</a> is created. If we hit the network (via <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-http-network-fetch" id="ref-for-concept-http-network-fetch①">HTTP-network
  fetch</a>, then we parse the policy before we handle the <code>Set-Cookie</code> header. If we get a response from a Service Worker (via <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-http-fetch" id="ref-for-concept-http-fetch①">HTTP fetch</a>,
  we’ll process its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list②">CSP list</a> before handing the
  response back to our caller.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Set response’s CSP list" data-level="4.1.1" id="set-response-csp-list"><span class="secno">4.1.1. </span><span class="content"> Set <var>response</var>’s <code>CSP list</code> </span><a class="self-link" href="#set-response-csp-list"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①①">response</a> (<var>response</var>), this algorithm evaluates its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list①">header list</a> for <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp⑥">serialized CSP</a> values, and
  populates its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list③">CSP list</a> accordingly:</p>
    <ol class="algorithm">
     <li data-md="">
      <p>Set <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list④">CSP list</a> to the empty list.</p>
     <li data-md="">
      <p>Let <var>policies</var> be the result of <a data-link-type="abstract-op" href="#abstract-opdef-parse-a-serialized-csp-list" id="ref-for-abstract-opdef-parse-a-serialized-csp-list">parsing</a> the result of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#extract-header-list-values" id="ref-for-extract-header-list-values">extracting header list values</a> given <code>Content-Security-Policy</code> and <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list②">header list</a>, with a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source⑤">source</a> of "<code>header</code>", and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition⑤">disposition</a> of "<code>enforce</code>".</p>
     <li data-md="">
      <p>Append to <var>policies</var> the result of <a data-link-type="abstract-op" href="#abstract-opdef-parse-a-serialized-csp-list" id="ref-for-abstract-opdef-parse-a-serialized-csp-list①">parsing</a> the result of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#extract-header-list-values" id="ref-for-extract-header-list-values①">extracting header list values</a> given <code>Content-Security-Policy-Report-Only</code> and <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list③">header list</a>, with a <a data-link-type="dfn" href="#policy-source" id="ref-for-policy-source⑥">source</a> of "<code>header</code>", and a <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition⑥">disposition</a> of "<code>report</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>policies</var>:</p>
      <ol>
       <li data-md="">
        <p>Insert <var>policy</var> into <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list⑤">CSP list</a>.</p>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Report Content Security Policy violations for request" data-level="4.1.2" id="report-for-request"><span class="secno">4.1.2. </span><span class="content"> Report Content Security Policy violations for <var>request</var> </span><a class="self-link" href="#report-for-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑨">request</a> (<var>request</var>), this algorithm reports violations based
  on <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client①">client</a>’s "report only" policies.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client②">client</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global①">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list">CSP list</a>.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition⑦">disposition</a> is "<code>enforce</code>",
  then skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>Let <var>violates</var> be the result of executing <a href="#does-request-violate-policy">§6.6.1.1 Does request violate policy?</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>violates</var> is not "<code>Does Not Violate</code>", then execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>violates</var>.</p>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should request be blocked by Content Security Policy?" data-level="4.1.3" id="should-block-request"><span class="secno">4.1.3. </span><span class="content"> Should <var>request</var> be blocked by Content Security Policy? </span><a class="self-link" href="#should-block-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⓪">request</a> (<var>request</var>), this algorithm returns <code>Blocked</code> or <code>Allowed</code> and reports violations based on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client③">client</a>’s Content Security Policy.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client④">client</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global②">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①">CSP list</a>.</p>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition⑧">disposition</a> is "<code>report</code>",
  then skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>Let <var>violates</var> be the result of executing <a href="#does-request-violate-policy">§6.6.1.1 Does request violate policy?</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>violates</var> is not "<code>Does Not Violate</code>", then:</p>
        <ol>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>violates</var>.</p>
         <li data-md="">
          <p>Set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should response to request be blocked by Content
    Security Policy?" data-level="4.1.4" id="should-block-response"><span class="secno">4.1.4. </span><span class="content"> Should <var>response</var> to <var>request</var> be blocked by Content
    Security Policy? </span><a class="self-link" href="#should-block-response"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①②">response</a> (<var>response</var>) and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①①">request</a> (<var>request</var>), this algorithm returns <code>Blocked</code> or <code>Allowed</code>, and reports violations based on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client⑤">client</a>’s Content Security Policy.</p>
    <ol>
     <li data-md="">
      <p>Let <var>CSP list</var> be <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client⑥">client</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global③">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list②">CSP list</a>.</p>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>CSP list</var>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①">post-request check</a> is "<code>Blocked</code>", then:</p>
          <ol>
           <li data-md="">
            <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>directive</var>.</p>
           <li data-md="">
            <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition⑨">disposition</a> is "<code>enforce</code>",
  then set <var>result</var> to "<code>Blocked</code>".</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> This portion of the check verifies that the page can load the
  response. That is, that a Service Worker hasn’t substituted a file which
  would violate the page’s CSP.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list⑥">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check①">response check</a> on <var>request</var>, <var>response</var>,
  and <var>policy</var> is "<code>Blocked</code>", then:</p>
          <ol>
           <li data-md="">
            <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on the result of executing <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> on <var>request</var>, <var>policy</var>, and <var>directive</var>.</p>
           <li data-md="">
            <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⓪">disposition</a> is "<code>enforce</code>",
  then set <var>result</var> to "<code>Blocked</code>".</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> This portion of the check allows policies delivered with the
  response to determine whether the response is allowed to be delivered.</p>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="4.2" id="html-integration"><span class="secno">4.2. </span><span class="content"> Integration with HTML </span><a class="self-link" href="#html-integration"></a></h3>
    <ol>
     <li data-md="">
      <p>The <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document③">Document</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope" id="ref-for-workerglobalscope①">WorkerGlobalScope</a></code>, and <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/worklets-1/#workletglobalscope" id="ref-for-workletglobalscope①">WorkletGlobalScope</a></code> objects have a <code>CSP list</code>, which holds all the <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⓪">policy</a> objects which are
  active for a given context. This list is empty unless otherwise specified,
  and is populated via the <a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a> algorithm.</p>
      <p class="issue" id="issue-a794766b"><a class="self-link" href="#issue-a794766b"></a> This concept is missing from W3C’s Workers. <a href="https://github.com/w3c/html/issues/187">&lt;https://github.com/w3c/html/issues/187></a></p>
     <li data-md="">
      <p>A <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object⑥">global object</a>’s <dfn class="dfn-paneled" data-dfn-for="global object" data-dfn-type="dfn" data-noexport="" id="global-object-csp-list">CSP list</dfn> is the result of executing <a href="#get-csp-of-object">§4.2.3 Retrieve the CSP list of an object</a> with the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object⑦">global object</a> as the <code>object</code>.</p>
     <li data-md="">
      <p>A <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②①">policy</a> is <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="enforced">enforced</dfn> or <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="monitored">monitored</dfn> for a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object⑧">global object</a> by inserting it into the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object⑨">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list③">CSP list</a>.</p>
     <li data-md="">
      <p><a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a> is called during the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object" id="ref-for-initialise-the-document-object">initializing a
  new <code>Document</code> object</a> and <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/workers.html#run-a-worker" id="ref-for-run-a-worker">run a worker</a> algorithms in order to
  bind a set of <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②②">policy</a> objects associated with a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①③">response</a> to a newly created <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document④">Document</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope" id="ref-for-workerglobalscope②">WorkerGlobalScope</a></code> or <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/worklets-1/#workletglobalscope" id="ref-for-workletglobalscope②">WorkletGlobalScope</a></code>.</p>
     <li data-md="">
      <p><a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a> is called during the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script" id="ref-for-prepare-a-script">prepare a script</a> and <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#update-a-style-block" id="ref-for-update-a-style-block">update a <code>style</code> block</a> algorithms in order to determine whether or
  not an inline script or style block is allowed to execute/render.</p>
     <li data-md="">
      <p><a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a> is called during handling of inline event
  handlers (like <code>onclick</code>) and inline <code>style</code> attributes in order to
  determine whether or not they ought to be allowed to execute/render.</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②③">policy</a> is <a data-link-type="dfn" href="#enforced" id="ref-for-enforced①">enforced</a> during processing of the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta⑨">meta</a></code> element’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv" id="ref-for-attr-meta-http-equiv②">http-equiv</a></code>.</p>
     <li data-md="">
      <p>A <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑤">Document</a></code>'s <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport="" id="embedding-document">embedding document</dfn> is the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑥">Document</a></code> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-nested-through" id="ref-for-browsing-context-nested-through">through which</a> the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑦">Document</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context②">browsing context</a> is nested.</p>
     <li data-md="">
      <p>HTML populates each <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①②">request</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata">cryptographic nonce
  metadata</a> and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata" id="ref-for-concept-request-parser-metadata">parser metadata</a> with relevant data from the
  elements responsible for resource loading.</p>
      <p class="issue" id="issue-aa77c60b"><a class="self-link" href="#issue-aa77c60b"></a> Stylesheet loading is not yet integrated with
  Fetch in W3C’s HTML. <a href="https://github.com/whatwg/html/issues/198">&lt;https://github.com/whatwg/html/issues/198></a></p>
      <p class="issue" id="issue-25da4fba"><a class="self-link" href="#issue-25da4fba"></a> Stylesheet loading is not yet integrated with
  Fetch in WHATWG’s HTML. <a href="https://github.com/whatwg/html/issues/968">&lt;https://github.com/whatwg/html/issues/968></a></p>
     <li data-md="">
      <p><a href="#allow-base-for-document">§6.2.1.1 Is base allowed for document?</a> is called during <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element">base</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url" id="ref-for-set-the-frozen-base-url">set the frozen
  base URL</a> algorithm to ensure that the <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href" id="ref-for-attr-base-href">href</a></code> attribute’s value
  is valid.</p>
     <li data-md="">
      <p><a href="#should-plugin-element-be-blocked-a-priori-by-content-security-policy" id="ref-for-should-plugin-element-be-blocked-a-priori-by-content-security-policy">§6.2.2.2 Should plugin element be blocked a priori by Content
    Security Policy?:</a> is called during the processing of <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element">object</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element" id="ref-for-the-embed-element">embed</a></code>, and <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/obsolete.html#applet" id="ref-for-applet"><code>applet</code></a> elements to determine whether they may trigger a fetch.</p>
      <p class="note" role="note"><span>Note:</span> Fetched plugin resources are handled in <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>.</p>
      <p class="issue" id="issue-5faf83e6"><a class="self-link" href="#issue-5faf83e6"></a> This hook is missing from W3C’s HTML. <a href="https://github.com/w3c/html/issues/547">&lt;https://github.com/w3c/html/issues/547></a></p>
     <li data-md="">
      <p><a href="#should-block-navigation-request">§4.2.5 Should navigation request of type from source in target be blocked
    by Content Security Policy?</a> is called during the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch" id="ref-for-process-a-navigate-fetch">process a
  navigate fetch</a> algorithm, and <a href="#should-block-navigation-response">§4.2.6 Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy?</a> is called during the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response" id="ref-for-process-a-navigate-response">process a navigate response</a> algorithm to
  apply directive’s navigation checks, as well as inline checks for
  navigations to <code>javascript:</code>.</p>
      <p class="issue" id="issue-7b0f92da"><a class="self-link" href="#issue-7b0f92da"></a> W3C’s HTML is not based on Fetch, and does not
  have a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response" id="ref-for-process-a-navigate-response①">process a navigate response</a> algorithm into which to hook. <a href="https://github.com/w3c/html/issues/548">&lt;https://github.com/w3c/html/issues/548></a></p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Initialize a Document&apos;s CSP list" data-level="4.2.1" id="initialize-document-csp"><span class="secno">4.2.1. </span><span class="content"> Initialize a <code>Document</code>'s <code>CSP list</code> </span><a class="self-link" href="#initialize-document-csp"></a></h4>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑧">Document</a></code> (<var>document</var>), and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①④">response</a> (<var>response</var>), the
  user agent performs the following steps in order to initialize <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list">CSP list</a>:</p>
    <ol>
     <li data-md="">
      <p>If <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url">url</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme">scheme</a> is a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme①">local scheme</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>documents</var> be an empty list.</p>
       <li data-md="">
        <p>If <var>document</var> has an <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document">embedding document</a> (<var>embedding</var>), then add <var>embedding</var> to <var>documents</var>.</p>
       <li data-md="">
        <p>If <var>document</var> has an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#opener-browsing-context" id="ref-for-opener-browsing-context">opener browsing context</a>, then add its <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document">active document</a> to <var>documents</var>.</p>
       <li data-md="">
        <p>For each <var>doc</var> in <var>documents</var>:</p>
        <ol>
         <li data-md="">
          <p>For each <var>policy</var> in <var>doc</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list①">CSP list</a>:</p>
          <ol>
           <li data-md="">
            <p>Insert a copy of <var>policy</var> into <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list②">CSP list</a>.</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme②">local scheme</a> includes <code>about:</code>, and this algorithm will
  therefore copy the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document①">embedding document</a>’s policies for <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#an-iframe-srcdoc-document" id="ref-for-an-iframe-srcdoc-document">an iframe <code>srcdoc</code> <code>Document</code></a>.</p>
      <p class="note" role="note"><span>Note:</span> We do all this to ensure that a page cannot bypass its <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②④">policy</a> by embedding a frame or popping up a new window containing content it
  controls (<code>blob:</code> resources, or <code>document.write()</code>).</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list⑦">CSP list</a>, insert <var>policy</var> into <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list③">CSP list</a>.</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list④">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>Execute <var>directive</var>’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization">initialization</a> algorithm on <var>document</var> and <var>response</var>.</p>
        </ol>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Initialize a global object’s CSP list" data-level="4.2.2" id="initialize-global-object-csp"><span class="secno">4.2.2. </span><span class="content"> Initialize a global object’s <code>CSP list</code> </span><a class="self-link" href="#initialize-global-object-csp"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①⓪">global object</a> (<var>global</var>), and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⑤">response</a> (<var>response</var>), the user agent performs the following steps in order
  to initialize <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list④">CSP list</a>:</p>
    <ol>
     <li data-md="">
      <p>If <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url①">url</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme①">scheme</a> is a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme③">local scheme</a>, or if <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#dedicatedworkerglobalscope" id="ref-for-dedicatedworkerglobalscope">DedicatedWorkerGlobalScope</a></code>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>owners</var> be an empty list.</p>
       <li data-md="">
        <p>Add each of the items in <var>global</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/#concept-WorkerGlobalScope-owner-set" id="ref-for-concept-WorkerGlobalScope-owner-set">owner set</a> to <var>owners</var>.</p>
       <li data-md="">
        <p>For each <var>owner</var> in <var>owners</var>:</p>
        <ol>
         <li data-md="">
          <p>For each <var>policy</var> in <var>owner</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list⑤">CSP list</a>:</p>
          <ol>
           <li data-md="">
            <p>Insert a copy of <var>policy</var> into <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list⑥">CSP list</a>.</p>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme④">local scheme</a> includes <code>about:</code>, and this algorithm will
  therefore copy the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document②">embedding document</a>’s policies for <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#an-iframe-srcdoc-document" id="ref-for-an-iframe-srcdoc-document①">an iframe <code>srcdoc</code> <code>Document</code></a>.</p>
     <li data-md="">
      <p>If <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#sharedworkerglobalscope" id="ref-for-sharedworkerglobalscope">SharedWorkerGlobalScope</a></code> or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/ServiceWorker/#serviceworkerglobalscope" id="ref-for-serviceworkerglobalscope">ServiceWorkerGlobalScope</a></code>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>policy</var> in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list⑧">CSP list</a>, insert <var>policy</var> into <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list⑦">CSP list</a>.</p>
      </ol>
     <li data-md="">
      <p>If <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/worklets-1/#workletglobalscope" id="ref-for-workletglobalscope③">WorkletGlobalScope</a></code>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>owner</var> be <var>global</var>’s <a data-link-type="dfn" href="https://drafts.css-houdini.org/worklets/#workletglobalscope-owner-document" id="ref-for-workletglobalscope-owner-document">owner document</a>.</p>
       <li data-md="">
        <p>For each <var>policy</var> in <var>owner</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list⑧">CSP list</a>:</p>
        <ol>
         <li data-md="">
          <p>Insert a copy of <var>policy</var> into <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list⑨">CSP list</a>.</p>
        </ol>
      </ol>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Retrieve the CSP list of an object" data-level="4.2.3" id="get-csp-of-object"><span class="secno">4.2.3. </span><span class="content"> Retrieve the <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⓪">CSP list</a> of an <var>object</var> </span><a class="self-link" href="#get-csp-of-object"></a></h4>
    <p>To obtain <var>object</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①①">CSP list</a>:</p>
    <ol>
     <li data-md="">
      <p>If <var>object</var> is a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document⑨">Document</a></code> return <var>object</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list⑤">CSP list</a>.</p>
     <li data-md="">
      <p>If <var>object</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window②">Window</a></code> return <var>object</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window" id="ref-for-concept-document-window">associated <code>Document</code></a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list⑥">CSP list</a>.</p>
     <li data-md="">
      <p>If <var>object</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope" id="ref-for-workerglobalscope③">WorkerGlobalScope</a></code>, return <var>object</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①②">CSP list</a>.</p>
     <li data-md="">
      <p>If <var>object</var> is a <code class="idl"><a data-link-type="idl" href="https://www.w3.org/TR/worklets-1/#workletglobalscope" id="ref-for-workletglobalscope④">WorkletGlobalScope</a></code>, return <var>object</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①③">CSP list</a>.</p>
     <li data-md="">
      <p>Return <code>null</code>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should element’s inline type behavior be blocked by Content Security Policy?" data-level="4.2.4" id="should-block-inline"><span class="secno">4.2.4. </span><span class="content"> Should <var>element</var>’s inline <var>type</var> behavior be blocked by Content Security Policy? </span><a class="self-link" href="#should-block-inline"></a></h4>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element①">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>)
  this algorithm returns "<code>Allowed</code>" if the element is allowed to have inline
  definition of a particular type of behavior (script execution, style
  application, event handlers, etc.), and "<code>Blocked</code>" otherwise:</p>
    <p class="note" role="note"><span>Note:</span> The valid values for <var>type</var> are "<code>script</code>", "<code>script attribute</code>",
  "<code>style</code>", and "<code>style attribute</code>".</p>
    <ol class="algorithm">
     <li data-md="">
      <p class="assertion">Assert: <var>element</var> is not <code>null</code>.</p>
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>element</var>’s <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⓪">Document</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①①">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①④">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set⑥">directive set</a>:</p>
        <ol>
         <li data-md="">
          <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check">inline check</a> returns
  "<code>Allowed</code>" when executed upon <var>element</var>, <var>type</var>, and <var>source</var>,
  skip to the next <var>directive</var>.</p>
         <li data-md="">
          <p>Otherwise, let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object" id="ref-for-current-settings-object">current settings
  object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global" id="ref-for-concept-settings-object-global④">global object</a>, <var>policy</var>,
  and "<code>style-src</code>" if <var>type</var> is "<code>style</code>" or "<code>style-attribute</code>",
  or "<code>script-src</code>" otherwise.</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource②">resource</a> to "<code>inline</code>".</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-element" id="ref-for-violation-element">element</a> to <var>element</var>.</p>
         <li data-md="">
          <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④">value</a> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-contain" id="ref-for-list-contain①">contains</a> the
  expression "<a data-link-type="grammar" href="#grammardef-report-sample" id="ref-for-grammardef-report-sample①"><code>'report-sample'</code></a>", then set <var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample②">sample</a> to the substring of <var>source</var> containing its first 40
  characters.</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①①">disposition</a> is "<code>enforce</code>", then
  set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should navigation request of type from source in target be blocked
    by Content Security Policy?" data-level="4.2.5" id="should-block-navigation-request"><span class="secno">4.2.5. </span><span class="content"> Should <var>navigation request</var> of <var>type</var> from <var>source</var> in <var>target</var> be blocked
    by Content Security Policy? </span><a class="self-link" href="#should-block-navigation-request"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①③">request</a> (<var>navigation request</var>), a string (<var>type</var>, either
  "<code>form-submission</code>" or "<code>other</code>"), and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context③">browsing contexts</a> (<var>source</var> and <var>target</var>), this algorithm return "<code>Blocked</code>" if the active policy blocks
  the navigation, and "<code>Allowed</code>" otherwise:</p>
    <ol class="algorithm">
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>source</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document①">active document</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list⑦">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-pre-navigation-check" id="ref-for-directive-pre-navigation-check">pre-navigation check</a> returns "<code>Allowed</code>" when executed upon <var>navigation request</var>, <var>type</var>, <var>source</var>, and <var>target</var>, skip to the next <var>directive</var>.</p>
         <li data-md="">
          <p>Otherwise, let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <var>source</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global" id="ref-for-concept-relevant-global">relevant global
  object</a>, <var>policy</var>, and <var>directive</var>’s <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name③">name</a>.</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource③">resource</a> to <var>navigation
  request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url②">URL</a>.</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①②">disposition</a> is "<code>enforce</code>", then
  set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>If <var>result</var> is "<code>Allowed</code>", and if <var>navigation request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url" id="ref-for-concept-request-url②">url</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme②">scheme</a> is <code>javascript</code>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>policy</var> in <var>source</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document②">active document</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list⑧">CSP List</a>:</p>
        <ol>
         <li data-md="">
          <p>For each <var>directive</var> in <var>policy</var>:</p>
          <ol>
           <li data-md="">
            <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check①">inline check</a> returns "<code>Allowed</code>" when executed upon <var>navigation request</var>, <var>type</var>, <var>source</var>, and <var>target</var>, skip to the next <var>directive</var>.</p>
          </ol>
         <li data-md="">
          <p>Otherwise, let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <var>source</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global" id="ref-for-concept-relevant-global①">relevant global
  object</a>, <var>policy</var>, and <var>directive</var>’s <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name④">name</a>.</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource④">resource</a> to <var>navigation
  request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url③">URL</a>.</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①③">disposition</a> is "<code>enforce</code>", then
  set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h4 class="heading settled algorithm" data-algorithm="Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy?" data-level="4.2.6" id="should-block-navigation-response"><span class="secno">4.2.6. </span><span class="content"> Should <var>navigation response</var> to <var>navigation request</var> of <var>type</var> from <var>source</var> in <var>target</var> be blocked by Content Security Policy? </span><a class="self-link" href="#should-block-navigation-response"></a></h4>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①④">request</a> (<var>navigation request</var>),, a string (<var>type</var>, either
  "<code>form-submission</code>" or "<code>other</code>"), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⑥">response</a> <var>navigation
  response</var>, and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context④">browsing contexts</a> (<var>source</var> and <var>target</var>), this algorithm
  returns "<code>Blocked</code>" if the active policy blocks the navigation, and "<code>Allowed</code>"
  otherwise:</p>
    <ol class="algorithm">
     <li data-md="">
      <p>Let <var>result</var> be "<code>Allowed</code>".</p>
     <li data-md="">
      <p>For each <var>policy</var> in <var>navigation response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-csp-list" id="ref-for-concept-response-csp-list⑨">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>directive</var> in <var>policy</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>directive</var>’s <a data-link-type="dfn" href="#directive-navigation-response-check" id="ref-for-directive-navigation-response-check">navigation response check</a> returns "<code>Allowed</code>" when executed upon <var>navigation request</var>, <var>type</var>, <var>navigation response</var>, <var>source</var>, and <var>target</var>, skip to the next <var>directive</var>.</p>
         <li data-md="">
          <p>Otherwise, let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <code>null</code>, <var>policy</var>, and <var>directive</var>’s <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name⑤">name</a>.</p>
          <p class="note" role="note"><span>Note:</span> We use <code>null</code> for the global object, as no global exists:
  we haven’t processed the navigation to create a Document yet.</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource⑤">resource</a> to <var>navigation
  response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url④">URL</a>.</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①④">disposition</a> is "<code>enforce</code>", then
  set <var>result</var> to "<code>Blocked</code>".</p>
        </ol>
      </ol>
     <li data-md="">
      <p>Return <var>result</var>.</p>
    </ol>
    <h3 class="heading settled" data-level="4.3" id="ecma-integration"><span class="secno">4.3. </span><span class="content">Integration with ECMAScript</span><a class="self-link" href="#ecma-integration"></a></h3>
    <p>ECMAScript defines a <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings" id="ref-for-sec-hostensurecancompilestrings">HostEnsureCanCompileStrings()</a></code> abstract operation
  which allows the host environment to block the compilation of strings into
  ECMAScript code. This document defines an implementation of that abstract
  operation thich examines the relevant <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⑤">CSP list</a> to determine whether such compilation ought to be blocked.</p>
    <h4 class="heading settled algorithm" data-algorithm="EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source)" data-dfn-type="dfn" data-level="4.3.1" data-lt="EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source)" data-noexport="" id="can-compile-strings"><span class="secno">4.3.1. </span><span class="content"> EnsureCSPDoesNotBlockStringCompilation(<var>callerRealm</var>, <var>calleeRealm</var>, <var>source</var>) </span><a class="self-link" href="#can-compile-strings"></a></h4>
    <p>Given two <a data-link-type="dfn" href="https://tc39.github.io/ecma262#realm" id="ref-for-realm">realms</a> (<var>callerRealm</var> and <var>calleeRealm</var>), and a string (<var>source</var>), this algorithm
  returns normally if string compilation is allowed, and throws an "<code>EvalError</code>" if not:</p>
    <ol>
     <li data-md="">
      <p>Let <var>globals</var> be a list containing <var>callerRealm</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-realm-global" id="ref-for-concept-realm-global">global object</a> and <var>calleeRealm</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-realm-global" id="ref-for-concept-realm-global①">global object</a>.</p>
     <li data-md="">
      <p>For each <var>global</var> in <var>globals</var>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>result</var> be "<code>Allowed</code>".</p>
       <li data-md="">
        <p>For each <var>policy</var> in <var>global</var>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⑥">CSP list</a>:</p>
        <ol>
         <li data-md="">
          <p>Let <var>source-list</var> be <code>null</code>.</p>
         <li data-md="">
          <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives⑧">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name⑥">name</a> is "<code>script-src</code>", then
  set <var>source-list</var> to that <a data-link-type="dfn" href="#directives" id="ref-for-directives⑨">directive</a>'s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑤">value</a>.</p>
          <p>Otherwise if <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①⓪">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name⑦">name</a> is
  "<code>default-src</code>", then set <var>source-list</var> to that directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑥">value</a>.</p>
         <li data-md="">
          <p>If <var>source-list</var> is non-<code>null</code>, and does not contain a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression②">source expression</a> which is
  an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①">ASCII case-insensitive</a> match for the string "<a data-link-type="grammar" href="#grammardef-unsafe-eval" id="ref-for-grammardef-unsafe-eval"><code>'unsafe-eval'</code></a>",
  then:</p>
          <ol>
           <li data-md="">
            <p>Let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <var>global</var>, <var>policy</var>, and "<code>script-src</code>".</p>
           <li data-md="">
            <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource⑥">resource</a> to "<code>inline</code>".</p>
           <li data-md="">
            <p>If <var>source-list</var> <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#list-contain" id="ref-for-list-contain②">contains</a> the expression
  "<a data-link-type="grammar" href="#grammardef-report-sample" id="ref-for-grammardef-report-sample②"><code>'report-sample'</code></a>", then set <var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample③">sample</a> to
  the substring of <var>source</var> containing its first 40 characters.</p>
           <li data-md="">
            <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
           <li data-md="">
            <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⑤">disposition</a> is "<code>enforce</code>", then set <var>result</var> to
  "<code>Blocked</code>".</p>
          </ol>
        </ol>
       <li data-md="">
        <p>If <var>result</var> is "<code>Blocked</code>", throw an <code>EvalError</code> exception.</p>
      </ol>
    </ol>
    <p class="issue" id="issue-910d1dca"><a class="self-link" href="#issue-910d1dca"></a> <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings" id="ref-for-sec-hostensurecancompilestrings①">HostEnsureCanCompileStrings()</a></code> does not include the string which is
  going to be compiled as a parameter. We’ll also need to update HTML to pipe that value through
  to CSP. <a href="https://github.com/tc39/ecma262/issues/938">&lt;https://github.com/tc39/ecma262/issues/938></a></p>
   </section>
   <section>
    <h2 class="heading settled" data-level="5" id="reporting"><span class="secno">5. </span><span class="content"> Reporting </span><a class="self-link" href="#reporting"></a></h2>
    <p>When one or more of a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⑤">policy</a>’s directives is violated, a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="violation report" id="violation-report">violation
  report</dfn> may be generated and sent out to a reporting endpoint associated
  with the <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⑥">policy</a>.</p>
    <h3 class="heading settled" data-level="5.1" id="violation-events"><span class="secno">5.1. </span><span class="content"> Violation DOM Events </span><a class="self-link" href="#violation-events"></a></h3>
<pre class="idl highlight def"><span class="kt">enum</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="enum" data-export="" id="enumdef-securitypolicyviolationeventdisposition"><code>SecurityPolicyViolationEventDisposition</code></dfn> {
  <dfn class="s idl-code" data-dfn-for="SecurityPolicyViolationEventDisposition" data-dfn-type="enum-value" data-export="" data-lt="&quot;enforce&quot;|enforce" id="dom-securitypolicyviolationeventdisposition-enforce"><code>"enforce"</code><a class="self-link" href="#dom-securitypolicyviolationeventdisposition-enforce"></a></dfn>, <dfn class="s idl-code" data-dfn-for="SecurityPolicyViolationEventDisposition" data-dfn-type="enum-value" data-export="" data-lt="&quot;report&quot;|report" id="dom-securitypolicyviolationeventdisposition-report"><code>"report"</code><a class="self-link" href="#dom-securitypolicyviolationeventdisposition-report"></a></dfn>
};

[<dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="constructor" data-export="" data-lt="SecurityPolicyViolationEvent(type, eventInitDict)|SecurityPolicyViolationEvent(type)" id="dom-securitypolicyviolationevent-securitypolicyviolationevent"><code>Constructor</code><a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent"></a></dfn>(<a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString"><span class="kt">DOMString</span></a> <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEvent/SecurityPolicyViolationEvent(type, eventInitDict)" data-dfn-type="argument" data-export="" id="dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type"><code>type</code><a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type"></a></dfn>, <span class="kt">optional</span> <a class="n" data-link-type="idl-name" href="#dictdef-securitypolicyviolationeventinit" id="ref-for-dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a> <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEvent/SecurityPolicyViolationEvent(type, eventInitDict)" data-dfn-type="argument" data-export="" id="dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict"><code>eventInitDict</code><a class="self-link" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict"></a></dfn>)]
<span class="kt">interface</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="interface" data-export="" id="securitypolicyviolationevent"><code>SecurityPolicyViolationEvent</code></dfn> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#event" id="ref-for-event">Event</a> {
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-documenturi"><code>documentURI</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-referrer"><code>referrer</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-blockeduri"><code>blockedURI</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString④"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-violateddirective"><code>violatedDirective</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑤"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-effectivedirective"><code>effectiveDirective</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑥"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-originalpolicy"><code>originalPolicy</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑦"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-sourcefile"><code>sourceFile</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑧"><span class="kt">DOMString</span></a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="DOMString" id="dom-securitypolicyviolationevent-sample"><code>sample</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#enumdef-securitypolicyviolationeventdisposition" id="ref-for-enumdef-securitypolicyviolationeventdisposition">SecurityPolicyViolationEventDisposition</a>      <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="SecurityPolicyViolationEventDisposition" id="dom-securitypolicyviolationevent-disposition"><code>disposition</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-short" id="ref-for-idl-unsigned-short"><span class="kt">unsigned</span> <span class="kt">short</span></a> <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="unsigned short" id="dom-securitypolicyviolationevent-statuscode"><code>statusCode</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long"><span class="kt">long</span></a>           <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="long" id="dom-securitypolicyviolationevent-linenumber"><code>lineNumber</code></dfn>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long①"><span class="kt">long</span></a>           <dfn class="nv dfn-paneled idl-code" data-dfn-for="SecurityPolicyViolationEvent" data-dfn-type="attribute" data-export="" data-readonly="" data-type="long" id="dom-securitypolicyviolationevent-columnnumber"><code>columnNumber</code></dfn>;
};

<span class="kt">dictionary</span> <dfn class="nv dfn-paneled idl-code" data-dfn-type="dictionary" data-export="" id="dictdef-securitypolicyviolationeventinit"><code>SecurityPolicyViolationEventInit</code></dfn> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#dictdef-eventinit" id="ref-for-dictdef-eventinit">EventInit</a> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑨"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-documenturi"><code>documentURI</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-documenturi"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⓪"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-referrer"><code>referrer</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-referrer"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-blockeduri"><code>blockedURI</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-blockeduri"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①②"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-violateddirective"><code>violatedDirective</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-violateddirective"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-effectivedirective"><code>effectiveDirective</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-effectivedirective"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①④"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-originalpolicy"><code>originalPolicy</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-originalpolicy"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑤"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-sourcefile"><code>sourceFile</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-sourcefile"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑥"><span class="kt">DOMString</span></a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="DOMString      " id="dom-securitypolicyviolationeventinit-sample"><code>sample</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-sample"></a></dfn>;
    <a class="n" data-link-type="idl-name" href="#enumdef-securitypolicyviolationeventdisposition" id="ref-for-enumdef-securitypolicyviolationeventdisposition①">SecurityPolicyViolationEventDisposition</a>      <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="SecurityPolicyViolationEventDisposition      " id="dom-securitypolicyviolationeventinit-disposition"><code>disposition</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-disposition"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-short" id="ref-for-idl-unsigned-short①"><span class="kt">unsigned</span> <span class="kt">short</span></a> <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="unsigned short " id="dom-securitypolicyviolationeventinit-statuscode"><code>statusCode</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-statuscode"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long②"><span class="kt">long</span></a>           <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="long           " id="dom-securitypolicyviolationeventinit-linenumber"><code>lineNumber</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-linenumber"></a></dfn>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long③"><span class="kt">long</span></a>           <dfn class="nv idl-code" data-dfn-for="SecurityPolicyViolationEventInit" data-dfn-type="dict-member" data-export="" data-type="long           " id="dom-securitypolicyviolationeventinit-columnnumber"><code>columnNumber</code><a class="self-link" href="#dom-securitypolicyviolationeventinit-columnnumber"></a></dfn>;
};
</pre>
    <h3 class="heading settled" data-level="5.2" id="deprecated-serialize-violation"><span class="secno">5.2. </span><span class="content"> Obtain the deprecated serialization of <var>violation</var> </span><a class="self-link" href="#deprecated-serialize-violation"></a></h3>
    <p>Given a <a data-link-type="dfn" href="#violation" id="ref-for-violation①⑦">violation</a> (<var>violation</var>), this algorithm returns a JSON text
  string representation of the violation, suitable for submission to a reporting
  endpoint associated with the deprecated <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri"><code>report-uri</code></a> directive.</p>
    <ol>
     <li data-md="">
      <p>Let <var>object</var> be a new JavaScript object with properties initialized as
  follows:</p>
      <dl>
       <dt data-md="">"<code>document-uri</code>"
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url">url</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">"<code>referrer</code>"
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer①">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer①">referrer</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">"<code>blocked-uri</code>"
       <dd data-md="">
        <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer②">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource⑦">resource</a>, with the <code>exclude fragment</code> flag set.</p>
       <dt data-md="">"<code>effective-directive</code>"
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive①">effective directive</a></p>
       <dt data-md="">"<code>violated-directive</code>"
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive②">effective directive</a></p>
       <dt data-md="">"<code>original-policy</code>"
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="#serialized-csp" id="ref-for-serialized-csp⑦">serialization</a> of <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy①">policy</a></p>
       <dt data-md="">"<code>disposition</code>"
       <dd data-md="">
        <p>The <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⑥">disposition</a> of <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy②">policy</a></p>
       <dt data-md="">"<code>status-code</code>"
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status①">status</a></p>
       <dt data-md="">"<code>script-sample</code>"
       <dd data-md="">
        <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample④">sample</a></p>
        <p class="note" role="note"><span>Note:</span> The name <code>script-sample</code> was chosen for compatibility with an earlier iteration of
  this feature which has shipped in Firefox since its initial implementation of CSP. Despite
  the name, this field will contain samples for non-script violations, like stylesheets. The
  data contained in a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent">SecurityPolicyViolationEvent</a></code> object, and in reports generated via
  the new <a data-link-type="dfn" href="#report-to" id="ref-for-report-to"><code>report-to</code></a> directive, is named in a more encompassing fashion: <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample">sample</a></code>.</p>
      </dl>
     <li data-md="">
      <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file②">source file</a> is not <code>null</code>:</p>
      <ol>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>source-file</code>" property to the result of executing
  the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer③">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file③">source
  file</a>, with the <code>exclude fragment</code> flag set.</p>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>line-number</code>" property to <var>violation</var>’s <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number①">line number</a>.</p>
       <li data-md="">
        <p>Set <var>object</var>’s "<code>column-number</code>" property to <var>violation</var>’s <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number①">column number</a>.</p>
      </ol>
     <li data-md="">
      <p class="assertion">Assert: If <var>object</var>’s "<code>blocked-uri</code>" property is not "<code>inline</code>", then its "<code>sample</code>"
  property is the empty string.</p>
     <li data-md="">
      <p>Return the result of executing <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-json.stringify" id="ref-for-sec-json.stringify">JSON.stringify()</a></code> on <var>object</var>.</p>
    </ol>
    <h3 class="heading settled algorithm" data-algorithm="Report a violation" data-level="5.3" id="report-violation"><span class="secno">5.3. </span><span class="content"> Report a <var>violation</var> </span><a class="self-link" href="#report-violation"></a></h3>
    <p>Given a <a data-link-type="dfn" href="#violation" id="ref-for-violation①⑧">violation</a> (<var>violation</var>), this algorithm reports it to the endpoint specified in <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy③">policy</a>, and fires a <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent①">SecurityPolicyViolationEvent</a></code> at <var>violation</var>’s <a data-link-type="dfn" href="#violation-element" id="ref-for-violation-element①">element</a>, or at <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object③">global object</a> as described below:</p>
    <ol>
     <li data-md="">
      <p>Let <var>global</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object④">global object</a>.</p>
     <li data-md="">
      <p>Let <var>target</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-element" id="ref-for-violation-element②">element</a>.</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#queue-a-task" id="ref-for-queue-a-task">Queue a task</a> to run the following steps:</p>
      <p class="note" role="note"><span>Note:</span> We "queue a task" here to ensure that the event targeting and dispatch
  happens after JavaScript completes execution of the task responsible for a
  given violation (which might manipulate the DOM).</p>
      <ol>
       <li data-md="">
        <p>If <var>target</var> is not <code>null</code>, and <var>global</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window③">Window</a></code>, and <var>target</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-shadow-including-root" id="ref-for-concept-shadow-including-root">shadow-including root</a> is not <var>global</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window" id="ref-for-concept-document-window①">associated <code>Document</code></a>, set <var>target</var> to <code>null</code>.</p>
        <p class="note" role="note"><span>Note:</span> This ensures that we fire events only at elements <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#connected" id="ref-for-connected">connected</a> to <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy④">policy</a>’s <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①①">Document</a></code>. If a
  violation is caused by an element which isn’t connected to that
  document, we’ll fire the event at the document rather than the element
  in order to ensure that the violation is visible to the document’s
  listeners.</p>
       <li data-md="">
        <p>If <var>target</var> is <code>null</code>:</p>
        <ol>
         <li data-md="">
          <p>Set <var>target</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object⑤">global object</a>.</p>
         <li data-md="">
          <p>If <var>target</var> is a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/window-object.html#window" id="ref-for-window④">Window</a></code>, set <var>target</var> to <var>target</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window" id="ref-for-concept-document-window②">associated <code>Document</code></a>.</p>
        </ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-event-fire" id="ref-for-concept-event-fire">Fire an event</a> named <code>securitypolicyviolation</code> that uses the <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent②">SecurityPolicyViolationEvent</a></code> interface at <var>target</var> with
  its attributes initialized as follows:</p>
        <dl>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-documenturi" id="ref-for-dom-securitypolicyviolationevent-documenturi">documentURI</a></code>
         <dd data-md="">
          <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer④">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url①">url</a>, with the <code>exclude fragment</code> flag set.</p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-referrer" id="ref-for-dom-securitypolicyviolationevent-referrer">referrer</a></code>
         <dd data-md="">
          <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer⑤">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-referrer" id="ref-for-violation-referrer②">referrer</a>, with the <code>exclude fragment</code> flag set.</p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-blockeduri" id="ref-for-dom-securitypolicyviolationevent-blockeduri">blockedURI</a></code>
         <dd data-md="">
          <p>The result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-serializer" id="ref-for-concept-url-serializer⑥">URL serializer</a> on <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource⑧">resource</a>, with the <code>exclude fragment</code> flag set.</p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-effectivedirective" id="ref-for-dom-securitypolicyviolationevent-effectivedirective">effectiveDirective</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive③">effective directive</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-violateddirective" id="ref-for-dom-securitypolicyviolationevent-violateddirective">violatedDirective</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-effective-directive" id="ref-for-violation-effective-directive④">effective directive</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-originalpolicy" id="ref-for-dom-securitypolicyviolationevent-originalpolicy">originalPolicy</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy⑤">policy</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-disposition" id="ref-for-dom-securitypolicyviolationevent-disposition">disposition</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-disposition" id="ref-for-violation-disposition">disposition</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sourcefile" id="ref-for-dom-securitypolicyviolationevent-sourcefile">sourceFile</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-source-file" id="ref-for-violation-source-file④">source file</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-statuscode" id="ref-for-dom-securitypolicyviolationevent-statuscode">statusCode</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-status" id="ref-for-violation-status②">status</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-linenumber" id="ref-for-dom-securitypolicyviolationevent-linenumber">lineNumber</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-line-number" id="ref-for-violation-line-number②">line number</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-columnnumber" id="ref-for-dom-securitypolicyviolationevent-columnnumber">columnNumber</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-column-number" id="ref-for-violation-column-number②">column number</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample①">sample</a></code>
         <dd data-md="">
          <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-sample" id="ref-for-violation-sample⑤">sample</a></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-event-bubbles" id="ref-for-dom-event-bubbles">bubbles</a></code>
         <dd data-md="">
          <p><code>true</code></p>
         <dt data-md=""><code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-event-composed" id="ref-for-dom-event-composed">composed</a></code>
         <dd data-md="">
          <p><code>true</code></p>
        </dl>
        <p class="note" role="note"><span>Note:</span> Both <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-effectivedirective" id="ref-for-dom-securitypolicyviolationevent-effectivedirective①">effectiveDirective</a></code> and <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-violateddirective" id="ref-for-dom-securitypolicyviolationevent-violateddirective①">violatedDirective</a></code> are the same value.
  This is intentional to maintain backwards compatibility.</p>
        <p class="note" role="note"><span>Note:</span> We set the <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-event-composed" id="ref-for-dom-event-composed①">composed</a></code> attribute, which means that this event
  can be captured on its way into, and will bubble its way out of a shadow
  tree. <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-event-target" id="ref-for-dom-event-target">target</a></code>, et al will be automagically scoped correctly for
  the main tree.</p>
       <li data-md="">
        <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy⑥">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set⑦">directive
  set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①①">directive</a> named "<a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri①"><code>report-uri</code></a>"
  (<var>directive</var>):</p>
        <ol>
         <li data-md="">
          <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy⑦">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set⑧">directive set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①②">directive</a> named
  "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to①"><code>report-to</code></a>", skip the remaining substeps.</p>
         <li data-md="">
          <p>Let <var>endpoint</var> be the result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser" id="ref-for-concept-url-parser">URL parser</a> with <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑦">value</a> as the input, and <var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url②">url</a> as the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-base-url" id="ref-for-concept-base-url">base URL</a>.</p>
         <li data-md="">
          <p>If <var>endpoint</var> is not a valid URL, skip the remaining substeps.</p>
         <li data-md="">
          <p>Let <var>request</var> be a new <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⑤">request</a>, initialized as follows:</p>
          <dl>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-method" id="ref-for-concept-request-method">method</a>
           <dd data-md="">
            <p>"<code>POST</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-url" id="ref-for-concept-request-url③">url</a>
           <dd data-md="">
            <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-url" id="ref-for-violation-url③">url</a></p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-origin" id="ref-for-concept-request-origin">origin</a>
           <dd data-md="">
            <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object⑥">global object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object">relevant settings
  object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin">origin</a></p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-window" id="ref-for-concept-request-window">window</a>
           <dd data-md="">
            <p>"<code>no-window</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client" id="ref-for-concept-request-client⑦">client</a>
           <dd data-md="">
            <p><var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object⑦">global object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object①">relevant
  settings object</a></p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination">destination</a>
           <dd data-md="">
            <p>"<code>report</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator" id="ref-for-concept-request-initiator">initiator</a>
           <dd data-md="">
            <p>""</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-credentials-mode" id="ref-for-concept-request-credentials-mode">credentials mode</a>
           <dd data-md="">
            <p>"<code>same-origin</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#request-keepalive-flag" id="ref-for-request-keepalive-flag">keepalive flag</a>
           <dd data-md="">
            <p>"<code>true</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-header-list" id="ref-for-concept-request-header-list">header list</a>
           <dd data-md="">
            <p>A header list containing a single header whose name is
  "<code>Content-Type</code>", and value is "<code>application/csp-report</code>"</p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-body" id="ref-for-concept-request-body">body</a>
           <dd data-md="">
            <p>The result of executing <a href="#deprecated-serialize-violation">§5.2 Obtain the deprecated serialization of violation</a> on <var>violation</var></p>
           <dt data-md=""><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode" id="ref-for-concept-request-redirect-mode">redirect mode</a>
           <dd data-md="">
            <p>"<code>error</code>"</p>
          </dl>
          <p class="note" role="note"><span>Note:</span> <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-mode" id="ref-for-concept-request-mode">mode</a> defaults to "<code>no-cors</code>"; the response is ignored entirely.</p>
         <li data-md="">
          <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-fetch" id="ref-for-concept-fetch">Fetch</a> <var>request</var>. The result will be ignored.</p>
        </ol>
        <p class="note" role="note"><span>Note:</span> All of this should be considered deprecated. It sends a single
  request per violation, which simply isn’t scalable. As soon as this
  behavior can be removed from user agents, it will be.</p>
        <p class="note" role="note"><span>Note:</span> <code>report-uri</code> only takes effect if <code>report-to</code> is not present. That
  is, the latter overrides the former, allowing for backwards compatibility
  with browsers that don’t support the new mechanism.</p>
       <li data-md="">
        <p>If <var>violation</var>’s <a data-link-type="dfn" href="#violation-policy" id="ref-for-violation-policy⑧">policy</a>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set⑨">directive
  set</a> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①③">directive</a> named "<a data-link-type="dfn" href="#report-to" id="ref-for-report-to②"><code>report-to</code></a>"
  (<var>directive</var>):</p>
        <ol>
         <li data-md="">
          <p>Let <var>group</var> be <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑧">value</a>.</p>
         <li data-md="">
          <p>Let <var>settings object</var> be <var>violation</var>’s <a data-link-type="dfn" href="#violation-global-object" id="ref-for-violation-global-object⑧">global
  object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object②">relevant settings object</a>.</p>
         <li data-md="">
          <p>Execute <a data-link-type="biblio" href="#biblio-reporting">[REPORTING]</a>'s <a data-link-type="dfn" href="https://w3c.github.io/reporting/#queue-report" id="ref-for-queue-report">Queue <var>data</var> as <var>type</var> for <var>endpoint group</var> on <var>settings</var></a> algorithm with the
  following arguments:</p>
          <dl>
           <dt data-md=""><var>data</var>
           <dd data-md="">
            <p><var>violation</var></p>
           <dt data-md=""><var>type</var>
           <dd data-md="">
            <p>"CSP"</p>
           <dt data-md=""><var>endpoint group</var>
           <dd data-md="">
            <p><var>group</var></p>
           <dt data-md=""><var>settings</var>
           <dd data-md="">
            <p><var>settings object</var></p>
          </dl>
        </ol>
      </ol>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="6" id="csp-directives"><span class="secno">6. </span><span class="content"> Content Security Policy Directives </span><a class="self-link" href="#csp-directives"></a></h2>
    <p>This specification defines a number of types of <a data-link-type="dfn" href="#directives" id="ref-for-directives①④">directives</a> which allow
  developers to control certain aspects of their sites' behavior. This document
  defines directives which govern resource fetching (in <a href="#directives-fetch">§6.1 Fetch Directives</a>),
  directives which govern the state of a document (in <a href="#directives-document">§6.2 Document Directives</a>),
  directives which govern aspects of navigation (in <a href="#directives-navigation">§6.3 Navigation Directives</a>),
  and directives which govern reporting (in <a href="#directives-reporting">§6.4 Reporting Directives</a>). These
  form the core of Content Security Policy; other directives are defined in a
  modular fashion in ancillary documents (see <a href="#directives-elsewhere">§6.5 Directives Defined in Other Documents</a> for
  examples).</p>
    <p>To mitigate the risk of cross-site scripting attacks, web developers SHOULD
  include directives that regulate sources of script and plugins. They can do
  so by including:</p>
    <ul>
     <li data-md="">
      <p>Both the <a data-link-type="dfn" href="#script-src" id="ref-for-script-src">script-src</a> and <a data-link-type="dfn" href="#object-src" id="ref-for-object-src">object-src</a> directives, or</p>
     <li data-md="">
      <p>a <a data-link-type="dfn" href="#default-src" id="ref-for-default-src">default-src</a> directive</p>
    </ul>
    <p>In either case, developers SHOULD NOT include either <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline"><code>'unsafe-inline'</code></a>, or <code>data:</code> as valid
  sources in their policies. Both enable XSS attacks by allowing code to be
  included directly in the document itself; they are best avoided completely.</p>
    <h3 class="heading settled" data-level="6.1" id="directives-fetch"><span class="secno">6.1. </span><span class="content"> Fetch Directives </span><a class="self-link" href="#directives-fetch"></a></h3>
    <p><dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="fetch-directives">Fetch directives</dfn> control the locations from which certain resource
  types may be loaded. For instance, <a data-link-type="dfn" href="#script-src" id="ref-for-script-src①">script-src</a> allows developers to allow
  trusted sources of script to execute on a page, while <a data-link-type="dfn" href="#font-src" id="ref-for-font-src">font-src</a> controls the
  sources of web fonts.</p>
    <h4 class="heading settled" data-level="6.1.1" id="directive-child-src"><span class="secno">6.1.1. </span><span class="content"><code>child-src</code></span><a class="self-link" href="#directive-child-src"></a></h4>
    <p>The <a data-link-type="dfn" href="#child-src" id="ref-for-child-src"><code>child-src</code></a> directive is <em>deprecated</em>. Authors who wish to regulate
  nested browsing contexts and workers SHOULD use the <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src"><code>frame-src</code></a> and <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src"><code>worker-src</code></a> directives, respectively.</p>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="child-src"><code>child-src</code></dfn> directive governs the creation of <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context">nested browsing
  contexts</a> (e.g. <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code> and <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/obsolete.html#frame" id="ref-for-frame">frame</a></code> navigations) and Worker execution
  contexts. The syntax for the directive’s name and value is described by the
  following ABNF:</p>
<pre>directive-name  = "child-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⑥">requests</a> which will populate a frame or a
  worker. More formally, <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⑦">requests</a> falling into one of the
  following categories:</p>
    <ul>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①">destination</a> is "<code>document</code>", and whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context" id="ref-for-concept-request-target-browsing-context">target browsing context</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context①">nested browsing
 context</a> (e.g. requests which will populate an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code> or <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/obsolete.html#frame" id="ref-for-frame①">frame</a></code> element)</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②">destination</a> is either "<code>serviceworker</code>",
 "<code>sharedworker</code>", or "<code>worker</code>" (which are fed to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/workers.html#run-a-worker" id="ref-for-run-a-worker①">run a worker</a> algorithm for <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/ServiceWorker/#serviceworker" id="ref-for-serviceworker">ServiceWorker</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker" id="ref-for-sharedworker">SharedWorker</a></code>, and <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#worker" id="ref-for-worker①">Worker</a></code>,
 respectively).</p>
    </ul>
    <div class="example" id="example-8a4405cf">
     <a class="self-link" href="#example-8a4405cf"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#child-src" id="ref-for-child-src①">child-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will all return network errors, as the URLs
    provided do not match <code>child-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"https://example.org"</span><span class="nt">>&lt;/iframe></span>
<span class="nt">&lt;script></span>
  <span class="kd">var</span> blockedWorker <span class="o">=</span> <span class="k">new</span> Worker<span class="p">(</span><span class="s2">"data:application/javascript,..."</span><span class="p">);</span>
<span class="nt">&lt;/script></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="child-src Pre-request check" data-level="6.1.1.1" id="child-src-pre-request"><span class="secno">6.1.1.1. </span><span class="content"> <code>child-src</code> Pre-request check </span><a class="self-link" href="#child-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⑧">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⑦">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is not <code>frame-src</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a directive whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name⑧">name</a> is <var>name</var>, return "<code>Allowed</code>"</p>
     <li data-md="">
      <p>Return the result of executing the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check②">pre-request
  check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives①⑤">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name⑨">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑨">value</a> for the comparison.</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="child-src Post-request check" data-level="6.1.1.2" id="child-src-post-request"><span class="secno">6.1.1.2. </span><span class="content"> <code>child-src</code> Post-request check </span><a class="self-link" href="#child-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check②">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request①⑨">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⑦">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⑧">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is not <code>frame-src</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a directive whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⓪">name</a> is <var>name</var>, return "<code>Allowed</code>"</p>
     <li data-md="">
      <p>Return the result of executing the <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check③">post-request
  check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives①⑥">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①①">name</a> is <var>name</var> on <var>request</var>, <var>response</var>, and <var>policy</var>, using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⓪">value</a> for the comparison.</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.2" id="directive-connect-src"><span class="secno">6.1.2. </span><span class="content"><code>connect-src</code></span><a class="self-link" href="#directive-connect-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="connect-src">connect-src</dfn> directive restricts the URLs which can be loaded
  using script interfaces. The syntax for the directive’s name and value is
  described by the following ABNF:</p>
<pre>directive-name  = "connect-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⓪">requests</a> which transmit or receive data from
  other origins. This includes APIs like <code>fetch()</code>, <a data-link-type="biblio" href="#biblio-xhr">[XHR]</a>, <a data-link-type="biblio" href="#biblio-eventsource">[EVENTSOURCE]</a>, <a data-link-type="biblio" href="#biblio-beacon">[BEACON]</a>, and <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-a-element" id="ref-for-the-a-element">a</a></code>'s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#dom-a-ping" id="ref-for-dom-a-ping">ping</a></code>. This directive <em>also</em> controls
  WebSocket <a data-link-type="biblio" href="#biblio-websockets">[WEBSOCKETS]</a> connections, though those aren’t technically part
  of Fetch.</p>
    <div class="example" id="example-ea16035e">
     <a class="self-link" href="#example-ea16035e"></a> JavaScript offers a few mechanisms that directly connect to an external
    server to send or receive information. <code>EventSource</code> maintains an open
    HTTP connection to a server in order to receive push notifications, <code>WebSockets</code> open a bidirectional communication channel between your
    browser and a server, and <code>XMLHttpRequest</code> makes arbitrary HTTP requests
    on your behalf. These are powerful APIs that enable useful functionality,
    but also provide tempting avenues for data exfiltration. 
     <p>The <code>connect-src</code> directive allows you to ensure that these and similar
    sorts of connections are only opened to origins you trust. Sending a
    policy that defines a list of source expressions for this directive is
    straightforward. For example, to limit connections to only <code>https://example.com</code>, send the following header:</p>
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src">connect-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will all return network errors, as the URLs
    provided do not match <code>connect-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;a</span> <span class="na">ping=</span><span class="s">"https://example.org"</span><span class="nt">></span>...
<span class="nt">&lt;script></span>
  <span class="kd">var</span> xhr <span class="o">=</span> <span class="k">new</span> XMLHttpRequest<span class="p">();</span>
  xhr<span class="p">.</span>open<span class="p">(</span><span class="s1">'GET'</span><span class="p">,</span> <span class="s1">'https://example.org/'</span><span class="p">);</span>
  xhr<span class="p">.</span>send<span class="p">();</span>

  <span class="kd">var</span> ws <span class="o">=</span> <span class="k">new</span> WebSocket<span class="p">(</span><span class="s2">"https://example.org/"</span><span class="p">);</span>

  <span class="kd">var</span> es <span class="o">=</span> <span class="k">new</span> EventSource<span class="p">(</span><span class="s2">"https://example.org/"</span><span class="p">);</span>

  navigator<span class="p">.</span>sendBeacon<span class="p">(</span><span class="s2">"https://example.org/"</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span> <span class="p">});</span>
<span class="nt">&lt;/script></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="connect-src Pre-request check" data-level="6.1.2.1" id="connect-src-pre-request"><span class="secno">6.1.2.1. </span><span class="content"> <code>connect-src</code> Pre-request check </span><a class="self-link" href="#connect-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check③">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②①">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object②⑨">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator" id="ref-for-concept-request-initiator①">initiator</a> is "<code>fetch</code>" or its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination③">destination</a> is "":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①①">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="connect-src Post-request check" data-level="6.1.2.2" id="connect-src-post-request"><span class="secno">6.1.2.2. </span><span class="content"> <code>connect-src</code> Post-request check </span><a class="self-link" href="#connect-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check④">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②②">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⑧">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⓪">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator" id="ref-for-concept-request-initiator②">initiator</a> is "<code>fetch</code>" or its <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination④">destination</a> is "":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①②">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.3" id="directive-default-src"><span class="secno">6.1.3. </span><span class="content"><code>default-src</code></span><a class="self-link" href="#directive-default-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="default-src">default-src</dfn> directive serves as a fallback for the other <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives">fetch directives</a>. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "default-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list②">serialized-source-list</a>
</pre>
    <p>If a <a data-link-type="dfn" href="#default-src" id="ref-for-default-src①">default-src</a> directive is present in a policy, its value will be
  used as the policy’s default source list. That is, given <code>default-src 'none'; script-src 'self'</code>, script requests will use <code>'self'</code> as the <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists②">source
  list</a> to match against. Other requests will use <code>'none'</code>. This is spelled
  out in more detail in the <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a> and <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a> algorithms.</p>
    <div class="example" id="example-ff4cda9d">
     <a class="self-link" href="#example-ff4cda9d"></a> The following header: 
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy①">Content-Security-Policy</a>: <a data-link-type="dfn" href="#default-src" id="ref-for-default-src②">default-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①">'self'</a>
</pre>
     <p>will have the same behavior as the following header:</p>
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy②">Content-Security-Policy</a>: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src①">connect-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self②">'self'</a>;
                         <a data-link-type="dfn" href="#font-src" id="ref-for-font-src①">font-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self③">'self'</a>;
                         <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src①">frame-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self④">'self'</a>;
                         <a data-link-type="dfn" href="#img-src" id="ref-for-img-src">img-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self⑤">'self'</a>;
                         <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src">manifest-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self⑥">'self'</a>;
                         <a data-link-type="dfn" href="#media-src" id="ref-for-media-src">media-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self⑦">'self'</a>;
                         <a data-link-type="dfn" href="#object-src" id="ref-for-object-src①">object-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self⑧">'self'</a>;
                         <a data-link-type="dfn" href="#script-src" id="ref-for-script-src②">script-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self⑨">'self'</a>;
                         <a data-link-type="dfn" href="#style-src" id="ref-for-style-src">style-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⓪">'self'</a>;
                         <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src①">worker-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①①">'self'</a>
</pre>
     <p>That is, when <code>default-src</code> is set, every <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives①">fetch directive</a> that isn’t
    explicitly set will fall back to the value <code>default-src</code> specifies.</p>
    </div>
    <div class="example" id="example-e1c8ddf3">
     <a class="self-link" href="#example-e1c8ddf3"></a> There is no inheritance. If a <code>script-src</code> directive is explicitly
    specified, for example, then the value of <code>default-src</code> has no influence on
    script requests. That is, the following header: 
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy③">Content-Security-Policy</a>: <a data-link-type="dfn" href="#default-src" id="ref-for-default-src③">default-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①②">'self'</a>; <a data-link-type="dfn" href="#script-src" id="ref-for-script-src③">script-src</a> https://example.com
</pre>
     <p>will have the same behavior as the following header:</p>
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy④">Content-Security-Policy</a>: <a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src②">connect-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①③">'self'</a>;
                         <a data-link-type="dfn" href="#font-src" id="ref-for-font-src②">font-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①④">'self'</a>;
                         <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src②">frame-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⑤">'self'</a>;
                         <a data-link-type="dfn" href="#img-src" id="ref-for-img-src①">img-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⑥">'self'</a>;
                         <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src①">manifest-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⑦">'self'</a>;
                         <a data-link-type="dfn" href="#media-src" id="ref-for-media-src①">media-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⑧">'self'</a>;
                         <a data-link-type="dfn" href="#object-src" id="ref-for-object-src②">object-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self①⑨">'self'</a>;
                         <a data-link-type="dfn" href="#script-src" id="ref-for-script-src④">script-src</a> https://example.com;
                         <a data-link-type="dfn" href="#style-src" id="ref-for-style-src①">style-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self②⓪">'self'</a>;
                         <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src②">worker-src</a> <a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self②①">'self'</a>
</pre>
     <p>Given this behavior, one good way to build a policy for a site would be to
    begin with a <code>default-src</code> of <code>'none'</code>, and to build up a policy from there
    which allowed only those resource types which are necessary for the
    particular page the policy will apply to.</p>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="default-src Pre-request check" data-level="6.1.3.1" id="default-src-pre-request"><span class="secno">6.1.3.1. </span><span class="content"> <code>default-src</code> Pre-request check </span><a class="self-link" href="#default-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check④">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②③">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③①">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is <code>null</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①⑦">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①②">name</a> is <var>name</var>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>frame-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①⑧">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①③">name</a> is "<code>child-src</code>", return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives①⑨">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①④">name</a> is "<code>script-src</code>", return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>Otherwise, return the result of executing the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check⑤">pre-request check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives②⓪">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⑤">name</a> is <var>name</var> on <var>request</var> and <var>policy</var>, using
  this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①③">value</a> for the comparison.</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="default-src Post-request check" data-level="6.1.3.2" id="default-src-post-request"><span class="secno">6.1.3.2. </span><span class="content"> <code>default-src</code> Post-request check </span><a class="self-link" href="#default-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check⑤">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②④">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response①⑨">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③②">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>Let <var>name</var> be the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var>.</p>
     <li data-md="">
      <p>If <var>name</var> is <code>null</code>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②①">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⑥">name</a> is <var>name</var>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>frame-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②②">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⑦">name</a> is "<code>child-src</code>", return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>name</var> is "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②③">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⑧">name</a> is "<code>script-src</code>", return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>Otherwise, return the result of executing the <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check⑥">post-request check</a> for the <a data-link-type="dfn" href="#directives" id="ref-for-directives②④">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name①⑨">name</a> is <var>name</var> on <var>request</var>, <var>response</var>, and <var>policy</var>, using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①④">value</a> for the
  comparison.</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.4" id="directive-font-src"><span class="secno">6.1.4. </span><span class="content"><code>font-src</code></span><a class="self-link" href="#directive-font-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="font-src">font-src</dfn> directive restricts the URLs from which font resources
  may be loaded. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "font-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list③">serialized-source-list</a>
</pre>
    <div class="example" id="example-9055d098">
     <a class="self-link" href="#example-9055d098"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#font-src" id="ref-for-font-src③">font-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>font-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists③">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;style></span>
  <span class="k">@font-face</span> <span class="p">{</span>
    <span class="nt">font-family</span><span class="o">:</span> <span class="s2">"Example Font"</span><span class="o">;</span>
    <span class="nt">src</span><span class="o">:</span> <span class="nt">url</span><span class="o">(</span><span class="s2">"https://example.org/font"</span><span class="o">);</span>
  <span class="p">}</span>
  <span class="nt">body</span> <span class="p">{</span>
    <span class="k">font-family</span><span class="o">:</span> <span class="s2">"Example Font"</span><span class="p">;</span>
  <span class="p">}</span>
<span class="nt">&lt;/style></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="font-src Pre-request check" data-level="6.1.4.1" id="font-src-pre-request"><span class="secno">6.1.4.1. </span><span class="content"> <code>font-src</code> Pre-request check </span><a class="self-link" href="#font-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check⑥">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⑤">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③③">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination⑤">destination</a> is "<code>font</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⑤">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="font-src Post-request check" data-level="6.1.4.2" id="font-src-post-request"><span class="secno">6.1.4.2. </span><span class="content"> <code>font-src</code> Post-request check </span><a class="self-link" href="#font-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check⑦">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⑥">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⓪">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③④">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination⑥">destination</a> is "<code>font</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⑥">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.5" id="directive-frame-src"><span class="secno">6.1.5. </span><span class="content"><code>frame-src</code></span><a class="self-link" href="#directive-frame-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="frame-src">frame-src</dfn> directive restricts the URLs which may be loaded into <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context②">nested browsing contexts</a>. The syntax for the directive’s name and value
  is described by the following ABNF:</p>
<pre>directive-name  = "frame-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list④">serialized-source-list</a>
</pre>
    <div class="example" id="example-367911bc">
     <a class="self-link" href="#example-367911bc"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src③">frame-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>frame-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists④">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"https://example.org/"</span><span class="nt">></span>
<span class="nt">&lt;/iframe></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="frame-src Pre-request check" data-level="6.1.5.1" id="frame-src-pre-request"><span class="secno">6.1.5.1. </span><span class="content"> <code>frame-src</code> Pre-request check </span><a class="self-link" href="#frame-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check⑦">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⑦">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⑤">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination⑦">destination</a> is "<code>document</code>" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context" id="ref-for-concept-request-target-browsing-context①">target browsing context</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context③">nested browsing
  context</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⑦">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="frame-src Post-request check" data-level="6.1.5.2" id="frame-src-post-request"><span class="secno">6.1.5.2. </span><span class="content"> <code>frame-src</code> Post-request check </span><a class="self-link" href="#frame-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check⑧">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⑧">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②①">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⑥">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination⑧">destination</a> is "<code>document</code>" and <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context" id="ref-for-concept-request-target-browsing-context②">target browsing context</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context④">nested browsing
  context</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⑧">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.6" id="directive-img-src"><span class="secno">6.1.6. </span><span class="content"><code>img-src</code></span><a class="self-link" href="#directive-img-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="img-src">img-src</dfn> directive restricts the URLs from which image resources
  may be loaded. The syntax for the directive’s name and value is described by
  the following ABNF:</p>
<pre>directive-name  = "img-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑤">serialized-source-list</a>
</pre>
    <p>This directive controls <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request②⑨">requests</a> which load images. More formally, this
  includes <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⓪">requests</a> whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination⑨">destination</a> is "<code>image</code>" <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>.</p>
    <div class="example" id="example-d81d31f9">
     <a class="self-link" href="#example-d81d31f9"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#img-src" id="ref-for-img-src②">img-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>img-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists⑤">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"https://example.org/img"</span><span class="nt">></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="img-src Pre-request check" data-level="6.1.6.1" id="img-src-pre-request"><span class="secno">6.1.6.1. </span><span class="content"> <code>img-src</code> Pre-request check </span><a class="self-link" href="#img-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check⑧">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③①">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⑦">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⓪">destination</a> is "<code>image</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value①⑨">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="img-src Post-request check" data-level="6.1.6.2" id="img-src-post-request"><span class="secno">6.1.6.2. </span><span class="content"> <code>img-src</code> Post-request check </span><a class="self-link" href="#img-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check⑨">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③②">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②②">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⑧">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①①">destination</a> is "<code>image</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⓪">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.7" id="directive-manifest-src"><span class="secno">6.1.7. </span><span class="content"><code>manifest-src</code></span><a class="self-link" href="#directive-manifest-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="manifest-src">manifest-src</dfn> directive restricts the URLs from which application
  manifests may be loaded <a data-link-type="biblio" href="#biblio-appmanifest">[APPMANIFEST]</a>. The syntax for the directive’s name
  and value is described by the following ABNF:</p>
<pre>directive-name  = "manifest-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑥">serialized-source-list</a>
</pre>
    <div class="example" id="example-c0df126a">
     <a class="self-link" href="#example-c0df126a"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src②">manifest-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>manifest-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists⑥">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"manifest"</span> <span class="na">href=</span><span class="s">"https://example.org/manifest"</span><span class="nt">></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="manifest-src Pre-request check" data-level="6.1.7.1" id="manifest-src-pre-request"><span class="secno">6.1.7.1. </span><span class="content"> <code>manifest-src</code> Pre-request check </span><a class="self-link" href="#manifest-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check⑨">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③③">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object③⑨">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①②">destination</a> is "<code>manifest</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②①">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="manifest-src Post-request check" data-level="6.1.7.2" id="manifest-src-post-request"><span class="secno">6.1.7.2. </span><span class="content"> <code>manifest-src</code> Post-request check </span><a class="self-link" href="#manifest-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①⓪">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③④">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②③">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⓪">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①③">destination</a> is "<code>manifest</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②②">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.8" id="directive-media-src"><span class="secno">6.1.8. </span><span class="content"><code>media-src</code></span><a class="self-link" href="#directive-media-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="media-src">media-src</dfn> directive restricts the URLs from which video, audio,
  and associated text track resources may be loaded. The syntax for the
  directive’s name and value is described by the following ABNF:</p>
<pre>directive-name  = "media-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑦">serialized-source-list</a>
</pre>
    <div class="example" id="example-0bdf4506">
     <a class="self-link" href="#example-0bdf4506"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#media-src" id="ref-for-media-src②">media-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>media-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists⑦">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;audio</span> <span class="na">src=</span><span class="s">"https://example.org/audio"</span><span class="nt">>&lt;/audio></span>
<span class="nt">&lt;video</span> <span class="na">src=</span><span class="s">"https://example.org/video"</span><span class="nt">></span>
    <span class="nt">&lt;track</span> <span class="na">kind=</span><span class="s">"subtitles"</span> <span class="na">src=</span><span class="s">"https://example.org/subtitles"</span><span class="nt">></span>
<span class="nt">&lt;/video></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="media-src Pre-request check" data-level="6.1.8.1" id="media-src-pre-request"><span class="secno">6.1.8.1. </span><span class="content"> <code>media-src</code> Pre-request check </span><a class="self-link" href="#media-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①⓪">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑤">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④①">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①④">destination</a> is one of "<code>audio</code>", "<code>video</code>",
  or "<code>track</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②③">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="media-src Post-request check" data-level="6.1.8.2" id="media-src-post-request"><span class="secno">6.1.8.2. </span><span class="content"> <code>media-src</code> Post-request check </span><a class="self-link" href="#media-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①①">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑥">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②④">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④②">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⑤">destination</a> is one of "<code>audio</code>", "<code>video</code>",
  or "<code>track</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②④">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.9" id="directive-object-src"><span class="secno">6.1.9. </span><span class="content"><code>object-src</code></span><a class="self-link" href="#directive-object-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="object-src">object-src</dfn> directive restricts the URLs from which plugin
  content may be loaded. The syntax for the directive’s name and value is
  described by the following ABNF:</p>
<pre>directive-name  = "object-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑧">serialized-source-list</a>
</pre>
    <div class="example" id="example-942e3a4c">
     <a class="self-link" href="#example-942e3a4c"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#object-src" id="ref-for-object-src③">object-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>object-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists⑧">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;embed</span> <span class="na">src=</span><span class="s">"https://example.org/flash"</span><span class="nt">>&lt;/embed></span>
<span class="nt">&lt;object</span> <span class="na">data=</span><span class="s">"https://example.org/flash"</span><span class="nt">>&lt;/object></span>
<span class="nt">&lt;applet</span> <span class="na">archive=</span><span class="s">"https://example.org/flash"</span><span class="nt">>&lt;/applet></span>
</pre>
    </div>
    <p>If plugin content is loaded without an associated URL (perhaps an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element①">object</a></code> element lacks a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-object-data" id="ref-for-attr-object-data">data</a></code> attribute, but loads some default plugin based
  on the specified <code>type</code>), it MUST be blocked if <code>object-src</code>'s value is <code>'none'</code>, but will otherwise be allowed.</p>
    <p class="note" role="note"><span>Note:</span> The <code>object-src</code> directive acts upon any request made on behalf of
  an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element②">object</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element" id="ref-for-the-embed-element①">embed</a></code>, or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/obsolete.html#applet" id="ref-for-applet①"><code>applet</code></a> element. This includes requests
  which would populate the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context⑤">nested browsing context</a> generated by the
  former two (also including navigations). This is true even when the data is
  semantically equivalent to content which would otherwise be restricted by
  another directive, such as an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element③">object</a></code> element with a <code>text/html</code> MIME
  type.</p>
    <p class="note" role="note"><span>Note:</span> When a plugin resource is navigated to directly (that is, as a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#plugin-document" id="ref-for-plugin-document">plugin document</a> in the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context" id="ref-for-top-level-browsing-context">top-level browsing context</a> or a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context⑥">nested browsing context</a>, and not as an embedded
  subresource via <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element" id="ref-for-the-embed-element②">embed</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element④">object</a></code>, or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/obsolete.html#applet" id="ref-for-applet②"><code>applet</code></a>), any <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④③">policy</a> delivered along
  with that resource will be applied to the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#plugin-document" id="ref-for-plugin-document①">plugin document</a>. This means, for instance, that
  developers can prevent the execution of arbitrary resources as plugin content by delivering the
  policy <code>object-src 'none'</code> along with a response. Given plugins' power (and the
  sometimes-interesting security model presented by Flash and others), this could mitigate the risk
  of attack vectors like <a href="https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/">Rosetta Flash</a>.</p>
    <h5 class="heading settled algorithm" data-algorithm="object-src Pre-request check" data-level="6.1.9.1" id="object-src-pre-request"><span class="secno">6.1.9.1. </span><span class="content"> <code>object-src</code> Pre-request check </span><a class="self-link" href="#object-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①①">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑦">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④④">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⑥">destination</a> is "<code>object</code>" or "<code>embed</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⑤">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="object-src Post-request check" data-level="6.1.9.2" id="object-src-post-request"><span class="secno">6.1.9.2. </span><span class="content"> <code>object-src</code> Post-request check </span><a class="self-link" href="#object-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①②">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑧">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⑤">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⑤">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⑦">destination</a> is "<code>object</code>" or "<code>embed</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⑥">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.10" id="directive-script-src"><span class="secno">6.1.10. </span><span class="content"><code>script-src</code></span><a class="self-link" href="#directive-script-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="script-src">script-src</dfn> directive restricts the locations from which scripts
  may be executed. This includes not only URLs loaded directly into <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script③">script</a></code> elements, but also things like inline script blocks and XSLT stylesheets <a data-link-type="biblio" href="#biblio-xslt">[XSLT]</a> which can trigger script execution. The syntax for the directive’s
  name and value is described by the following ABNF:</p>
<pre>directive-name  = "script-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list⑨">serialized-source-list</a>
</pre>
    <p>The <code>script-src</code> directive governs four things:</p>
    <ol>
     <li data-md="">
      <p>Script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request③⑨">requests</a> MUST pass through <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>.</p>
     <li data-md="">
      <p>Script <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⑥">responses</a> MUST pass through <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>.</p>
     <li data-md="">
      <p>Inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script④">script</a></code> blocks MUST pass through <a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a>. Their
  behavior will be blocked unless every policy allows inline script, either
  implicitly by not specifying a <code>script-src</code> (or <code>default-src</code>) directive,
  or explicitly, by specifying "<code>unsafe-inline</code>", a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source②">nonce-source</a> or a <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source②">hash-source</a> that matches
  the inline block.</p>
     <li data-md="">
      <p>The following JavaScript execution sinks are gated on the "<code>unsafe-eval</code>"
  source expression:</p>
      <ul>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-eval-x" id="ref-for-sec-eval-x①">eval()</a></code></p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-function-objects" id="ref-for-sec-function-objects">Function()</a></code></p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-settimeout" id="ref-for-dom-settimeout">setTimeout()</a></code> with an initial argument which is not callable.</p>
       <li data-md="">
        <p><code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval" id="ref-for-dom-setinterval">setInterval()</a></code> with an initial argument which is not callable.</p>
      </ul>
      <p class="note" role="note"><span>Note:</span> If a user agent implements non-standard sinks like <code>setImmediate()</code> or <code>execScript()</code>, they SHOULD also be gated on "<code>unsafe-eval</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="script-src Pre-request check" data-level="6.1.10.1" id="script-src-pre-request"><span class="secno">6.1.10.1. </span><span class="content"> <code>script-src</code> Pre-request check </span><a class="self-link" href="#script-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①②">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⓪">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⑥">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var> is "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②⑤">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name②⓪">name</a> is "<code>worker-src</code>", return "<code>Allowed</code>".</p>
      <p class="note" role="note"><span>Note:</span> If <code>worker-src</code> is present, we’ll defer to it when handling worker requests.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⑧">destination</a> is <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#request-destination-script-like" id="ref-for-request-destination-script-like">script-like</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.6.1.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata①">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⑦">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>Let <var>integrity expressions</var> be the set of <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression③">source expressions</a> in
  this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⑧">value</a> that match the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source③">hash-source</a> grammar.</p>
       <li data-md="">
        <p>If <var>integrity expressions</var> is not empty:</p>
        <ol>
         <li data-md="">
          <p>Let <var>integrity sources</var> be the result of executing the algorithn
  defined in <a href="https://www.w3.org/TR/SRI/#parse-metadata">Subresource Integrity §parse-metadata</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata" id="ref-for-concept-request-integrity-metadata">integrity metadata</a>. <a data-link-type="biblio" href="#biblio-sri">[SRI]</a></p>
         <li data-md="">
          <p>If <var>integrity sources</var> is "<code>no metadata</code>" or an empty set, skip
  the remaining substeps.</p>
         <li data-md="">
          <p>Let <var>bypass due to integrity match</var> be <code>true</code>.</p>
         <li data-md="">
          <p>For each <var>source</var> in <var>integrity sources</var>:</p>
          <ol>
           <li data-md="">
            <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value②⑨">value</a> does not
  contain a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression④">source expression</a> whose <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm①">hash-algorithm</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive">case-sensitive</a> match
  for <var>source</var>’s <code>hash-algo</code> component, and whose <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value④">base64-value</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive①">case-sensitive</a> match
  for <var>source</var>’s <code>base64-value</code>, then set <var>bypass due to
  integrity match</var> to <code>false</code>.</p>
          </ol>
         <li data-md="">
          <p>If <var>bypass due to integrity match</var> is <code>true</code>, return
  "<code>Allowed</code>".</p>
        </ol>
        <p class="note" role="note"><span>Note:</span> Here, we verify only that the <var>request</var> contains a set of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata" id="ref-for-concept-request-integrity-metadata①">integrity metadata</a> which is a subset of the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source④">hash-source</a> <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression⑤">source expressions</a> specified by
  this directive. We rely on the browser’s enforcement of Subresource
  Integrity <a data-link-type="biblio" href="#biblio-sri">[SRI]</a> to block non-matching resources upon response.</p>
       <li data-md="">
        <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⓪">value</a> contains a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression⑥">source
  expression</a> that is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive②">ASCII case-insensitive</a> match for
  the "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic"><code>'strict-dynamic'</code></a>" <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source①">keyword-source</a>:</p>
        <ol>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata" id="ref-for-concept-request-parser-metadata①">parser metadata</a> is <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted①">"parser-inserted"</a>, return "<code>Blocked</code>".</p>
          <p>Otherwise, return "<code>Allowed</code>".</p>
          <p class="note" role="note"><span>Note:</span> "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic①"><code>'strict-dynamic'</code></a>" is explained in more detail
  in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
        </ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③①">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="script-src Post-request check" data-level="6.1.10.2" id="script-src-post-request"><span class="secno">6.1.10.2. </span><span class="content"> <code>script-src</code> Post-request check </span><a class="self-link" href="#script-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①③">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④①">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⑦">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⑦">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p>If the result of executing <a href="#effective-directive-for-a-request">§6.6.1.11 Get the effective directive for request</a> on <var>request</var> is "<code>worker-src</code>", and <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②⑥">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name②①">name</a> is "<code>worker-src</code>", return "<code>Allowed</code>".</p>
      <p class="note" role="note"><span>Note:</span> If <code>worker-src</code> is present, we’ll defer to it when handling worker requests.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination①⑨">destination</a> is <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#request-destination-script-like" id="ref-for-request-destination-script-like①">script-like</a>:</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.6.1.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata②">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③②">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③③">value</a> contains
  "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic②"><code>'strict-dynamic'</code></a>", and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata" id="ref-for-concept-request-parser-metadata②">parser metadata</a> is not <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted②">"parser-inserted"</a>,
  return "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③④">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="script-src Inline Check" data-level="6.1.10.3" id="script-src-inline"><span class="secno">6.1.10.3. </span><span class="content"> <code>script-src</code> Inline Check </span><a class="self-link" href="#script-src-inline"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check②">inline check</a> algorithm is as follows:</p>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element②">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>script attribute</code>" or "<code>script</code>":</p>
      <ol>
       <li data-md="">
        <p class="assertion">Assert: <var>element</var> is not <code>null</code>.</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-element-to-source-list">§6.6.2.3 Does element match source list for type and source?</a> on <var>element</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⑤">value</a>, <var>type</var>,
  and <var>source</var>, is "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>navigation</code>":</p>
      <ol>
       <li data-md="">
        <p>Let <var>unsafe-inline flag</var> be <code>false</code>.</p>
       <li data-md="">
        <p>For each <var>expression</var> in this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⑥">value</a>:</p>
        <ol>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source③"><code>nonce-source</code></a> or <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source⑤"><code>hash-source</code></a> grammar, return "<code>Blocked</code>".</p>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source②">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic③"><code>'strict-dynamic'</code></a>", return "<code>Blocked</code>".</p>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source③">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline①"><code>'unsafe-inline'</code></a>", set <var>unsafe-inline flag</var> to <code>true</code>.</p>
        </ol>
       <li data-md="">
        <p>If <var>unsafe-inline flag</var> is <code>false</code>, return "<code>Blocked</code>".</p>
      </ol>
      <p class="note" role="note"><span>Note:</span> Navigating to a <code>javascript:</code> URL is allowed only in the presence
  of "<a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline②"><code>'unsafe-inline'</code></a>" that isn’t overridden by a nonce,
  hash, or "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic④"><code>'strict-dynamic'</code></a>".</p>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.1.11" id="directive-style-src"><span class="secno">6.1.11. </span><span class="content"><code>style-src</code></span><a class="self-link" href="#directive-style-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="style-src">style-src</dfn> directive restricts the locations from which style
  may be applied to a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①②">Document</a></code>. The syntax for the directive’s name and
  value is described by the following ABNF:</p>
<pre>directive-name  = "style-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①⓪">serialized-source-list</a>
</pre>
    <p>The <code>style-src</code> directive governs several things:</p>
    <ol>
     <li data-md="">
      <p>Style <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④②">requests</a> MUST pass through <a href="#should-block-request">§4.1.3 Should request be blocked by Content Security Policy?</a>. This
  includes:</p>
      <ol>
       <li data-md="">
        <p>Stylesheet requests originating from a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-link-element" id="ref-for-the-link-element①">link</a></code> element.</p>
       <li data-md="">
        <p>Stylesheet requests originating from the <a class="css" data-link-type="at-rule" href="https://www.w3.org/TR/css-cascade-4/#at-ruledef-import" id="ref-for-at-ruledef-import"><code>@import</code></a> rule.</p>
       <li data-md="">
        <p>Stylesheet requests originating from a <code>Link</code> HTTP response header
  field <a data-link-type="biblio" href="#biblio-rfc8288">[RFC8288]</a>.</p>
      </ol>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⑧">Responses</a> to style requests MUST pass through <a href="#should-block-response">§4.1.4 Should response to request be blocked by Content
    Security Policy?</a>.</p>
     <li data-md="">
      <p>Inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-style-element" id="ref-for-the-style-element">style</a></code> blocks MUST pass through <a href="#should-block-inline">§4.2.4 Should element’s inline type behavior be blocked by Content Security Policy?</a>. The
  styles will be blocked unless every policy allows inline style, either
  implicitly by not specifying a <code>style-src</code> (or <code>default-src</code>) directive,
  or explicitly, by specifying "<code>unsafe-inline</code>", a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source④">nonce-source</a> or a <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source⑥">hash-source</a> that matches
  the inline block.</p>
     <li data-md="">
      <p>The following CSS algorithms are gated on the <code>unsafe-eval</code> source
  expression:</p>
      <ol>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom-1/#insert-a-css-rule" id="ref-for-insert-a-css-rule">insert a CSS rule</a></p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom-1/#parse-a-css-rule" id="ref-for-parse-a-css-rule">parse a CSS rule</a>,</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom-1/#parse-a-css-declaration-block" id="ref-for-parse-a-css-declaration-block">parse a CSS declaration block</a></p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://www.w3.org/TR/cssom-1/#parse-a-group-of-selectors" id="ref-for-parse-a-group-of-selectors">parse a group of selectors</a></p>
      </ol>
      <p>This would include, for example, all invocations of CSSOM’s various <code>cssText</code> setters and <code>insertRule</code> methods <a data-link-type="biblio" href="#biblio-cssom">[CSSOM]</a> <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
      <p class="issue" id="issue-ba1a0a35"><a class="self-link" href="#issue-ba1a0a35"></a> This needs to be better explained. <a href="https://github.com/w3c/webappsec-csp/issues/212">&lt;https://github.com/w3c/webappsec-csp/issues/212></a></p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="style-src Pre-request Check" data-level="6.1.11.1" id="style-src-pre-request"><span class="secno">6.1.11.1. </span><span class="content"> <code>style-src</code> Pre-request Check </span><a class="self-link" href="#style-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①③">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④③">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⑧">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②⓪">destination</a> is "<code>style</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.6.1.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata③">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⑦">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⑧">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="style-src Post-request Check" data-level="6.1.11.2" id="style-src-post-request"><span class="secno">6.1.11.2. </span><span class="content"> <code>style-src</code> Post-request Check </span><a class="self-link" href="#style-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①④">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④④">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response②⑨">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object④⑨">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②①">destination</a> is "<code>style</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-nonce-to-source-list">§6.6.1.2 Does nonce match source list?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata④">cryptographic nonce metadata</a> and this
  directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value③⑨">value</a> is "<code>Matches</code>", return
  "<code>Allowed</code>".</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⓪">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="style-src Inline Check" data-level="6.1.11.3" id="style-src-inline"><span class="secno">6.1.11.3. </span><span class="content"> <code>style-src</code> Inline Check </span><a class="self-link" href="#style-src-inline"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-inline-check" id="ref-for-directive-inline-check③">inline check</a> algorithm is as follows:</p>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element③">Element</a></code> (<var>element</var>), a string (<var>type</var>), and a string (<var>source</var>):</p>
    <ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>style</code>" or "<code>style attribute</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-element-to-source-list">§6.6.2.3 Does element match source list for type and source?</a> on <var>element</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④①">value</a>, <var>type</var>,
  and <var>source</var>, is "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization①">initialization</a> algorithm is as follows:</p>
    <p class="issue" id="issue-eba1ebc1"><a class="self-link" href="#issue-eba1ebc1"></a> Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so
  let’s work with them to put something reasonable together.</p>
    <h4 class="heading settled" data-level="6.1.12" id="directive-worker-src"><span class="secno">6.1.12. </span><span class="content"><code>worker-src</code></span><a class="self-link" href="#directive-worker-src"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="worker-src">worker-src</dfn> directive restricts the URLs which may be loaded as
  a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#worker" id="ref-for-worker②">Worker</a></code>, <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker" id="ref-for-sharedworker①">SharedWorker</a></code>, or <code class="idl"><a data-link-type="idl" href="https://w3c.github.io/ServiceWorker/#serviceworker" id="ref-for-serviceworker①">ServiceWorker</a></code>. The syntax for the
  directive’s name and value is described by the following ABNF:</p>
<pre>directive-name  = "worker-src"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①①">serialized-source-list</a>
</pre>
    <div class="example" id="example-04ba5239">
     <a class="self-link" href="#example-04ba5239"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src③">worker-src</a> https://example.com/
</pre>
     <p>Fetches for the following code will return a network errors, as the URL
    provided do not match <code>worker-src</code>'s <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists⑨">source list</a>:</p>
<pre class="highlight"><span class="nt">&lt;script></span>
  <span class="kd">var</span> blockedWorker <span class="o">=</span> <span class="k">new</span> Worker<span class="p">(</span><span class="s2">"data:application/javascript,..."</span><span class="p">);</span>
  blockedWorker <span class="o">=</span> <span class="k">new</span> SharedWorker<span class="p">(</span><span class="s2">"https://example.org/"</span><span class="p">);</span>
  navigator<span class="p">.</span>serviceWorker<span class="p">.</span>register<span class="p">(</span><span class="s1">'https://example.org/sw.js'</span><span class="p">);</span>
<span class="nt">&lt;/script></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="worker-src Pre-request Check" data-level="6.1.12.1" id="worker-src-pre-request"><span class="secno">6.1.12.1. </span><span class="content"> <code>worker-src</code> Pre-request Check </span><a class="self-link" href="#worker-src-pre-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①④">pre-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⑤">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⓪">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②②">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol start="4">
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④②">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="worker-src Post-request Check" data-level="6.1.12.2" id="worker-src-post-request"><span class="secno">6.1.12.2. </span><span class="content"> <code>worker-src</code> Post-request Check </span><a class="self-link" href="#worker-src-post-request"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①⑤">post-request check</a> is as follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⑥">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③⓪">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤①">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②③">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-response-to-source-list">§6.6.1.4 Does response to request match source list?</a> on <var>response</var>, <var>request</var>, and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④③">value</a> is "<code>Does Not Match</code>", return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h3 class="heading settled" data-level="6.2" id="directives-document"><span class="secno">6.2. </span><span class="content"> Document Directives </span><a class="self-link" href="#directives-document"></a></h3>
    <p>The following directives govern the properties of a document or worker
  environment to which a policy applies.</p>
    <h4 class="heading settled" data-level="6.2.1" id="directive-base-uri"><span class="secno">6.2.1. </span><span class="content"><code>base-uri</code></span><a class="self-link" href="#directive-base-uri"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="base-uri">base-uri</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url④">URL</a></code>s which can be used in
  a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①③">Document</a></code>'s <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element①">base</a></code> element. The syntax for the directive’s name and
  value is described by the following ABNF:</p>
<pre>directive-name  = "base-uri"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①②">serialized-source-list</a>
</pre>
    <p>The following algorithm is called during HTML’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url" id="ref-for-set-the-frozen-base-url①">set the frozen base url</a> algorithm in order to monitor and enforce this directive:</p>
    <h5 class="heading settled algorithm" data-algorithm="Is base allowed for document?" data-level="6.2.1.1" id="allow-base-for-document"><span class="secno">6.2.1.1. </span><span class="content"> Is <var>base</var> allowed for <var>document</var>? </span><a class="self-link" href="#allow-base-for-document"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url⑤">URL</a></code> (<var>base</var>), and a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①④">Document</a></code> (<var>document</var>), this algorithm
  returns "<code>Allowed</code>" if <var>base</var> may be used as the value of a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element②">base</a></code> element’s <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href" id="ref-for-attr-base-href①">href</a></code> attribute, and "<code>Blocked</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p>For each <var>policy</var> in <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①②">global object</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⑦">csp list</a>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>source list</var> be <code>null</code>.</p>
       <li data-md="">
        <p>If a <a data-link-type="dfn" href="#directives" id="ref-for-directives②⑦">directive</a> whose <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name②②">name</a> is
  "<code>base-uri</code>" is present in <var>policy</var>’s <a data-link-type="dfn" href="#policy-directive-set" id="ref-for-policy-directive-set①⓪">directive
  set</a>, set <var>source list</var> to that <a data-link-type="dfn" href="#directives" id="ref-for-directives②⑧">directive</a>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④④">value</a>.</p>
       <li data-md="">
        <p>If <var>source list</var> is <code>null</code>, skip to the next <var>policy</var>.</p>
       <li data-md="">
        <p>If the result of executing <a href="#match-url-to-source-list">§6.6.1.5 Does url match source list in origin with redirect count?</a> on <var>base</var>, <var>source list</var>, <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url" id="ref-for-fallback-base-url">fallback base URL</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-origin" id="ref-for-concept-url-origin">origin</a>, and <code>0</code> is "<code>Does Not Match</code>":</p>
        <ol>
         <li data-md="">
          <p>Let <var>violation</var> be the result of executing <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a> on <var>document</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①③">global
  object</a>, <var>policy</var>, and "<a data-link-type="dfn" href="#base-uri" id="ref-for-base-uri"><code>base-uri</code></a>".</p>
         <li data-md="">
          <p>Set <var>violation</var>’s <a data-link-type="dfn" href="#violation-resource" id="ref-for-violation-resource⑨">resource</a> to "<code>inline</code>".</p>
         <li data-md="">
          <p>Execute <a href="#report-violation">§5.3 Report a violation</a> on <var>violation</var>.</p>
         <li data-md="">
          <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⑦">disposition</a> is "<code>enforce</code>",
  return "<code>Blocked</code>".</p>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> We compare against the fallback base URL in order to deal correctly with things like <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#an-iframe-srcdoc-document" id="ref-for-an-iframe-srcdoc-document②">an iframe <code>srcdoc</code> <code>Document</code></a> which has been sandboxed into an opaque origin.</p>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.2.2" id="directive-plugin-types"><span class="secno">6.2.2. </span><span class="content"><code>plugin-types</code></span><a class="self-link" href="#directive-plugin-types"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="plugin-types">plugin-types</dfn> directive restricts the set of plugins that
  can be embedded into a document by limiting the types of resources which can
  be loaded. The directive’s syntax is described by the following ABNF grammar:</p>
<pre>directive-name  = "plugin-types"
directive-value = <a data-link-type="grammar" href="#grammardef-media-type-list" id="ref-for-grammardef-media-type-list">media-type-list</a>

<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-media-type-list">media-type-list</dfn> = <a data-link-type="grammar" href="#grammardef-media-type" id="ref-for-grammardef-media-type">media-type</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3⑥">RWS</a> <a data-link-type="grammar" href="#grammardef-media-type" id="ref-for-grammardef-media-type①">media-type</a> )
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-media-type">media-type</dfn> = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1" id="ref-for-section-5.1">type</a> "/" <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1" id="ref-for-section-5.1①">subtype</a>
; <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1" id="ref-for-section-5.1②">type</a> and <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc2045#section-5.1" id="ref-for-section-5.1③">subtype</a> are defined in RFC 2045
</pre>
    <p>If a <code>plugin-types</code> directive is present, instantiation of an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element" id="ref-for-the-embed-element③">embed</a></code> or <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element⑤">object</a></code> element will fail if any of the following conditions hold:</p>
    <ol>
     <li data-md="">
      <p>The element does not explicitly declare a <a data-link-type="dfn" href="https://mimesniff.spec.whatwg.org/#valid-mime-type" id="ref-for-valid-mime-type">valid MIME type</a> via a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-embed-type" id="ref-for-attr-embed-type">type</a></code> attribute.</p>
     <li data-md="">
      <p>The declared type does not match one of the items in the directive’s
  value.</p>
     <li data-md="">
      <p>The fetched resource does not match the declared type.</p>
    </ol>
    <div class="example" id="example-b40ed0be">
     <a class="self-link" href="#example-b40ed0be"></a> Given a page with the following Content Security Policy: 
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types">plugin-types</a> application/pdf
</pre>
     <p>Fetches for the following code will all return network errors:</p>
<pre class="highlight"><span class="c">&lt;!-- No 'type' declaration --></span>
<span class="nt">&lt;object</span> <span class="na">data=</span><span class="s">"https://example.com/flash"</span><span class="nt">>&lt;/object></span>

<span class="c">&lt;!-- Non-matching 'type' declaration --></span>
<span class="nt">&lt;object</span> <span class="na">data=</span><span class="s">"https://example.com/flash"</span> <span class="na">type=</span><span class="s">"application/x-shockwave-flash"</span><span class="nt">>&lt;/object></span>

<span class="c">&lt;!-- Non-matching resource --></span>
<span class="nt">&lt;object</span> <span class="na">data=</span><span class="s">"https://example.com/flash"</span> <span class="na">type=</span><span class="s">"application/pdf"</span><span class="nt">>&lt;/object></span>
</pre>
     <p>If the page allowed Flash content by sending the following header:</p>
<pre>Content-Security-Policy: <a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types①">plugin-types</a> application/x-shockwave-flash
</pre>
     <p>Then the second item above would load successfully:</p>
<pre class="highlight"><span class="c">&lt;!-- Matching 'type' declaration and resource --></span>
<span class="nt">&lt;object</span> <span class="na">data=</span><span class="s">"https://example.com/flash"</span> <span class="na">type=</span><span class="s">"application/x-shockwave-flash"</span><span class="nt">>&lt;/object></span>
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="plugin-types Post-Request Check" data-dfn-type="dfn" data-level="6.2.2.1" data-lt="plugin-types Post-Request Check" data-noexport="" id="plugin-types-post-request-check"><span class="secno">6.2.2.1. </span><span class="content"> <code>plugin-types</code> Post-Request Check </span><a class="self-link" href="#plugin-types-post-request-check"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①⑥">post-request check</a> algorithm is as
  follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⑦">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③①">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤②">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>policy</var> is unused.</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②④">destination</a> is either "<code>object</code>"
  or "<code>embed</code>":</p>
      <ol>
       <li data-md="">
        <p>Let <var>type</var> be the result of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-extract-mime-type" id="ref-for-concept-header-extract-mime-type">extracting a
  MIME type</a> from <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list④">header list</a>.</p>
       <li data-md="">
        <p>If <var>type</var> is not an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive③">ASCII case-insensitive</a> match for any item
  in this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⑤">value</a>, return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled dfn-paneled algorithm" data-algorithm="Should plugin element be blocked a priori by Content
    Security Policy?:" data-dfn-type="dfn" data-level="6.2.2.2" data-lt="Should plugin element be blocked a priori by Content Security Policy?:" data-noexport="" id="should-plugin-element-be-blocked-a-priori-by-content-security-policy"><span class="secno">6.2.2.2. </span><span class="content"> Should <var>plugin element</var> be blocked <i lang="la">a priori</i> by Content
    Security Policy?: </span></h5>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element④">Element</a></code> (<var>plugin element</var>), this algorithm returns "<code>Blocked</code>"
  or "<code>Allowed</code>" based on the element’s <code>type</code> attribute and the policy applied to
  its document:</p>
    <ol class="algorithm">
     <li data-md="">
      <p>For each <var>policy</var> in <var>plugin element</var>’s <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-node-document" id="ref-for-concept-node-document">node document</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list" id="ref-for-concept-document-csp-list⑨">CSP list</a>:</p>
      <ol>
       <li data-md="">
        <p>If <var>policy</var> contains a <a data-link-type="dfn" href="#directives" id="ref-for-directives②⑨">directive</a> (<var>directive</var>) whose name is <code>plugin-types</code>:</p>
        <ol>
         <li data-md="">
          <p>Let <var>type</var> be "<code>application/x-java-applet</code>" if <var>plugin element</var> is an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/obsolete.html#applet" id="ref-for-applet③"><code>applet</code></a> element, or <var>plugin element</var>’s <code>type</code> attribute’s
  value if present, or "<code>null</code>" otherwise.</p>
         <li data-md="">
          <p>Return "<code>Blocked</code>" if any of the following are true:</p>
          <ol>
           <li data-md="">
            <p><var>type</var> is <code>null</code>.</p>
           <li data-md="">
            <p><var>type</var> is not a <a data-link-type="dfn" href="https://mimesniff.spec.whatwg.org/#valid-mime-type" id="ref-for-valid-mime-type①">valid MIME type</a>.</p>
           <li data-md="">
            <p><var>type</var> is not an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive④">ASCII case-insensitive</a> match for any
  item in <var>directive</var>’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⑥">value</a>.</p>
          </ol>
        </ol>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.2.3" id="directive-sandbox"><span class="secno">6.2.3. </span><span class="content"><code>sandbox</code></span><a class="self-link" href="#directive-sandbox"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="sandbox">sandbox</dfn> directive specifies an HTML sandbox policy which the
  user agent will apply to a resource, just as though it had been included in
  an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element②">iframe</a></code> with a <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox">sandbox</a></code> property.</p>
    <p>The directive’s syntax is described by the following ABNF grammar, with
  the additional requirement that each token value MUST be one of the
  keywords defined by HTML specification as allowed values for the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element③">iframe</a></code> <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox①">sandbox</a></code> attribute <a data-link-type="biblio" href="#biblio-html">[HTML]</a>.</p>
<pre>directive-name  = "sandbox"
directive-value = "" / <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6" id="ref-for-section-3.2.6">token</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3⑦">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6" id="ref-for-section-3.2.6①">token</a> )
</pre>
    <p>This directive has no reporting requirements; it will be ignored entirely when
  delivered in a <a data-link-type="http-header" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only③"><code>Content-Security-Policy-Report-Only</code></a> header, or within
  a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta①⓪">meta</a></code> element.</p>
    <h5 class="heading settled algorithm" data-algorithm="sandbox Response Check" data-level="6.2.3.1" id="sandbox-response"><span class="secno">6.2.3.1. </span><span class="content"> <code>sandbox</code> Response Check </span><a class="self-link" href="#sandbox-response"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check②">response check</a> algorithm is as
  follows:</p>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⑧">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③②">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤③">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>response</var> is unused.</p>
     <li data-md="">
      <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⑧">disposition</a> is not "<code>enforce</code>", then
  return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>If <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②⑤">destination</a> is one of
  "<code>serviceworker</code>", "<code>sharedworker</code>", or "<code>worker</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#parse-a-sandboxing-directive" id="ref-for-parse-a-sandboxing-directive">Parse a sandboxing directive</a> algorithm
  using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⑦">value</a> as the input
  contains either the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-scripts-browsing-context-flag" id="ref-for-sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a> or
  the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-origin-browsing-context-flag" id="ref-for-sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a> flags, return
  "<code>Blocked</code>".</p>
        <p class="note" role="note"><span>Note:</span> This will need to change if we allow Workers to be sandboxed into
  unique origins, which seems like a pretty reasonable thing to do.</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="sandbox Initialization" data-level="6.2.3.2" id="sandbox-init"><span class="secno">6.2.3.2. </span><span class="content"> <code>sandbox</code> Initialization </span><a class="self-link" href="#sandbox-init"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization②">initialization</a> algorithm is
  responsible for adjusting a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⑤">Document</a></code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#forced-sandboxing-flag-set" id="ref-for-forced-sandboxing-flag-set">forced sandboxing flag set</a> according to the <a data-link-type="dfn" href="#sandbox" id="ref-for-sandbox"><code>sandbox</code></a> values present in its policies, as
  follows:</p>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⑥">Document</a></code> or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①④">global object</a> (<var>context</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③③">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤④">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>response</var> is unused.</p>
     <li data-md="">
      <p>If <var>policy</var>’s <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition①⑨">disposition</a> is not "<code>enforce</code>", or <var>context</var> is not a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⑦">Document</a></code>, then abort this algorithm.</p>
      <p class="note" role="note"><span>Note:</span> This will need to change if we allow Workers to be sandboxed,
  which seems like a pretty reasonable thing to do.</p>
     <li data-md="">
      <p><a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#parse-a-sandboxing-directive" id="ref-for-parse-a-sandboxing-directive①">Parse a sandboxing directive</a> using this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⑧">value</a> as the input, and <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#forced-sandboxing-flag-set" id="ref-for-forced-sandboxing-flag-set①">forced
  sandboxing flag set</a> as the output.</p>
    </ol>
    <section class="wip">
     <h4 class="heading settled" data-level="6.2.4" id="directive-disown-opener"><span class="secno">6.2.4. </span><span class="content"><code>disown-opener</code></span><a class="self-link" href="#directive-disown-opener"></a></h4>
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="disown-opener"><code>disown-opener</code></dfn> directive ensures that a resource
    will <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#disowned-its-opener" id="ref-for-disowned-its-opener">disown its opener</a> when navigated to. The directive’s syntax is
    described by the following ABNF grammar:</p>
<pre>directive-name  = "disown-opener"
directive-value = ""
</pre>
     <p>This directive has no reporting requirements; it will be ignored entirely when
    delivered in a <a data-link-type="http-header" href="#header-content-security-policy-report-only" id="ref-for-header-content-security-policy-report-only④"><code>Content-Security-Policy-Report-Only</code></a> header, or within
    a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta①①">meta</a></code> element.</p>
     <p class="issue" id="issue-55f190c5"><a class="self-link" href="#issue-55f190c5"></a> Not sure this is the right model. We need to ensure that we take care
    of <a href="https://github.com/w3c/webappsec/issues/139">the inverse</a> as
    well, and there might be a cleverer syntax that could encompass both a
    document’s opener, and a document’s openees. <code>disown-openee</code> is weird.
    Maybe <code>disown 'opener' 'openee'</code>? Do we need origin restrictions on either/both?</p>
    </section>
    <h5 class="heading settled algorithm" data-algorithm="disown-opener Initialization" data-level="6.2.4.1" id="disown-opener-init"><span class="secno">6.2.4.1. </span><span class="content"> <code>disown-opener</code> Initialization </span><a class="self-link" href="#disown-opener-init"></a></h5>
    <p>This directive’s <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization③">initialization</a> algorithm is as
  follows:</p>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⑧">Document</a></code> or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object" id="ref-for-global-object①⑤">global object</a> (<var>context</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③④">response</a> (<var>response</var>), and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⑤">policy</a> (<var>policy</var>):</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>response</var> and <var>policy</var> are unused.</p>
     <li data-md="">
      <p>If <var>context</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#responsible-browsing-context" id="ref-for-responsible-browsing-context">responsible browsing context</a> has an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#opener-browsing-context" id="ref-for-opener-browsing-context①">opener browsing
  context</a>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#disowned-its-opener" id="ref-for-disowned-its-opener①">disown its opener</a>.</p>
    </ol>
    <p class="issue" id="issue-466edd09"><a class="self-link" href="#issue-466edd09"></a> What should this do in an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element④">iframe</a></code>? Anything?</p>
    <h3 class="heading settled" data-level="6.3" id="directives-navigation"><span class="secno">6.3. </span><span class="content"> Navigation Directives </span><a class="self-link" href="#directives-navigation"></a></h3>
    <h4 class="heading settled" data-level="6.3.1" id="directive-form-action"><span class="secno">6.3.1. </span><span class="content"><code>form-action</code></span><a class="self-link" href="#directive-form-action"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="form-action">form-action</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url⑥">URL</a></code>s which can be used
  as the target of a form submissions from a given context. The directive’s syntax is
  described by the following ABNF grammar:</p>
<pre class="abnf">directive-name  = "form-action"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①③">serialized-source-list</a>
</pre>
    <h5 class="heading settled algorithm" data-algorithm="form-action Pre-Navigation Check" data-level="6.3.1.1" id="form-action-pre-navigate"><span class="secno">6.3.1.1. </span><span class="content"> <code>form-action</code> Pre-Navigation Check </span><a class="self-link" href="#form-action-pre-navigate"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request④⑨">request</a> (<var>request</var>), a string (<var>type</var>, "<code>form-submission</code> or
  "<code>other</code>") and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context⑤">browsing contexts</a> (<var>source</var> and <var>target</var>), this
  algorithm returns "<code>Blocked</code>" if one or more of the ancestors of <var>target</var> violate the <code>frame-ancestors</code> directive delivered with the response, and
  "<code>Allowed</code>" otherwise. This constitutes the <code>form-action</code>' directive’s <a data-link-type="dfn" href="#directive-pre-navigation-check" id="ref-for-directive-pre-navigation-check①">pre-navigation check</a>:</p>
    <ol class="algorithm">
     <li data-md="">
      <p class="assertion">Assert: <var>source</var> and <var>target</var> are unused in this algorithm, as <code>form-action</code> is concerned only with details of the outgoing request.</p>
     <li data-md="">
      <p>If <var>type</var> is "<code>form-submission</code>":</p>
      <ol>
       <li data-md="">
        <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value④⑨">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h4 class="heading settled" data-level="6.3.2" id="directive-frame-ancestors"><span class="secno">6.3.2. </span><span class="content"><code>frame-ancestors</code></span><a class="self-link" href="#directive-frame-ancestors"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="frame-ancestors">frame-ancestors</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url⑦">URL</a></code>s which can
  embed the resource using <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/obsolete.html#frame" id="ref-for-frame②">frame</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element⑤">iframe</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element" id="ref-for-the-object-element⑥">object</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element" id="ref-for-the-embed-element④">embed</a></code>, or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/obsolete.html#applet" id="ref-for-applet④"><code>applet</code></a> element. Resources can use this directive to avoid many UI
  Redressing <a data-link-type="biblio" href="#biblio-uisecurity">[UISECURITY]</a> attacks, by avoiding the risk of being embedded into
  potentially hostile contexts.</p>
    <p>The directive’s syntax is described by the following ABNF grammar:</p>
<pre>directive-name  = "frame-ancestors"
directive-value = <a data-link-type="grammar" href="#grammardef-ancestor-source-list" id="ref-for-grammardef-ancestor-source-list">ancestor-source-list</a>

<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-ancestor-source-list">ancestor-source-list</dfn> = ( <a data-link-type="grammar" href="#grammardef-ancestor-source" id="ref-for-grammardef-ancestor-source">ancestor-source</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3⑧">RWS</a> <a data-link-type="grammar" href="#grammardef-ancestor-source" id="ref-for-grammardef-ancestor-source①">ancestor-source</a>) ) / "<a data-link-type="grammar" href="#grammardef-none" id="ref-for-grammardef-none①">'none'</a>"
<dfn class="dfn-paneled" data-dfn-type="grammar" data-export="" id="grammardef-ancestor-source">ancestor-source</dfn>      = <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source①">scheme-source</a> / <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source①">host-source</a> / "<a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self②②">'self'</a>"
</pre>
    <p>The <code>frame-ancestors</code> directive MUST be ignored when contained in a policy
  declared via a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#meta" id="ref-for-meta①②">meta</a></code> element.</p>
    <p class="note" role="note"><span>Note:</span> The <code>frame-ancestors</code> directive’s syntax is similar to a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⓪">source
  list</a>, but <code>frame-ancestors</code> will not fall back to the <code>default-src</code> directive’s value if one is specified. That is, a policy that declares <code>default-src 'none'</code> will still allow the resource to be embedded by anyone.</p>
    <h5 class="heading settled algorithm" data-algorithm="frame-ancestors Navigation Response Check" data-level="6.3.2.1" id="frame-ancestors-navigation-response"><span class="secno">6.3.2.1. </span><span class="content"> <code>frame-ancestors</code> Navigation Response Check </span><a class="self-link" href="#frame-ancestors-navigation-response"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤⓪">request</a> (<var>request</var>), a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③⑤">response</a> (<var>navigation response</var>)
  and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context⑥">browsing contexts</a> (<var>source</var> and <var>target</var>), this algorithm
  returns "<code>Blocked</code>" if one or more of the ancestors of <var>target</var> violate the <code>frame-ancestors</code> directive delivered with the response, and "<code>Allowed</code>"
  otherwise. This constitutes the <code>frame-ancestors</code>' directive’s <a data-link-type="dfn" href="#directive-navigation-response-check" id="ref-for-directive-navigation-response-check①">navigation
  response check</a>:</p>
    <ol class="algorithm">
     <li data-md="">
      <p class="assertion">Assert: <var>request</var>, <var>navigation response</var>, and <var>source</var> are unused in
  this algorithm, as <code>frame-ancestors</code> is concerned only with <var>target</var>’s
  ancestors.</p>
     <li data-md="">
      <p>If <var>target</var> is not a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context⑦">nested browsing context</a>, return "<code>Allowed</code>".</p>
     <li data-md="">
      <p>Let <var>current</var> be <var>target</var>.</p>
     <li data-md="">
      <p>While <var>current</var> has a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context" id="ref-for-parent-browsing-context">parent browsing context</a> (<var>parent</var>):</p>
      <ol>
       <li data-md="">
        <p>Set <var>current</var> to <var>parent</var>.</p>
       <li data-md="">
        <p>Let <var>origin</var> be the result of executing the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-parser" id="ref-for-concept-url-parser①">URL parser</a> on the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin" id="ref-for-ascii-serialisation-of-an-origin">ASCII serialization</a> of <var>parent</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#active-document" id="ref-for-active-document③">active document</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object" id="ref-for-relevant-settings-object③">relevant settings
  object</a>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin" id="ref-for-concept-settings-object-origin①">origin</a>.</p>
       <li data-md="">
        <p>If <a href="#match-url-to-source-list">§6.6.1.5 Does url match source list in origin with redirect count?</a> returns <code>Does Not Match</code> when
  executed upon <var>origin</var>, this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑤⓪">value</a>, <var>navigation response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url⑤">url</a>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-origin" id="ref-for-concept-url-origin①">origin</a>, and <code>0</code>, return
  "<code>Blocked</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Allowed</code>".</p>
    </ol>
    <h5 class="heading settled" data-level="6.3.2.2" id="frame-ancestors-and-frame-options"><span class="secno">6.3.2.2. </span><span class="content"> Relation to <code>X-Frame-Options</code> </span><a class="self-link" href="#frame-ancestors-and-frame-options"></a></h5>
    <p>This directive is similar to the <code>X-Frame-Options</code> header that several user agents have
  implemented. The <code>'none'</code> source expression is roughly equivalent to that header’s <code>DENY</code>, <code>'self'</code> to <code>SAMEORIGIN</code>, and so on. The major difference is that many user agents implement <code>SAMEORIGIN</code> such that it only matches against the top-level document’s location, while
  the <a data-link-type="dfn" href="#frame-ancestors" id="ref-for-frame-ancestors"><code>frame-ancestors</code></a> directive checks against each ancestor. If _any_ ancestor doesn’t
  match, the load is cancelled. <a data-link-type="biblio" href="#biblio-rfc7034">[RFC7034]</a></p>
    <p>In order to allow backwards-compatible deployment, the <a data-link-type="dfn" href="#frame-ancestors" id="ref-for-frame-ancestors①"><code>frame-ancestors</code></a> directive
  _obsoletes_ the <code>X-Frame-Options</code> header. If a resource is delivered with an <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⑥">policy</a> that includes a <a data-link-type="dfn" href="#directives" id="ref-for-directives③⓪">directive</a> named <a data-link-type="dfn" href="#frame-ancestors" id="ref-for-frame-ancestors②"><code>frame-ancestors</code></a> and whose <a data-link-type="dfn" href="#policy-disposition" id="ref-for-policy-disposition②⓪">disposition</a> is "<code>enforce</code>", then the <code>X-Frame-Options</code> header MUST be ignored.</p>
    <p class="issue" id="issue-db2876b7"><a class="self-link" href="#issue-db2876b7"></a> Spell this out in more detail as part of defining <code>X-Frame-Options</code> integration with the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response" id="ref-for-process-a-navigate-response②">process a navigate response</a> algorithm. <a href="https://github.com/whatwg/html/issues/1230">&lt;https://github.com/whatwg/html/issues/1230></a></p>
    <section class="wip">
     <h4 class="heading settled" data-level="6.3.3" id="directive-navigation-to"><span class="secno">6.3.3. </span><span class="content"><code>navigation-to</code></span><a class="self-link" href="#directive-navigation-to"></a></h4>
     <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="navigation-to">navigation-to</dfn> directive restricts the <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url⑧">URL</a></code>s to which
    a document can navigate by any means (<code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-a-element" id="ref-for-the-a-element①">a</a></code>, <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/forms.html#the-form-element" id="ref-for-the-form-element">form</a></code>, <code>window.location</code>, <code>window.open</code>, etc.). The directive’s syntax is described by the following ABNF grammar:</p>
<pre class="abnf">directive-name  = "navigation-to"
directive-value = <a data-link-type="grammar" href="#grammardef-serialized-source-list" id="ref-for-grammardef-serialized-source-list①④">serialized-source-list</a>
</pre>
     <p class="issue" id="issue-86f8d392"><a class="self-link" href="#issue-86f8d392"></a> Should we use <code>ancestor-source-list</code> (basically, origins as opposed to
    paths?) It doesn’t appear that blocking navigation targets is any worse than
    blocking any other request type with regard to leakage. Given the redirect
    behavior, this devolves to an origin check in the presence of a malicious
    party anyway...</p>
     <h5 class="heading settled algorithm" data-algorithm="navigation-to Pre-Navigation Check" data-level="6.3.3.1" id="navigation-to-pre-navigate"><span class="secno">6.3.3.1. </span><span class="content"> <code>navigation-to</code> Pre-Navigation Check </span><a class="self-link" href="#navigation-to-pre-navigate"></a></h5>
     <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤①">request</a> (<var>request</var>), a string (<var>type</var>, "<code>form-submission</code> or
    "<code>other</code>") and two <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context⑦">browsing contexts</a> (<var>source</var> and <var>target</var>), this
    algorithm returns "<code>Blocked</code>" if the navigation violates the <code>navigation-to</code> directive’s constraints, and "<code>Allowed</code>" otherwise. This constitutes the <code>navigation-to</code>' directive’s <a data-link-type="dfn" href="#directive-pre-navigation-check" id="ref-for-directive-pre-navigation-check②">pre-navigation check</a>:</p>
     <ol class="algorithm">
      <li data-md="">
       <p class="assertion">Assert: <var>source</var> and <var>target</var> are unused in this algorithm, as <code>navigation-to</code> is concerned only with details of the outgoing request.
  Likewise, <var>type</var> is unused, as all navigation requests are treated
  identically.</p>
      <li data-md="">
       <p>If the result of executing <a href="#match-request-to-source-list">§6.6.1.3 Does request match source list?</a> on <var>request</var> and this directive’s <a data-link-type="dfn" href="#directive-value" id="ref-for-directive-value⑤①">value</a> is
  "<code>Does Not Match</code>", return "<code>Blocked</code>".</p>
      <li data-md="">
       <p>Return "<code>Allowed</code>".</p>
     </ol>
    </section>
    <h3 class="heading settled" data-level="6.4" id="directives-reporting"><span class="secno">6.4. </span><span class="content"> Reporting Directives </span><a class="self-link" href="#directives-reporting"></a></h3>
    <p>Various algorithms in this document hook into the reporting process by
  constructing a <a data-link-type="dfn" href="#violation" id="ref-for-violation①⑨">violation</a> object via <a href="#create-violation-for-request">§2.4.2 Create a violation object for request, policy, and directive</a> or <a href="#create-violation-for-global">§2.4.1 Create a violation object for global, policy, and directive</a>, and passing that object to <a href="#report-violation">§5.3 Report a violation</a> to deliver the report.</p>
    <h4 class="heading settled" data-level="6.4.1" id="directive-report-uri"><span class="secno">6.4.1. </span><span class="content"><code>report-uri</code></span><a class="self-link" href="#directive-report-uri"></a></h4>
    <div class="note" role="note">
      Note: The <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri②"><code>report-uri</code></a> directive is deprecated. Please use the <a data-link-type="dfn" href="#report-to" id="ref-for-report-to③"><code>report-to</code></a> directive instead. If the latter directive is present,
    this directive will be ignored. To ensure backwards compatibility, we
    suggest specifying both, like this: 
     <div class="example" id="example-9d2ef57e">
      <a class="self-link" href="#example-9d2ef57e"></a> 
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy⑤">Content-Security-Policy</a>: ...; <a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri③">report-uri</a> https://endpoint.com; <a data-link-type="dfn" href="#report-to" id="ref-for-report-to④">report-to</a> groupname
</pre>
     </div>
    </div>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="report-uri"><code>report-uri</code></dfn> directive defines a set of endpoints to which <a data-link-type="dfn" href="#violation-report" id="ref-for-violation-report">violation reports</a> will be sent when particular behaviors are prevented.</p>
<pre>directive-name  = "report-uri"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1" id="ref-for-section-4.1">uri-reference</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3" id="ref-for-section-3.2.3⑨">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1" id="ref-for-section-4.1①">uri-reference</a> )

; The <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-4.1" id="ref-for-section-4.1②">uri-reference</a> grammar is defined in Section 4.1 of RFC 3986.
</pre>
    <p>The directive has no effect in and of itself, but only gains meaning in
  combination with other directives.</p>
    <h4 class="heading settled" data-level="6.4.2" id="directive-report-to"><span class="secno">6.4.2. </span><span class="content"><code>report-to</code></span><a class="self-link" href="#directive-report-to"></a></h4>
    <p>The <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="report-to"><code>report-to</code></dfn> directive defines a <a data-link-type="dfn" href="https://w3c.github.io/reporting/#group" id="ref-for-group">reporting
  group</a> to which violation reports ought to be sent <a data-link-type="biblio" href="#biblio-reporting">[REPORTING]</a>. The
  directive’s behavior is defined in <a href="#report-violation">§5.3 Report a violation</a>. The directive’s name
  and value are described by the following ABNF:</p>
<pre>directive-name  = "report-to"
directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6" id="ref-for-section-3.2.6②">token</a>
</pre>
    <h3 class="heading settled" data-level="6.5" id="directives-elsewhere"><span class="secno">6.5. </span><span class="content"> Directives Defined in Other Documents </span><a class="self-link" href="#directives-elsewhere"></a></h3>
    <p>This document defines a core set of directives, and sets up a framework for
  modular extension by other specifications. At the time this document was
  produced, the following stable documents extend CSP:</p>
    <ul>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-mix">[MIX]</a> defines <code>block-all-mixed-content</code></p>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-upgrade-insecure-requests">[UPGRADE-INSECURE-REQUESTS]</a> defines <code>upgrade-insecure-requests</code></p>
     <li data-md="">
      <p><a data-link-type="biblio" href="#biblio-sri">[SRI]</a> defines <code>require-sri-for</code></p>
    </ul>
    <p>Extensions to CSP MUST register themselves via the process outlined in <a data-link-type="biblio" href="#biblio-rfc7762">[RFC7762]</a>. In particular, note the criteria discussed in Section 4.2 of
  that document.</p>
    <p>New directives SHOULD use the <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①⑤">pre-request check</a>, <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①⑦">post-request check</a>, <a data-link-type="dfn" href="#directive-response-check" id="ref-for-directive-response-check③">response
  check</a>, and <a data-link-type="dfn" href="#directive-initialization" id="ref-for-directive-initialization④">initialization</a> hooks in order to
  integrate themselves into Fetch and HTML.</p>
    <h3 class="heading settled" data-level="6.6" id="algorithms"><span class="secno">6.6. </span><span class="content">Matching Algorithms</span><a class="self-link" href="#algorithms"></a></h3>
    <h4 class="heading settled" data-level="6.6.1" id="matching-urls"><span class="secno">6.6.1. </span><span class="content">URL Matching</span><a class="self-link" href="#matching-urls"></a></h4>
    <h5 class="heading settled algorithm" data-algorithm="Does request violate policy?" data-level="6.6.1.1" id="does-request-violate-policy"><span class="secno">6.6.1.1. </span><span class="content"> Does <var>request</var> violate <var>policy</var>? </span><a class="self-link" href="#does-request-violate-policy"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤②">request</a> (<var>request</var>) and a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⑦">policy</a> (<var>policy</var>), this
  algorithm returns the violated <a data-link-type="dfn" href="#directives" id="ref-for-directives③①">directive</a> if the request violates the
  policy, and "<code>Does Not Violate</code>" otherwise.</p>
    <ol>
     <li data-md="">
      <p>Let <var>violates</var> be "<code>Does Not Violate</code>".</p>
     <li data-md="">
      <p>For each <var>directive</var> in <var>policy</var>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>result</var> be the result of executing <var>directive</var>’s <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①⑥">pre-request check</a> on <var>request</var> and <var>policy</var>.</p>
       <li data-md="">
        <p>If <var>result</var> is "<code>Blocked</code>", then let <var>violates</var> be <var>directive</var>.</p>
      </ol>
     <li data-md="">
      <p>Return <var>violates</var>.</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does nonce match source list?" data-level="6.6.1.2" id="match-nonce-to-source-list"><span class="secno">6.6.1.2. </span><span class="content"> Does <var>nonce</var> match <var>source list</var>? </span><a class="self-link" href="#match-nonce-to-source-list"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤③">request</a>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata" id="ref-for-concept-request-nonce-metadata⑤">cryptographic nonce metadata</a> (<var>nonce</var>) and a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①①">source list</a> (<var>source list</var>), this algorithm returns
  "<code>Matches</code>" if the nonce matches one or more source expressions in the list,
  and "<code>Does Not Match</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source list</var> is not <code>null</code>.</p>
     <li data-md="">
      <p>If <var>nonce</var> is the empty string, return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>source list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source⑤"><code>nonce-source</code></a> grammar,
  and <var>nonce</var> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive②">case-sensitive</a> match for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value⑤"><code>base64-value</code></a> part, return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does request match source list?" data-level="6.6.1.3" id="match-request-to-source-list"><span class="secno">6.6.1.3. </span><span class="content"> Does <var>request</var> match <var>source list</var>? </span><a class="self-link" href="#match-request-to-source-list"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤④">request</a> (<var>request</var>), and a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①②">source list</a> (<var>source list</var>),
  this algorithm returns the result of executing <a href="#match-url-to-source-list">§6.6.1.5 Does url match source list in origin with redirect count?</a> on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-current-url" id="ref-for-concept-request-current-url①">current url</a>, <var>source list</var>, <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-origin" id="ref-for-concept-request-origin①">origin</a>, and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-redirect-count" id="ref-for-concept-request-redirect-count">redirect
  count</a>.</p>
    <p class="note" role="note"><span>Note:</span> This is generally used in <a data-link-type="dfn" href="#directives" id="ref-for-directives③②">directives</a>' <a data-link-type="dfn" href="#directive-pre-request-check" id="ref-for-directive-pre-request-check①⑦">pre-request check</a> algorithms to verify that a given <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤⑤">request</a> is reasonable.</p>
    <h5 class="heading settled algorithm" data-algorithm="Does response to request match source list?" data-level="6.6.1.4" id="match-response-to-source-list"><span class="secno">6.6.1.4. </span><span class="content"> Does <var>response</var> to <var>request</var> match <var>source list</var>? </span><a class="self-link" href="#match-response-to-source-list"></a></h5>
    <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤⑥">request</a> (<var>request</var>), and a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①③">source list</a> (<var>source list</var>),
  this algorithm returns the result of executing <a href="#match-url-to-source-list">§6.6.1.5 Does url match source list in origin with redirect count?</a> on <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-url" id="ref-for-concept-response-url⑥">url</a>, <var>source list</var>, <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-origin" id="ref-for-concept-request-origin②">origin</a>, and <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-redirect-count" id="ref-for-concept-request-redirect-count①">redirect
  count</a>.</p>
    <p class="note" role="note"><span>Note:</span> This is generally used in <a data-link-type="dfn" href="#directives" id="ref-for-directives③③">directives</a>' <a data-link-type="dfn" href="#directive-post-request-check" id="ref-for-directive-post-request-check①⑧">post-request check</a> algorithms to verify that a given <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response" id="ref-for-concept-response③⑥">response</a> is reasonable.</p>
    <h5 class="heading settled algorithm" data-algorithm="Does url match source list in origin with redirect count?" data-level="6.6.1.5" id="match-url-to-source-list"><span class="secno">6.6.1.5. </span><span class="content"> Does <var>url</var> match <var>source list</var> in <var>origin</var> with <var>redirect count</var>? </span><a class="self-link" href="#match-url-to-source-list"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url⑨">URL</a></code> (<var>url</var>), a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①④">source list</a> (<var>source list</var>), an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origin</a> (<var>origin</var>), and a number (<var>redirect count</var>), this
  algorithm returns "<code>Matches</code>" if the URL matches one or more source
  expressions in <var>source list</var>, or "<code>Does Not Match</code>" otherwise:</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source list</var> is not <code>null</code>.</p>
     <li data-md="">
      <p>If <var>source list</var> is an empty list, return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>If <var>source list</var> contains a single item which is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive⑤">ASCII
  case-insensitive</a> match for the string "<code>'none'</code>", return "<code>Does Not Match</code>".</p>
      <p class="note" role="note"><span>Note:</span> An empty source list (that is, a directive without a value: <code>script-src</code>,
  as opposed to <code>script-src host1</code>) is equivalent to a source list containing <code>'none'</code>,
  and will not match any URL.</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>source list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <a href="#match-url-to-source-expression">§6.6.1.6 Does url match expression in origin with redirect count?</a> returns "<code>Matches</code>" when
  executed upon <var>url</var>, <var>expression</var>, <var>origin</var>, and <var>redirect count</var>, return
  "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Does url match expression in origin with redirect count?" data-level="6.6.1.6" id="match-url-to-source-expression"><span class="secno">6.6.1.6. </span><span class="content"> Does <var>url</var> match <var>expression</var> in <var>origin</var> with <var>redirect count</var>? </span><a class="self-link" href="#match-url-to-source-expression"></a></h5>
    <p>Given a <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#url" id="ref-for-url①⓪">URL</a></code> (<var>url</var>), a <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression⑦">source expression</a> (<var>expression</var>), an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin①">origin</a> (<var>origin</var>), and a number (<var>redirect count</var>), this algorithm
  returns "<code>Matches</code>" if <var>url</var> matches <var>expression</var>, and "<code>Does Not Match</code>"
  otherwise.</p>
    <p class="note" role="note"><span>Note:</span> <var>origin</var> is the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin②">origin</a> of the resource relative to which the <var>expression</var> should be resolved. "<code>'self'</code>", for instance, will have distinct
  meaning depending on that bit of context.</p>
    <ol>
     <li data-md="">
      <p>If <var>expression</var> is the string "*", return "<code>Matches</code>" if one or more of
  the following conditions is met:</p>
      <ol>
       <li data-md="">
        <p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme③">scheme</a> is a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme②">network scheme</a>.</p>
       <li data-md="">
        <p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme④">scheme</a> is the same as <var>origin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-scheme" id="ref-for-concept-origin-scheme">scheme</a>.</p>
      </ol>
      <p class="note" role="note"><span>Note:</span> This logic means that in order to allow a resource from a non-<a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#network-scheme" id="ref-for-network-scheme③">network scheme</a>,
  it has to be either explicitly specified (e.g. <code>default-src * data: custom-scheme-1: custom-scheme-2:</code>),
  or the protected resource must be loaded from the same scheme.</p>
     <li data-md="">
      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source②"><code>scheme-source</code></a> or <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source②"><code>host-source</code></a> grammar:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> has a <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part②"><code>scheme-part</code></a>, and it does not <a data-link-type="dfn" href="#scheme-part-match" id="ref-for-scheme-part-match"><code>scheme-part</code> match</a> <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme⑤">scheme</a>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source③"><code>scheme-source</code></a> grammar,
  return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source③"><code>host-source</code></a> grammar:</p>
      <ol>
       <li data-md="">
        <p>If <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-host" id="ref-for-dom-url-host">host</a></code> is <code>null</code>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var> does not have a <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part③"><code>scheme-part</code></a>, and <var>origin</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-scheme" id="ref-for-concept-origin-scheme①">scheme</a> does not <a data-link-type="dfn" href="#scheme-part-match" id="ref-for-scheme-part-match①"><code>scheme-part</code> match</a> <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme⑥">scheme</a>,
  return "<code>Does Not Match</code>".</p>
        <p class="note" role="note"><span>Note:</span> As with <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part④"><code>scheme-part</code></a> above, we allow schemeless <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source④"><code>host-source</code></a> expressions to be upgraded from insecure
  schemes to secure schemes.</p>
       <li data-md="">
        <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part①"><code>host-part</code></a> does not <a data-link-type="dfn" href="#host-part-match" id="ref-for-host-part-match"><code>host-part</code> match</a> <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-host" id="ref-for-dom-url-host①">host</a></code>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>Let <var>port-part</var> be <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part①"><code>port-part</code></a> if present, and <code>null</code> otherwise.</p>
       <li data-md="">
        <p>If <var>port-part</var> does not <a data-link-type="dfn" href="#port-part-matches" id="ref-for-port-part-matches"><code>port-part</code> match</a> <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-port" id="ref-for-concept-url-port">port</a> and <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme⑦">scheme</a>, return "<code>Does Not Match</code>".</p>
       <li data-md="">
        <p>If <var>expression</var> contains a non-empty <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part①"><code>path-part</code></a>, and <var>redirect count</var> is 0, then:</p>
        <ol>
         <li data-md="">
          <p>Let <var>path</var> be the resulting of joining <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-path" id="ref-for-concept-url-path">path</a> on the U+002F SOLIDUS character (<code>/</code>).</p>
         <li data-md="">
          <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part②"><code>path-part</code></a> does not <a data-link-type="dfn" href="#path-part-match" id="ref-for-path-part-match"><code>path-part</code> match</a> <var>path</var>,
  return "<code>Does Not Match</code>".</p>
        </ol>
       <li data-md="">
        <p>Return "<code>Matches</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>expression</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive⑥">ASCII case-insensitive</a> match for "<code>'self'</code>",
  return "<code>Matches</code>" if one or more of the following conditions is met:</p>
      <ol>
       <li data-md="">
        <p><var>origin</var> is the same as <var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-origin" id="ref-for-concept-url-origin②">origin</a></p>
       <li data-md="">
        <p><var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-host" id="ref-for-dom-url-host②">host</a></code> is the same as <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-host" id="ref-for-dom-url-host③">host</a></code>, <var>origin</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-port" id="ref-for-dom-url-port">port</a></code> and <var>url</var>’s <code class="idl"><a data-link-type="idl" href="https://url.spec.whatwg.org/#dom-url-port" id="ref-for-dom-url-port①">port</a></code> are either the same
  or the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port" id="ref-for-default-port">default ports</a> for their respective <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme⑧">scheme</a>s, and
  one or more of the following conditions is met:</p>
        <ol>
         <li data-md="">
          <p><var>url</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme⑨">scheme</a> is "<code>https</code>" or "<code>wss</code>"</p>
         <li data-md="">
          <p><var>origin</var>’s <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme①⓪">scheme</a> is "<code>http</code>"</p>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> Like the <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part⑤"><code>scheme-part</code></a> logic above, the "<code>'self'</code>"
  matching algorithm allows upgrades to secure schemes when it is safe to do
  so. We limit these upgrades to endpoints running on the default port for a
  particular scheme or a port that matches the origin of the protected
  resource, as this seems sufficient to deal with upgrades that can be
  reasonably expected to succeed.</p>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="scheme-part matching" data-level="6.6.1.7" id="match-schemes"><span class="secno">6.6.1.7. </span><span class="content"> <code>scheme-part</code> matching </span><a class="self-link" href="#match-schemes"></a></h5>
    <p>An <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string④">ASCII string</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="scheme-part match" id="scheme-part-match"><code>scheme-part</code> matches</dfn> another <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string⑤">ASCII string</a> if a CSP source expression that contained the first as a <a data-link-type="grammar" href="#grammardef-scheme-part" id="ref-for-grammardef-scheme-part⑥"><code>scheme-part</code></a> could potentially match a URL containing the latter as a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme①①">scheme</a>. For example, we say that "http" <a data-link-type="dfn" href="#scheme-part-match" id="ref-for-scheme-part-match②"><code>scheme-part</code> matches</a> "https".</p>
    <p class="note" role="note"><span>Note:</span> The matching relation is asymmetric. For example, the source expressions <code>https:</code> and <code>https://example.com/</code> do not match the URL <code>http://example.com/</code>. We always allow a
  secure upgrade from an explicitly insecure expression. <code>script-src http:</code> is treated as equivalent
  to <code>script-src http: https:</code>, <code>script-src http://example.com</code> to <code>script-src http://example.com https://example.com</code>, and <code>connect-src ws:</code> to <code>connect-src ws: wss:</code>.</p>
    <p>More formally, two <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string⑥">ASCII strings</a> (<var>A</var> and <var>B</var>) are said to <a data-link-type="dfn" href="#scheme-part-match" id="ref-for-scheme-part-match③"><code>scheme-part</code> match</a> if the
  following algorithm returns "<code>Matches</code>":</p>
    <ol class="algorithm">
     <li data-md="">
      <p>If one of the following is true, return "<code>Matches</code>":</p>
      <ol>
       <li data-md="">
        <p><var>A</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive⑦">ASCII case-insensitive</a> match for <var>B</var>.</p>
       <li data-md="">
        <p><var>A</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive⑧">ASCII case-insensitive</a> match for "<code>http</code>", and <var>B</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive⑨">ASCII case-insensitive</a> match for "<code>https</code>".</p>
       <li data-md="">
        <p><var>A</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⓪">ASCII case-insensitive</a> match for "<code>ws</code>", and <var>B</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①①">ASCII case-insensitive</a> match for "<code>wss</code>", "<code>http</code>", or
  "<code>https</code>".</p>
       <li data-md="">
        <p><var>A</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①②">ASCII case-insensitive</a> match for "<code>wss</code>", and <var>B</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①③">ASCII case-insensitive</a> match for "<code>https</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="host-part matching" data-level="6.6.1.8" id="match-hosts"><span class="secno">6.6.1.8. </span><span class="content"> <code>host-part</code> matching </span><a class="self-link" href="#match-hosts"></a></h5>
    <p>An <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string⑦">ASCII string</a> <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="host-part match" id="host-part-match"><code>host-part</code> matches</dfn> another <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string⑧">ASCII
  string</a> if a CSP source expression that contained the first as a <a data-link-type="grammar" href="#grammardef-host-part" id="ref-for-grammardef-host-part②"><code>host-part</code></a> could
  potentially match a URL containing the latter as a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-host" id="ref-for-concept-url-host">host</a>. For example, we say that
  "www.example.com" <a data-link-type="dfn" href="#host-part-match" id="ref-for-host-part-match①">host-part matches</a> "www.example.com".</p>
    <p>More formally, two <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string⑨">ASCII strings</a> (<var>A</var> and <var>B</var>) are said to <a data-link-type="dfn" href="#host-part-match" id="ref-for-host-part-match②"><code>host-part</code> match</a> if the
  following algorithm returns "<code>Matches</code>":</p>
    <p class="note" role="note"><span>Note:</span> The matching relation is asymmetric. That is, <var>A</var> matching <var>B</var> does not
  mean that <var>B</var> will match <var>A</var>. For example, <code>*.example.com</code> <a data-link-type="dfn" href="#host-part-match" id="ref-for-host-part-match③"><code>host-part</code> matches</a> <code>www.example.com</code>, but <code>www.example.com</code> does not <a data-link-type="dfn" href="#host-part-match" id="ref-for-host-part-match④"><code>host-part</code> match</a> <code>*.example.com</code>.</p>
    <ol class="algorithm">
     <li data-md="">
      <p>If the first character of <var>A</var> is an U+002A ASTERISK character (<code>*</code>):</p>
      <ol>
       <li data-md="">
        <p>Let <var>remaining</var> be the result of removing the leading ("*") from <var>A</var>.</p>
       <li data-md="">
        <p>If <var>remaining</var> (including the leading U+002E FULL STOP character
  (<code>.</code>)) is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①④">ASCII case-insensitive</a> match for the rightmost
  characters of <var>B</var>, then return "<code>Matches</code>". Otherwise, return
  "<code>Does Not Match</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>A</var> is not an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⑤">ASCII case-insensitive</a> match for <var>B</var>, return
  "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>If <var>A</var> matches the <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc3986#section-3.2.2" id="ref-for-section-3.2.2">IPv4address</a> rule from <a data-link-type="biblio" href="#biblio-rfc3986">[RFC3986]</a>, and
  is not "<code>127.0.0.1</code>"; or if <var>A</var> is an <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-ipv6" id="ref-for-concept-ipv6">IPv6 address</a>, return
  "<code>Does Not Match</code>".</p>
      <p class="note" role="note"><span>Note:</span> A future version of this specification may allow literal IPv6
  and IPv4 addresses, depending on usage and demand. Given the weak
  security properties of IP addresses in relation to named hosts,
  however, authors are encouraged to prefer the latter whenever
  possible.</p>
     <li data-md="">
      <p>Return "<code>Matches</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="port-part matching" data-level="6.6.1.9" id="match-ports"><span class="secno">6.6.1.9. </span><span class="content"> <code>port-part</code> matching </span><a class="self-link" href="#match-ports"></a></h5>
    <p>An <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string①⓪">ASCII string</a> (<var>port A</var>) <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" id="port-part-matches"><code>port-part</code> matches</dfn> two other <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string①①">ASCII
  strings</a> (<var>port B</var> and <var>scheme B</var>) if a CSP source expression that contained the first as a <a data-link-type="grammar" href="#grammardef-port-part" id="ref-for-grammardef-port-part②"><code>port-part</code></a> could potentially match a URL containing the latter as <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-port" id="ref-for-concept-url-port①">port</a> and <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-scheme" id="ref-for-concept-url-scheme①②">scheme</a>. For example, "80" <a data-link-type="dfn" href="#port-part-matches" id="ref-for-port-part-matches①"><code>port-part</code> matches</a> matches "80"/"http".</p>
    <ol class="algorithm">
     <li data-md="">
      <p>If <var>port A</var> is empty:</p>
      <ol>
       <li data-md="">
        <p>If <var>port B</var> is the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port" id="ref-for-default-port①">default port</a> for <var>scheme B</var>, return "<code>Matches</code>". Otherwise,
  return "<code>Does Not Match</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>port A</var> is equal to "*", return "<code>Matches</code>".</p>
     <li data-md="">
      <p>If <var>port A</var> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive③">case-sensitive</a> match for <var>port B</var>, return "<code>Matches</code>".</p>
     <li data-md="">
      <p>If <var>port B</var> is empty:</p>
      <ol>
       <li data-md="">
        <p>If <var>port A</var> is the <a data-link-type="dfn" href="https://url.spec.whatwg.org/#default-port" id="ref-for-default-port②">default port</a> for <var>scheme B</var>, return "<code>Matches</code>". Otherwise,
  return "<code>Does not Match</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="path-part matching" data-level="6.6.1.10" id="match-paths"><span class="secno">6.6.1.10. </span><span class="content"> <code>path-part</code> matching </span><a class="self-link" href="#match-paths"></a></h5>
    <p>An <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string①②">ASCII string</a> (<var>path A</var>) <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="path-part match" id="path-part-match"><code>path-part</code> matches</dfn> another <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-string" id="ref-for-ascii-string①③">ASCII string</a> (<var>path B</var>) if a CSP source expression that contained the first as a <a data-link-type="grammar" href="#grammardef-path-part" id="ref-for-grammardef-path-part③"><code>path-part</code></a> could potentially match a URL containing the latter as a <a data-link-type="dfn" href="https://url.spec.whatwg.org/#concept-url-path" id="ref-for-concept-url-path①">path</a>.
  For example, we say that "/subdirectory/" <a data-link-type="dfn" href="#path-part-match" id="ref-for-path-part-match①"><code>path-part</code> matches</a> "/subdirectory/file".</p>
    <p class="note" role="note"><span>Note:</span> The matching relation is asymmetric. That is, <var>path A</var> matching <var>path B</var> does not mean that <var>path B</var> will match <var>path A</var>.</p>
    <ol class="algorithm">
     <li data-md="">
      <p>If <var>path A</var> is empty, return "<code>Matches</code>".</p>
     <li data-md="">
      <p>If <var>path A</var> consists of one character that is equal to the U+002F SOLIDUS
  character (<code>/</code>) and <var>path B</var> is empty, return "<code>Matches</code>".</p>
     <li data-md="">
      <p>Let <var>exact match</var> be <code>false</code> if the final character of <var>path A</var> is the U+002F
  SOLIDUS character (<code>/</code>), and <code>true</code> otherwise.</p>
     <li data-md="">
      <p>Let <var>path list A</var> and <var>path list B</var> be the result of <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#strictly-split" id="ref-for-strictly-split①">strictly splitting</a> <var>path A</var> and <var>path B</var> respestively on the U+002F SOLIDUS character (<code>/</code>).</p>
     <li data-md="">
      <p>If <var>path list A</var> has more items than <var>path list B</var>, return
  "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>If <var>exact match</var> is <code>true</code>, and <var>path list A</var> does not have the same
  number of items as <var>path list B</var>, return "<code>Does Not Match</code>".</p>
     <li data-md="">
      <p>If <var>exact match</var> is <code>false</code>:</p>
      <ol>
       <li data-md="">
        <p class="assertion">Assert: the final item in <var>path list A</var> is the empty string.</p>
       <li data-md="">
        <p>Remove the final item from <var>path list A</var>.</p>
      </ol>
     <li data-md="">
      <p>For each <var>piece A</var> in <var>path list A</var>:</p>
      <ol>
       <li data-md="">
        <p>Let <var>piece B</var> be the next item in <var>path list B</var>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://url.spec.whatwg.org/#percent-decode" id="ref-for-percent-decode">Percent decode</a> <var>piece A</var>.</p>
       <li data-md="">
        <p><a data-link-type="dfn" href="https://url.spec.whatwg.org/#percent-decode" id="ref-for-percent-decode①">Percent decode</a> <var>piece B</var>.</p>
       <li data-md="">
        <p>If <var>piece A</var> is not a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive④">case-sensitive</a> match
  for <var>piece B</var>, return "<code>Does Not Match</code>".</p>
      </ol>
     <li data-md="">
      <p>Return "<code>Matches</code>".</p>
    </ol>
    <h5 class="heading settled algorithm" data-algorithm="Get the effective directive for request" data-level="6.6.1.11" id="effective-directive-for-a-request"><span class="secno">6.6.1.11. </span><span class="content"> Get the effective directive for <var>request</var> </span><a class="self-link" href="#effective-directive-for-a-request"></a></h5>
    <p>Each <a data-link-type="dfn" href="#fetch-directives" id="ref-for-fetch-directives②">fetch directive</a> controls a specific destination of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤⑦">request</a>. Given
  a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request" id="ref-for-concept-request⑤⑧">request</a> (<var>request</var>), the following algorithm returns either <code>null</code> or the <a data-link-type="dfn" href="#directive-name" id="ref-for-directive-name②③">name</a> of the request’s <dfn data-dfn-for="request" data-dfn-type="dfn" data-export="" id="request-effective-directive">effective directive<a class="self-link" href="#request-effective-directive"></a></dfn>:</p>
    <ol>
     <li data-md="">
      <p>Switch on <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-destination" id="ref-for-concept-request-destination②⑥">destination</a>, and execute
  the associated steps:</p>
      <dl>
       <dt data-md="">""
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-initiator" id="ref-for-concept-request-initiator③">initiator</a> is
  the empty string, return <code>connect-src</code>.</p>
        </ol>
       <dt data-md="">"<code>manifest</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>manifest-src</code>.</p>
        </ol>
       <dt data-md="">"<code>object</code>"
       <dt data-md="">"<code>embed</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>object-src</code>.</p>
        </ol>
       <dt data-md="">"<code>document</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>If the <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context" id="ref-for-concept-request-target-browsing-context③">target browsing context</a> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context⑧">nested browsing context</a>, return <code>frame-src</code>.</p>
        </ol>
       <dt data-md="">"<code>audio</code>"
       <dt data-md="">"<code>track</code>"
       <dt data-md="">"<code>video</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>media-src</code>.</p>
        </ol>
       <dt data-md="">"<code>font</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>font-src</code>.</p>
        </ol>
       <dt data-md="">"<code>image</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>img-src</code>.</p>
        </ol>
       <dt data-md="">"<code>style</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>style-src</code>.</p>
        </ol>
       <dt data-md="">"<code>script</code>"
       <dt data-md="">"<code>xslt</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>script-src</code>.</p>
        </ol>
       <dt data-md="">"<code>sharedworker</code>"
       <dt data-md="">"<code>worker</code>"
       <dd data-md="">
        <ol>
         <li data-md="">
          <p>Return <code>worker-src</code>.</p>
        </ol>
      </dl>
     <li data-md="">
      <p>Return <code>null</code>.</p>
    </ol>
    <h4 class="heading settled" data-level="6.6.2" id="matching-elements"><span class="secno">6.6.2. </span><span class="content">Element Matching Algorithms</span><a class="self-link" href="#matching-elements"></a></h4>
    <h5 class="heading settled algorithm" data-algorithm="Is element nonceable?" data-level="6.6.2.1" id="is-element-nonceable"><span class="secno">6.6.2.1. </span><span class="content"> Is <var>element</var> nonceable? </span><a class="self-link" href="#is-element-nonceable"></a></h5>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element⑤">Element</a></code> (<var>element</var>), this algorithm returns "<code>Nonceable</code>" if
  a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source⑥"><code>nonce-source</code></a> expression can match the element (as discussed
  in <a href="#security-nonce-stealing">§7.2 Nonce Stealing</a>), and "<code>Not Nonceable</code>" if such expressions
  should not be applied.</p>
    <ol>
     <li data-md="">
      <p>If <var>element</var> does not have an attribute named "<code>nonce</code>", return "<code>Not Nonceable</code>".</p>
     <li data-md="">
      <p>If <var>element</var> is a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script⑤">script</a></code> element, then for each <var>attribute</var> in <var>element</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>attribute</var>’s name is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⑥">ASCII case-insensitive</a> match for
  the string "<code>&lt;script</code>" or the string
  "<code>&lt;style</code>", return "<code>Not Nonceable</code>".</p>
       <li data-md="">
        <p>If <var>attribute</var>’s value contains an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⑦">ASCII case-insensitive</a> match
  the string "<code>&lt;script</code>" or the string
  "<code>&lt;style</code>", return "<code>Not Nonceable</code>".</p>
      </ol>
     <li data-md="">
      <p>If <var>element</var> had a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/parsing.html#parse-error-duplicate-attribute" id="ref-for-parse-error-duplicate-attribute">duplicate-attribute</a> <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-script-parse-error" id="ref-for-concept-script-parse-error">parse error</a> during tokenization, return
  "<code>Not Nonceable</code>".</p>
      <p class="issue" id="issue-e2d81ee7"><a class="self-link" href="#issue-e2d81ee7"></a> We need some sort of hook in HTML to record this error if we’re
  planning on using it here. <a href="https://github.com/whatwg/html/issues/3257">&lt;https://github.com/whatwg/html/issues/3257></a></p>
     <li data-md="">
      <p>Return "<code>Nonceable</code>".</p>
    </ol>
    <p class="issue" id="issue-c41e2850"><a class="self-link" href="#issue-c41e2850"></a> This processing is meant to mitigate the risk
  of dangling markup attacks that steal the nonce from an existing element
  in order to load injected script. It is fairly expensive, however, as it
  requires that we walk through all attributes and their values in order to
  determine whether the script should execute. Here, we try to minimize the
  impact by doing this check only for <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script⑥">script</a></code> elements when a nonce is
  present, but we should probably consider this algorithm as "at risk" until
  we know its impact. <a href="https://github.com/w3c/webappsec-csp/issues/98">&lt;https://github.com/w3c/webappsec-csp/issues/98></a></p>
    <h5 class="heading settled algorithm" data-algorithm="Does a source list allow all inline behavior for type?" data-level="6.6.2.2" id="allow-all-inline"><span class="secno">6.6.2.2. </span><span class="content"> Does a source list allow all inline behavior for <var>type</var>? </span><a class="self-link" href="#allow-all-inline"></a></h5>
    <p>A <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⑤">source list</a> <dfn class="dfn-paneled" data-dfn-for="source list" data-dfn-type="dfn" data-export="" data-local-lt="allow all inline behavior" id="source-list-allows-all-inline-behavior">allows all inline behavior</dfn> of a given <var>type</var> if it contains the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source④"><code>keyword-source</code></a> expression <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline③"><code>'unsafe-inline'</code></a>, and does not override that
  expression as described in the following algorithm:</p>
    <p>Given a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⑥">source list</a> (<var>list</var>) and a string (<var>type</var>), the following
  algorithm returns "<code>Allows</code>" if all inline content of a given <var>type</var> is
  allowed and "<code>Does Not Allow</code>" otherwise.</p>
    <ol>
     <li data-md="">
      <p>Let <var>allow all inline</var> be <code>false</code>.</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source⑦"><code>nonce-source</code></a> or <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source⑦"><code>hash-source</code></a> grammar, return "<code>Does Not Allow</code>".</p>
       <li data-md="">
        <p>If <var>type</var> is "<code>script</code>" or "<code>script attribute</code>" and <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source⑤">keyword-source</a> "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic⑤"><code>'strict-dynamic'</code></a>", return "<code>Does Not Allow</code>".</p>
        <p class="note" role="note"><span>Note:</span> <code>'strict-dynamic'</code> only applies to scripts, not other resource
  types. Usage is explained in more detail in <a href="#strict-dynamic-usage">§8.2 Usage of "'strict-dynamic'"</a>.</p>
       <li data-md="">
        <p>If <var>expression</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⑧">ASCII case-insensitive</a> match for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source⑥"><code>keyword-source</code></a> "<a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline④"><code>'unsafe-inline'</code></a>",
  set <var>allow all inline</var> to <code>true</code>.</p>
      </ol>
     <li data-md="">
      <p>If <var>allow all inline</var> is <code>true</code>, return "<code>Allows</code>".
  Otherwise, return "<code>Does Not Allow</code>".</p>
    </ol>
    <div class="example" id="example-da6a7e8f">
     <a class="self-link" href="#example-da6a7e8f"></a> <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⑦">Source lists</a> that <a data-link-type="dfn" href="#source-list-allows-all-inline-behavior" id="ref-for-source-list-allows-all-inline-behavior">allow all inline behavior</a>: 
<pre>'unsafe-inline' http://a.com http://b.com
'unsafe-inline'
</pre>
     <p><a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⑧">Source lists</a> that do not <a data-link-type="dfn" href="#source-list-allows-all-inline-behavior" id="ref-for-source-list-allows-all-inline-behavior①">allow all inline behavior</a> due to
    the presence of nonces and/or hashes, or absence of '<code>unsafe-inline</code>':</p>
<pre>'sha512-321cba' 'nonce-abc'
http://example.com 'unsafe-inline' 'nonce-abc'
</pre>
     <p><a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists①⑨">Source lists</a> that do not <a data-link-type="dfn" href="#source-list-allows-all-inline-behavior" id="ref-for-source-list-allows-all-inline-behavior②">allow all inline behavior</a> when <var>type</var> is
     '<code>script</code>' or '<code>script attribute</code>' due to the presence of
     '<code>strict-dynamic</code>', but <a data-link-type="dfn" href="#source-list-allows-all-inline-behavior" id="ref-for-source-list-allows-all-inline-behavior③">allow all inline behavior</a> otherwise:</p>
<pre>'unsafe-inline' 'strict-dynamic'
http://example.com 'strict-dynamic' 'unsafe-inline'
</pre>
    </div>
    <h5 class="heading settled algorithm" data-algorithm="Does element match source list for type and source?" data-level="6.6.2.3" id="match-element-to-source-list"><span class="secno">6.6.2.3. </span><span class="content"> Does <var>element</var> match source list for <var>type</var> and <var>source</var>? </span><a class="self-link" href="#match-element-to-source-list"></a></h5>
    <p>Given an <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#element" id="ref-for-element⑥">Element</a></code> (<var>element</var>), a <a data-link-type="dfn" href="#source-lists" id="ref-for-source-lists②⓪">source list</a> (<var>list</var>), a string
  (<var>type</var>), and a string (<var>source</var>), this algorithm returns "<code>Matches</code>" or
  "<code>Does Not Match</code>".</p>
    <ol>
     <li data-md="">
      <p class="assertion">Assert: <var>source</var> contains the value of a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script⑦">script</a></code> element’s <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/scripting.html#dom-script-text" id="ref-for-dom-script-text">text</a></code> IDL attribute, the value of a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-style-element" id="ref-for-the-style-element①">style</a></code> element’s <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#dom-node-textcontent" id="ref-for-dom-node-textcontent">textContent</a></code> IDL attribute, or the value of one of a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script⑧">script</a></code> element’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/webappapis.html#event-handler-idl-attributes" id="ref-for-event-handler-idl-attributes">event handler IDL attribute</a>.</p>
      <p class="note" role="note"><span>Note:</span> This means that <var>source</var> will be interpreted with the encoding
  of the page in which it is embedded. See the integration points
  in <a href="#html-integration">§4.2 Integration with HTML</a> for more detail.</p>
     <li data-md="">
      <p>If <a href="#allow-all-inline">§6.6.2.2 Does a source list allow all inline behavior for type?</a> returns "<code>Allows</code>" given <var>list</var> and <var>type</var>,
  return "<code>Matches</code>".</p>
     <li data-md="">
      <p>If <var>type</var> is "<code>script</code>" or "<code>style</code>", and <a href="#is-element-nonceable">§6.6.2.1 Is element nonceable?</a> returns "<code>Nonceable</code>" when executed upon <var>element</var>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>expression</var> in <var>list</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source⑧"><code>nonce-source</code></a> grammar,
  and <var>element</var> has a <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#dom-noncedelement-nonce" id="ref-for-dom-noncedelement-nonce">nonce</a></code> attribute whose value is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive⑤">case-sensitive</a> match for <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value⑥"><code>base64-value</code></a> part, return "<code>Matches</code>".</p>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> Nonces only apply to inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script⑨">script</a></code> and inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-style-element" id="ref-for-the-style-element②">style</a></code>, not to
  attributes of either element.</p>
     <li data-md="">
      <p>Let <var>hashes match attributes</var> be <code>false</code>.</p>
     <li data-md="">
      <p>For each <var>expression</var> in <var>list</var>:</p>
      <ol>
       <li data-md="">
        <p>If <var>expression</var> is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive①⑨">ASCII case-insensitive</a> match for the <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source⑦"><code>keyword-source</code></a> "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes"><code>'unsafe-hashed-attributes'</code></a>",
  set <var>hashes match attributes</var> to <code>true</code>. Break out of the loop.</p>
      </ol>
     <li data-md="">
      <p>If <var>type</var> is "<code>script</code>" or "<code>style</code>", or <var>hashes match attributes</var> is <code>true</code>:</p>
      <ol>
       <li data-md="">
        <p>For each <var>expression</var> in <var>list</var>:</p>
        <ol>
         <li data-md="">
          <p>If <var>expression</var> matches the <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source⑧"><code>hash-source</code></a> grammar:</p>
          <ol>
           <li data-md="">
            <p>Let <var>algorithm</var> be <code>null</code>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm②"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive②⓪">ASCII case-insensitive</a> match for "sha256", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-256</a>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm③"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive②①">ASCII case-insensitive</a> match for "sha384", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-384</a>.</p>
           <li data-md="">
            <p>If <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-hash-algorithm" id="ref-for-grammardef-hash-algorithm④"><code>hash-algorithm</code></a> part is an <a data-link-type="dfn" href="https://infra.spec.whatwg.org/#ascii-case-insensitive" id="ref-for-ascii-case-insensitive②②">ASCII case-insensitive</a> match for "sha512", set <var>algorithm</var> to <a data-link-type="dfn" href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">SHA-512</a>.</p>
           <li data-md="">
            <p>If <var>algorithm</var> is not <code>null</code>:</p>
            <ol>
             <li data-md="">
              <p>Let <var>actual</var> be the result of <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-4" id="ref-for-section-4①">base64 encoding</a> the
  result of applying <var>algorithm</var> to <var>source</var>.</p>
             <li data-md="">
              <p>Let <var>expected</var> be <var>expression</var>’s <a data-link-type="grammar" href="#grammardef-base64-value" id="ref-for-grammardef-base64-value⑦"><code>base64-value</code></a> part,
  with all '<code>-</code>' characters replaced with '<code>+</code>', and all '<code>_</code>' characters
  replaced with '<code>/</code>'.</p>
              <p class="note" role="note"><span>Note:</span> This replacement normalizes hashes expressed in <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-5" id="ref-for-section-5①">base64url
  encoding</a> into <a data-link-type="dfn" href="https://tools.ietf.org/html/rfc4648#section-4" id="ref-for-section-4②">base64 encoding</a> for matching.</p>
             <li data-md="">
              <p>If <var>actual</var> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive" id="ref-for-case-sensitive⑥">case-sensitive</a> match for <var>expected</var>, return
  "<code>Matches</code>".</p>
            </ol>
          </ol>
        </ol>
      </ol>
      <p class="note" role="note"><span>Note:</span> Hashes apply to inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⓪">script</a></code> and inline <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-style-element" id="ref-for-the-style-element③">style</a></code>. If the
  "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes①"><code>'unsafe-hashed-attributes'</code></a>" source expression is present,
  they will also apply to event handlers and style attributes.</p>
     <li data-md="">
      <p>Return "<code>Does Not Match</code>".</p>
    </ol>
   </section>
   <section>
    <h2 class="heading settled" data-level="7" id="security-considerations"><span class="secno">7. </span><span class="content">Security and Privacy Considerations</span><a class="self-link" href="#security-considerations"></a></h2>
    <h3 class="heading settled" data-level="7.1" id="security-nonces"><span class="secno">7.1. </span><span class="content">Nonce Reuse</span><a class="self-link" href="#security-nonces"></a></h3>
    <p>Nonces override the other restrictions present in the directive in which
  they’re delivered. It is critical, then, that they remain unguessable, as
  bypassing a resource’s policy is otherwise trivial.</p>
    <p>If a server delivers a <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source⑨">nonce-source</a> expression as part of a <a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⑧">policy</a>, the server MUST generate a unique value each time it
  transmits a policy. The generated value SHOULD be at least 128 bits long
  (before encoding), and SHOULD be generated via a cryptographically secure
  random number generator in order to ensure that the value is difficult for
  an attacker to predict.</p>
    <p class="note" role="note"><span>Note:</span> Using a nonce to allow inline script or style is less secure than
  not using a nonce, as nonces override the restrictions in the directive in
  which they are present. An attacker who can gain access to the nonce can
  execute whatever script they like, whenever they like. That said, nonces
  provide a substantial improvement over <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline⑤">'unsafe-inline'</a> when
  layering a content security policy on top of old code. When considering <a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline⑥">'unsafe-inline'</a>, authors are encouraged to consider nonces
  (or hashes) instead.</p>
    <h3 class="heading settled" data-level="7.2" id="security-nonce-stealing"><span class="secno">7.2. </span><span class="content">Nonce Stealing</span><a class="self-link" href="#security-nonce-stealing"></a></h3>
    <p>Dangling markup attacks such as those discussed in <a data-link-type="biblio" href="#biblio-filedescriptor-2015">[FILEDESCRIPTOR-2015]</a> can be used to repurpose a page’s legitimate nonces for injections. For
  example, given an injection point before a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①①">script</a></code> element:</p>
<pre class="highlight"><span class="nt">&lt;p></span>Hello, [INJECTION POINT]<span class="nt">&lt;/p></span>
<span class="nt">&lt;script </span><span class="na">nonce=</span><span class="s">abc</span> <span class="na">src=</span><span class="s">/good.js</span><span class="nt">>&lt;/script></span>
</pre>
    <p>If an attacker injects the string "<code>&lt;script src='https://evil.com/evil.js' </code>",
  then the browser will receive the following:</p>
<pre class="highlight"><span class="nt">&lt;p></span>Hello, <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">'https://evil.com/evil.js'</span> &lt;/<span class="na">p</span><span class="nt">></span>
<span class="o">&lt;</span>script nonce<span class="o">=</span>abc src<span class="o">=</span>/good.js><span class="nt">&lt;/script></span>
</pre>
    <p>It will then parse that code, ending up with a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①②">script</a></code> element with a <code>src</code> attribute pointing to a malicious payload, an attribute named <code>&lt;/p></code>,
  an attribute named "<code>&lt;script</code>", a <code>nonce</code> attribute, and a
  second <code>src</code> attribute which is helpfully discarded as duplicate by the parser.</p>
    <p>The <a href="#is-element-nonceable">§6.6.2.1 Is element nonceable?</a> algorithm attempts to mitigate this specific
  attack by walking through <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①③">script</a></code> element attributes, looking for the
  string "<code>&lt;script</code>" or "<code>&lt;style</code>" in their names or values.</p>
    <h3 class="heading settled" data-level="7.3" id="security-nonce-retargeting"><span class="secno">7.3. </span><span class="content">Nonce Retargeting</span><a class="self-link" href="#security-nonce-retargeting"></a></h3>
    <p>Nonces bypass <a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source⑤">host-source</a> expressions, enabling developers to load code from any
  origin. This, generally, is fine, and desirable from the developer’s perspective. However, if an
  attacker can inject a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element③">base</a></code> element, then an otherwise safe page can be subverted when relative
  URLs are resolved. That is, on <code>https://example.com/</code> the following code will load <code>https://example.com/good.js</code>:</p>
<pre class="highlight"><span class="nt">&lt;script </span><span class="na">nonce=</span><span class="s">abc</span> <span class="na">src=</span><span class="s">/good.js</span><span class="nt">>&lt;/script></span>
</pre>
    <p>However, the following will load <code>https://evil.com/good.js</code>:</p>
<pre class="highlight"><span class="nt">&lt;base</span> <span class="na">href=</span><span class="s">"https://evil.com"</span><span class="nt">></span>
<span class="nt">&lt;script </span><span class="na">nonce=</span><span class="s">abc</span> <span class="na">src=</span><span class="s">/good.js</span><span class="nt">>&lt;/script></span>
</pre>
    <p>To mitigate this risk, it is advisable to set an explicit <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element④">base</a></code> element on every page, or to
  limit the ability of an attacker to inject their own <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element" id="ref-for-the-base-element⑤">base</a></code> element by setting a <a data-link-type="dfn" href="#base-uri" id="ref-for-base-uri①"><code>base-uri</code></a> directive in your page’s policy. For example, <code>base-uri 'none'</code>.</p>
    <h3 class="heading settled" data-level="7.4" id="security-css-parsing"><span class="secno">7.4. </span><span class="content">CSS Parsing</span><a class="self-link" href="#security-css-parsing"></a></h3>
    <p>The <a data-link-type="dfn" href="#style-src" id="ref-for-style-src②">style-src</a> directive restricts the locations from which the
  protected resource can load styles. However, if the user agent uses a lax CSS
  parsing algorithm, an attacker might be able to trick the user agent into
  accepting malicious "stylesheets" hosted by an otherwise trustworthy origin.</p>
    <p>These attacks are similar to the CSS cross-origin data leakage attack
  described by Chris Evans in 2009 <a data-link-type="biblio" href="#biblio-css-abuse">[CSS-ABUSE]</a>. User agents SHOULD defend
  against both attacks using the same mechanism: stricter CSS parsing rules for
  style sheets with improper MIME types.</p>
    <h3 class="heading settled" data-level="7.5" id="security-violation-reports"><span class="secno">7.5. </span><span class="content">Violation Reports</span><a class="self-link" href="#security-violation-reports"></a></h3>
    <p>The violation reporting mechanism in this document has been designed to
  mitigate the risk that a malicious web site could use violation reports to
  probe the behavior of other servers. For example, consider a malicious web
  site that allows <code>https://example.com</code> as a source of images. If the
  malicious site attempts to load <code>https://example.com/login</code> as an image, and
  the <code>example.com</code> server redirects to an identity provider (e.g. <code>identityprovider.example.net</code>), CSP will block the request. If violation
  reports contained the full blocked URL, the violation report might contain
  sensitive information contained in the redirected URL, such as session
  identifiers or purported identities. For this reason, the user agent includes
  only the URL of the original request, not the redirect target.</p>
    <p>Note also that violation reports should be considered attacker-controlled data. Developers who
  wish to collect violation reports in a dashboard or similar service should be careful to properly
  escape their content before rendering it (and should probably themselves use CSP to further
  mitigate the risk of injection). This is especially true for the "<code>script-sample</code>" property of
  violation reports, and the <code class="idl"><a data-link-type="idl" href="#dom-securitypolicyviolationevent-sample" id="ref-for-dom-securitypolicyviolationevent-sample②">sample</a></code> property of <code class="idl"><a data-link-type="idl" href="#securitypolicyviolationevent" id="ref-for-securitypolicyviolationevent③">SecurityPolicyViolationEvent</a></code>, which are both completely attacker-controlled strings.</p>
    <h3 class="heading settled" data-level="7.6" id="source-list-paths-and-redirects"><span class="secno">7.6. </span><span class="content">Paths and Redirects</span><a class="self-link" href="#source-list-paths-and-redirects"></a></h3>
    <p>To avoid leaking path information cross-origin (as discussed
  in Egor Homakov’s <a href="http://homakov.blogspot.de/2014/01/using-content-security-policy-for-evil.html">Using Content-Security-Policy for Evil</a>),
  the matching algorithm ignores the path component of a source
  expression if the resource being loaded is the result of a
  redirect. For example, given a page with an active policy of <code><a data-link-type="dfn" href="#img-src" id="ref-for-img-src③">img-src</a> example.com example.org/path</code>:</p>
    <ul>
     <li data-md="">
      <p>Directly loading <code>https://example.org/not-path</code> would fail, as it doesn’t match the policy.</p>
     <li data-md="">
      <p>Directly loading <code>https://example.com/redirector</code> would pass, as it matches <code>example.com</code>.</p>
     <li data-md="">
      <p>Assuming that <code>https://example.com/redirector</code> delivered a redirect response pointing to <code>https://example.org/not-path</code>,
  the load would succeed, as the initial URL matches <code>example.com</code>,
  and the redirect target matches <code>example.org/path</code> if we ignore its path component.</p>
    </ul>
    <p>This restriction reduces the granularity of a document’s policy when redirects are in play, a
  necessary compromise to avoid brute-forced information leaks of this type.</p>
    <p>The relatively long thread <a href="http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html">"Remove paths from CSP?"</a> from public-webappsec@w3.org has more detailed discussion around alternate proposals.</p>
    <h3 class="heading settled" data-level="7.7" id="security-secure-upgrades"><span class="secno">7.7. </span><span class="content">Secure Upgrades</span><a class="self-link" href="#security-secure-upgrades"></a></h3>
    <p>To mitigate one variant of history-scanning attacks like Yan Zhu’s <a href="http://diracdeltas.github.io/sniffly/">Sniffly</a>, CSP will not allow pages to lock
  themselves into insecure URLs via policies like <code>script-src http://example.com</code>. As described in <a href="#match-schemes">§6.6.1.7 scheme-part matching</a>, the scheme portion of a source expression will always allow upgrading to a
  secure variant.</p>
    <h3 class="heading settled" data-level="7.8" id="security-inherit-csp"><span class="secno">7.8. </span><span class="content"> CSP Inheriting to avoid bypasses </span><a class="self-link" href="#security-inherit-csp"></a></h3>
    <p>As described in <a href="#initialize-document-csp">§4.2.1 Initialize a Document's CSP list</a> and <a href="#initialize-global-object-csp">§4.2.2 Initialize a global object’s CSP list</a>,
  documents loaded from <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#local-scheme" id="ref-for-local-scheme⑤">local schemes</a> will inherit a copy of the
  policies in the <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⑧">CSP list</a> of the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document③">embedding document</a> or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#opener-browsing-context" id="ref-for-opener-browsing-context②">opener browsing context</a>. The goal is to ensure that a page can’t
  bypass its policy by embedding a frame or opening a new window containg
  content that is entirely under its control (<code>srcdoc</code> documents, <code>blob:</code> or <code>data:</code> URLs, <code>about:blank</code> documents that can be manipulated via <code>document.write()</code>, etc).</p>
    <div class="example" id="example-7a5b0df0">
     <a class="self-link" href="#example-7a5b0df0"></a> If this would not happen a page could execute inline scripts even without <code>unsafe-inline</code> in the page’s execution context by simply embedding a <code>srcdoc</code> <code>iframe</code>. 
<pre class="highlight"><span class="nt">&lt;iframe</span> <span class="na">srcdoc=</span><span class="s">"&lt;script>alert(1);&lt;/script>"</span><span class="nt">>&lt;/iframe></span>
</pre>
    </div>
    <p>Note that we create a copy of the <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list①⑨">CSP list</a> which
  means that the new <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document①⑨">Document</a></code>'s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list②⓪">CSP list</a> is a
  snapshot of the relevant policies at its creation time. Modifications in the <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list②①">CSP list</a> of the new <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document②⓪">Document</a></code> won’t affect the <a data-link-type="dfn" href="#embedding-document" id="ref-for-embedding-document④">embedding document</a> or <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#opener-browsing-context" id="ref-for-opener-browsing-context③">opener browsing context</a>’s <a data-link-type="dfn" href="#global-object-csp-list" id="ref-for-global-object-csp-list②②">CSP list</a> or vice-versa.</p>
    <div class="example" id="example-3c6e0109">
     <a class="self-link" href="#example-3c6e0109"></a> In the example below the image inside the iframe will not load because it is
    blocked by the policy in the <code>meta</code> tag of the iframe. The image outside the
    iframe will load (assuming the main page policy does not block it) since the
    policy inserted in the iframe will not affect it. 
<pre class="highlight"><span class="nt">&lt;iframe</span> <span class="na">srcdoc=</span><span class="s">'&lt;meta http-equiv="Content-Security-Policy" content="img-src example.com;"></span>
<span class="s">                   &lt;img src="not-example.com/image">'</span><span class="nt">>&lt;/iframe></span>

<span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">"not-example.com/image"</span><span class="nt">></span>
</pre>
    </div>
   </section>
   <section>
    <h2 class="heading settled" data-level="8" id="authoring-considerations"><span class="secno">8. </span><span class="content">Authoring Considerations</span><a class="self-link" href="#authoring-considerations"></a></h2>
    <h3 class="heading settled" data-level="8.1" id="multiple-policies"><span class="secno">8.1. </span><span class="content"> The effect of multiple policies </span><a class="self-link" href="#multiple-policies"></a></h3>
    <p><em>This section is not normative.</em></p>
    <p>The above sections note that when multiple policies are present, each must be
  enforced or reported, according to its type. An example will help clarify how
  that ought to work in practice. The behavior of an <code>XMLHttpRequest</code> might seem unclear given a site that, for whatever reason, delivered the
  following HTTP headers:</p>
    <div class="example" id="example-ef0bfc7a">
     <a class="self-link" href="#example-ef0bfc7a"></a> 
<pre>Content-Security-Policy: default-src 'self' http://example.com http://example.net;
                         connect-src 'none';
Content-Security-Policy: connect-src http://example.com/;
                         script-src http://example.com/
</pre>
    </div>
    <p>Is a connection to example.com allowed or not? The short answer is that the
  connection is not allowed. Enforcing both policies means that a potential
  connection would have to pass through both unscathed. Even though the second
  policy would allow this connection, the first policy contains <code>connect-src 'none'</code>, so its enforcement blocks the connection. The
  impact is that adding additional policies to the list of policies to enforce
  can <em>only</em> further restrict the capabilities of the protected resource.</p>
    <p>To demonstrate that further, consider a script tag on this page. The first
  policy would lock scripts down to <code>'self'</code>, <code>http://example.com</code> and <code>http://example.net</code> via the <code>default-src</code> directive. The second, however,
  would only allow script from <code>http://example.com/</code>. Script will only load if
  it meets both policy’s criteria: in this case, the only origin that can match
  is <code>http://example.com</code>, as both policies allow it.</p>
    <h3 class="heading settled" data-level="8.2" id="strict-dynamic-usage"><span class="secno">8.2. </span><span class="content"> Usage of "<code>'strict-dynamic'</code>" </span><a class="self-link" href="#strict-dynamic-usage"></a></h3>
    <p>Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs.
  The <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22#107-bytes">solutions
  to Cure53’s H5SC Minichallenge 3: "Sh*t, it’s CSP!"</a> <a data-link-type="biblio" href="#biblio-h5sc3">[H5SC3]</a> are good examples of the
  kinds of bypasses which such policies can enable, and though CSP is capable of mitigating these
  bypasses via exhaustive declaration of specific resources, those lists end up being brittle,
  awkward, and difficult to implement and maintain.</p>
    <p>The "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic⑥"><code>'strict-dynamic'</code></a>" source expression aims to make Content
  Security Policy simpler to deploy for existing applications who have a high
  degree of confidence in the scripts they load directly, but low confidence in
  their ability to provide a reasonable list of resources to load up front.</p>
    <p>If present in a <a data-link-type="dfn" href="#script-src" id="ref-for-script-src⑤"><code>script-src</code></a> or <a data-link-type="dfn" href="#default-src" id="ref-for-default-src④"><code>default-src</code></a> directive, it has
  two main effects:</p>
    <ol>
     <li data-md="">
      <p><a data-link-type="grammar" href="#grammardef-host-source" id="ref-for-grammardef-host-source⑥">host-source</a> and <a data-link-type="grammar" href="#grammardef-scheme-source" id="ref-for-grammardef-scheme-source④">scheme-source</a> expressions, as well as the "<a data-link-type="grammar" href="#grammardef-unsafe-inline" id="ref-for-grammardef-unsafe-inline⑦"><code>'unsafe-inline'</code></a>"
  and "<a data-link-type="grammar" href="#grammardef-self" id="ref-for-grammardef-self②③"><code>'self'</code></a> <a data-link-type="grammar" href="#grammardef-keyword-source" id="ref-for-grammardef-keyword-source⑧">keyword-source</a>s will be
  ignored when loading script.</p>
      <p><a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source⑨">hash-source</a> and <a data-link-type="grammar" href="#grammardef-nonce-source" id="ref-for-grammardef-nonce-source①⓪">nonce-source</a> expressions
  will be honored.</p>
     <li data-md="">
      <p>Script requests which are triggered by non-<a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted③">"parser-inserted"</a> <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①④">script</a></code> elements are allowed.</p>
    </ol>
    <p>The first change allows you to deploy "<a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic⑦"><code>'strict-dynamic'</code></a> in a
  backwards compatible way, without requiring user-agent sniffing: the policy <code>'unsafe-inline' https: 'nonce-abcdefg' 'strict-dynamic'</code> will act like <code>'unsafe-inline' https:</code> in browsers that support CSP1, <code>https: 'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV'</code> in browsers that support CSP2, and <code>'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' 'strict-dynamic'</code> in browsers that
  support CSP3.</p>
    <p>The second allows scripts which are given access to the page via nonces or
  hashes to bring in their dependencies without adding them explicitly to the
  page’s policy.</p>
    <div class="example" id="example-e30022c4">
     <a class="self-link" href="#example-e30022c4"></a> Suppose MegaCorp, Inc. deploys the following policy: 
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy⑥">Content-Security-Policy</a>: <a data-link-type="dfn" href="#script-src" id="ref-for-script-src⑥">script-src</a> 'nonce-DhcnhD3khTMePgXwdayK9BsMqXjhguVV' <a data-link-type="grammar" href="#grammardef-strict-dynamic" id="ref-for-grammardef-strict-dynamic⑧">'strict-dynamic'</a>
</pre>
     <p>And serves the following HTML with that policy active:</p>
<pre class="highlight">...
<span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.example.com/script.js"</span> <span class="na">nonce=</span><span class="s">"DhcnhD3khTMePgXwdayK9BsMqXjhguVV"</span> <span class="nt">>&lt;/script></span>
...
</pre>
     <p>This will generate a request for <code>https://cdn.example.com/script.js</code>, which
    will not be blocked because of the matching <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#dom-noncedelement-nonce" id="ref-for-dom-noncedelement-nonce①">nonce</a></code> attribute.</p>
     <p>If <code>script.js</code> contains the following code:</p>
<pre class="highlight"><span class="kd">var</span> s <span class="o">=</span> document<span class="p">.</span>createElement<span class="p">(</span><span class="s1">'script'</span><span class="p">);</span>
s<span class="p">.</span>src <span class="o">=</span> <span class="s1">'https://othercdn.not-example.net/dependency.js'</span><span class="p">;</span>
document<span class="p">.</span>head<span class="p">.</span>appendChild<span class="p">(</span><span class="s1">'s'</span><span class="p">);</span>

document<span class="p">.</span>write<span class="p">(</span><span class="s1">'&lt;scr'</span> <span class="o">+</span> <span class="s1">'ipt src='</span><span class="o">/</span>sadness<span class="p">.</span>js<span class="s1">'>&lt;/scr'</span> <span class="o">+</span> <span class="s1">'ipt>'</span><span class="p">);</span>
</pre>
     <p><code>dependency.js</code> will load, as the <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⑤">script</a></code> element created by <code>createElement()</code> is not <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted④">"parser-inserted"</a>.</p>
     <p><code>sadness.js</code> will <em>not</em> load, however, as <code>document.write()</code> produces <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⑥">script</a></code> elements which are <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted" id="ref-for-parser-inserted⑤">"parser-inserted"</a>.</p>
    </div>
    <section class="wip">
     <h3 class="heading settled" data-level="8.3" id="unsafe-hashed-attributes-usage"><span class="secno">8.3. </span><span class="content"> Usage of "<code>'unsafe-hashed-attributes'</code>" </span><a class="self-link" href="#unsafe-hashed-attributes-usage"></a></h3>
     <p><em>This section is not normative.</em></p>
     <p class="issue" id="issue-0e25e974"><a class="self-link" href="#issue-0e25e974"></a> Work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a></p>
     <p>Legacy websites and websites with legacy dependencies might find it difficult
    to entirely externalize event handlers. These sites could enable such handlers
    by allowing <code>'unsafe-inline'</code>, but that’s a big hammer with a lot of
    associated risk (and cannot be used in conjunction with nonces or hashes).</p>
     <p>The "<a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes②"><code>'unsafe-hashed-attributes'</code></a>" source expression aims to make
    CSP deployment simpler and safer in these situations by allowing developers
    to enable specific handlers via hashes.</p>
     <div class="example" id="example-58b9ab8c">
      <a class="self-link" href="#example-58b9ab8c"></a> MegaCorp, Inc. can’t quite get rid of the following HTML on anything
      resembling a reasonable schedule: 
<pre class="highlight"><span class="nt">&lt;button</span> <span class="na">id=</span><span class="s">"action"</span> <span class="na">onclick=</span><span class="s">"doSubmit()"</span><span class="nt">></span>
</pre>
      <p>Rather than reducing security by specifying "<code>'unsafe-inline'</code>", they decide to use
      "<code>'unsafe-hashed-attributes'</code>" along with a hash source expression, as follows:</p>
<pre><a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy⑦">Content-Security-Policy</a>:  <a data-link-type="dfn" href="#script-src" id="ref-for-script-src⑦">script-src</a> <a data-link-type="grammar" href="#grammardef-unsafe-hashed-attributes" id="ref-for-grammardef-unsafe-hashed-attributes③">'unsafe-hashed-attributes'</a> 'sha256-jzgBGA4UWFFmpOBq0JpdsySukE1FrEN5bUpoK8Z29fY='
</pre>
     </div>
     <p>The capabilities <code>'unsafe-hashed-attributes'</code> provides is useful for legacy sites, but should be
    avoided for modern sites. In particular, note that hashes allow a particular script to execute,
    but do not ensure that it executes in the way a developer intends. If an interesting capability
    is exposed as an inline event handler (say <code>&lt;a onclick="transferAllMyMoney()">Transfer&lt;/a></code>),
    then that script becomes available for an attacker to inject as <code>&lt;script>transferAllMyMoney()&lt;/script></code>. Developers should be careful to balance the risk of
    allowing specific scripts to execute against the deployment advantages that allowing inline
    event handlers might provide.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.4" id="external-hash"><span class="secno">8.4. </span><span class="content"> Allowing external JavaScript via hashes </span><a class="self-link" href="#external-hash"></a></h3>
     <p>In <a data-link-type="biblio" href="#biblio-csp2">[CSP2]</a>, hash <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression⑧">source expressions</a> could only match inlined
    script, but now that Subresource Integrity is widely deployed, we can expand
    the scope to enable externalized JavaScript as well.</p>
     <p>If multiple sets of integrity metadata are specified for a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⑦">script</a></code>, the
    request will match a policy’s <a data-link-type="grammar" href="#grammardef-hash-source" id="ref-for-grammardef-hash-source①⓪">hash-source</a>s if and only if <em>each</em> item in a <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⑧">script</a></code>'s integrity metadata matches the policy.</p>
     <div class="example" id="example-7bc6634d">
      <a class="self-link" href="#example-7bc6634d"></a> MegaCorp, Inc. wishes to allow two specific scripts on a page in a way
      that ensures that the content matches their expectations. They do so by
      setting the following policy: 
<pre>Content-Security-Policy: script-src 'sha256-abc123' 'sha512-321cba'
</pre>
      <p>In the presence of that policy, the following <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script①⑨">script</a></code> elements would be
      allowed to execute because they contain only integrity metadata that matches
      the policy:</p>
<pre class="highlight"><span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha256-abc123"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha512-321cba"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha256-abc123 sha512-321cba"</span> ...<span class="nt">>&lt;/script></span>
</pre>
      <p>While the following <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script" id="ref-for-script②⓪">script</a></code> elements would not execute because they
      contain valid metadata that does not match the policy (even though other
      metadata does match):</p>
<pre class="highlight"><span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"</span><b><span class="s">sha384-xyz789</span></b><span class="s">"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"</span><b><span class="s">sha384-xyz789</span></b><span class="s"> sha512-321cba"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha256-abc123 </span><b><span class="s">sha384-xyz789</span></b><span class="s"> sha512-321cba"</span> ...<span class="nt">>&lt;/script></span>
</pre>
      <p>Metadata that is not recognized (either because it’s entirely invalid, or
      because it specifies a not-yet-supported hashing algorithm) does not affect
      the behavior described here. That is, the following elements would be
      allowed to execute in the presence of the above policy, as the additional
      metadata is invalid and therefore wouldn’t allow a script whose content
      wasn’t listed explicitly in the policy to execute:</p>
<pre class="highlight"><span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha256-abc123 </span><b><span class="s">sha1024-abcd</span></b><span class="s">"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha512-321cba </span><b><span class="s">entirely-invalid</span></b><span class="s">"</span> ...<span class="nt">>&lt;/script></span>
<span class="nt">&lt;script </span><span class="na">integrity=</span><span class="s">"sha256-abc123 </span><b><span class="s">not-a-hash-at-all</span></b><span class="s"> sha512-321cba"</span> ...<span class="nt">>&lt;/script></span>
</pre>
     </div>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="9" id="implementation-considerations"><span class="secno">9. </span><span class="content">Implementation Considerations</span><a class="self-link" href="#implementation-considerations"></a></h2>
    <h3 class="heading settled" data-level="9.1" id="extensions"><span class="secno">9.1. </span><span class="content">Vendor-specific Extensions and Addons</span><a class="self-link" href="#extensions"></a></h3>
    <p><a data-link-type="dfn" href="#content-security-policy-object" id="ref-for-content-security-policy-object⑤⑨">Policy</a> enforced on a resource SHOULD NOT interfere with the operation
  of user-agent features like addons, extensions, or bookmarklets. These kinds
  of features generally advance the user’s priority over page authors, as
  espoused in <a data-link-type="biblio" href="#biblio-html-design">[HTML-DESIGN]</a>.</p>
    <p>Moreover, applying CSP to these kinds of features produces a substantial
  amount of noise in violation reports, significantly reducing their value to
  developers.</p>
    <p>Chrome, for example, excludes the <code>chrome-extension:</code> scheme from CSP checks,
  and does some work to ensure that extension-driven injections are allowed,
  regardless of a page’s policy.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="10" id="iana-considerations"><span class="secno">10. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>
    <h3 class="heading settled" data-level="10.1" id="iana-registry"><span class="secno">10.1. </span><span class="content"> Directive Registry </span><a class="self-link" href="#iana-registry"></a></h3>
    <p>The Content Security Policy Directive registry should be updated with the
  following directives and references <a data-link-type="biblio" href="#biblio-rfc7762">[RFC7762]</a>:</p>
    <dl>
     <dt data-md=""><a data-link-type="dfn" href="#base-uri" id="ref-for-base-uri②"><code>base-uri</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-base-uri">§6.2.1 base-uri</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#child-src" id="ref-for-child-src②"><code>child-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-child-src">§6.1.1 child-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#connect-src" id="ref-for-connect-src③"><code>connect-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-connect-src">§6.1.2 connect-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#default-src" id="ref-for-default-src⑤"><code>default-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-default-src">§6.1.3 default-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#disown-opener" id="ref-for-disown-opener①"><code>disown-opener</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-disown-opener">§6.2.4 disown-opener</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#font-src" id="ref-for-font-src④"><code>font-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-font-src">§6.1.4 font-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#form-action" id="ref-for-form-action"><code>form-action</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-form-action">§6.3.1 form-action</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#frame-ancestors" id="ref-for-frame-ancestors③"><code>frame-ancestors</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-frame-ancestors">§6.3.2 frame-ancestors</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#frame-src" id="ref-for-frame-src④"><code>frame-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-frame-src">§6.1.5 frame-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#img-src" id="ref-for-img-src④"><code>img-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-img-src">§6.1.6 img-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#manifest-src" id="ref-for-manifest-src③"><code>manifest-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-manifest-src">§6.1.7 manifest-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#media-src" id="ref-for-media-src③"><code>media-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-media-src">§6.1.8 media-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#object-src" id="ref-for-object-src④"><code>object-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-object-src">§6.1.9 object-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#plugin-types" id="ref-for-plugin-types②"><code>plugin-types</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-plugin-types">§6.2.2 plugin-types</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#report-uri" id="ref-for-report-uri④"><code>report-uri</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-report-uri">§6.4.1 report-uri</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#report-to" id="ref-for-report-to⑤"><code>report-to</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-report-to">§6.4.2 report-to</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#sandbox" id="ref-for-sandbox①"><code>sandbox</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-sandbox">§6.2.3 sandbox</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#script-src" id="ref-for-script-src⑧"><code>script-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-script-src">§6.1.10 script-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#style-src" id="ref-for-style-src③"><code>style-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-style-src">§6.1.11 style-src</a>)</p>
     <dt data-md=""><a data-link-type="dfn" href="#worker-src" id="ref-for-worker-src④"><code>worker-src</code></a>
     <dd data-md="">
      <p>This document (see <a href="#directive-worker-src">§6.1.12 worker-src</a>)</p>
    </dl>
    <h3 class="heading settled" data-level="10.2" id="iana-headers"><span class="secno">10.2. </span><span class="content"> Headers </span><a class="self-link" href="#iana-headers"></a></h3>
    <p>The permanent message header field registry should be updated
  with the following registrations: <a data-link-type="biblio" href="#biblio-rfc3864">[RFC3864]</a></p>
    <h4 class="heading settled" data-level="10.2.1" id="iana-csp"><span class="secno">10.2.1. </span><span class="content">Content-Security-Policy</span><a class="self-link" href="#iana-csp"></a></h4>
    <dl>
     <dt>Header field name
     <dd>Content-Security-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd>This specification (See <a href="#csp-header">§3.1 The Content-Security-Policy HTTP Response Header Field</a>)
    </dl>
    <h4 class="heading settled" data-level="10.2.2" id="iana-cspro"><span class="secno">10.2.2. </span><span class="content">Content-Security-Policy-Report-Only</span><a class="self-link" href="#iana-cspro"></a></h4>
    <dl>
     <dt>Header field name
     <dd>Content-Security-Policy-Report-Only
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd>This specification (See <a href="#cspro-header">§3.2 The Content-Security-Policy-Report-Only HTTP Response Header Field</a>)
    </dl>
   </section>
   <section>
    <h2 class="heading settled" data-level="11" id="acknowledgements"><span class="secno">11. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>
    <p>Lots of people are awesome. For instance:</p>
    <ul>
     <li data-md="">
      <p>Mario and all of Cure53.</p>
     <li data-md="">
      <p>Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, Jochen Eisinger, and the
rest of Google’s CSP Cabal.</p>
    </ul>
   </section>
  </main>
  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification. </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
  <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text with <code>class="example"</code>,
    like this: </p>
  <div class="example" id="example-f839f6c8">
   <a class="self-link" href="#example-f839f6c8"></a> 
   <p>This is an example of an informative example.</p>
  </div>
  <p>Informative notes begin with the word “Note” and are set apart from the
    normative text with <code>class="note"</code>, like this: </p>
  <p class="note" role="note">Note, this is an informative note.</p>
  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#source-list-allows-all-inline-behavior">allow all inline behavior</a><span>, in §6.6.2.2</span>
   <li><a href="#source-list-allows-all-inline-behavior">allows all inline behavior</a><span>, in §6.6.2.2</span>
   <li><a href="#grammardef-ancestor-source">ancestor-source</a><span>, in §6.3.2</span>
   <li><a href="#grammardef-ancestor-source-list">ancestor-source-list</a><span>, in §6.3.2</span>
   <li><a href="#grammardef-base64-value">base64-value</a><span>, in §2.3.1</span>
   <li><a href="#base-uri">base-uri</a><span>, in §6.2.1</span>
   <li>
    blockedURI
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-blockeduri">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-blockeduri">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#child-src">child-src</a><span>, in §6.1.1</span>
   <li><a href="#violation-column-number">column number</a><span>, in §2.4</span>
   <li>
    columnNumber
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-columnnumber">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-columnnumber">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#connect-src">connect-src</a><span>, in §6.1.2</span>
   <li><a href="#contains-a-header-delivered-content-security-policy">contains a header-delivered Content Security Policy</a><span>, in §2.2</span>
   <li><a href="#header-content-security-policy">Content-Security-Policy</a><span>, in §3.1</span>
   <li><a href="#content-security-policy">Content Security Policy</a><span>, in §1</span>
   <li><a href="#content-security-policy-object">content security policy object</a><span>, in §2.2</span>
   <li><a href="#header-content-security-policy-report-only">Content-Security-Policy-Report-Only</a><span>, in §3.2</span>
   <li>
    CSP list
    <ul>
     <li><a href="#csp-list">definition of</a><span>, in §2.2</span>
     <li><a href="#global-object-csp-list">dfn for global object</a><span>, in §4.2</span>
    </ul>
   <li><a href="#default-src">default-src</a><span>, in §6.1.3</span>
   <li><a href="#grammardef-directive-name">directive-name</a><span>, in §2.3</span>
   <li><a href="#directives">directives</a><span>, in §2.3</span>
   <li><a href="#policy-directive-set">directive set</a><span>, in §2.2</span>
   <li><a href="#grammardef-directive-value">directive-value</a><span>, in §2.3</span>
   <li><a href="#disown-opener">disown-opener</a><span>, in §6.2.4</span>
   <li>
    disposition
    <ul>
     <li><a href="#policy-disposition">dfn for policy</a><span>, in §2.2</span>
     <li><a href="#violation-disposition">dfn for violation</a><span>, in §2.4</span>
     <li><a href="#dom-securitypolicyviolationevent-disposition">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-disposition">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li>
    documentURI
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-documenturi">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-documenturi">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li>
    effective directive
    <ul>
     <li><a href="#violation-effective-directive">dfn for violation</a><span>, in §2.4</span>
     <li><a href="#request-effective-directive">dfn for request</a><span>, in §6.6.1.11</span>
    </ul>
   <li>
    effectiveDirective
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-effectivedirective">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-effectivedirective">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#violation-element">element</a><span>, in §2.4</span>
   <li><a href="#embedding-document">embedding document</a><span>, in §4.2</span>
   <li><a href="#dom-securitypolicyviolationeventdisposition-enforce">enforce</a><span>, in §5.1</span>
   <li><a href="#dom-securitypolicyviolationeventdisposition-enforce">"enforce"</a><span>, in §5.1</span>
   <li><a href="#enforced">enforced</a><span>, in §4.2</span>
   <li><a href="#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source)</a><span>, in §4.3</span>
   <li><a href="#fetch-directives">Fetch directives</a><span>, in §6.1</span>
   <li><a href="#font-src">font-src</a><span>, in §6.1.4</span>
   <li><a href="#form-action">form-action</a><span>, in §6.3.1</span>
   <li><a href="#frame-ancestors">frame-ancestors</a><span>, in §6.3.2</span>
   <li><a href="#frame-src">frame-src</a><span>, in §6.1.5</span>
   <li><a href="#violation-global-object">global object</a><span>, in §2.4</span>
   <li><a href="#grammardef-hash-algorithm">hash-algorithm</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-hash-source">hash-source</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-host-char">host-char</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-host-part">host-part</a><span>, in §2.3.1</span>
   <li><a href="#host-part-match">host-part match</a><span>, in §6.6.1.8</span>
   <li><a href="#grammardef-host-source">host-source</a><span>, in §2.3.1</span>
   <li><a href="#img-src">img-src</a><span>, in §6.1.6</span>
   <li><a href="#directive-initialization">initialization</a><span>, in §2.3</span>
   <li><a href="#directive-inline-check">inline check</a><span>, in §2.3</span>
   <li><a href="#grammardef-keyword-source">keyword-source</a><span>, in §2.3.1</span>
   <li><a href="#violation-line-number">line number</a><span>, in §2.4</span>
   <li>
    lineNumber
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-linenumber">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-linenumber">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#manifest-src">manifest-src</a><span>, in §6.1.7</span>
   <li><a href="#media-src">media-src</a><span>, in §6.1.8</span>
   <li><a href="#grammardef-media-type">media-type</a><span>, in §6.2.2</span>
   <li><a href="#grammardef-media-type-list">media-type-list</a><span>, in §6.2.2</span>
   <li><a href="#monitored">monitored</a><span>, in §4.2</span>
   <li><a href="#directive-name">name</a><span>, in §2.3</span>
   <li><a href="#directive-navigation-response-check">navigation response check</a><span>, in §2.3</span>
   <li><a href="#navigation-to">navigation-to</a><span>, in §6.3.3</span>
   <li><a href="#grammardef-nonce-source">nonce-source</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-none">'none'</a><span>, in §2.3.1</span>
   <li><a href="#object-src">object-src</a><span>, in §6.1.9</span>
   <li>
    originalPolicy
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-originalpolicy">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-originalpolicy">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#abstract-opdef-parse-a-serialized-csp">parse a serialized CSP</a><span>, in §2.2.1</span>
   <li><a href="#abstract-opdef-parse-a-serialized-csp-list">parse a serialized CSP list</a><span>, in §2.2.2</span>
   <li><a href="#grammardef-path-part">path-part</a><span>, in §2.3.1</span>
   <li><a href="#path-part-match">path-part match</a><span>, in §6.6.1.10</span>
   <li><a href="#plugin-types">plugin-types</a><span>, in §6.2.2</span>
   <li><a href="#plugin-types-post-request-check">plugin-types Post-Request Check</a><span>, in §6.2.2</span>
   <li>
    policy
    <ul>
     <li><a href="#content-security-policy-object">definition of</a><span>, in §2.2</span>
     <li><a href="#violation-policy">dfn for violation</a><span>, in §2.4</span>
    </ul>
   <li><a href="#grammardef-port-part">port-part</a><span>, in §2.3.1</span>
   <li><a href="#port-part-matches">port-part matches</a><span>, in §6.6.1.9</span>
   <li><a href="#directive-post-request-check">post-request check</a><span>, in §2.3</span>
   <li><a href="#directive-pre-navigation-check">pre-navigation check</a><span>, in §2.3</span>
   <li><a href="#directive-pre-request-check">pre-request check</a><span>, in §2.3</span>
   <li>
    referrer
    <ul>
     <li><a href="#violation-referrer">dfn for violation</a><span>, in §2.4</span>
     <li><a href="#dom-securitypolicyviolationevent-referrer">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-referrer">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#dom-securitypolicyviolationeventdisposition-report">report</a><span>, in §5.1</span>
   <li><a href="#dom-securitypolicyviolationeventdisposition-report">"report"</a><span>, in §5.1</span>
   <li><a href="#grammardef-report-sample">'report-sample'</a><span>, in §2.3.1</span>
   <li><a href="#report-to">report-to</a><span>, in §6.4.2</span>
   <li><a href="#report-uri">report-uri</a><span>, in §6.4.1</span>
   <li><a href="#violation-resource">resource</a><span>, in §2.4</span>
   <li><a href="#directive-response-check">response check</a><span>, in §2.3</span>
   <li>
    sample
    <ul>
     <li><a href="#violation-sample">dfn for violation</a><span>, in §2.4</span>
     <li><a href="#dom-securitypolicyviolationevent-sample">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-sample">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#sandbox">sandbox</a><span>, in §6.2.3</span>
   <li><a href="#grammardef-scheme-part">scheme-part</a><span>, in §2.3.1</span>
   <li><a href="#scheme-part-match">scheme-part match</a><span>, in §6.6.1.7</span>
   <li><a href="#grammardef-scheme-source">scheme-source</a><span>, in §2.3.1</span>
   <li><a href="#script-src">script-src</a><span>, in §6.1.10</span>
   <li><a href="#securitypolicyviolationevent">SecurityPolicyViolationEvent</a><span>, in §5.1</span>
   <li><a href="#enumdef-securitypolicyviolationeventdisposition">SecurityPolicyViolationEventDisposition</a><span>, in §5.1</span>
   <li><a href="#dictdef-securitypolicyviolationeventinit">SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
   <li><a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent">SecurityPolicyViolationEvent(type)</a><span>, in §5.1</span>
   <li><a href="#dom-securitypolicyviolationevent-securitypolicyviolationevent">SecurityPolicyViolationEvent(type, eventInitDict)</a><span>, in §5.1</span>
   <li><a href="#grammardef-self">'self'</a><span>, in §2.3.1</span>
   <li><a href="#serialized-csp">serialized CSP</a><span>, in §2.2</span>
   <li><a href="#serialized-csp-list">serialized CSP list</a><span>, in §2.2</span>
   <li><a href="#serialized-directive">serialized directive</a><span>, in §2.3</span>
   <li><a href="#grammardef-serialized-directive">serialized-directive</a><span>, in §2.3</span>
   <li><a href="#grammardef-serialized-policy">serialized-policy</a><span>, in §2.2</span>
   <li><a href="#grammardef-serialized-policy-list">serialized-policy-list</a><span>, in §2.2</span>
   <li><a href="#serialized-source-list">serialized source list</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-serialized-source-list">serialized-source-list</a><span>, in §2.3.1</span>
   <li><a href="#should-plugin-element-be-blocked-a-priori-by-content-security-policy">Should plugin element be blocked a priori by Content Security Policy?:</a><span>, in §6.2.2.1</span>
   <li><a href="#policy-source">source</a><span>, in §2.2</span>
   <li><a href="#grammardef-source-expression">source-expression</a><span>, in §2.3.1</span>
   <li><a href="#source-expression">source expression</a><span>, in §2.3.1</span>
   <li><a href="#violation-source-file">source file</a><span>, in §2.4</span>
   <li>
    sourceFile
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-sourcefile">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-sourcefile">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#source-lists">source lists</a><span>, in §2.3.1</span>
   <li><a href="#violation-status">status</a><span>, in §2.4</span>
   <li>
    statusCode
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-statuscode">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-statuscode">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#grammardef-strict-dynamic">'strict-dynamic'</a><span>, in §2.3.1</span>
   <li><a href="#style-src">style-src</a><span>, in §6.1.11</span>
   <li><a href="#grammardef-unsafe-eval">'unsafe-eval'</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-unsafe-hashed-attributes">'unsafe-hashed-attributes'</a><span>, in §2.3.1</span>
   <li><a href="#grammardef-unsafe-inline">'unsafe-inline'</a><span>, in §2.3.1</span>
   <li><a href="#violation-url">url</a><span>, in §2.4</span>
   <li><a href="#directive-value">value</a><span>, in §2.3</span>
   <li>
    violatedDirective
    <ul>
     <li><a href="#dom-securitypolicyviolationevent-violateddirective">attribute for SecurityPolicyViolationEvent</a><span>, in §5.1</span>
     <li><a href="#dom-securitypolicyviolationeventinit-violateddirective">dict-member for SecurityPolicyViolationEventInit</a><span>, in §5.1</span>
    </ul>
   <li><a href="#violation">violation</a><span>, in §2.4</span>
   <li><a href="#violation-report">violation report</a><span>, in §5</span>
   <li><a href="#worker-src">worker-src</a><span>, in §6.1.12</span>
  </ul>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[CSP3]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/CSP3/#header-content-security-policy">content-security-policy</a>
     <li><a href="https://www.w3.org/TR/CSP3/#parse-serialized-policy">parse a serialized csp</a>
    </ul>
   <li>
    <a data-link-type="biblio">[css-cascade-4]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/css-cascade-4/#at-ruledef-import">@import</a>
    </ul>
   <li>
    <a data-link-type="biblio">[CSSOM]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/cssom-1/#insert-a-css-rule">insert a css rule</a>
     <li><a href="https://www.w3.org/TR/cssom-1/#parse-a-css-declaration-block">parse a css declaration block</a>
     <li><a href="https://www.w3.org/TR/cssom-1/#parse-a-css-rule">parse a css rule</a>
     <li><a href="https://www.w3.org/TR/cssom-1/#parse-a-group-of-selectors">parse a group of selectors</a>
    </ul>
   <li>
    <a data-link-type="biblio">[DOM]</a> defines the following terms:
    <ul>
     <li><a href="https://dom.spec.whatwg.org/#document">Document</a>
     <li><a href="https://dom.spec.whatwg.org/#element">Element</a>
     <li><a href="https://dom.spec.whatwg.org/#event">Event</a>
     <li><a href="https://dom.spec.whatwg.org/#dictdef-eventinit">EventInit</a>
     <li><a href="https://dom.spec.whatwg.org/#dom-event-bubbles">bubbles</a>
     <li><a href="https://dom.spec.whatwg.org/#dom-event-composed">composed</a>
     <li><a href="https://dom.spec.whatwg.org/#connected">connected</a>
     <li><a href="https://dom.spec.whatwg.org/#concept-event-fire">fire an event</a>
     <li><a href="https://dom.spec.whatwg.org/#concept-node-document">node document</a>
     <li><a href="https://dom.spec.whatwg.org/#concept-shadow-including-root">shadow-including root</a>
     <li><a href="https://dom.spec.whatwg.org/#dom-event-target">target</a>
     <li><a href="https://dom.spec.whatwg.org/#dom-node-textcontent">textContent</a>
    </ul>
   <li>
    <a data-link-type="biblio">[ECMA262]</a> defines the following terms:
    <ul>
     <li><a href="https://tc39.github.io/ecma262#sec-function-objects">Function()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-json.stringify">JSON.stringify()</a>
     <li><a href="https://tc39.github.io/ecma262#sec-eval-x">eval()</a>
     <li><a href="https://tc39.github.io/ecma262#realm">realm</a>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-body">body</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-credentials-mode">credentials mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-csp-list">csp list</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-current-url">current url</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-destination">destination</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-header-extract-mime-type">extract a mime type</a>
     <li><a href="https://fetch.spec.whatwg.org/#extract-header-list-values">extracting header list values</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-fetch">fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-header-list">header list <small>(for request)</small></a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-header-list">header list <small>(for response)</small></a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-http-fetch">http fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-http-network-fetch">http-network fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-integrity-metadata">integrity metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#request-keepalive-flag">keepalive flag</a>
     <li><a href="https://fetch.spec.whatwg.org/#local-scheme">local scheme</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-main-fetch">main fetch</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-method">method</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-mode">mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-network-error">network error</a>
     <li><a href="https://fetch.spec.whatwg.org/#network-scheme">network scheme</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-origin">origin</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-redirect-count">redirect count</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request">request</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response">response</a>
     <li><a href="https://fetch.spec.whatwg.org/#request-destination-script-like">script-like</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-target-browsing-context">target browsing context</a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-url">url <small>(for request)</small></a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-response-url">url <small>(for response)</small></a>
     <li><a href="https://fetch.spec.whatwg.org/#concept-request-window">window</a>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><a href="https://html.spec.whatwg.org/multipage/scripting.html#parser-inserted">"parser-inserted"</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#dedicatedworkerglobalscope">DedicatedWorkerGlobalScope</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#sharedworker">SharedWorker</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#sharedworkerglobalscope">SharedWorkerGlobalScope</a>
     <li><a href="https://html.spec.whatwg.org/multipage/window-object.html#window">Window</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#worker">Worker</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#workerglobalscope">WorkerGlobalScope</a>
     <li><a href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#the-a-element">a</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#active-document">active document</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#an-iframe-srcdoc-document">an iframe srcdoc document</a>
     <li><a href="https://html.spec.whatwg.org/multipage/obsolete.html#applet">applet</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin">ascii serialization of an origin</a>
     <li><a href="https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window">associated document</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#the-base-element">base</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/infrastructure.html#case-sensitive">case-sensitive</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-content">content</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-content-security-policy">content security policy state</a>
     <li><a href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-csp-list">csp list</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#current-settings-object">current settings object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-object-data">data</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#disowned-its-opener">disown its opener</a>
     <li><a href="https://html.spec.whatwg.org/multipage/window-object.html#dom-document-2">document</a>
     <li><a href="https://html.spec.whatwg.org/multipage/parsing.html#parse-error-duplicate-attribute">duplicate-attribute</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element">embed</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#event-handler-idl-attributes">event handler idl attribute</a>
     <li><a href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#fallback-base-url">fallback base url</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#forced-sandboxing-flag-set">forced sandboxing flag set</a>
     <li><a href="https://html.spec.whatwg.org/multipage/forms.html#the-form-element">form</a>
     <li><a href="https://html.spec.whatwg.org/multipage/obsolete.html#frame">frame</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#global-object">global object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-realm-global">global object <small>(for Realm)</small></a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-global">global object <small>(for environment settings object)</small></a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-base-href">href</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv">http-equiv</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">iframe</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object">initializing a new document object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#the-link-element">link</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#meta">meta</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context">nested browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-nested-through">nested through</a>
     <li><a href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#dom-noncedelement-nonce">nonce</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element">object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#opener-browsing-context">opener browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin">origin</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-settings-object-origin">origin <small>(for environment settings object)</small></a>
     <li><a href="https://html.spec.whatwg.org/#concept-WorkerGlobalScope-owner-set">owner set</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#parent-browsing-context">parent browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#parse-a-sandboxing-directive">parse a sandboxing directive</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-script-parse-error">parse error</a>
     <li><a href="https://html.spec.whatwg.org/multipage/text-level-semantics.html#dom-a-ping">ping</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#plugin-document">plugin document</a>
     <li><a href="https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script">prepare a script</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch">process a navigate fetch</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response">process a navigate response</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#queue-a-task">queue a task</a>
     <li><a href="https://html.spec.whatwg.org/multipage/dom.html#dom-document-referrer">referrer</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#concept-relevant-global">relevant global object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#relevant-settings-object">relevant settings object</a>
     <li><a href="https://html.spec.whatwg.org/multipage/webappapis.html#responsible-browsing-context">responsible browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/workers.html#run-a-worker">run a worker</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox">sandbox</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-origin-browsing-context-flag">sandboxed origin browsing context flag</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#sandboxed-scripts-browsing-context-flag">sandboxed scripts browsing context flag</a>
     <li><a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-scheme">scheme</a>
     <li><a href="https://html.spec.whatwg.org/multipage/scripting.html#script">script</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url">set the frozen base url</a>
     <li><a href="https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-setinterval">setInterval()</a>
     <li><a href="https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#dom-settimeout">setTimeout()</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#the-style-element">style</a>
     <li><a href="https://html.spec.whatwg.org/multipage/scripting.html#dom-script-text">text</a>
     <li><a href="https://html.spec.whatwg.org/multipage/browsers.html#top-level-browsing-context">top-level browsing context</a>
     <li><a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-embed-type">type</a>
     <li><a href="https://html.spec.whatwg.org/multipage/semantics.html#update-a-style-block">update a style block</a>
    </ul>
   <li>
    <a data-link-type="biblio">[INFRA]</a> defines the following terms:
    <ul>
     <li><a href="https://infra.spec.whatwg.org/#list-append">append <small>(for list)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#set-append">append <small>(for set)</small></a>
     <li><a href="https://infra.spec.whatwg.org/#ascii-case-insensitive">ascii case-insensitive</a>
     <li><a href="https://infra.spec.whatwg.org/#ascii-string">ascii string</a>
     <li><a href="https://infra.spec.whatwg.org/#ascii-whitespace">ascii whitespace</a>
     <li><a href="https://infra.spec.whatwg.org/#collect-a-sequence-of-code-points">collecting a sequence of code points</a>
     <li><a href="https://infra.spec.whatwg.org/#list-contain">contain</a>
     <li><a href="https://infra.spec.whatwg.org/#iteration-continue">continue</a>
     <li><a href="https://infra.spec.whatwg.org/#list-is-empty">is empty</a>
     <li><a href="https://infra.spec.whatwg.org/#list">list</a>
     <li><a href="https://infra.spec.whatwg.org/#ordered-set">ordered set</a>
     <li><a href="https://infra.spec.whatwg.org/#ordered-set">set</a>
     <li><a href="https://infra.spec.whatwg.org/#split-on-ascii-whitespace">split a string on ascii whitespace</a>
     <li><a href="https://infra.spec.whatwg.org/#split-on-commas">split a string on commas</a>
     <li><a href="https://infra.spec.whatwg.org/#strictly-split">strictly split a string</a>
     <li><a href="https://infra.spec.whatwg.org/#string">string</a>
     <li><a href="https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace">strip leading and trailing ascii whitespace</a>
    </ul>
   <li>
    <a data-link-type="biblio">[MIMESNIFF]</a> defines the following terms:
    <ul>
     <li><a href="https://mimesniff.spec.whatwg.org/#valid-mime-type">valid mime type</a>
    </ul>
   <li>
    <a data-link-type="biblio">[REPORTING]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/reporting/#group">group</a>
     <li><a href="https://w3c.github.io/reporting/#queue-report">queue report</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc2045]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc2045#section-5.1">subtype</a>
     <li><a href="https://tools.ietf.org/html/rfc2045#section-5.1">type</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC3986]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.2.2">ipv4address</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.3">path-absolute</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-3.1">scheme</a>
     <li><a href="https://tools.ietf.org/html/rfc3986#section-4.1">uri-reference</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc4648]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc4648#section-4">base64 encoding</a>
     <li><a href="https://tools.ietf.org/html/rfc4648#section-5">base64url encoding</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC5234]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">alpha</a>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">digit</a>
     <li><a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">vchar</a>
    </ul>
   <li>
    <a data-link-type="biblio">[RFC7230]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">ows</a>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.3">rws</a>
     <li><a href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a>
    </ul>
   <li>
    <a data-link-type="biblio">[rfc7231]</a> defines the following terms:
    <ul>
     <li><a href="https://tools.ietf.org/html/rfc7231#section-3">representation</a>
     <li><a href="https://tools.ietf.org/html/rfc7231#section-3">resource representation</a>
    </ul>
   <li>
    <a data-link-type="biblio">[service-workers-1]</a> defines the following terms:
    <ul>
     <li><a href="https://w3c.github.io/ServiceWorker/#serviceworker">ServiceWorker</a>
     <li><a href="https://w3c.github.io/ServiceWorker/#serviceworkerglobalscope">ServiceWorkerGlobalScope</a>
    </ul>
   <li>
    <a data-link-type="biblio">[SHA2]</a> defines the following terms:
    <ul>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-256</a>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-384</a>
     <li><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#">sha-512</a>
    </ul>
   <li>
    <a data-link-type="biblio">[URL]</a> defines the following terms:
    <ul>
     <li><a href="https://url.spec.whatwg.org/#url">URL</a>
     <li><a href="https://url.spec.whatwg.org/#concept-base-url">base url</a>
     <li><a href="https://url.spec.whatwg.org/#default-port">default port</a>
     <li><a href="https://url.spec.whatwg.org/#dom-url-host">host <small>(for URL)</small></a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-host">host <small>(for url)</small></a>
     <li><a href="https://url.spec.whatwg.org/#concept-ipv6">ipv6 address</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-origin">origin</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-path">path</a>
     <li><a href="https://url.spec.whatwg.org/#percent-decode">percent decode</a>
     <li><a href="https://url.spec.whatwg.org/#dom-url-port">port <small>(for URL)</small></a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-port">port <small>(for url)</small></a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-scheme">scheme</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-parser">url parser</a>
     <li><a href="https://url.spec.whatwg.org/#concept-url-serializer">url serializer</a>
    </ul>
   <li>
    <a data-link-type="biblio">[WebIDL]</a> defines the following terms:
    <ul>
     <li><a href="https://heycam.github.io/webidl/#idl-DOMString">DOMString</a>
     <li><a href="https://heycam.github.io/webidl/#idl-long">long</a>
     <li><a href="https://heycam.github.io/webidl/#idl-unsigned-short">unsigned short</a>
    </ul>
   <li>
    <a data-link-type="biblio">[worklets-1]</a> defines the following terms:
    <ul>
     <li><a href="https://www.w3.org/TR/worklets-1/#workletglobalscope">WorkletGlobalScope</a>
     <li><a href="https://drafts.css-houdini.org/worklets/#workletglobalscope-owner-document">owner document</a>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-csp3">[CSP3]
   <dd>Mike West. <a href="https://www.w3.org/TR/CSP3/">Content Security Policy Level 3</a>. 13 September 2016. WD. URL: <a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
   <dt id="biblio-css-cascade-4">[CSS-CASCADE-4]
   <dd>Elika Etemad; Tab Atkins Jr.. <a href="https://www.w3.org/TR/css-cascade-4/">CSS Cascading and Inheritance Level 4</a>. 14 January 2016. CR. URL: <a href="https://www.w3.org/TR/css-cascade-4/">https://www.w3.org/TR/css-cascade-4/</a>
   <dt id="biblio-cssom">[CSSOM]
   <dd>Simon Pieters; Glenn Adams. <a href="https://www.w3.org/TR/cssom-1/">CSS Object Model (CSSOM)</a>. 17 March 2016. WD. URL: <a href="https://www.w3.org/TR/cssom-1/">https://www.w3.org/TR/cssom-1/</a>
   <dt id="biblio-dom">[DOM]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-ecma262">[ECMA262]
   <dd>Brian Terlson; Allen Wirfs-Brock. <a href="https://tc39.github.io/ecma262/">ECMAScript® Language Specification</a>. URL: <a href="https://tc39.github.io/ecma262/">https://tc39.github.io/ecma262/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-infra">[INFRA]
   <dd>Anne van Kesteren; Domenic Denicola. <a href="https://infra.spec.whatwg.org/">Infra Standard</a>. Living Standard. URL: <a href="https://infra.spec.whatwg.org/">https://infra.spec.whatwg.org/</a>
   <dt id="biblio-mimesniff">[MIMESNIFF]
   <dd>Gordon P. Hemsley. <a href="https://mimesniff.spec.whatwg.org/">MIME Sniffing Standard</a>. Living Standard. URL: <a href="https://mimesniff.spec.whatwg.org/">https://mimesniff.spec.whatwg.org/</a>
   <dt id="biblio-reporting">[REPORTING]
   <dd>Ilya Gregorik; Mike West. <a href="https://wicg.github.io/reporting/">Reporting API</a>. URL: <a href="https://wicg.github.io/reporting/">https://wicg.github.io/reporting/</a>
   <dt id="biblio-rfc2045">[RFC2045]
   <dd>N. Freed; N. Borenstein. <a href="https://tools.ietf.org/html/rfc2045">Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</a>. November 1996. Draft Standard. URL: <a href="https://tools.ietf.org/html/rfc2045">https://tools.ietf.org/html/rfc2045</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3492">[RFC3492]
   <dd>A. Costello. <a href="https://tools.ietf.org/html/rfc3492">Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)</a>. March 2003. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc3492">https://tools.ietf.org/html/rfc3492</a>
   <dt id="biblio-rfc3864">[RFC3864]
   <dd>G. Klyne; M. Nottingham; J. Mogul. <a href="https://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>. September 2004. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc3864">https://tools.ietf.org/html/rfc3864</a>
   <dt id="biblio-rfc3986">[RFC3986]
   <dd>T. Berners-Lee; R. Fielding; L. Masinter. <a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>. January 2005. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc3986">https://tools.ietf.org/html/rfc3986</a>
   <dt id="biblio-rfc4648">[RFC4648]
   <dd>S. Josefsson. <a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>. October 2006. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc4648">https://tools.ietf.org/html/rfc4648</a>
   <dt id="biblio-rfc5234">[RFC5234]
   <dd>D. Crocker, Ed.; P. Overell. <a href="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>. January 2008. Internet Standard. URL: <a href="https://tools.ietf.org/html/rfc5234">https://tools.ietf.org/html/rfc5234</a>
   <dt id="biblio-rfc7034">[RFC7034]
   <dd>D. Ross; T. Gondrom. <a href="https://tools.ietf.org/html/rfc7034">HTTP Header Field X-Frame-Options</a>. October 2013. Informational. URL: <a href="https://tools.ietf.org/html/rfc7034">https://tools.ietf.org/html/rfc7034</a>
   <dt id="biblio-rfc7230">[RFC7230]
   <dd>R. Fielding, Ed.; J. Reschke, Ed.. <a href="https://tools.ietf.org/html/rfc7230">Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</a>. June 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7230">https://tools.ietf.org/html/rfc7230</a>
   <dt id="biblio-rfc7231">[RFC7231]
   <dd>R. Fielding, Ed.; J. Reschke, Ed.. <a href="https://tools.ietf.org/html/rfc7231">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a>. June 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a>
   <dt id="biblio-rfc7762">[RFC7762]
   <dd>M. West. <a href="https://tools.ietf.org/html/rfc7762">Initial Assignment for the Content Security Policy Directives Registry</a>. January 2016. Informational. URL: <a href="https://tools.ietf.org/html/rfc7762">https://tools.ietf.org/html/rfc7762</a>
   <dt id="biblio-rfc8288">[RFC8288]
   <dd>M. Nottingham. <a href="https://tools.ietf.org/html/rfc8288">Web Linking</a>. October 2017. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc8288">https://tools.ietf.org/html/rfc8288</a>
   <dt id="biblio-service-workers-1">[SERVICE-WORKERS-1]
   <dd>Alex Russell; et al. <a href="https://www.w3.org/TR/service-workers-1/">Service Workers 1</a>. 2 November 2017. WD. URL: <a href="https://www.w3.org/TR/service-workers-1/">https://www.w3.org/TR/service-workers-1/</a>
   <dt id="biblio-sha2">[SHA2]
   <dd><a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS PUB 180-4, Secure Hash Standard</a>. URL: <a href="http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf</a>
   <dt id="biblio-sri">[SRI]
   <dd>Devdatta Akhawe; et al. <a href="https://www.w3.org/TR/SRI/">Subresource Integrity</a>. 23 June 2016. REC. URL: <a href="https://www.w3.org/TR/SRI/">https://www.w3.org/TR/SRI/</a>
   <dt id="biblio-url">[URL]
   <dd>Anne van Kesteren. <a href="https://url.spec.whatwg.org/">URL Standard</a>. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a>
   <dt id="biblio-webidl">[WebIDL]
   <dd>Cameron McCormack; Boris Zbarsky; Tobie Langel. <a href="https://heycam.github.io/webidl/">Web IDL</a>. 15 December 2016. ED. URL: <a href="https://heycam.github.io/webidl/">https://heycam.github.io/webidl/</a>
   <dt id="biblio-worklets-1">[WORKLETS-1]
   <dd>Ian Kilpatrick. <a href="https://www.w3.org/TR/worklets-1/">Worklets Level 1</a>. 7 June 2016. WD. URL: <a href="https://www.w3.org/TR/worklets-1/">https://www.w3.org/TR/worklets-1/</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-appmanifest">[APPMANIFEST]
   <dd>Marcos Caceres; et al. <a href="https://www.w3.org/TR/appmanifest/">Web App Manifest</a>. 26 October 2017. WD. URL: <a href="https://www.w3.org/TR/appmanifest/">https://www.w3.org/TR/appmanifest/</a>
   <dt id="biblio-beacon">[BEACON]
   <dd>Ilya Grigorik; et al. <a href="https://www.w3.org/TR/beacon/">Beacon</a>. 13 April 2017. CR. URL: <a href="https://www.w3.org/TR/beacon/">https://www.w3.org/TR/beacon/</a>
   <dt id="biblio-csp2">[CSP2]
   <dd>Mike West; Adam Barth; Daniel Veditz. <a href="https://www.w3.org/TR/CSP2/">Content Security Policy Level 2</a>. 15 December 2016. REC. URL: <a href="https://www.w3.org/TR/CSP2/">https://www.w3.org/TR/CSP2/</a>
   <dt id="biblio-css-abuse">[CSS-ABUSE]
   <dd>Chris Evans. <a href="https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">Generic cross-browser cross-domain theft</a>. 28 December 2009. URL: <a href="https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html</a>
   <dt id="biblio-eventsource">[EVENTSOURCE]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/eventsource/">Server-Sent Events</a>. 3 February 2015. REC. URL: <a href="https://www.w3.org/TR/eventsource/">https://www.w3.org/TR/eventsource/</a>
   <dt id="biblio-filedescriptor-2015">[FILEDESCRIPTOR-2015]
   <dd>filedescriptor. <a href="https://blog.innerht.ml/csp-2015/#danglingmarkupinjection">CSP 2015</a>. 23 November 2015. URL: <a href="https://blog.innerht.ml/csp-2015/#danglingmarkupinjection">https://blog.innerht.ml/csp-2015/#danglingmarkupinjection</a>
   <dt id="biblio-h5sc3">[H5SC3]
   <dd>Mario Heiderich. <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22">H5SC Minichallenge 3: "Sh*t, it's CSP!"</a>. URL: <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22">https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22</a>
   <dt id="biblio-html-design">[HTML-DESIGN]
   <dd>Anne Van Kesteren; Maciej Stachowiak. <a href="https://www.w3.org/TR/html-design-principles/">HTML Design Principles</a>. URL: <a href="https://www.w3.org/TR/html-design-principles/">https://www.w3.org/TR/html-design-principles/</a>
   <dt id="biblio-mix">[MIX]
   <dd>Mike West. <a href="https://www.w3.org/TR/mixed-content/">Mixed Content</a>. 2 August 2016. CR. URL: <a href="https://www.w3.org/TR/mixed-content/">https://www.w3.org/TR/mixed-content/</a>
   <dt id="biblio-timing">[TIMING]
   <dd>Paul Stone. <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">Pixel Perfect Timing Attacks with HTML5</a>. URL: <a href="http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf">http://www.contextis.com/documents/2/Browser_Timing_Attacks.pdf</a>
   <dt id="biblio-uisecurity">[UISECURITY]
   <dd>Brad Hill. <a href="https://www.w3.org/TR/UISecurity/">User Interface Security and the Visibility API</a>. 7 June 2016. WD. URL: <a href="https://www.w3.org/TR/UISecurity/">https://www.w3.org/TR/UISecurity/</a>
   <dt id="biblio-upgrade-insecure-requests">[UPGRADE-INSECURE-REQUESTS]
   <dd>Mike West. <a href="https://www.w3.org/TR/upgrade-insecure-requests/">Upgrade Insecure Requests</a>. 8 October 2015. CR. URL: <a href="https://www.w3.org/TR/upgrade-insecure-requests/">https://www.w3.org/TR/upgrade-insecure-requests/</a>
   <dt id="biblio-websockets">[WEBSOCKETS]
   <dd>Ian Hickson. <a href="https://www.w3.org/TR/websockets/">The WebSocket API</a>. 20 September 2012. CR. URL: <a href="https://www.w3.org/TR/websockets/">https://www.w3.org/TR/websockets/</a>
   <dt id="biblio-xhr">[XHR]
   <dd>Anne van Kesteren. <a href="https://xhr.spec.whatwg.org/">XMLHttpRequest Standard</a>. Living Standard. URL: <a href="https://xhr.spec.whatwg.org/">https://xhr.spec.whatwg.org/</a>
   <dt id="biblio-xslt">[XSLT]
   <dd>James Clark. <a href="https://www.w3.org/TR/xslt/">XSL Transformations (XSLT) Version 1.0</a>. 16 November 1999. REC. URL: <a href="https://www.w3.org/TR/xslt/">https://www.w3.org/TR/xslt/</a>
  </dl>
  <h2 class="no-num no-ref heading settled" id="idl-index"><span class="content">IDL Index</span><a class="self-link" href="#idl-index"></a></h2>
<pre class="idl highlight def"><span class="kt">enum</span> <a class="nv" href="#enumdef-securitypolicyviolationeventdisposition"><code>SecurityPolicyViolationEventDisposition</code></a> {
  <a class="s" href="#dom-securitypolicyviolationeventdisposition-enforce"><code>"enforce"</code></a>, <a class="s" href="#dom-securitypolicyviolationeventdisposition-report"><code>"report"</code></a>
};

[<a class="nv" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent"><code>Constructor</code></a>(<a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑧"><span class="kt">DOMString</span></a> <a class="nv" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-type"><code>type</code></a>, <span class="kt">optional</span> <a class="n" data-link-type="idl-name" href="#dictdef-securitypolicyviolationeventinit" id="ref-for-dictdef-securitypolicyviolationeventinit①">SecurityPolicyViolationEventInit</a> <a class="nv" href="#dom-securitypolicyviolationevent-securitypolicyviolationevent-type-eventinitdict-eventinitdict"><code>eventInitDict</code></a>)]
<span class="kt">interface</span> <a class="nv" href="#securitypolicyviolationevent"><code>SecurityPolicyViolationEvent</code></a> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#event" id="ref-for-event①">Event</a> {
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑦"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-documenturi"><code>documentURI</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString②①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-referrer"><code>referrer</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString③①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-blockeduri"><code>blockedURI</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString④①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-violateddirective"><code>violatedDirective</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑤①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-effectivedirective"><code>effectiveDirective</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑥①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-originalpolicy"><code>originalPolicy</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑦①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-sourcefile"><code>sourceFile</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑧①"><span class="kt">DOMString</span></a>      <a class="nv" data-readonly="" data-type="DOMString" href="#dom-securitypolicyviolationevent-sample"><code>sample</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n" data-link-type="idl-name" href="#enumdef-securitypolicyviolationeventdisposition" id="ref-for-enumdef-securitypolicyviolationeventdisposition②">SecurityPolicyViolationEventDisposition</a>      <a class="nv" data-readonly="" data-type="SecurityPolicyViolationEventDisposition" href="#dom-securitypolicyviolationevent-disposition"><code>disposition</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-short" id="ref-for-idl-unsigned-short②"><span class="kt">unsigned</span> <span class="kt">short</span></a> <a class="nv" data-readonly="" data-type="unsigned short" href="#dom-securitypolicyviolationevent-statuscode"><code>statusCode</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long④"><span class="kt">long</span></a>           <a class="nv" data-readonly="" data-type="long" href="#dom-securitypolicyviolationevent-linenumber"><code>lineNumber</code></a>;
    <span class="kt">readonly</span>    <span class="kt">attribute</span> <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long①①"><span class="kt">long</span></a>           <a class="nv" data-readonly="" data-type="long" href="#dom-securitypolicyviolationevent-columnnumber"><code>columnNumber</code></a>;
};

<span class="kt">dictionary</span> <a class="nv" href="#dictdef-securitypolicyviolationeventinit"><code>SecurityPolicyViolationEventInit</code></a> : <a class="n" data-link-type="idl-name" href="https://dom.spec.whatwg.org/#dictdef-eventinit" id="ref-for-dictdef-eventinit①">EventInit</a> {
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString⑨①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-documenturi"><code>documentURI</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⓪①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-referrer"><code>referrer</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①①①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-blockeduri"><code>blockedURI</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①②①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-violateddirective"><code>violatedDirective</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①③①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-effectivedirective"><code>effectiveDirective</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①④①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-originalpolicy"><code>originalPolicy</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑤①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-sourcefile"><code>sourceFile</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-DOMString" id="ref-for-idl-DOMString①⑥①"><span class="kt">DOMString</span></a>      <a class="nv" data-type="DOMString      " href="#dom-securitypolicyviolationeventinit-sample"><code>sample</code></a>;
    <a class="n" data-link-type="idl-name" href="#enumdef-securitypolicyviolationeventdisposition" id="ref-for-enumdef-securitypolicyviolationeventdisposition①①">SecurityPolicyViolationEventDisposition</a>      <a class="nv" data-type="SecurityPolicyViolationEventDisposition      " href="#dom-securitypolicyviolationeventinit-disposition"><code>disposition</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-unsigned-short" id="ref-for-idl-unsigned-short①①"><span class="kt">unsigned</span> <span class="kt">short</span></a> <a class="nv" data-type="unsigned short " href="#dom-securitypolicyviolationeventinit-statuscode"><code>statusCode</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long②①"><span class="kt">long</span></a>           <a class="nv" data-type="long           " href="#dom-securitypolicyviolationeventinit-linenumber"><code>lineNumber</code></a>;
    <a class="n idl-code" data-link-type="interface" href="https://heycam.github.io/webidl/#idl-long" id="ref-for-idl-long③①"><span class="kt">long</span></a>           <a class="nv" data-type="long           " href="#dom-securitypolicyviolationeventinit-columnnumber"><code>columnNumber</code></a>;
};

</pre>
  <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
  <div style="counter-reset:issue">
   <div class="issue"> <code>unsafe-hashed-attributes</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a><a href="#issue-2f321613"> ↵ </a></div>
   <div class="issue"> <code>disown-opener</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/194">&lt;https://github.com/w3c/webappsec-csp/issues/194></a><a href="#issue-0915ad11"> ↵ </a></div>
   <div class="issue"> <code>navigation-to</code> is a work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/125">&lt;https://github.com/w3c/webappsec-csp/issues/125></a><a href="#issue-a305d3f5"> ↵ </a></div>
   <div class="issue"> Is this kind of thing specified anywhere? I didn’t see anything
  that looked useful in <a data-link-type="biblio" href="#biblio-ecma262">[ECMA262]</a>.<a href="#issue-c404edb5"> ↵ </a></div>
   <div class="issue"> How, exactly, do we get the status code? We don’t actually store it
  anywhere.<a href="#issue-99576800"> ↵ </a></div>
   <div class="issue"> This concept is missing from W3C’s Workers. <a href="https://github.com/w3c/html/issues/187">&lt;https://github.com/w3c/html/issues/187></a><a href="#issue-a794766b"> ↵ </a></div>
   <div class="issue"> Stylesheet loading is not yet integrated with
  Fetch in W3C’s HTML. <a href="https://github.com/whatwg/html/issues/198">&lt;https://github.com/whatwg/html/issues/198></a><a href="#issue-aa77c60b"> ↵ </a></div>
   <div class="issue"> Stylesheet loading is not yet integrated with
  Fetch in WHATWG’s HTML. <a href="https://github.com/whatwg/html/issues/968">&lt;https://github.com/whatwg/html/issues/968></a><a href="#issue-25da4fba"> ↵ </a></div>
   <div class="issue"> This hook is missing from W3C’s HTML. <a href="https://github.com/w3c/html/issues/547">&lt;https://github.com/w3c/html/issues/547></a><a href="#issue-5faf83e6"> ↵ </a></div>
   <div class="issue"> W3C’s HTML is not based on Fetch, and does not
  have a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response">process a navigate response</a> algorithm into which to hook. <a href="https://github.com/w3c/html/issues/548">&lt;https://github.com/w3c/html/issues/548></a><a href="#issue-7b0f92da"> ↵ </a></div>
   <div class="issue"> <code class="idl"><a data-link-type="idl" href="https://tc39.github.io/ecma262#sec-hostensurecancompilestrings">HostEnsureCanCompileStrings()</a></code> does not include the string which is
  going to be compiled as a parameter. We’ll also need to update HTML to pipe that value through
  to CSP. <a href="https://github.com/tc39/ecma262/issues/938">&lt;https://github.com/tc39/ecma262/issues/938></a><a href="#issue-910d1dca"> ↵ </a></div>
   <div class="issue"> This needs to be better explained. <a href="https://github.com/w3c/webappsec-csp/issues/212">&lt;https://github.com/w3c/webappsec-csp/issues/212></a><a href="#issue-ba1a0a35"> ↵ </a></div>
   <div class="issue"> Do something interesting to the execution context in order to lock down
  interesting CSSOM algorithms. I don’t think CSSOM gives us any hooks here, so
  let’s work with them to put something reasonable together.<a href="#issue-eba1ebc1"> ↵ </a></div>
   <div class="issue"> Not sure this is the right model. We need to ensure that we take care
    of <a href="https://github.com/w3c/webappsec/issues/139">the inverse</a> as
    well, and there might be a cleverer syntax that could encompass both a
    document’s opener, and a document’s openees. <code>disown-openee</code> is weird.
    Maybe <code>disown 'opener' 'openee'</code>? Do we need origin restrictions on either/both?<a href="#issue-55f190c5"> ↵ </a></div>
   <div class="issue"> What should this do in an <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">iframe</a></code>? Anything?<a href="#issue-466edd09"> ↵ </a></div>
   <div class="issue"> Spell this out in more detail as part of defining <code>X-Frame-Options</code> integration with the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-response">process a navigate response</a> algorithm. <a href="https://github.com/whatwg/html/issues/1230">&lt;https://github.com/whatwg/html/issues/1230></a><a href="#issue-db2876b7"> ↵ </a></div>
   <div class="issue"> Should we use <code>ancestor-source-list</code> (basically, origins as opposed to
    paths?) It doesn’t appear that blocking navigation targets is any worse than
    blocking any other request type with regard to leakage. Given the redirect
    behavior, this devolves to an origin check in the presence of a malicious
    party anyway...<a href="#issue-86f8d392"> ↵ </a></div>
   <div class="issue"> We need some sort of hook in HTML to record this error if we’re
  planning on using it here. <a href="https://github.com/whatwg/html/issues/3257">&lt;https://github.com/whatwg/html/issues/3257></a><a href="#issue-e2d81ee7"> ↵ </a></div>
   <div class="issue"> This processing is meant to mitigate the risk
  of dangling markup attacks that steal the nonce from an existing element
  in order to load injected script. It is fairly expensive, however, as it
  requires that we walk through all attributes and their values in order to
  determine whether the script should execute. Here, we try to minimize the
  impact by doing this check only for <code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/scripting.html#script">script</a></code> elements when a nonce is
  present, but we should probably consider this algorithm as "at risk" until
  we know its impact. <a href="https://github.com/w3c/webappsec-csp/issues/98">&lt;https://github.com/w3c/webappsec-csp/issues/98></a><a href="#issue-c41e2850"> ↵ </a></div>
   <div class="issue"> Work in progress. <a href="https://github.com/w3c/webappsec-csp/issues/13">&lt;https://github.com/w3c/webappsec-csp/issues/13></a><a href="#issue-0e25e974"> ↵ </a></div>
  </div>
  <aside class="dfn-panel" data-for="content-security-policy-object">
   <b><a href="#content-security-policy-object">#content-security-policy-object</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-content-security-policy-object">2.2. Policies</a> <a href="#ref-for-content-security-policy-object①">(2)</a> <a href="#ref-for-content-security-policy-object②">(3)</a>
    <li><a href="#ref-for-content-security-policy-object③">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-content-security-policy-object④">(2)</a>
    <li><a href="#ref-for-content-security-policy-object⑤">2.2.2. 
    Parse a serialized CSP list </a>
    <li><a href="#ref-for-content-security-policy-object⑥">2.3. Directives</a> <a href="#ref-for-content-security-policy-object⑦">(2)</a> <a href="#ref-for-content-security-policy-object⑧">(3)</a> <a href="#ref-for-content-security-policy-object⑨">(4)</a> <a href="#ref-for-content-security-policy-object①⓪">(5)</a>
    <li><a href="#ref-for-content-security-policy-object①①">2.4. Violations</a> <a href="#ref-for-content-security-policy-object①②">(2)</a> <a href="#ref-for-content-security-policy-object①③">(3)</a> <a href="#ref-for-content-security-policy-object①④">(4)</a>
    <li><a href="#ref-for-content-security-policy-object①⑤">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-content-security-policy-object①⑥">2.4.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-content-security-policy-object①⑦">3. 
    Policy Delivery </a> <a href="#ref-for-content-security-policy-object①⑧">(2)</a>
    <li><a href="#ref-for-content-security-policy-object①⑨">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-content-security-policy-object②⓪">4.2. 
    Integration with HTML </a> <a href="#ref-for-content-security-policy-object②①">(2)</a> <a href="#ref-for-content-security-policy-object②②">(3)</a> <a href="#ref-for-content-security-policy-object②③">(4)</a>
    <li><a href="#ref-for-content-security-policy-object②④">4.2.1. 
    Initialize a Document's CSP list </a>
    <li><a href="#ref-for-content-security-policy-object②⑤">5. 
    Reporting </a> <a href="#ref-for-content-security-policy-object②⑥">(2)</a>
    <li><a href="#ref-for-content-security-policy-object②⑦">6.1.1.1. 
    child-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object②⑧">6.1.1.2. 
    child-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object②⑨">6.1.2.1. 
    connect-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⓪">6.1.2.2. 
    connect-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object③①">6.1.3.1. 
    default-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object③②">6.1.3.2. 
    default-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object③③">6.1.4.1. 
    font-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object③④">6.1.4.2. 
    font-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⑤">6.1.5.1. 
    frame-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⑥">6.1.5.2. 
    frame-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⑦">6.1.6.1. 
    img-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⑧">6.1.6.2. 
    img-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object③⑨">6.1.7.1. 
    manifest-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object④⓪">6.1.7.2. 
    manifest-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object④①">6.1.8.1. 
    media-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object④②">6.1.8.2. 
    media-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object④③">6.1.9. object-src</a>
    <li><a href="#ref-for-content-security-policy-object④④">6.1.9.1. 
    object-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object④⑤">6.1.9.2. 
    object-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object④⑥">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-content-security-policy-object④⑦">6.1.10.2. 
    script-src Post-request check </a>
    <li><a href="#ref-for-content-security-policy-object④⑧">6.1.11.1. 
    style-src Pre-request Check </a>
    <li><a href="#ref-for-content-security-policy-object④⑨">6.1.11.2. 
    style-src Post-request Check </a>
    <li><a href="#ref-for-content-security-policy-object⑤⓪">6.1.12.1. 
    worker-src Pre-request Check </a>
    <li><a href="#ref-for-content-security-policy-object⑤①">6.1.12.2. 
    worker-src Post-request Check </a>
    <li><a href="#ref-for-content-security-policy-object⑤②">6.2.2.1. 
    plugin-types Post-Request Check </a>
    <li><a href="#ref-for-content-security-policy-object⑤③">6.2.3.1. 
    sandbox Response Check </a>
    <li><a href="#ref-for-content-security-policy-object⑤④">6.2.3.2. 
    sandbox Initialization </a>
    <li><a href="#ref-for-content-security-policy-object⑤⑤">6.2.4.1. 
    disown-opener Initialization </a>
    <li><a href="#ref-for-content-security-policy-object⑤⑥">6.3.2.2. 
		Relation to X-Frame-Options </a>
    <li><a href="#ref-for-content-security-policy-object⑤⑦">6.6.1.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-content-security-policy-object⑤⑧">7.1. Nonce Reuse</a>
    <li><a href="#ref-for-content-security-policy-object⑤⑨">9.1. Vendor-specific Extensions and Addons</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-directive-set">
   <b><a href="#policy-directive-set">#policy-directive-set</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-directive-set">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-policy-directive-set①">(2)</a> <a href="#ref-for-policy-directive-set②">(3)</a> <a href="#ref-for-policy-directive-set③">(4)</a>
    <li><a href="#ref-for-policy-directive-set④">2.2.2. 
    Parse a serialized CSP list </a>
    <li><a href="#ref-for-policy-directive-set⑤">2.3. Directives</a>
    <li><a href="#ref-for-policy-directive-set⑥">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-directive-set⑦">5.3. 
    Report a violation </a> <a href="#ref-for-policy-directive-set⑧">(2)</a> <a href="#ref-for-policy-directive-set⑨">(3)</a>
    <li><a href="#ref-for-policy-directive-set①⓪">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-disposition">
   <b><a href="#policy-disposition">#policy-disposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-disposition">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-policy-disposition①">(2)</a>
    <li><a href="#ref-for-policy-disposition②">2.2.2. 
    Parse a serialized CSP list </a> <a href="#ref-for-policy-disposition③">(2)</a>
    <li><a href="#ref-for-policy-disposition④">2.4. Violations</a>
    <li><a href="#ref-for-policy-disposition⑤">4.1.1. 
    Set response’s CSP list </a> <a href="#ref-for-policy-disposition⑥">(2)</a>
    <li><a href="#ref-for-policy-disposition⑦">4.1.2. 
    Report Content Security Policy violations for request </a>
    <li><a href="#ref-for-policy-disposition⑧">4.1.3. 
    Should request be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-disposition⑨">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a> <a href="#ref-for-policy-disposition①⓪">(2)</a>
    <li><a href="#ref-for-policy-disposition①①">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-disposition①②">4.2.5. 
    Should navigation request of type from source in target be blocked
    by Content Security Policy? </a> <a href="#ref-for-policy-disposition①③">(2)</a>
    <li><a href="#ref-for-policy-disposition①④">4.2.6. 
    Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-policy-disposition①⑤">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
    <li><a href="#ref-for-policy-disposition①⑥">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-policy-disposition①⑦">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-policy-disposition①⑧">6.2.3.1. 
    sandbox Response Check </a>
    <li><a href="#ref-for-policy-disposition①⑨">6.2.3.2. 
    sandbox Initialization </a>
    <li><a href="#ref-for-policy-disposition②⓪">6.3.2.2. 
		Relation to X-Frame-Options </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-source">
   <b><a href="#policy-source">#policy-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-source">2.2. Policies</a>
    <li><a href="#ref-for-policy-source①">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-policy-source②">(2)</a>
    <li><a href="#ref-for-policy-source③">2.2.2. 
    Parse a serialized CSP list </a> <a href="#ref-for-policy-source④">(2)</a>
    <li><a href="#ref-for-policy-source⑤">4.1.1. 
    Set response’s CSP list </a> <a href="#ref-for-policy-source⑥">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="csp-list">
   <b><a href="#csp-list">#csp-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-csp-list">2.2. Policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-csp">
   <b><a href="#serialized-csp">#serialized-csp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-csp">2.2. Policies</a>
    <li><a href="#ref-for-serialized-csp①">2.2.1. 
    Parse a serialized CSP </a>
    <li><a href="#ref-for-serialized-csp②">2.3.1. Source Lists</a>
    <li><a href="#ref-for-serialized-csp③">3. 
    Policy Delivery </a>
    <li><a href="#ref-for-serialized-csp④">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-serialized-csp⑤">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
    <li><a href="#ref-for-serialized-csp⑥">4.1.1. 
    Set response’s CSP list </a>
    <li><a href="#ref-for-serialized-csp⑦">5.2. 
    Obtain the deprecated serialization of violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-policy">
   <b><a href="#grammardef-serialized-policy">#grammardef-serialized-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-policy">2.2. Policies</a>
    <li><a href="#ref-for-grammardef-serialized-policy①">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-grammardef-serialized-policy②">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-csp-list">
   <b><a href="#serialized-csp-list">#serialized-csp-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-csp-list">2.2.2. 
    Parse a serialized CSP list </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="abstract-opdef-parse-a-serialized-csp">
   <b><a href="#abstract-opdef-parse-a-serialized-csp">#abstract-opdef-parse-a-serialized-csp</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abstract-opdef-parse-a-serialized-csp">2.2.2. 
    Parse a serialized CSP list </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="abstract-opdef-parse-a-serialized-csp-list">
   <b><a href="#abstract-opdef-parse-a-serialized-csp-list">#abstract-opdef-parse-a-serialized-csp-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-abstract-opdef-parse-a-serialized-csp-list">4.1.1. 
    Set response’s CSP list </a> <a href="#ref-for-abstract-opdef-parse-a-serialized-csp-list①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directives">
   <b><a href="#directives">#directives</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directives">2.2. Policies</a>
    <li><a href="#ref-for-directives①">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-directives②">(2)</a>
    <li><a href="#ref-for-directives③">2.3. Directives</a> <a href="#ref-for-directives④">(2)</a>
    <li><a href="#ref-for-directives⑤">2.3.1. Source Lists</a>
    <li><a href="#ref-for-directives⑥">2.4. Violations</a>
    <li><a href="#ref-for-directives⑦">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-directives⑧">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a> <a href="#ref-for-directives⑨">(2)</a> <a href="#ref-for-directives①⓪">(3)</a>
    <li><a href="#ref-for-directives①①">5.3. 
    Report a violation </a> <a href="#ref-for-directives①②">(2)</a> <a href="#ref-for-directives①③">(3)</a>
    <li><a href="#ref-for-directives①④">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-directives①⑤">6.1.1.1. 
    child-src Pre-request check </a>
    <li><a href="#ref-for-directives①⑥">6.1.1.2. 
    child-src Post-request check </a>
    <li><a href="#ref-for-directives①⑦">6.1.3.1. 
    default-src Pre-request check </a> <a href="#ref-for-directives①⑧">(2)</a> <a href="#ref-for-directives①⑨">(3)</a> <a href="#ref-for-directives②⓪">(4)</a>
    <li><a href="#ref-for-directives②①">6.1.3.2. 
    default-src Post-request check </a> <a href="#ref-for-directives②②">(2)</a> <a href="#ref-for-directives②③">(3)</a> <a href="#ref-for-directives②④">(4)</a>
    <li><a href="#ref-for-directives②⑤">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-directives②⑥">6.1.10.2. 
    script-src Post-request check </a>
    <li><a href="#ref-for-directives②⑦">6.2.1.1. 
    Is base allowed for document? </a> <a href="#ref-for-directives②⑧">(2)</a>
    <li><a href="#ref-for-directives②⑨">6.2.2.2. 
    Should plugin element be blocked a priori by Content
    Security Policy?: </a>
    <li><a href="#ref-for-directives③⓪">6.3.2.2. 
		Relation to X-Frame-Options </a>
    <li><a href="#ref-for-directives③①">6.6.1.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-directives③②">6.6.1.3. 
    Does request match source list? </a>
    <li><a href="#ref-for-directives③③">6.6.1.4. 
    Does response to request match source list? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-name">
   <b><a href="#directive-name">#directive-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-name">2.2.1. 
    Parse a serialized CSP </a> <a href="#ref-for-directive-name①">(2)</a>
    <li><a href="#ref-for-directive-name②">2.3. Directives</a>
    <li><a href="#ref-for-directive-name③">4.2.5. 
    Should navigation request of type from source in target be blocked
    by Content Security Policy? </a> <a href="#ref-for-directive-name④">(2)</a>
    <li><a href="#ref-for-directive-name⑤">4.2.6. 
    Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-directive-name⑥">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a> <a href="#ref-for-directive-name⑦">(2)</a>
    <li><a href="#ref-for-directive-name⑧">6.1.1.1. 
    child-src Pre-request check </a> <a href="#ref-for-directive-name⑨">(2)</a>
    <li><a href="#ref-for-directive-name①⓪">6.1.1.2. 
    child-src Post-request check </a> <a href="#ref-for-directive-name①①">(2)</a>
    <li><a href="#ref-for-directive-name①②">6.1.3.1. 
    default-src Pre-request check </a> <a href="#ref-for-directive-name①③">(2)</a> <a href="#ref-for-directive-name①④">(3)</a> <a href="#ref-for-directive-name①⑤">(4)</a>
    <li><a href="#ref-for-directive-name①⑥">6.1.3.2. 
    default-src Post-request check </a> <a href="#ref-for-directive-name①⑦">(2)</a> <a href="#ref-for-directive-name①⑧">(3)</a> <a href="#ref-for-directive-name①⑨">(4)</a>
    <li><a href="#ref-for-directive-name②⓪">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-directive-name②①">6.1.10.2. 
    script-src Post-request check </a>
    <li><a href="#ref-for-directive-name②②">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-directive-name②③">6.6.1.11. 
    Get the effective directive for request </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-value">
   <b><a href="#directive-value">#directive-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-value">2.2.1. 
    Parse a serialized CSP </a>
    <li><a href="#ref-for-directive-value①">2.3. Directives</a> <a href="#ref-for-directive-value②">(2)</a>
    <li><a href="#ref-for-directive-value③">2.3.1. Source Lists</a>
    <li><a href="#ref-for-directive-value④">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-directive-value⑤">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a> <a href="#ref-for-directive-value⑥">(2)</a>
    <li><a href="#ref-for-directive-value⑦">5.3. 
    Report a violation </a> <a href="#ref-for-directive-value⑧">(2)</a>
    <li><a href="#ref-for-directive-value⑨">6.1.1.1. 
    child-src Pre-request check </a>
    <li><a href="#ref-for-directive-value①⓪">6.1.1.2. 
    child-src Post-request check </a>
    <li><a href="#ref-for-directive-value①①">6.1.2.1. 
    connect-src Pre-request check </a>
    <li><a href="#ref-for-directive-value①②">6.1.2.2. 
    connect-src Post-request check </a>
    <li><a href="#ref-for-directive-value①③">6.1.3.1. 
    default-src Pre-request check </a>
    <li><a href="#ref-for-directive-value①④">6.1.3.2. 
    default-src Post-request check </a>
    <li><a href="#ref-for-directive-value①⑤">6.1.4.1. 
    font-src Pre-request check </a>
    <li><a href="#ref-for-directive-value①⑥">6.1.4.2. 
    font-src Post-request check </a>
    <li><a href="#ref-for-directive-value①⑦">6.1.5.1. 
    frame-src Pre-request check </a>
    <li><a href="#ref-for-directive-value①⑧">6.1.5.2. 
    frame-src Post-request check </a>
    <li><a href="#ref-for-directive-value①⑨">6.1.6.1. 
    img-src Pre-request check </a>
    <li><a href="#ref-for-directive-value②⓪">6.1.6.2. 
    img-src Post-request check </a>
    <li><a href="#ref-for-directive-value②①">6.1.7.1. 
    manifest-src Pre-request check </a>
    <li><a href="#ref-for-directive-value②②">6.1.7.2. 
    manifest-src Post-request check </a>
    <li><a href="#ref-for-directive-value②③">6.1.8.1. 
    media-src Pre-request check </a>
    <li><a href="#ref-for-directive-value②④">6.1.8.2. 
    media-src Post-request check </a>
    <li><a href="#ref-for-directive-value②⑤">6.1.9.1. 
    object-src Pre-request check </a>
    <li><a href="#ref-for-directive-value②⑥">6.1.9.2. 
    object-src Post-request check </a>
    <li><a href="#ref-for-directive-value②⑦">6.1.10.1. 
    script-src Pre-request check </a> <a href="#ref-for-directive-value②⑧">(2)</a> <a href="#ref-for-directive-value②⑨">(3)</a> <a href="#ref-for-directive-value③⓪">(4)</a> <a href="#ref-for-directive-value③①">(5)</a>
    <li><a href="#ref-for-directive-value③②">6.1.10.2. 
    script-src Post-request check </a> <a href="#ref-for-directive-value③③">(2)</a> <a href="#ref-for-directive-value③④">(3)</a>
    <li><a href="#ref-for-directive-value③⑤">6.1.10.3. 
    script-src Inline Check </a> <a href="#ref-for-directive-value③⑥">(2)</a>
    <li><a href="#ref-for-directive-value③⑦">6.1.11.1. 
    style-src Pre-request Check </a> <a href="#ref-for-directive-value③⑧">(2)</a>
    <li><a href="#ref-for-directive-value③⑨">6.1.11.2. 
    style-src Post-request Check </a> <a href="#ref-for-directive-value④⓪">(2)</a>
    <li><a href="#ref-for-directive-value④①">6.1.11.3. 
    style-src Inline Check </a>
    <li><a href="#ref-for-directive-value④②">6.1.12.1. 
    worker-src Pre-request Check </a>
    <li><a href="#ref-for-directive-value④③">6.1.12.2. 
    worker-src Post-request Check </a>
    <li><a href="#ref-for-directive-value④④">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-directive-value④⑤">6.2.2.1. 
    plugin-types Post-Request Check </a>
    <li><a href="#ref-for-directive-value④⑥">6.2.2.2. 
    Should plugin element be blocked a priori by Content
    Security Policy?: </a>
    <li><a href="#ref-for-directive-value④⑦">6.2.3.1. 
    sandbox Response Check </a>
    <li><a href="#ref-for-directive-value④⑧">6.2.3.2. 
    sandbox Initialization </a>
    <li><a href="#ref-for-directive-value④⑨">6.3.1.1. 
    form-action Pre-Navigation Check </a>
    <li><a href="#ref-for-directive-value⑤⓪">6.3.2.1. 
    frame-ancestors Navigation Response Check </a>
    <li><a href="#ref-for-directive-value⑤①">6.3.3.1. 
      navigation-to Pre-Navigation Check </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-directive">
   <b><a href="#serialized-directive">#serialized-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-directive">2.2. Policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-directive">
   <b><a href="#grammardef-serialized-directive">#grammardef-serialized-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-directive">2.2. Policies</a> <a href="#ref-for-grammardef-serialized-directive①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-directive-name">
   <b><a href="#grammardef-directive-name">#grammardef-directive-name</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-directive-name">2.3. Directives</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-directive-value">
   <b><a href="#grammardef-directive-value">#grammardef-directive-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-directive-value">2.3. Directives</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-pre-request-check">
   <b><a href="#directive-pre-request-check">#directive-pre-request-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-pre-request-check">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-directive-pre-request-check①">6.1.1.1. 
    child-src Pre-request check </a> <a href="#ref-for-directive-pre-request-check②">(2)</a>
    <li><a href="#ref-for-directive-pre-request-check③">6.1.2.1. 
    connect-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check④">6.1.3.1. 
    default-src Pre-request check </a> <a href="#ref-for-directive-pre-request-check⑤">(2)</a>
    <li><a href="#ref-for-directive-pre-request-check⑥">6.1.4.1. 
    font-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check⑦">6.1.5.1. 
    frame-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check⑧">6.1.6.1. 
    img-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check⑨">6.1.7.1. 
    manifest-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check①⓪">6.1.8.1. 
    media-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check①①">6.1.9.1. 
    object-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check①②">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-directive-pre-request-check①③">6.1.11.1. 
    style-src Pre-request Check </a>
    <li><a href="#ref-for-directive-pre-request-check①④">6.1.12.1. 
    worker-src Pre-request Check </a>
    <li><a href="#ref-for-directive-pre-request-check①⑤">6.5. 
    Directives Defined in Other Documents </a>
    <li><a href="#ref-for-directive-pre-request-check①⑥">6.6.1.1. 
    Does request violate policy? </a>
    <li><a href="#ref-for-directive-pre-request-check①⑦">6.6.1.3. 
    Does request match source list? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-post-request-check">
   <b><a href="#directive-post-request-check">#directive-post-request-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-post-request-check">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-directive-post-request-check①">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-directive-post-request-check②">6.1.1.2. 
    child-src Post-request check </a> <a href="#ref-for-directive-post-request-check③">(2)</a>
    <li><a href="#ref-for-directive-post-request-check④">6.1.2.2. 
    connect-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check⑤">6.1.3.2. 
    default-src Post-request check </a> <a href="#ref-for-directive-post-request-check⑥">(2)</a>
    <li><a href="#ref-for-directive-post-request-check⑦">6.1.4.2. 
    font-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check⑧">6.1.5.2. 
    frame-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check⑨">6.1.6.2. 
    img-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check①⓪">6.1.7.2. 
    manifest-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check①①">6.1.8.2. 
    media-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check①②">6.1.9.2. 
    object-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check①③">6.1.10.2. 
    script-src Post-request check </a>
    <li><a href="#ref-for-directive-post-request-check①④">6.1.11.2. 
    style-src Post-request Check </a>
    <li><a href="#ref-for-directive-post-request-check①⑤">6.1.12.2. 
    worker-src Post-request Check </a>
    <li><a href="#ref-for-directive-post-request-check①⑥">6.2.2.1. 
    plugin-types Post-Request Check </a>
    <li><a href="#ref-for-directive-post-request-check①⑦">6.5. 
    Directives Defined in Other Documents </a>
    <li><a href="#ref-for-directive-post-request-check①⑧">6.6.1.4. 
    Does response to request match source list? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-response-check">
   <b><a href="#directive-response-check">#directive-response-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-response-check">4.1. 
    Integration with Fetch </a>
    <li><a href="#ref-for-directive-response-check①">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-directive-response-check②">6.2.3.1. 
    sandbox Response Check </a>
    <li><a href="#ref-for-directive-response-check③">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-inline-check">
   <b><a href="#directive-inline-check">#directive-inline-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-inline-check">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-directive-inline-check①">4.2.5. 
    Should navigation request of type from source in target be blocked
    by Content Security Policy? </a>
    <li><a href="#ref-for-directive-inline-check②">6.1.10.3. 
    script-src Inline Check </a>
    <li><a href="#ref-for-directive-inline-check③">6.1.11.3. 
    style-src Inline Check </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-initialization">
   <b><a href="#directive-initialization">#directive-initialization</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-initialization">4.2.1. 
    Initialize a Document's CSP list </a>
    <li><a href="#ref-for-directive-initialization①">6.1.11.3. 
    style-src Inline Check </a>
    <li><a href="#ref-for-directive-initialization②">6.2.3.2. 
    sandbox Initialization </a>
    <li><a href="#ref-for-directive-initialization③">6.2.4.1. 
    disown-opener Initialization </a>
    <li><a href="#ref-for-directive-initialization④">6.5. 
    Directives Defined in Other Documents </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-pre-navigation-check">
   <b><a href="#directive-pre-navigation-check">#directive-pre-navigation-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-pre-navigation-check">4.2.5. 
    Should navigation request of type from source in target be blocked
    by Content Security Policy? </a>
    <li><a href="#ref-for-directive-pre-navigation-check①">6.3.1.1. 
    form-action Pre-Navigation Check </a>
    <li><a href="#ref-for-directive-pre-navigation-check②">6.3.3.1. 
      navigation-to Pre-Navigation Check </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="directive-navigation-response-check">
   <b><a href="#directive-navigation-response-check">#directive-navigation-response-check</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-directive-navigation-response-check">4.2.6. 
    Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-directive-navigation-response-check①">6.3.2.1. 
    frame-ancestors Navigation Response Check </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="source-lists">
   <b><a href="#source-lists">#source-lists</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-source-lists">6.1.1. child-src</a>
    <li><a href="#ref-for-source-lists①">6.1.2. connect-src</a>
    <li><a href="#ref-for-source-lists②">6.1.3. default-src</a>
    <li><a href="#ref-for-source-lists③">6.1.4. font-src</a>
    <li><a href="#ref-for-source-lists④">6.1.5. frame-src</a>
    <li><a href="#ref-for-source-lists⑤">6.1.6. img-src</a>
    <li><a href="#ref-for-source-lists⑥">6.1.7. manifest-src</a>
    <li><a href="#ref-for-source-lists⑦">6.1.8. media-src</a>
    <li><a href="#ref-for-source-lists⑧">6.1.9. object-src</a>
    <li><a href="#ref-for-source-lists⑨">6.1.12. worker-src</a>
    <li><a href="#ref-for-source-lists①⓪">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-source-lists①①">6.6.1.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-source-lists①②">6.6.1.3. 
    Does request match source list? </a>
    <li><a href="#ref-for-source-lists①③">6.6.1.4. 
    Does response to request match source list? </a>
    <li><a href="#ref-for-source-lists①④">6.6.1.5. 
    Does url match source list in origin with redirect count? </a>
    <li><a href="#ref-for-source-lists①⑤">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a> <a href="#ref-for-source-lists①⑥">(2)</a> <a href="#ref-for-source-lists①⑦">(3)</a> <a href="#ref-for-source-lists①⑧">(4)</a> <a href="#ref-for-source-lists①⑨">(5)</a>
    <li><a href="#ref-for-source-lists②⓪">6.6.2.3. 
    Does element match source list for type and source? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="source-expression">
   <b><a href="#source-expression">#source-expression</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-source-expression">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-source-expression①">2.3.1. Source Lists</a>
    <li><a href="#ref-for-source-expression②">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
    <li><a href="#ref-for-source-expression③">6.1.10.1. 
    script-src Pre-request check </a> <a href="#ref-for-source-expression④">(2)</a> <a href="#ref-for-source-expression⑤">(3)</a> <a href="#ref-for-source-expression⑥">(4)</a>
    <li><a href="#ref-for-source-expression⑦">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-source-expression⑧">8.4. 
      Allowing external JavaScript via hashes </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-serialized-source-list">
   <b><a href="#grammardef-serialized-source-list">#grammardef-serialized-source-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-serialized-source-list">6.1.1. child-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①">6.1.2. connect-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list②">6.1.3. default-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list③">6.1.4. font-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list④">6.1.5. frame-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list⑤">6.1.6. img-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list⑥">6.1.7. manifest-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list⑦">6.1.8. media-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list⑧">6.1.9. object-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list⑨">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①⓪">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①①">6.1.12. worker-src</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①②">6.2.1. base-uri</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①③">6.3.1. form-action</a>
    <li><a href="#ref-for-grammardef-serialized-source-list①④">6.3.3. navigation-to</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-none">
   <b><a href="#grammardef-none">#grammardef-none</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-none">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-none①">6.3.2. frame-ancestors</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-source-expression">
   <b><a href="#grammardef-source-expression">#grammardef-source-expression</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-source-expression">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-source-expression①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-scheme-source">
   <b><a href="#grammardef-scheme-source">#grammardef-scheme-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-scheme-source">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-scheme-source①">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-scheme-source②">6.6.1.6. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-scheme-source③">(2)</a>
    <li><a href="#ref-for-grammardef-scheme-source④">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-source">
   <b><a href="#grammardef-host-source">#grammardef-host-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-source">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-host-source①">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-host-source②">6.6.1.6. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-host-source③">(2)</a> <a href="#ref-for-grammardef-host-source④">(3)</a>
    <li><a href="#ref-for-grammardef-host-source⑤">7.3. Nonce Retargeting</a>
    <li><a href="#ref-for-grammardef-host-source⑥">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-scheme-part">
   <b><a href="#grammardef-scheme-part">#grammardef-scheme-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-scheme-part">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-scheme-part①">(2)</a>
    <li><a href="#ref-for-grammardef-scheme-part②">6.6.1.6. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-scheme-part③">(2)</a> <a href="#ref-for-grammardef-scheme-part④">(3)</a> <a href="#ref-for-grammardef-scheme-part⑤">(4)</a>
    <li><a href="#ref-for-grammardef-scheme-part⑥">6.6.1.7. 
    scheme-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-part">
   <b><a href="#grammardef-host-part">#grammardef-host-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-part">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-host-part①">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-grammardef-host-part②">6.6.1.8. 
    host-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-host-char">
   <b><a href="#grammardef-host-char">#grammardef-host-char</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-host-char">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-host-char①">(2)</a> <a href="#ref-for-grammardef-host-char②">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-port-part">
   <b><a href="#grammardef-port-part">#grammardef-port-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-port-part">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-port-part①">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-grammardef-port-part②">6.6.1.9. 
    port-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-path-part">
   <b><a href="#grammardef-path-part">#grammardef-path-part</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-path-part">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-path-part①">6.6.1.6. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-grammardef-path-part②">(2)</a>
    <li><a href="#ref-for-grammardef-path-part③">6.6.1.10. 
    path-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-keyword-source">
   <b><a href="#grammardef-keyword-source">#grammardef-keyword-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-keyword-source">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-keyword-source①">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-grammardef-keyword-source②">6.1.10.3. 
    script-src Inline Check </a> <a href="#ref-for-grammardef-keyword-source③">(2)</a>
    <li><a href="#ref-for-grammardef-keyword-source④">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a> <a href="#ref-for-grammardef-keyword-source⑤">(2)</a> <a href="#ref-for-grammardef-keyword-source⑥">(3)</a>
    <li><a href="#ref-for-grammardef-keyword-source⑦">6.6.2.3. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-grammardef-keyword-source⑧">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-self">
   <b><a href="#grammardef-self">#grammardef-self</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-self">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-self①">6.1.3. default-src</a> <a href="#ref-for-grammardef-self②">(2)</a> <a href="#ref-for-grammardef-self③">(3)</a> <a href="#ref-for-grammardef-self④">(4)</a> <a href="#ref-for-grammardef-self⑤">(5)</a> <a href="#ref-for-grammardef-self⑥">(6)</a> <a href="#ref-for-grammardef-self⑦">(7)</a> <a href="#ref-for-grammardef-self⑧">(8)</a> <a href="#ref-for-grammardef-self⑨">(9)</a> <a href="#ref-for-grammardef-self①⓪">(10)</a> <a href="#ref-for-grammardef-self①①">(11)</a> <a href="#ref-for-grammardef-self①②">(12)</a> <a href="#ref-for-grammardef-self①③">(13)</a> <a href="#ref-for-grammardef-self①④">(14)</a> <a href="#ref-for-grammardef-self①⑤">(15)</a> <a href="#ref-for-grammardef-self①⑥">(16)</a> <a href="#ref-for-grammardef-self①⑦">(17)</a> <a href="#ref-for-grammardef-self①⑧">(18)</a> <a href="#ref-for-grammardef-self①⑨">(19)</a> <a href="#ref-for-grammardef-self②⓪">(20)</a> <a href="#ref-for-grammardef-self②①">(21)</a>
    <li><a href="#ref-for-grammardef-self②②">6.3.2. frame-ancestors</a>
    <li><a href="#ref-for-grammardef-self②③">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-inline">
   <b><a href="#grammardef-unsafe-inline">#grammardef-unsafe-inline</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-inline">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-grammardef-unsafe-inline①">6.1.10.3. 
    script-src Inline Check </a> <a href="#ref-for-grammardef-unsafe-inline②">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-inline③">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a> <a href="#ref-for-grammardef-unsafe-inline④">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-inline⑤">7.1. Nonce Reuse</a> <a href="#ref-for-grammardef-unsafe-inline⑥">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-inline⑦">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-eval">
   <b><a href="#grammardef-unsafe-eval">#grammardef-unsafe-eval</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-eval">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-strict-dynamic">
   <b><a href="#grammardef-strict-dynamic">#grammardef-strict-dynamic</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-strict-dynamic">6.1.10.1. 
    script-src Pre-request check </a> <a href="#ref-for-grammardef-strict-dynamic①">(2)</a>
    <li><a href="#ref-for-grammardef-strict-dynamic②">6.1.10.2. 
    script-src Post-request check </a>
    <li><a href="#ref-for-grammardef-strict-dynamic③">6.1.10.3. 
    script-src Inline Check </a> <a href="#ref-for-grammardef-strict-dynamic④">(2)</a>
    <li><a href="#ref-for-grammardef-strict-dynamic⑤">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a>
    <li><a href="#ref-for-grammardef-strict-dynamic⑥">8.2. 
    Usage of "'strict-dynamic'" </a> <a href="#ref-for-grammardef-strict-dynamic⑦">(2)</a> <a href="#ref-for-grammardef-strict-dynamic⑧">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-unsafe-hashed-attributes">
   <b><a href="#grammardef-unsafe-hashed-attributes">#grammardef-unsafe-hashed-attributes</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-unsafe-hashed-attributes">6.6.2.3. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-unsafe-hashed-attributes①">(2)</a>
    <li><a href="#ref-for-grammardef-unsafe-hashed-attributes②">8.3. 
      Usage of "'unsafe-hashed-attributes'" </a> <a href="#ref-for-grammardef-unsafe-hashed-attributes③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-report-sample">
   <b><a href="#grammardef-report-sample">#grammardef-report-sample</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-report-sample">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-grammardef-report-sample①">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-grammardef-report-sample②">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-nonce-source">
   <b><a href="#grammardef-nonce-source">#grammardef-nonce-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-nonce-source">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-nonce-source①">(2)</a>
    <li><a href="#ref-for-grammardef-nonce-source②">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-nonce-source③">6.1.10.3. 
    script-src Inline Check </a>
    <li><a href="#ref-for-grammardef-nonce-source④">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-nonce-source⑤">6.6.1.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-grammardef-nonce-source⑥">6.6.2.1. 
    Is element nonceable? </a>
    <li><a href="#ref-for-grammardef-nonce-source⑦">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a>
    <li><a href="#ref-for-grammardef-nonce-source⑧">6.6.2.3. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-grammardef-nonce-source⑨">7.1. Nonce Reuse</a>
    <li><a href="#ref-for-grammardef-nonce-source①⓪">8.2. 
    Usage of "'strict-dynamic'" </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-base64-value">
   <b><a href="#grammardef-base64-value">#grammardef-base64-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-base64-value">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-base64-value①">(2)</a> <a href="#ref-for-grammardef-base64-value②">(3)</a> <a href="#ref-for-grammardef-base64-value③">(4)</a>
    <li><a href="#ref-for-grammardef-base64-value④">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-grammardef-base64-value⑤">6.6.1.2. 
    Does nonce match source list? </a>
    <li><a href="#ref-for-grammardef-base64-value⑥">6.6.2.3. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-base64-value⑦">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-hash-source">
   <b><a href="#grammardef-hash-source">#grammardef-hash-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-hash-source">2.3.1. Source Lists</a> <a href="#ref-for-grammardef-hash-source①">(2)</a>
    <li><a href="#ref-for-grammardef-hash-source②">6.1.10. script-src</a>
    <li><a href="#ref-for-grammardef-hash-source③">6.1.10.1. 
    script-src Pre-request check </a> <a href="#ref-for-grammardef-hash-source④">(2)</a>
    <li><a href="#ref-for-grammardef-hash-source⑤">6.1.10.3. 
    script-src Inline Check </a>
    <li><a href="#ref-for-grammardef-hash-source⑥">6.1.11. style-src</a>
    <li><a href="#ref-for-grammardef-hash-source⑦">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a>
    <li><a href="#ref-for-grammardef-hash-source⑧">6.6.2.3. 
    Does element match source list for type and source? </a>
    <li><a href="#ref-for-grammardef-hash-source⑨">8.2. 
    Usage of "'strict-dynamic'" </a>
    <li><a href="#ref-for-grammardef-hash-source①⓪">8.4. 
      Allowing external JavaScript via hashes </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-hash-algorithm">
   <b><a href="#grammardef-hash-algorithm">#grammardef-hash-algorithm</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-hash-algorithm">2.3.1. Source Lists</a>
    <li><a href="#ref-for-grammardef-hash-algorithm①">6.1.10.1. 
    script-src Pre-request check </a>
    <li><a href="#ref-for-grammardef-hash-algorithm②">6.6.2.3. 
    Does element match source list for type and source? </a> <a href="#ref-for-grammardef-hash-algorithm③">(2)</a> <a href="#ref-for-grammardef-hash-algorithm④">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation">
   <b><a href="#violation">#violation</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation">2.4. Violations</a> <a href="#ref-for-violation①">(2)</a> <a href="#ref-for-violation②">(3)</a> <a href="#ref-for-violation③">(4)</a> <a href="#ref-for-violation④">(5)</a> <a href="#ref-for-violation⑤">(6)</a> <a href="#ref-for-violation⑥">(7)</a> <a href="#ref-for-violation⑦">(8)</a> <a href="#ref-for-violation⑧">(9)</a> <a href="#ref-for-violation⑨">(10)</a> <a href="#ref-for-violation①⓪">(11)</a> <a href="#ref-for-violation①①">(12)</a> <a href="#ref-for-violation①②">(13)</a> <a href="#ref-for-violation①③">(14)</a>
    <li><a href="#ref-for-violation①④">2.4.1. 
    Create a violation object for global, policy, and directive </a> <a href="#ref-for-violation①⑤">(2)</a>
    <li><a href="#ref-for-violation①⑥">2.4.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-violation①⑦">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation①⑧">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-violation①⑨">6.4. 
    Reporting Directives </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-global-object">
   <b><a href="#violation-global-object">#violation-global-object</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-global-object">2.4. Violations</a>
    <li><a href="#ref-for-violation-global-object①">2.4.1. 
    Create a violation object for global, policy, and directive </a> <a href="#ref-for-violation-global-object②">(2)</a>
    <li><a href="#ref-for-violation-global-object③">5.3. 
    Report a violation </a> <a href="#ref-for-violation-global-object④">(2)</a> <a href="#ref-for-violation-global-object⑤">(3)</a> <a href="#ref-for-violation-global-object⑥">(4)</a> <a href="#ref-for-violation-global-object⑦">(5)</a> <a href="#ref-for-violation-global-object⑧">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-url">
   <b><a href="#violation-url">#violation-url</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-url">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-url①">5.3. 
    Report a violation </a> <a href="#ref-for-violation-url②">(2)</a> <a href="#ref-for-violation-url③">(3)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-status">
   <b><a href="#violation-status">#violation-status</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-status">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-status①">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-status②">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-resource">
   <b><a href="#violation-resource">#violation-resource</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-resource">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-resource①">2.4.2. 
    Create a violation object for request, policy, and directive </a>
    <li><a href="#ref-for-violation-resource②">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-violation-resource③">4.2.5. 
    Should navigation request of type from source in target be blocked
    by Content Security Policy? </a> <a href="#ref-for-violation-resource④">(2)</a>
    <li><a href="#ref-for-violation-resource⑤">4.2.6. 
    Should navigation response to navigation request of type from source
    in target be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-violation-resource⑥">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
    <li><a href="#ref-for-violation-resource⑦">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-resource⑧">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-violation-resource⑨">6.2.1.1. 
    Is base allowed for document? </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-referrer">
   <b><a href="#violation-referrer">#violation-referrer</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-referrer">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-referrer①">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-referrer②">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-policy">
   <b><a href="#violation-policy">#violation-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-policy">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-policy①">5.2. 
    Obtain the deprecated serialization of violation </a> <a href="#ref-for-violation-policy②">(2)</a>
    <li><a href="#ref-for-violation-policy③">5.3. 
    Report a violation </a> <a href="#ref-for-violation-policy④">(2)</a> <a href="#ref-for-violation-policy⑤">(3)</a> <a href="#ref-for-violation-policy⑥">(4)</a> <a href="#ref-for-violation-policy⑦">(5)</a> <a href="#ref-for-violation-policy⑧">(6)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-disposition">
   <b><a href="#violation-disposition">#violation-disposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-disposition">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-effective-directive">
   <b><a href="#violation-effective-directive">#violation-effective-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-effective-directive">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-effective-directive①">5.2. 
    Obtain the deprecated serialization of violation </a> <a href="#ref-for-violation-effective-directive②">(2)</a>
    <li><a href="#ref-for-violation-effective-directive③">5.3. 
    Report a violation </a> <a href="#ref-for-violation-effective-directive④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-source-file">
   <b><a href="#violation-source-file">#violation-source-file</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-source-file">2.4.1. 
    Create a violation object for global, policy, and directive </a> <a href="#ref-for-violation-source-file①">(2)</a>
    <li><a href="#ref-for-violation-source-file②">5.2. 
    Obtain the deprecated serialization of violation </a> <a href="#ref-for-violation-source-file③">(2)</a>
    <li><a href="#ref-for-violation-source-file④">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-line-number">
   <b><a href="#violation-line-number">#violation-line-number</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-line-number">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-line-number①">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-line-number②">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-column-number">
   <b><a href="#violation-column-number">#violation-column-number</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-column-number">2.4.1. 
    Create a violation object for global, policy, and directive </a>
    <li><a href="#ref-for-violation-column-number①">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-column-number②">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-element">
   <b><a href="#violation-element">#violation-element</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-element">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-violation-element①">5.3. 
    Report a violation </a> <a href="#ref-for-violation-element②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-sample">
   <b><a href="#violation-sample">#violation-sample</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-sample">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-violation-sample①">2.4. Violations</a>
    <li><a href="#ref-for-violation-sample②">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-violation-sample③">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
    <li><a href="#ref-for-violation-sample④">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-violation-sample⑤">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="header-content-security-policy">
   <b><a href="#header-content-security-policy">#header-content-security-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-header-content-security-policy">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="header-content-security-policy-report-only">
   <b><a href="#header-content-security-policy-report-only">#header-content-security-policy-report-only</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-header-content-security-policy-report-only">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a> <a href="#ref-for-header-content-security-policy-report-only①">(2)</a>
    <li><a href="#ref-for-header-content-security-policy-report-only②">3.3. 
    The &lt;meta> element </a>
    <li><a href="#ref-for-header-content-security-policy-report-only③">6.2.3. sandbox</a>
    <li><a href="#ref-for-header-content-security-policy-report-only④">6.2.4. disown-opener</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="global-object-csp-list">
   <b><a href="#global-object-csp-list">#global-object-csp-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-global-object-csp-list">4.1.2. 
    Report Content Security Policy violations for request </a>
    <li><a href="#ref-for-global-object-csp-list①">4.1.3. 
    Should request be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list②">4.1.4. 
    Should response to request be blocked by Content
    Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list③">4.2. 
    Integration with HTML </a>
    <li><a href="#ref-for-global-object-csp-list④">4.2.2. 
    Initialize a global object’s CSP list </a> <a href="#ref-for-global-object-csp-list⑤">(2)</a> <a href="#ref-for-global-object-csp-list⑥">(3)</a> <a href="#ref-for-global-object-csp-list⑦">(4)</a> <a href="#ref-for-global-object-csp-list⑧">(5)</a> <a href="#ref-for-global-object-csp-list⑨">(6)</a>
    <li><a href="#ref-for-global-object-csp-list①⓪">4.2.3. 
    Retrieve the CSP list of an object </a> <a href="#ref-for-global-object-csp-list①①">(2)</a> <a href="#ref-for-global-object-csp-list①②">(3)</a> <a href="#ref-for-global-object-csp-list①③">(4)</a>
    <li><a href="#ref-for-global-object-csp-list①④">4.2.4. 
    Should element’s inline type behavior be blocked by Content Security Policy? </a>
    <li><a href="#ref-for-global-object-csp-list①⑤">4.3. Integration with ECMAScript</a>
    <li><a href="#ref-for-global-object-csp-list①⑥">4.3.1. 
    EnsureCSPDoesNotBlockStringCompilation(callerRealm, calleeRealm, source) </a>
    <li><a href="#ref-for-global-object-csp-list①⑦">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-global-object-csp-list①⑧">7.8. 
    CSP Inheriting to avoid bypasses </a> <a href="#ref-for-global-object-csp-list①⑨">(2)</a> <a href="#ref-for-global-object-csp-list②⓪">(3)</a> <a href="#ref-for-global-object-csp-list②①">(4)</a> <a href="#ref-for-global-object-csp-list②②">(5)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enforced">
   <b><a href="#enforced">#enforced</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enforced">3.1. 
    The Content-Security-Policy HTTP Response Header Field </a>
    <li><a href="#ref-for-enforced①">4.2. 
    Integration with HTML </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="monitored">
   <b><a href="#monitored">#monitored</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-monitored">3.2. 
    The Content-Security-Policy-Report-Only HTTP Response Header Field </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="embedding-document">
   <b><a href="#embedding-document">#embedding-document</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-embedding-document">4.2.1. 
    Initialize a Document's CSP list </a> <a href="#ref-for-embedding-document①">(2)</a>
    <li><a href="#ref-for-embedding-document②">4.2.2. 
    Initialize a global object’s CSP list </a>
    <li><a href="#ref-for-embedding-document③">7.8. 
    CSP Inheriting to avoid bypasses </a> <a href="#ref-for-embedding-document④">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="violation-report">
   <b><a href="#violation-report">#violation-report</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-violation-report">6.4.1. report-uri</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="enumdef-securitypolicyviolationeventdisposition">
   <b><a href="#enumdef-securitypolicyviolationeventdisposition">#enumdef-securitypolicyviolationeventdisposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-enumdef-securitypolicyviolationeventdisposition">5.1. 
    Violation DOM Events </a> <a href="#ref-for-enumdef-securitypolicyviolationeventdisposition①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="securitypolicyviolationevent">
   <b><a href="#securitypolicyviolationevent">#securitypolicyviolationevent</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-securitypolicyviolationevent">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-securitypolicyviolationevent①">5.3. 
    Report a violation </a> <a href="#ref-for-securitypolicyviolationevent②">(2)</a>
    <li><a href="#ref-for-securitypolicyviolationevent③">7.5. Violation Reports</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-documenturi">
   <b><a href="#dom-securitypolicyviolationevent-documenturi">#dom-securitypolicyviolationevent-documenturi</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-documenturi">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-referrer">
   <b><a href="#dom-securitypolicyviolationevent-referrer">#dom-securitypolicyviolationevent-referrer</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-referrer">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-blockeduri">
   <b><a href="#dom-securitypolicyviolationevent-blockeduri">#dom-securitypolicyviolationevent-blockeduri</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-blockeduri">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-violateddirective">
   <b><a href="#dom-securitypolicyviolationevent-violateddirective">#dom-securitypolicyviolationevent-violateddirective</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-violateddirective">5.3. 
    Report a violation </a> <a href="#ref-for-dom-securitypolicyviolationevent-violateddirective①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-effectivedirective">
   <b><a href="#dom-securitypolicyviolationevent-effectivedirective">#dom-securitypolicyviolationevent-effectivedirective</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-effectivedirective">5.3. 
    Report a violation </a> <a href="#ref-for-dom-securitypolicyviolationevent-effectivedirective①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-originalpolicy">
   <b><a href="#dom-securitypolicyviolationevent-originalpolicy">#dom-securitypolicyviolationevent-originalpolicy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-originalpolicy">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-sourcefile">
   <b><a href="#dom-securitypolicyviolationevent-sourcefile">#dom-securitypolicyviolationevent-sourcefile</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-sourcefile">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-sample">
   <b><a href="#dom-securitypolicyviolationevent-sample">#dom-securitypolicyviolationevent-sample</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-sample">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-sample①">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-sample②">7.5. Violation Reports</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-disposition">
   <b><a href="#dom-securitypolicyviolationevent-disposition">#dom-securitypolicyviolationevent-disposition</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-disposition">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-statuscode">
   <b><a href="#dom-securitypolicyviolationevent-statuscode">#dom-securitypolicyviolationevent-statuscode</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-statuscode">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-linenumber">
   <b><a href="#dom-securitypolicyviolationevent-linenumber">#dom-securitypolicyviolationevent-linenumber</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-linenumber">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dom-securitypolicyviolationevent-columnnumber">
   <b><a href="#dom-securitypolicyviolationevent-columnnumber">#dom-securitypolicyviolationevent-columnnumber</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dom-securitypolicyviolationevent-columnnumber">5.3. 
    Report a violation </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="dictdef-securitypolicyviolationeventinit">
   <b><a href="#dictdef-securitypolicyviolationeventinit">#dictdef-securitypolicyviolationeventinit</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-dictdef-securitypolicyviolationeventinit">5.1. 
    Violation DOM Events </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="fetch-directives">
   <b><a href="#fetch-directives">#fetch-directives</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-fetch-directives">6.1.3. default-src</a> <a href="#ref-for-fetch-directives①">(2)</a>
    <li><a href="#ref-for-fetch-directives②">6.6.1.11. 
    Get the effective directive for request </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="child-src">
   <b><a href="#child-src">#child-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-child-src">6.1.1. child-src</a> <a href="#ref-for-child-src①">(2)</a>
    <li><a href="#ref-for-child-src②">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="connect-src">
   <b><a href="#connect-src">#connect-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-connect-src">6.1.2. connect-src</a>
    <li><a href="#ref-for-connect-src①">6.1.3. default-src</a> <a href="#ref-for-connect-src②">(2)</a>
    <li><a href="#ref-for-connect-src③">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="default-src">
   <b><a href="#default-src">#default-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-src">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-default-src①">6.1.3. default-src</a> <a href="#ref-for-default-src②">(2)</a> <a href="#ref-for-default-src③">(3)</a>
    <li><a href="#ref-for-default-src④">8.2. 
    Usage of "'strict-dynamic'" </a>
    <li><a href="#ref-for-default-src⑤">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="font-src">
   <b><a href="#font-src">#font-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-font-src">6.1. 
    Fetch Directives </a>
    <li><a href="#ref-for-font-src①">6.1.3. default-src</a> <a href="#ref-for-font-src②">(2)</a>
    <li><a href="#ref-for-font-src③">6.1.4. font-src</a>
    <li><a href="#ref-for-font-src④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="frame-src">
   <b><a href="#frame-src">#frame-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-frame-src">6.1.1. child-src</a>
    <li><a href="#ref-for-frame-src①">6.1.3. default-src</a> <a href="#ref-for-frame-src②">(2)</a>
    <li><a href="#ref-for-frame-src③">6.1.5. frame-src</a>
    <li><a href="#ref-for-frame-src④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="img-src">
   <b><a href="#img-src">#img-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-img-src">6.1.3. default-src</a> <a href="#ref-for-img-src①">(2)</a>
    <li><a href="#ref-for-img-src②">6.1.6. img-src</a>
    <li><a href="#ref-for-img-src③">7.6. Paths and Redirects</a>
    <li><a href="#ref-for-img-src④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="manifest-src">
   <b><a href="#manifest-src">#manifest-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-manifest-src">6.1.3. default-src</a> <a href="#ref-for-manifest-src①">(2)</a>
    <li><a href="#ref-for-manifest-src②">6.1.7. manifest-src</a>
    <li><a href="#ref-for-manifest-src③">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="media-src">
   <b><a href="#media-src">#media-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-media-src">6.1.3. default-src</a> <a href="#ref-for-media-src①">(2)</a>
    <li><a href="#ref-for-media-src②">6.1.8. media-src</a>
    <li><a href="#ref-for-media-src③">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="object-src">
   <b><a href="#object-src">#object-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-object-src">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-object-src①">6.1.3. default-src</a> <a href="#ref-for-object-src②">(2)</a>
    <li><a href="#ref-for-object-src③">6.1.9. object-src</a>
    <li><a href="#ref-for-object-src④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="script-src">
   <b><a href="#script-src">#script-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-script-src">6. 
    Content Security Policy Directives </a>
    <li><a href="#ref-for-script-src①">6.1. 
    Fetch Directives </a>
    <li><a href="#ref-for-script-src②">6.1.3. default-src</a> <a href="#ref-for-script-src③">(2)</a> <a href="#ref-for-script-src④">(3)</a>
    <li><a href="#ref-for-script-src⑤">8.2. 
    Usage of "'strict-dynamic'" </a> <a href="#ref-for-script-src⑥">(2)</a>
    <li><a href="#ref-for-script-src⑦">8.3. 
      Usage of "'unsafe-hashed-attributes'" </a>
    <li><a href="#ref-for-script-src⑧">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="style-src">
   <b><a href="#style-src">#style-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-style-src">6.1.3. default-src</a> <a href="#ref-for-style-src①">(2)</a>
    <li><a href="#ref-for-style-src②">7.4. CSS Parsing</a>
    <li><a href="#ref-for-style-src③">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="worker-src">
   <b><a href="#worker-src">#worker-src</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-worker-src">6.1.1. child-src</a>
    <li><a href="#ref-for-worker-src①">6.1.3. default-src</a> <a href="#ref-for-worker-src②">(2)</a>
    <li><a href="#ref-for-worker-src③">6.1.12. worker-src</a>
    <li><a href="#ref-for-worker-src④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="base-uri">
   <b><a href="#base-uri">#base-uri</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-base-uri">6.2.1.1. 
    Is base allowed for document? </a>
    <li><a href="#ref-for-base-uri①">7.3. Nonce Retargeting</a>
    <li><a href="#ref-for-base-uri②">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="plugin-types">
   <b><a href="#plugin-types">#plugin-types</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-plugin-types">6.2.2. plugin-types</a> <a href="#ref-for-plugin-types①">(2)</a>
    <li><a href="#ref-for-plugin-types②">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-media-type-list">
   <b><a href="#grammardef-media-type-list">#grammardef-media-type-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-media-type-list">6.2.2. plugin-types</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-media-type">
   <b><a href="#grammardef-media-type">#grammardef-media-type</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-media-type">6.2.2. plugin-types</a> <a href="#ref-for-grammardef-media-type①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="should-plugin-element-be-blocked-a-priori-by-content-security-policy">
   <b><a href="#should-plugin-element-be-blocked-a-priori-by-content-security-policy">#should-plugin-element-be-blocked-a-priori-by-content-security-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-should-plugin-element-be-blocked-a-priori-by-content-security-policy">4.2. 
    Integration with HTML </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="sandbox">
   <b><a href="#sandbox">#sandbox</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-sandbox">6.2.3.2. 
    sandbox Initialization </a>
    <li><a href="#ref-for-sandbox①">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="disown-opener">
   <b><a href="#disown-opener">#disown-opener</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-disown-opener">1.3. Changes from Level 2</a>
    <li><a href="#ref-for-disown-opener①">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="form-action">
   <b><a href="#form-action">#form-action</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-form-action">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="frame-ancestors">
   <b><a href="#frame-ancestors">#frame-ancestors</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-frame-ancestors">6.3.2.2. 
		Relation to X-Frame-Options </a> <a href="#ref-for-frame-ancestors①">(2)</a> <a href="#ref-for-frame-ancestors②">(3)</a>
    <li><a href="#ref-for-frame-ancestors③">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-ancestor-source-list">
   <b><a href="#grammardef-ancestor-source-list">#grammardef-ancestor-source-list</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-ancestor-source-list">6.3.2. frame-ancestors</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="grammardef-ancestor-source">
   <b><a href="#grammardef-ancestor-source">#grammardef-ancestor-source</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-grammardef-ancestor-source">6.3.2. frame-ancestors</a> <a href="#ref-for-grammardef-ancestor-source①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="navigation-to">
   <b><a href="#navigation-to">#navigation-to</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-navigation-to">1.3. Changes from Level 2</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="report-uri">
   <b><a href="#report-uri">#report-uri</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-uri">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-report-uri①">5.3. 
    Report a violation </a>
    <li><a href="#ref-for-report-uri②">6.4.1. report-uri</a> <a href="#ref-for-report-uri③">(2)</a>
    <li><a href="#ref-for-report-uri④">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="report-to">
   <b><a href="#report-to">#report-to</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-report-to">5.2. 
    Obtain the deprecated serialization of violation </a>
    <li><a href="#ref-for-report-to①">5.3. 
    Report a violation </a> <a href="#ref-for-report-to②">(2)</a>
    <li><a href="#ref-for-report-to③">6.4.1. report-uri</a> <a href="#ref-for-report-to④">(2)</a>
    <li><a href="#ref-for-report-to⑤">10.1. 
    Directive Registry </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="scheme-part-match">
   <b><a href="#scheme-part-match">#scheme-part-match</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-scheme-part-match">6.6.1.6. 
    Does url match expression in origin with redirect count? </a> <a href="#ref-for-scheme-part-match①">(2)</a>
    <li><a href="#ref-for-scheme-part-match②">6.6.1.7. 
    scheme-part matching </a> <a href="#ref-for-scheme-part-match③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="host-part-match">
   <b><a href="#host-part-match">#host-part-match</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-host-part-match">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-host-part-match①">6.6.1.8. 
    host-part matching </a> <a href="#ref-for-host-part-match②">(2)</a> <a href="#ref-for-host-part-match③">(3)</a> <a href="#ref-for-host-part-match④">(4)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="port-part-matches">
   <b><a href="#port-part-matches">#port-part-matches</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-port-part-matches">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-port-part-matches①">6.6.1.9. 
    port-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="path-part-match">
   <b><a href="#path-part-match">#path-part-match</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-path-part-match">6.6.1.6. 
    Does url match expression in origin with redirect count? </a>
    <li><a href="#ref-for-path-part-match①">6.6.1.10. 
    path-part matching </a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="source-list-allows-all-inline-behavior">
   <b><a href="#source-list-allows-all-inline-behavior">#source-list-allows-all-inline-behavior</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-source-list-allows-all-inline-behavior">6.6.2.2. 
    Does a source list allow all inline behavior for type? </a> <a href="#ref-for-source-list-allows-all-inline-behavior①">(2)</a> <a href="#ref-for-source-list-allows-all-inline-behavior②">(3)</a> <a href="#ref-for-source-list-allows-all-inline-behavior③">(4)</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

        document.body.addEventListener("click", function(e) {
            var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
            // Find the dfn element or panel, if any, that was clicked on.
            var el = e.target;
            var target;
            var hitALink = false;
            while(el.parentElement) {
                if(el.tagName == "A") {
                    // Clicking on a link in a <dfn> shouldn't summon the panel
                    hitALink = true;
                }
                if(el.classList.contains("dfn-paneled")) {
                    target = "dfn";
                    break;
                }
                if(el.classList.contains("dfn-panel")) {
                    target = "dfn-panel";
                    break;
                }
                el = el.parentElement;
            }
            if(target != "dfn-panel") {
                // Turn off any currently "on" or "activated" panels.
                queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
                    el.classList.remove("on");
                    el.classList.remove("activated");
                });
            }
            if(target == "dfn" && !hitALink) {
                // open the panel
                var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
                if(dfnPanel) {
                    console.log(dfnPanel);
                    dfnPanel.classList.add("on");
                    var rect = el.getBoundingClientRect();
                    dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
                    dfnPanel.style.top = window.scrollY + rect.top + "px";
                    var panelRect = dfnPanel.getBoundingClientRect();
                    var panelWidth = panelRect.right - panelRect.left;
                    if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                        // Reposition, because the panel is overflowing
                        dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
                    }
                } else {
                    console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
                }
            } else if(target == "dfn-panel") {
                // Switch it to "activated" state, which pins it.
                el.classList.add("activated");
                el.style.left = null;
                el.style.top = null;
            }

        });
        </script>