Skip to content

Cancel navigation on invalid required CSP attribute #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
antosart wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Cancel navigation on invalid required CSP attribute #11

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 14 additions & 10 deletions index.src.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -219,11 +219,9 @@ <h1>Content Security Policy: Embedded Enforcement</h1>
<a>element</a> (|element|)'s <{iframe/csp}> <a>content attribute</a> if all of the
following statements are true:

1. |value| is not the empty string.
1. |value| matches the <a grammar>serialized-policy</a> ABNF grammar defined in [[!CSP]].

2. |value| matches the <a grammar>serialized-policy</a> ABNF grammar defined in [[!CSP]].

3. One of the following statements is true:
2. One of the following statements is true:

1. |element|'s [=node document=]'s [=Document/browsing context=]'s
[=browsing context/required CSP=] is `null`.
Expand All @@ -232,7 +230,7 @@ <h1>Content Security Policy: Embedded Enforcement</h1>
[=policy/subsumed by=] |element|'s [=node document=]'s [=Document/browsing context=]'s
[=browsing context/required CSP=].

4. The result of [=parse a serialized csp as disposition|parsing=] |value| as "`enforce`" has a
3. The result of [=parse a serialized csp as disposition|parsing=] |value| as "`enforce`" has a
[=policy/directive set=] that does not [=list/contain=] any of the following directives:

* [=report-uri=]
Expand Down Expand Up @@ -341,6 +339,9 @@ <h1>Content Security Policy: Embedded Enforcement</h1>
11. <a lt="set the required CSP" abstract-op>Set</a> `browsingContext`'s
<a for="browsing context">required CSP</a>.

12. If `browsingContext`'s <a for="browsing context">required CSP</a> is `invalid`, cancel the
navigation.

ISSUE: Upstream this to WHATWG's HTML.

ISSUE(w3c/html#584): W3C's HTML's navigation algorithm is wildly divergent from WHATWG's at
Expand Down Expand Up @@ -382,14 +383,17 @@ <h1>Content Security Policy: Embedded Enforcement</h1>

1. If |context| is a <a>nested browsing context</a>:

1. If |context|'s <a>browsing context container</a> has an <{iframe/csp}> <a>content
1. If |context|'s <a>browsing context container</a> has no <{iframe/csp}> <a>content
attribute</a>, or if it has an <{iframe/csp}> <a>content attribute</a> with an emtpy
value, set |context|'s <a for="browsing context">required CSP</a> to the value of
|context|'s
<a>parent browsing context</a>'s <a for="browsing context">required CSP</a> and return.

2. If |context|'s <a>browsing context container</a> has an <{iframe/csp}> <a>content
attribute</a> with a <a for="iframe/csp">valid attribute value</a> (|value|), set
|context|'s <a for="browsing context">required CSP</a> to |value| and return.

2. Set |context|'s <a for="browsing context">required CSP</a> to the value of |context|'s
<a>parent browsing context</a>'s <a for="browsing context">required CSP</a>.

3. Return.
3. Set |context|'s <a for="browsing context">required CSP</a> to `invalid` and return.

2. Set |context|'s <a for="browsing context">required CSP</a> to `null`.
</div>
Expand Down