Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e
mikewest
·
2025-10-29
·
via Recent Commits to webappsec-csp:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -4412,6 +4412,10 @@ Content-Type: application/reports+json
|
4412 | 4412 | |
4413 | 4413 | 2. <a for=set>For each</a> |expression| of |list|: |
4414 | 4414 | |
| 4415 | + 1. If |expression| is the "<a grammar>`'strict-dynamic'`</a>" <a grammar>keyword-source</a>: |
| 4416 | + |
| 4417 | + 1. If |type| is "`script`", and |element| is not [=parser-inserted=], return "`Matches`". |
| 4418 | + |
4415 | 4419 | 1. If |expression| matches the <a grammar>`hash-source`</a> grammar: |
4416 | 4420 | |
4417 | 4421 | 1. Let |algorithm| be null. |
@@ -4448,8 +4452,6 @@ Content-Type: application/reports+json
|
4448 | 4452 | they will also apply to event handlers, style attributes and `javascript:` |
4449 | 4453 | navigations. |
4450 | 4454 | |
4451 | | - ISSUE(w3c/webappsec-csp#426): This should handle `'strict-dynamic'` for dynamically inserted inline scripts. |
4452 | | - |
4453 | 4455 | 6. Return "`Does Not Match`". |
4454 | 4456 | |
4455 | 4457 | <h3 id="directive-algorithms">Directive Algorithms</h3> |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。