惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
AI
AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
Vercel News
Vercel News
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
Microsoft Security Blog
Microsoft Security Blog
The GitHub Blog
The GitHub Blog
WordPress大学
WordPress大学
Martin Fowler
Martin Fowler
博客园 - 【当耐特】
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
博客园_首页
F
Full Disclosure
Google DeepMind News
Google DeepMind News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
H
Help Net Security
Recorded Future
Recorded Future
N
News and Events Feed by Topic
雷峰网
雷峰网
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
O
OpenAI News
Project Zero
Project Zero
罗磊的独立博客
G
GRAHAM CLULEY
腾讯CDC
P
Privacy International News Feed
V
V2EX
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hugging Face - Blog
Hugging Face - Blog
爱范儿
爱范儿
H
Heimdal Security Blog
L
LINUX DO - 热门话题
Forbes - Security
Forbes - Security
美团技术团队
MongoDB | Blog
MongoDB | Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog

Recent Commits to webappsec-csp:main

[Editorial] Compare origins with 'same origin', not 'is'. · w3c/webappsec-csp@4e01ae7 Fixing 'policy' local link text. · w3c/webappsec-csp@0051d16 Fixing status. · w3c/webappsec-csp@b1de5f1 Export a dfn. · w3c/webappsec-csp@e156259 [Editorial] 'policy' is a local term, not global. (#812) · w3c/webappsec-csp@3e24aea Add "text" destination type, for JavaScript text imports · w3c/webappsec-csp@7845c09 Attach self-origin to CSP list (#805) · w3c/webappsec-csp@3a5e595 Fix algorithms called with missing parameters (#806) · w3c/webappsec-csp@a20d8fb [Editorial] Avoid nested parenthetical (#804) · w3c/webappsec-csp@8df1f5d Add missing closing tag for section (#800) · w3c/webappsec-csp@5bc6639 [Editorial] Fix broken references to Trusted Types spec (#790) · w3c/webappsec-csp@a131bcb Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e [Editorial] Reference the algorithm instead of the section for parse-… · w3c/webappsec-csp@9dd7cf1 [Editorial] Fix reference to parse-metadata in SRI (#777) · w3c/webappsec-csp@1137e96 Fix path matching in match-url-to-source-expression (#773) · w3c/webappsec-csp@97e4a82 Change CSPViolationReportBody to dictionary (#737) · w3c/webappsec-csp@a441899 Further clarify post-request check (#730) · w3c/webappsec-csp@7690298 Fix URL in report-uri request (#731) · w3c/webappsec-csp@5c12cbb [Editorial] Fix missing input param of match-response-source-list (#732) · w3c/webappsec-csp@7092cef
Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) · w3c/webappsec-csp@1b8a543
jan-ivar · 2026-02-11 · via Recent Commits to webappsec-csp:main

@@ -696,7 +696,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

696696

/ "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"

697697

/ "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'trusted-types-eval'</dfn>"

698698

/ "<dfn>'report-sha256'</dfn>" / "<dfn>'report-sha384'</dfn>"

699-

/ "<dfn>'report-sha512'</dfn>"

699+

/ "<dfn>'report-sha512'</dfn>" / "<dfn>'unsafe-webtransport-hashes'</dfn>"

700700701701

ISSUE: Bikeshed `unsafe-allow-redirects`.

702702

@@ -2215,14 +2215,26 @@ Content-Type: application/reports+json

22152215

1. Let |name| be the result of executing

22162216

[[#effective-directive-for-a-request]] on |request|.

221722172218-

2. If the result of executing [[#should-directive-execute]] on |name|,

2218+

1. If the result of executing [[#should-directive-execute]] on |name|,

22192219

`connect-src` and |policy| is "`No`", return "`Allowed`".

222022202221-

3. If the result of executing [[#match-request-to-source-list]] on

2222-

|request|, this directive's <a for="directive">value</a>, and

2223-

|policy|, is "`Does Not Match`", return "`Blocked`".

2221+

1. Let |source list| be directive's <a for="directive">value</a>.

222422222225-

4. Return "`Allowed`".

2223+

1. If |request|'s [=request/mode=] is "`webtransport`" and |request|'s

2224+

<a for="request">WebTransport-hash list</a> [=list/is not empty=]:

2225+2226+

1. If |source list| [=list/contains=] a <a>source expression</a>

2227+

which is an <a>ASCII case-insensitive</a> match for the

2228+

<a grammar>`keyword-source`</a>

2229+

"<a grammar>`'unsafe-webtransport-hashes'`</a>", return "`Allowed`".

2230+2231+

1. Return "`Blocked`".

2232+2233+

1. If the result of executing [[#match-request-to-source-list]] on

2234+

|request|, |source list|, and |policy|, is "`Matches`", return

2235+

"`Allowed`".

2236+2237+

1. Return "`Blocked`".

2226223822272239

<h5 algorithm id="connect-src-post-request">

22282240

`connect-src` Post-request check

@@ -2236,14 +2248,26 @@ Content-Type: application/reports+json

22362248

1. Let |name| be the result of executing

22372249

[[#effective-directive-for-a-request]] on |request|.

223822502239-

2. If the result of executing [[#should-directive-execute]] on |name|,

2251+

1. If the result of executing [[#should-directive-execute]] on |name|,

22402252

`connect-src` and |policy| is "`No`", return "`Allowed`".

224122532242-

3. If the result of executing [[#match-response-to-source-list]] on

2243-

|response|, |request|, this directive's <a for="directive">value</a>,

2244-

and |policy|, is "`Does Not Match`", return "`Blocked`".

2254+

1. Let |source list| be directive's <a for="directive">value</a>.

224522552246-

4. Return "`Allowed`".

2256+

1. If |request|'s [=request/mode=] is "`webtransport`" and |request|'s

2257+

<a for="request">WebTransport-hash list</a> [=list/is not empty=]:

2258+2259+

1. If |source list| [=list/contains=] a <a>source expression</a>

2260+

which is an <a>ASCII case-insensitive</a> match for the

2261+

<a grammar>`keyword-source`</a>

2262+

"<a grammar>`'unsafe-webtransport-hashes'`</a>", return "`Allowed`".

2263+2264+

1. Return "`Blocked`".

2265+2266+

1. If the result of executing [[#match-response-to-source-list]] on

2267+

|response|, |request|, |source list|, and |policy|, is "`Matches`",

2268+

return "`Allowed`".

2269+2270+

1. Return "`Blocked`".

2247227122482272

<h4 id="directive-default-src">`default-src`</h4>

22492273