惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
C
Cisco Blogs
Cloudbric
Cloudbric
The Last Watchdog
The Last Watchdog
L
LINUX DO - 热门话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
V2EX - 技术
V2EX - 技术
H
Heimdal Security Blog
S
Security Affairs
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Simon Willison's Weblog
Simon Willison's Weblog
WordPress大学
WordPress大学
小众软件
小众软件
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Engineering at Meta
Engineering at Meta
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
F
Full Disclosure
S
Schneier on Security
L
LangChain Blog
MyScale Blog
MyScale Blog
Know Your Adversary
Know Your Adversary
P
Privacy International News Feed
Google Online Security Blog
Google Online Security Blog
Scott Helme
Scott Helme
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
A
Arctic Wolf
Martin Fowler
Martin Fowler
B
Blog RSS Feed
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
The Register - Security
The Register - Security
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园_首页
Latest news
Latest news
F
Fortinet All Blogs
G
GRAHAM CLULEY
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN

Recent Commits to webappsec-csp:main

[Editorial] Compare origins with 'same origin', not 'is'. · w3c/webappsec-csp@4e01ae7 Fixing 'policy' local link text. · w3c/webappsec-csp@0051d16 Fixing status. · w3c/webappsec-csp@b1de5f1 Export a dfn. · w3c/webappsec-csp@e156259 Add "text" destination type, for JavaScript text imports · w3c/webappsec-csp@7845c09 Attach self-origin to CSP list (#805) · w3c/webappsec-csp@3a5e595 Fix algorithms called with missing parameters (#806) · w3c/webappsec-csp@a20d8fb [Editorial] Avoid nested parenthetical (#804) · w3c/webappsec-csp@8df1f5d Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) · w3c/webappsec-csp@1b8a543 Add missing closing tag for section (#800) · w3c/webappsec-csp@5bc6639 [Editorial] Fix broken references to Trusted Types spec (#790) · w3c/webappsec-csp@a131bcb Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e [Editorial] Reference the algorithm instead of the section for parse-… · w3c/webappsec-csp@9dd7cf1 [Editorial] Fix reference to parse-metadata in SRI (#777) · w3c/webappsec-csp@1137e96 Fix path matching in match-url-to-source-expression (#773) · w3c/webappsec-csp@97e4a82 Change CSPViolationReportBody to dictionary (#737) · w3c/webappsec-csp@a441899 Further clarify post-request check (#730) · w3c/webappsec-csp@7690298 Fix URL in report-uri request (#731) · w3c/webappsec-csp@5c12cbb [Editorial] Fix missing input param of match-response-source-list (#732) · w3c/webappsec-csp@7092cef
[Editorial] 'policy' is a local term, not global. (#812) · w3c/webappsec-csp@3e24aea
mikewest · 2026-04-20 · via Recent Commits to webappsec-csp:main

@@ -436,13 +436,13 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

436436

and restricted behaviors, and may be applied to a {{Document}}, {{WorkerGlobalScope}}, or

437437

{{WorkletGlobalScope}}.

438438439-

Each policy has an associated <dfn for="policy" export>directive set</dfn>, which is an <a>ordered

439+

Each policy has an associated <dfn for="content security policy object" export>directive set</dfn>, which is an <a>ordered

440440

set</a> of <a>directives</a> that define the policy's implications when applied.

441441442-

Each policy has an associated <dfn for="policy" export>disposition</dfn>, which is either

442+

Each policy has an associated <dfn for="content security policy object" export>disposition</dfn>, which is either

443443

"`enforce`" or "`report`".

444444445-

Each policy has an associated <dfn for="policy" export>source</dfn>, which is either "`header`"

445+

Each policy has an associated <dfn for="content security policy object" export>source</dfn>, which is either "`header`"

446446

or "`meta`".

447447448448

Multiple [=/policies=] can be applied to a single resource. A <dfn export>CSP

@@ -458,7 +458,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

458458459459

A [=/CSP list=] <dfn export>contains a header-delivered Content Security

460460

Policy</dfn> if its [=CSP list/policies=] [=list/contain=] a [=/policy=] whose

461-

[=policy/source=] is "`header`".

461+

[=content security policy object/source=] is "`header`".

462462463463

A <dfn export>serialized CSP</dfn> is an <a>ASCII string</a> consisting of a semicolon-delimited

464464

series of <a>serialized directives</a>, adhering to the following ABNF grammar [[!RFC5234]]:

@@ -483,18 +483,18 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

483483

</h4>

484484485485

To <dfn abstract-op>parse a serialized CSP</dfn>, given a [=byte sequence=] or

486-

[=string=] |serialized|, a [=policy/source=] |source|, and a [=policy/disposition=]

486+

[=string=] |serialized|, a [=content security policy object/source=] |source|, and a [=content security policy object/disposition=]

487487

|disposition|, execute the following steps.

488488489489

This algorithm returns a [=Content Security Policy object=]. If |serialized| could not be

490-

parsed, the object's [=policy/directive set=] will be empty.

490+

parsed, the object's [=content security policy object/directive set=] will be empty.

491491492492

<ol class="algorithm">

493493

1. If |serialized| is a [=byte sequence=], then set |serialized| to be the result of

494494

[=isomorphic decoding=] |serialized|.

495495496-

2. Let |policy| be a new [=/policy=] with an empty [=policy/directive set=], a [=policy/source=]

497-

of |source|, and a [=policy/disposition=] of |disposition|.

496+

2. Let |policy| be a new [=/policy=] with an empty [=content security policy object/directive set=], a [=content security policy object/source=]

497+

of |source|, and a [=content security policy object/disposition=] of |disposition|.

498498499499

3. <a for=list>For each</a> |token| returned by [=strictly split a string|strictly splitting=] |serialized| on

500500

the U+003B SEMICOLON character (`;`):

@@ -512,7 +512,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

512512

Note: Directive names are case-insensitive, that is: `script-SRC 'none'` and

513513

`ScRiPt-sRc 'none'` are equivalent.

514514515-

5. If |policy|'s [=policy/directive set=] contains a [=directive=] whose [=directive/name=]

515+

5. If |policy|'s [=content security policy object/directive set=] contains a [=directive=] whose [=directive/name=]

516516

is |directive name|, [=iteration/continue=].

517517518518

Note: In this case, the user agent SHOULD notify developers that a duplicate

@@ -525,7 +525,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

525525

7. Let |directive| be a new [=directive=] whose [=directive/name=] is |directive name|, and

526526

[=directive/value=] is |directive value|.

527527528-

8. [=set/append|Append=] |directive| to |policy|'s [=policy/directive set=].

528+

8. [=set/append|Append=] |directive| to |policy|'s [=content security policy object/directive set=].

529529530530

4. Return |policy|.

531531

</ol>

@@ -548,18 +548,18 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

548548549549

1. Let |policy| be the result of

550550

<a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a

551-

[=policy/source=] of "`header`", and a [=policy/disposition=] of "`enforce`".

551+

[=content security policy object/source=] of "`header`", and a [=content security policy object/disposition=] of "`enforce`".

552552553-

2. If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

553+

2. If |policy|'s [=content security policy object/directive set=] is not empty, append |policy| to |policies|.

554554555555

3. <a for=list>For each</a> |token| returned by [=extracting header list values=] given

556556

`Content-Security-Policy-Report-Only` and |response|'s [=response/header list=]:

557557558558

1. Let |policy| be the result of

559559

<a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a

560-

[=policy/source=] of "`header`", and a [=policy/disposition=] of "`report`".

560+

[=content security policy object/source=] of "`header`", and a [=content security policy object/disposition=] of "`report`".

561561562-

2. If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

562+

2. If |policy|'s [=content security policy object/directive set=] is not empty, append |policy| to |policies|.

563563564564

4. Return a [=/CSP list=] whose [=CSP list/policies=] is |policies| and

565565

[=CSP list/self-origin=] is |response|'s [=response/url=]'s [=url/origin=].

@@ -1573,7 +1573,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1573157315741574

4. Execute [[#report-violation]] on |violation|.

157515751576-

5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to

1576+

5. If |policy|'s [=content security policy object/disposition=] is "`enforce`", then set |result| to

15771577

"`Blocked`".

1578157815791579

4. If |result| is "`Blocked`", throw an `EvalError` exception.

@@ -1622,7 +1622,7 @@ this algorithm returns normally if compilation is allowed, and throws a

1622162216231623

3. Execute [[#report-violation]] on |violation|.

162416241625-

4. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to

1625+

4. If |policy|'s [=content security policy object/disposition=] is "`enforce`", then set |result| to

16261626

"`Blocked`".

1627162716281628

4. If |result| is "`Blocked`", throw a {{WebAssembly.CompileError}} exception.