惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

大猫的无限游戏
大猫的无限游戏
K
Kaspersky official blog
Apple Machine Learning Research
Apple Machine Learning Research
B
Blog
aimingoo的专栏
aimingoo的专栏
M
MIT News - Artificial intelligence
小众软件
小众软件
云风的 BLOG
云风的 BLOG
腾讯CDC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Hugging Face - Blog
Hugging Face - Blog
S
SegmentFault 最新的问题
Stack Overflow Blog
Stack Overflow Blog
量子位
S
Secure Thoughts
G
GRAHAM CLULEY
C
CXSECURITY Database RSS Feed - CXSecurity.com
人人都是产品经理
人人都是产品经理
雷峰网
雷峰网
T
Threat Research - Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
G
Google Developers Blog
爱范儿
爱范儿
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Martin Fowler
Martin Fowler
The GitHub Blog
The GitHub Blog
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - 聂微东
宝玉的分享
宝玉的分享
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
Netflix TechBlog - Medium
Forbes - Security
Forbes - Security
Engineering at Meta
Engineering at Meta
S
Security Affairs
Help Net Security
Help Net Security
博客园 - 三生石上(FineUI控件)
AWS News Blog
AWS News Blog
博客园 - 叶小钗
Recent Commits to openclaw:main
Recent Commits to openclaw:main
V2EX - 技术
V2EX - 技术
Hacker News: Ask HN
Hacker News: Ask HN
Project Zero
Project Zero
H
Heimdal Security Blog
W
WeLiveSecurity
C
Check Point Blog

Recent Commits to webappsec-csp:main

[Editorial] Compare origins with 'same origin', not 'is'. · w3c/webappsec-csp@4e01ae7 Fixing status. · w3c/webappsec-csp@b1de5f1 Export a dfn. · w3c/webappsec-csp@e156259 [Editorial] 'policy' is a local term, not global. (#812) · w3c/webappsec-csp@3e24aea Add "text" destination type, for JavaScript text imports · w3c/webappsec-csp@7845c09 Attach self-origin to CSP list (#805) · w3c/webappsec-csp@3a5e595 Fix algorithms called with missing parameters (#806) · w3c/webappsec-csp@a20d8fb [Editorial] Avoid nested parenthetical (#804) · w3c/webappsec-csp@8df1f5d Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) · w3c/webappsec-csp@1b8a543 Add missing closing tag for section (#800) · w3c/webappsec-csp@5bc6639 [Editorial] Fix broken references to Trusted Types spec (#790) · w3c/webappsec-csp@a131bcb Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e [Editorial] Reference the algorithm instead of the section for parse-… · w3c/webappsec-csp@9dd7cf1 [Editorial] Fix reference to parse-metadata in SRI (#777) · w3c/webappsec-csp@1137e96 Fix path matching in match-url-to-source-expression (#773) · w3c/webappsec-csp@97e4a82 Change CSPViolationReportBody to dictionary (#737) · w3c/webappsec-csp@a441899 Further clarify post-request check (#730) · w3c/webappsec-csp@7690298 Fix URL in report-uri request (#731) · w3c/webappsec-csp@5c12cbb [Editorial] Fix missing input param of match-response-source-list (#732) · w3c/webappsec-csp@7092cef
Fixing 'policy' local link text. · w3c/webappsec-csp@0051d16
mikewest · 2026-04-21 · via Recent Commits to webappsec-csp:main

@@ -573,7 +573,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

573573

<h3 id="framework-directives">Directives</h3>

574574575575

Each <a for="/">policy</a> contains an <a>ordered set</a> of <dfn export>directives</dfn> (its

576-

<a for="policy">directive set</a>), each of which controls a specific behavior. The directives

576+

<a for="content security policy object">directive set</a>), each of which controls a specific behavior. The directives

577577

defined in this document are described in detail in [[#csp-directives]].

578578579579

Each <a>directive</a> is a <dfn for="directive" export>name</dfn> /

@@ -770,7 +770,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

770770771771

Each <a>violation</a> has a

772772

<dfn for="violation" id="violation-disposition" export>disposition</dfn>, which is the

773-

<a for="policy">disposition</a> of the <a for="/">policy</a> that has been violated.

773+

<a for="content security policy object">disposition</a> of the <a for="/">policy</a> that has been violated.

774774775775

Each <a>violation</a> has an

776776

<dfn for="violation" id="violation-effective-directive" export>effective directive</dfn>

@@ -1031,7 +1031,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1031103110321032

2. <a for=list>For each</a> |policy| of |CSP list|'s [=CSP list/policies=]:

103310331034-

1. If |policy|'s <a for="policy">disposition</a> is "`enforce`",

1034+

1. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`",

10351035

then skip to the next |policy|.

1036103610371037

2. Let |violates| be the result of executing

@@ -1056,7 +1056,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1056105610571057

3. <a for=list>For each</a> |policy| of |CSP list|'s [=CSP list/policies=]:

105810581059-

1. If |policy|'s <a for="policy">disposition</a> is "`report`",

1059+

1. If |policy|'s <a for="content security policy object">disposition</a> is "`report`",

10601060

then skip to the next |policy|.

1061106110621062

2. Let |violates| be the result of executing

@@ -1096,7 +1096,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

10961096

1. Execute [[#report-violation]] on the result of executing

10971097

[[#create-violation-for-request]] on |request|, and |policy|.

109810981099-

2. If |policy|'s <a for="policy">disposition</a> is "`enforce`",

1099+

2. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`",

11001100

then set |result| to "`Blocked`".

1101110111021102

Note: This portion of the check verifies that the page can load the

@@ -1249,7 +1249,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

12491249

3. <a for=list>For each</a> |policy| of |element|'s {{Document}}'s <a for="/">global object</a>'s

12501250

<a for="global object">CSP list</a>'s [=CSP list/policies=]:

125112511252-

1. <a for=set>For each</a> |directive| of |policy|'s <a for="policy">directive set</a>:

1252+

1. <a for=set>For each</a> |directive| of |policy|'s <a for="content security policy object">directive set</a>:

1253125312541254

1. If |directive|'s <a for="directive">inline check</a> returns

12551255

"`Allowed`" when executed upon |element|, |type|, |policy| and |source|,

@@ -1274,7 +1274,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1274127412751275

7. Execute [[#report-violation]] on |violation|.

127612761277-

8. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1277+

8. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

12781278

set |result| to "`Blocked`".

1279127912801280

4. Return |result|.

@@ -1315,7 +1315,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1315131513161316

4. Execute [[#report-violation]] on |violation|.

131713171318-

5. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1318+

5. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

13191319

set |result| to "`Blocked`".

1320132013211321

3. If |result| is "`Allowed`", and if |navigation request|'s

@@ -1344,7 +1344,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1344134413451345

5. Execute [[#report-violation]] on |violation|.

134613461347-

6. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1347+

6. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

13481348

set |result| to "`Blocked`".

1349134913501350

4. Return |result|.

@@ -1389,7 +1389,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1389138913901390

4. Execute [[#report-violation]] on |violation|.

139113911392-

5. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1392+

5. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

13931393

set |result| to "`Blocked`".

1394139413951395

3. <a for=list>For each</a> |policy| of |navigation request|'s <a for="request">policy container</a>'s

@@ -1416,7 +1416,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1416141614171417

4. Execute [[#report-violation]] on |violation|.

141814181419-

5. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1419+

5. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

14201420

set |result| to "`Blocked`".

1421142114221422

4. Return |result|.

@@ -1474,7 +1474,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1474147414751475

4. Execute [[#report-violation]] on |violation|.

147614761477-

5. If |policy|'s <a for="policy">disposition</a> is "`enforce`", then

1477+

5. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`", then

14781478

set |result| to "`Blocked`".

1479147914801480

3. Return |result|.

@@ -1789,7 +1789,7 @@ Content-Type: application/reports+json

17891789

:: The <a lt="serialized CSP">serialization</a> of |violation|'s

17901790

<a for="violation">policy</a>

17911791

: "`disposition`"

1792-

:: The <a for="policy">disposition</a> of |violation|'s

1792+

:: The <a for="content security policy object">disposition</a> of |violation|'s

17931793

<a for="violation">policy</a>

17941794

: "`status-code`"

17951795

:: |violation|'s <a for="violation">status</a>

@@ -1920,12 +1920,12 @@ Content-Type: application/reports+json

19201920

{{SecurityPolicyViolationEvent/violatedDirective}} are the same value.

19211921

This is intentional to maintain backwards compatibility.

192219221923-

4. If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive

1923+

4. If |violation|'s <a for="violation">policy</a>'s <a for="content security policy object">directive

19241924

set</a> contains a <a>directive</a> named "<a>`report-uri`</a>"

19251925

|directive|:

1926192619271927

1. If |violation|'s <a for="violation">policy</a>'s

1928-

<a for="policy">directive set</a> contains a <a>directive</a> named

1928+

<a for="content security policy object">directive set</a> contains a <a>directive</a> named

19291929

"<a>`report-to`</a>", skip the remaining substeps.

1930193019311931

2. <a for=set>For each</a> |token| of |directive|'s

@@ -1980,7 +1980,7 @@ Content-Type: application/reports+json

19801980

is, the latter overrides the former, allowing for backwards compatibility

19811981

with browsers that don't support the new mechanism.

198219821983-

5. If |violation|'s <a for="violation">policy</a>'s <a for="policy">directive

1983+

5. If |violation|'s <a for="violation">policy</a>'s <a for="content security policy object">directive

19841984

set</a> contains a <a>directive</a> named "<a>`report-to`</a>"

19851985

|directive|:

19861986

@@ -3531,7 +3531,7 @@ Content-Type: application/reports+json

35313531

1. Let |source list| be null.

3532353235333533

2. If a <a>directive</a> whose <a for="directive">name</a> is

3534-

"`base-uri`" is present in |policy|'s <a for="policy">directive

3534+

"`base-uri`" is present in |policy|'s <a for="content security policy object">directive

35353535

set</a>, set |source list| to that <a>directive</a>'s

35363536

<a for="directive">value</a>.

35373537

@@ -3549,7 +3549,7 @@ Content-Type: application/reports+json

3549354935503550

3. Execute [[#report-violation]] on |violation|.

355135513552-

4. If |policy|'s <a for="policy">disposition</a> is "`enforce`",

3552+

4. If |policy|'s <a for="content security policy object">disposition</a> is "`enforce`",

35533553

return "`Blocked`".

3554355435553555

Note: We compare against the fallback base URL in order to deal correctly with things like

@@ -3592,7 +3592,7 @@ Content-Type: application/reports+json

35923592

Given a {{Document}} or <a for="/">global object</a> |context| and a <a for="/">policy</a>

35933593

|policy|:

359435943595-

1. If |policy|'s <a for="policy">disposition</a> is not "`enforce`", or

3595+

1. If |policy|'s <a for="content security policy object">disposition</a> is not "`enforce`", or

35963596

|context| is not a {{WorkerGlobalScope}}, then abort this algorithm.

3597359735983598

2. Let |sandboxing flag set| be a new [=/sandboxing flag set=].

@@ -3731,7 +3731,7 @@ Content-Type: application/reports+json

37313731

<a>`frame-ancestors`</a> directive <em>overrides</em> the

37323732

\`<code>[:X-Frame-Options:]</code>\` header. If a resource is delivered with

37333733

a <a for="/">policy</a> that includes a <a>directive</a> named

3734-

<a>`frame-ancestors`</a> and whose <a for="policy">disposition</a> is

3734+

<a>`frame-ancestors`</a> and whose <a for="content security policy object">disposition</a> is

37353735

"`enforce`", then the \`<code>[:X-Frame-Options:]</code>\` header will be

37363736

ignored, per <cite>HTML</cite>'s processing model.

37373737