惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
博客园_首页
Vercel News
Vercel News
WordPress大学
WordPress大学
美团技术团队
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Y
Y Combinator Blog
博客园 - 【当耐特】
量子位
酷 壳 – CoolShell
酷 壳 – CoolShell
The Cloudflare Blog
T
The Blog of Author Tim Ferriss
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
腾讯CDC
M
MIT News - Artificial intelligence
爱范儿
爱范儿
Recent Announcements
Recent Announcements
雷峰网
雷峰网
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
The Register - Security
The Register - Security
Jina AI
Jina AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
Help Net Security
Help Net Security
N
News and Events Feed by Topic
博客园 - Franky
P
Proofpoint News Feed
L
LINUX DO - 热门话题
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
D
Docker
Google DeepMind News
Google DeepMind News
有赞技术团队
有赞技术团队
IT之家
IT之家
Security Latest
Security Latest
L
LangChain Blog
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
J
Java Code Geeks

Recent Commits to webappsec-csp:main

[Editorial] Compare origins with 'same origin', not 'is'. · w3c/webappsec-csp@4e01ae7 Fixing 'policy' local link text. · w3c/webappsec-csp@0051d16 Fixing status. · w3c/webappsec-csp@b1de5f1 Export a dfn. · w3c/webappsec-csp@e156259 [Editorial] 'policy' is a local term, not global. (#812) · w3c/webappsec-csp@3e24aea Add "text" destination type, for JavaScript text imports · w3c/webappsec-csp@7845c09 Attach self-origin to CSP list (#805) · w3c/webappsec-csp@3a5e595 Fix algorithms called with missing parameters (#806) · w3c/webappsec-csp@a20d8fb [Editorial] Avoid nested parenthetical (#804) · w3c/webappsec-csp@8df1f5d Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) · w3c/webappsec-csp@1b8a543 Add missing closing tag for section (#800) · w3c/webappsec-csp@5bc6639 [Editorial] Fix broken references to Trusted Types spec (#790) · w3c/webappsec-csp@a131bcb Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e [Editorial] Reference the algorithm instead of the section for parse-… · w3c/webappsec-csp@9dd7cf1 [Editorial] Fix reference to parse-metadata in SRI (#777) · w3c/webappsec-csp@1137e96 Fix path matching in match-url-to-source-expression (#773) · w3c/webappsec-csp@97e4a82 Change CSPViolationReportBody to dictionary (#737) · w3c/webappsec-csp@a441899 Fix URL in report-uri request (#731) · w3c/webappsec-csp@5c12cbb [Editorial] Fix missing input param of match-response-source-list (#732) · w3c/webappsec-csp@7092cef
Further clarify post-request check (#730) · w3c/webappsec-csp@7690298
TimvdLippe · 2025-06-06 · via Recent Commits to webappsec-csp:main

@@ -3800,6 +3800,11 @@ Content-Type: application/reports+json

38003800

Given a <a for="/">request</a> |request|, a <a>response</a> |response|,

38013801

a <a>directive</a> |directive|, and a <a for="/">policy</a> |policy|:

380238023803+

Note: This check needs both |request| and |response| as input

3804+

parameters since if |request|'s <a for="request">cryptographic nonce metadata</a>

3805+

or <a for="request">integrity metadata</a> matches, then the script is allowed to load

3806+

and the check of whether |response|'s url matches the source list is skipped.

3807+38033808

1. If |request|'s <a for="request">destination</a> is <a for="request/destination">script-like</a>:

3804380938053810

1. Call [=potentially report hash=] with |response|, |request|, |directive| and |policy|.

@@ -3814,13 +3819,17 @@ Content-Type: application/reports+json

38143819

for="request">integrity metadata</a> and this directive's <a

38153820

for="directive">value</a> is "`Matches`", return "`Allowed`".

381638213817-

1. If |directive|'s <a for="directive">value</a> contains

3818-

"<a grammar>`'strict-dynamic'`</a>":

3822+

1. If |directive|'s <a for="directive">value</a> contains a <a>source

3823+

expression</a> that is an <a>ASCII case-insensitive</a> match for

3824+

the "<a grammar>`'strict-dynamic'`</a>" <a grammar>keyword-source</a>:

381938253820-

1. If |request|'s <a for="request">parser metadata</a> is not

3821-

<a>"parser-inserted"</a>, return "`Allowed`".

3826+

1. If the |request|'s <a for="request">parser metadata</a> is

3827+

<a>"parser-inserted"</a>, return "`Blocked`".

382238283823-

Otherwise, return "`Blocked`".

3829+

Otherwise, return "`Allowed`".

3830+3831+

Note: "<a grammar>`'strict-dynamic'`</a>" is explained in more detail

3832+

in [[#strict-dynamic-usage]].

3824383338253834

1. If the result of executing [[#match-response-to-source-list]] on

38263835

|response|, |request|, |directive|'s <a for="directive">value</a>,