惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

U
Unit 42
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
S
Secure Thoughts
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
N
News | PayPal Newsroom
Application and Cybersecurity Blog
Application and Cybersecurity Blog
O
OpenAI News
S
Security @ Cisco Blogs
宝玉的分享
宝玉的分享
Hacker News: Ask HN
Hacker News: Ask HN
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
TaoSecurity Blog
TaoSecurity Blog
Help Net Security
Help Net Security
Latest news
Latest news
NISL@THU
NISL@THU
S
Security Affairs
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
AI
AI
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Recent Announcements
Recent Announcements
P
Privacy & Cybersecurity Law Blog
小众软件
小众软件
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
博客园 - 司徒正美
AWS News Blog
AWS News Blog
W
WeLiveSecurity
Google DeepMind News
Google DeepMind News
I
InfoQ
Schneier on Security
Schneier on Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
IT之家
IT之家
T
Threatpost
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
腾讯CDC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
News and Events Feed by Topic
L
LINUX DO - 最新话题
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
H
Heimdal Security Blog
S
SegmentFault 最新的问题

Recent Commits to webappsec-csp:main

[Editorial] Compare origins with 'same origin', not 'is'. · w3c/webappsec-csp@4e01ae7 Fixing 'policy' local link text. · w3c/webappsec-csp@0051d16 Fixing status. · w3c/webappsec-csp@b1de5f1 Export a dfn. · w3c/webappsec-csp@e156259 Add "text" destination type, for JavaScript text imports · w3c/webappsec-csp@7845c09 Attach self-origin to CSP list (#805) · w3c/webappsec-csp@3a5e595 Fix algorithms called with missing parameters (#806) · w3c/webappsec-csp@a20d8fb [Editorial] Avoid nested parenthetical (#804) · w3c/webappsec-csp@8df1f5d Add 'unsafe-webtransport-hashes' keyword to connect-src (#791) · w3c/webappsec-csp@1b8a543 Add missing closing tag for section (#800) · w3c/webappsec-csp@5bc6639 [Editorial] Fix broken references to Trusted Types spec (#790) · w3c/webappsec-csp@a131bcb Apply `strict-dynamic` to inline scripts. (#787) · w3c/webappsec-csp@13c7d8e [Editorial] Reference the algorithm instead of the section for parse-… · w3c/webappsec-csp@9dd7cf1 [Editorial] Fix reference to parse-metadata in SRI (#777) · w3c/webappsec-csp@1137e96 Fix path matching in match-url-to-source-expression (#773) · w3c/webappsec-csp@97e4a82 Change CSPViolationReportBody to dictionary (#737) · w3c/webappsec-csp@a441899 Further clarify post-request check (#730) · w3c/webappsec-csp@7690298 Fix URL in report-uri request (#731) · w3c/webappsec-csp@5c12cbb [Editorial] Fix missing input param of match-response-source-list (#732) · w3c/webappsec-csp@7092cef
[Editorial] 'policy' is a local term, not global. (#812) · w3c/webappsec-csp@3e24aea
mikewest · 2026-04-20 · via Recent Commits to webappsec-csp:main

@@ -436,13 +436,13 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

436436

and restricted behaviors, and may be applied to a {{Document}}, {{WorkerGlobalScope}}, or

437437

{{WorkletGlobalScope}}.

438438439-

Each policy has an associated <dfn for="policy" export>directive set</dfn>, which is an <a>ordered

439+

Each policy has an associated <dfn for="content security policy object" export>directive set</dfn>, which is an <a>ordered

440440

set</a> of <a>directives</a> that define the policy's implications when applied.

441441442-

Each policy has an associated <dfn for="policy" export>disposition</dfn>, which is either

442+

Each policy has an associated <dfn for="content security policy object" export>disposition</dfn>, which is either

443443

"`enforce`" or "`report`".

444444445-

Each policy has an associated <dfn for="policy" export>source</dfn>, which is either "`header`"

445+

Each policy has an associated <dfn for="content security policy object" export>source</dfn>, which is either "`header`"

446446

or "`meta`".

447447448448

Multiple [=/policies=] can be applied to a single resource. A <dfn export>CSP

@@ -458,7 +458,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

458458459459

A [=/CSP list=] <dfn export>contains a header-delivered Content Security

460460

Policy</dfn> if its [=CSP list/policies=] [=list/contain=] a [=/policy=] whose

461-

[=policy/source=] is "`header`".

461+

[=content security policy object/source=] is "`header`".

462462463463

A <dfn export>serialized CSP</dfn> is an <a>ASCII string</a> consisting of a semicolon-delimited

464464

series of <a>serialized directives</a>, adhering to the following ABNF grammar [[!RFC5234]]:

@@ -483,18 +483,18 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

483483

</h4>

484484485485

To <dfn abstract-op>parse a serialized CSP</dfn>, given a [=byte sequence=] or

486-

[=string=] |serialized|, a [=policy/source=] |source|, and a [=policy/disposition=]

486+

[=string=] |serialized|, a [=content security policy object/source=] |source|, and a [=content security policy object/disposition=]

487487

|disposition|, execute the following steps.

488488489489

This algorithm returns a [=Content Security Policy object=]. If |serialized| could not be

490-

parsed, the object's [=policy/directive set=] will be empty.

490+

parsed, the object's [=content security policy object/directive set=] will be empty.

491491492492

<ol class="algorithm">

493493

1. If |serialized| is a [=byte sequence=], then set |serialized| to be the result of

494494

[=isomorphic decoding=] |serialized|.

495495496-

2. Let |policy| be a new [=/policy=] with an empty [=policy/directive set=], a [=policy/source=]

497-

of |source|, and a [=policy/disposition=] of |disposition|.

496+

2. Let |policy| be a new [=/policy=] with an empty [=content security policy object/directive set=], a [=content security policy object/source=]

497+

of |source|, and a [=content security policy object/disposition=] of |disposition|.

498498499499

3. <a for=list>For each</a> |token| returned by [=strictly split a string|strictly splitting=] |serialized| on

500500

the U+003B SEMICOLON character (`;`):

@@ -512,7 +512,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

512512

Note: Directive names are case-insensitive, that is: `script-SRC 'none'` and

513513

`ScRiPt-sRc 'none'` are equivalent.

514514515-

5. If |policy|'s [=policy/directive set=] contains a [=directive=] whose [=directive/name=]

515+

5. If |policy|'s [=content security policy object/directive set=] contains a [=directive=] whose [=directive/name=]

516516

is |directive name|, [=iteration/continue=].

517517518518

Note: In this case, the user agent SHOULD notify developers that a duplicate

@@ -525,7 +525,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

525525

7. Let |directive| be a new [=directive=] whose [=directive/name=] is |directive name|, and

526526

[=directive/value=] is |directive value|.

527527528-

8. [=set/append|Append=] |directive| to |policy|'s [=policy/directive set=].

528+

8. [=set/append|Append=] |directive| to |policy|'s [=content security policy object/directive set=].

529529530530

4. Return |policy|.

531531

</ol>

@@ -548,18 +548,18 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

548548549549

1. Let |policy| be the result of

550550

<a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a

551-

[=policy/source=] of "`header`", and a [=policy/disposition=] of "`enforce`".

551+

[=content security policy object/source=] of "`header`", and a [=content security policy object/disposition=] of "`enforce`".

552552553-

2. If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

553+

2. If |policy|'s [=content security policy object/directive set=] is not empty, append |policy| to |policies|.

554554555555

3. <a for=list>For each</a> |token| returned by [=extracting header list values=] given

556556

`Content-Security-Policy-Report-Only` and |response|'s [=response/header list=]:

557557558558

1. Let |policy| be the result of

559559

<a abstract-op lt="parse a serialized CSP">parsing</a> |token|, with a

560-

[=policy/source=] of "`header`", and a [=policy/disposition=] of "`report`".

560+

[=content security policy object/source=] of "`header`", and a [=content security policy object/disposition=] of "`report`".

561561562-

2. If |policy|'s [=policy/directive set=] is not empty, append |policy| to |policies|.

562+

2. If |policy|'s [=content security policy object/directive set=] is not empty, append |policy| to |policies|.

563563564564

4. Return a [=/CSP list=] whose [=CSP list/policies=] is |policies| and

565565

[=CSP list/self-origin=] is |response|'s [=response/url=]'s [=url/origin=].

@@ -1573,7 +1573,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity

1573157315741574

4. Execute [[#report-violation]] on |violation|.

157515751576-

5. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to

1576+

5. If |policy|'s [=content security policy object/disposition=] is "`enforce`", then set |result| to

15771577

"`Blocked`".

1578157815791579

4. If |result| is "`Blocked`", throw an `EvalError` exception.

@@ -1622,7 +1622,7 @@ this algorithm returns normally if compilation is allowed, and throws a

1622162216231623

3. Execute [[#report-violation]] on |violation|.

162416241625-

4. If |policy|'s [=policy/disposition=] is "`enforce`", then set |result| to

1625+

4. If |policy|'s [=content security policy object/disposition=] is "`enforce`", then set |result| to

16261626

"`Blocked`".

1627162716281628

4. If |result| is "`Blocked`", throw a {{WebAssembly.CompileError}} exception.