diff --git a/index.bs b/index.bs
index 8877e9eea5..2a37a7b2c4 100644
--- a/index.bs
+++ b/index.bs
@@ -40,6 +40,7 @@ spec:html
text: style
type: element-attr
text: ping
+ text: type
type:interface
text:SharedWorker
spec:fetch
@@ -1239,7 +1240,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
application, event handlers, etc.), and "`Blocked`" otherwise:
Note: The valid values for |type| are "`script`", "`script attribute`",
- "`style`", and "`style attribute`".
+ "`script speculationrules`", "`style`", and "`style attribute`".
1. Assert: |element| is not null.
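Review bot: the note now lists "`script speculationrules`" without saying what it denotes; add a clause tying it to a <{script}> element whose <{script/type}> is `speculationrules`, and link that attribute (the `text: type` anchor added in the first hunk looks intended for exactly this, but nothing in the patch references it yet).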
@@ -2330,6 +2331,7 @@ Content-Type: application/reports+json
object-src 'self';
script-src-elem 'self';
script-src-attr 'self';
+ speculation-rules-src 'self';
style-src-elem 'self';
style-src-attr 'self';
worker-src 'self'
@@ -2359,6 +2361,7 @@ Content-Type: application/reports+json
object-src 'self';
script-src-elem https://example.com;
script-src-attr 'self';
+ speculation-rules-src 'self';
style-src-elem 'self';
style-src-attr 'self';
worker-src 'self'
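Review bot: `speculation-rules-src 'self'` in this expansion looks inconsistent with the fallback order this patch introduces later (`<< "speculation-rules-src", "script-src-elem", "script-src", "default-src" >>`). Because the example's policy sets `script-src-elem https://example.com` and no `speculation-rules-src`, the equivalent expanded value should be `speculation-rules-src https://example.com`, not `'self'`, unless the example's source policy sets `speculation-rules-src` explicitly; please check the example against the fallback list.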
@@ -3117,6 +3120,99 @@ Content-Type: application/reports+json
5. Return "`Allowed`".
+ `speculation-rules-src`
+
+ The syntax for the directive's name and value is described by the following ABNF:
+
+
+ directive-name = "speculation-rules-src"
+ directive-value = serialized-source-list
+
+
+ The speculation-rules-src directive restricts the sources
+ from which speculation rules may be loaded, whether via
+ <{script}> elements or the `Speculation-Rules` HTTP response header.
+
+ If `speculation-rules-src` is not present, the user agent will fall back to
+ `script-src-elem`, then `script-src`, then `default-src` when evaluating
+ whether a given speculation rules resource should be allowed.
+
+
+ Given a page with the following Content Security Policy:
+
+
+ Content-Security-Policy: speculation-rules-src https://cdn.example.com/
+
+
+ Only speculation rules from `https://cdn.example.com/` will be allowed,
+ regardless of the values set in `script-src-elem`, `script-src`, or
+ `default-src`.
+
+
+
+ `speculation-rules-src` Pre-request check
+
+
+ This directive's pre-request check is as follows:
+
+ Given a request |request| and a policy |policy|:
+
+ 1. Let |name| be the result of executing [[#effective-directive-for-a-request]]
+ on |request|.
+
+ 2. If the result of executing [[#should-directive-execute]] on |name|,
+ `speculation-rules-src` and |policy| is "`No`", return "`Allowed`".
+
+ 3. If the result of executing [[#match-request-to-source-list]] on
+ |request|, this directive's value, and |policy|,
+ is "`Does Not Match`", return "`Blocked`".
+
+ 4. Return "`Allowed`".
+
+
+ `speculation-rules-src` Post-request check
+
+
+ This directive's post-request check is as follows:
+
+ Given a request |request|, a response |response|, and a
+ policy |policy|:
+
+ 1. Let |name| be the result of executing [[#effective-directive-for-a-request]]
+ on |request|.
+
+ 2. If the result of executing [[#should-directive-execute]] on |name|,
+ `speculation-rules-src` and |policy| is "`No`", return "`Allowed`".
+
+ 3. If the result of executing [[#match-response-to-source-list]] on
+ |response|, |request|, this directive's value,
+ and |policy|, is "`Does Not Match`", return "`Blocked`".
+
+ 4. Return "`Allowed`".
+
+
+ `speculation-rules-src` Inline Check
+
+
+ This directive's inline check algorithm is as follows:
+
+ Given an {{Element}} |element|, a string |type|, a policy
+ |policy| and a string |source|:
+
+ 1. Assert: |element| is not null.
+
+ 2. Let |name| be the result of executing [[#effective-directive-for-inline-check]]
+ on |type|.
+
+ 3. If the result of executing [[#should-directive-execute]] on |name|,
+ `speculation-rules-src`, and |policy| is "`No`", return "`Allowed`".
+
+ 4. If the result of executing [[#match-element-to-source-list]] on
+ |element|, this directive's value, |type|,
+ and |source| is "`Does Not Match`", return "`Blocked`".
+
+ 5. Return "`Allowed`".
+
`style-src`
The style-src directive restricts the locations from which style
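Review bot: as rendered here the new section has no definition or id markup for `speculation-rules-src`, although the IANA hunk later in the patch links to `#directive-speculation-rules-src`; if that is not an artefact of how the diff was displayed, add the definition/id the way the neighbouring directive sections do, and mark up the ABNF and the `Content-Security-Policy: speculation-rules-src https://cdn.example.com/` example as ABNF and example blocks rather than bare lines. The description also mentions the `Speculation-Rules` HTTP response header and <{script}> elements without referencing the specification that defines that header and the `speculationrules` script type; a citation there would make it clear that header-delivered rules go through the pre-request and post-request checks while inline rules go through the inline check, which is what the three algorithms below imply.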
@@ -3948,6 +4044,7 @@ Content-Type: application/reports+json
* `object-src`
* `script-src`
* `script-src-elem`
+ * `speculation-rules-src`
* `style-src`
* `style-src-elem`
* `worker-src`
@@ -4069,7 +4166,7 @@ Content-Type: application/reports+json
Note: An empty source list (that is, a directive without a value: `script-src`,
as opposed to `script-src host1`) is equivalent to a source list containing `'none'`,
and will not match any URL.
-
+
Note: The `'none'` keyword has no effect when other source expressions are
present. That is, the list « `'none'` » does not match any URL. A list consisting
of « `'none'`, `https://example.com` », on the other hand, would match
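Review bot: this hunk, and the similar ones below at the host-matching `Note:` paragraph, the `3. Let |normalizedInput|` step and the `img-src 'none'` example, change only trailing whitespace and are unrelated to speculation rules; split them into a separate whitespace-cleanup commit so the substantive change stays reviewable.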
@@ -4220,7 +4317,7 @@ Content-Type: application/reports+json
Note: The matching relation is asymmetric. That is, |pattern| matching |host| does not
mean that |host| will match |pattern|. For example, `*.example.com` `host-part` matches
`www.example.com`, but `www.example.com` does not `host-part` match `*.example.com`.
-
+
Note: A future version of this specification may allow literal IPv6 and IPv4 addresses,
depending on usage and demand. Given the weak security properties of IP addresses in
relation to named hosts, however, authors are encouraged to prefer the latter whenever possible.
@@ -4261,7 +4358,7 @@ Content-Type: application/reports+json
3. Let |normalizedInput| be null if |input| null; otherwise |input|
interpreted as decimal number.
-
+
4. If |normalizedInput| equals |url|'s [=url/port=], return "`Matches`".
5. If |url|'s [=url/port=] is null:
@@ -4444,8 +4541,9 @@ Content-Type: application/reports+json
1. If [[#allow-all-inline]] returns "`Allows`" given |list| and |type|,
return "`Matches`".
- 2. If |type| is "`script`" or "`style`", and [[#is-element-nonceable]]
- returns "`Nonceable`" when executed upon |element|:
+ 2. If |type| is "`script`", "`script speculationrules`", or "`style`", and
+ [[#is-element-nonceable]] returns "`Nonceable`" when executed upon
+ |element|:
1. For each |expression| of |list|:
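Review bot: step 2 now treats "`script speculationrules`" like "`script`" for nonce matching, but step 1's call to [[#allow-all-inline]] is unchanged; if that algorithm special-cases the "`script`", "`script attribute`" and "`navigation`" type strings (for `'strict-dynamic'`, and for a present nonce or hash overriding `'unsafe-inline'`), it needs the same extension, otherwise `'unsafe-inline'` would keep applying to inline speculation rules even when the policy carries a nonce or hash. Please confirm or extend it in this patch.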
@@ -4466,8 +4564,8 @@ Content-Type: application/reports+json
"`'unsafe-hashes'`",
set |unsafe-hashes flag| to `true`. Break out of the loop.
- 5. If |type| is "`script`" or "`style`", or |unsafe-hashes flag| is
- `true`:
+ 5. If |type| is "`script`", "`script speculationrules`", or "`style`", or
+ |unsafe-hashes flag| is `true`:
1. Set |source| to the result of executing UTF-8 encode
on the result of executing JavaScript string converting
@@ -4587,6 +4685,10 @@ Content-Type: application/reports+json
::
1. Return `connect-src`.
+ : "`speculationrules`"
+ ::
+ 1. Return `speculation-rules-src`.
+
: "`report`"
::
1. Return null.
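Review bot: the new "`speculationrules`" case uses the destination string without an anchor; if Fetch defines `speculationrules` as a request destination, add it to the `spec:fetch` anchor block in the first hunk so this case links to the definition like the other destinations in the switch.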
@@ -4614,6 +4716,9 @@ Content-Type: application/reports+json
: "`navigation`"
::
1. Return `script-src-elem`.
+ : "`script speculationrules`"
+ ::
+ 1. Return `speculation-rules-src`.
: "`script attribute`"
::
1. Return `script-src-attr`.
@@ -4637,6 +4742,10 @@ Content-Type: application/reports+json
1. Switch on |directive name|:
+ : "`speculation-rules-src`"
+ ::
+ 1. Return `<< "speculation-rules-src", "script-src-elem", "script-src", "default-src" >>`.
+
: "`script-src-elem`"
::
1. Return `<< "script-src-elem", "script-src", "default-src" >>`.
@@ -5245,7 +5354,7 @@ Content-Type: application/reports+json
Content-Security-Policy: img-src 'none'; script-src 'none'; font-src 'none'
-
+
Supplementing this policy with `default-src 'none'` would improve the page's robustness
against this kind of attack.
@@ -5331,6 +5440,8 @@ Content-Type: application/reports+json
:: This document (see [[#directive-script-src-attr]])
: `script-src-elem`
:: This document (see [[#directive-script-src-elem]])
+ : `speculation-rules-src`
+ :: This document (see [[#directive-speculation-rules-src]])
: `style-src`
:: This document (see [[#directive-style-src]])
: `style-src-attr`