Commit d8953ae

Add 'unsafe-webtransport-hashes' keyword to connect-src
1 parent a131bcb commit d8953ae

1 file changed

+30
-3
lines changed

index.bs

@@ -696,7 +696,7 @@ spec:SRI; urlPrefix: https://w3c.github.io/webappsec-subresource-integrity
696696
/ "<dfn>'report-sample'</dfn>" / "<dfn>'unsafe-allow-redirects'</dfn>"
697697
/ "<dfn>'wasm-unsafe-eval'</dfn>" / "<dfn>'trusted-types-eval'</dfn>"
698698
/ "<dfn>'report-sha256'</dfn>" / "<dfn>'report-sha384'</dfn>"
699-
/ "<dfn>'report-sha512'</dfn>"
699+
/ "<dfn>'report-sha512'</dfn>" / "<dfn>'unsafe-webtransport-hashes'</dfn>"
700700

701701
ISSUE: Bikeshed `unsafe-allow-redirects`.
702702

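Review bot: the `'unsafe-webtransport-hashes'` alternative appended to the `'report-sha512'` line joins the shared keyword list, so it becomes syntactically valid in any directive's source list, while the commit title scopes it to `connect-src` and the only consumer in this patch is the `connect-src` check. Add a sentence next to the grammar saying the keyword has an effect only in `connect-src` and is ignored in other directives, so policy authors do not assume it relaxes anything else.
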
@@ -2220,9 +2220,15 @@ Content-Type: application/reports+json
22202220

22212221
3. If the result of executing [[#match-request-to-source-list]] on
22222222
|request|, this directive's <a for="directive">value</a>, and
2223-
|policy|, is "`Does Not Match`", return "`Blocked`".
2223+
|policy|, is "`Matches`", return "`Allowed`".
22242224

2225-
4. Return "`Allowed`".
2225+
4. If |request|'s [=request/mode=] is "`webtransport`", |request|'s
2226+
<a for="request">unsafe-webtransport-hashes flag</a> is set, and
2227+
the result of executing [[#allow-unsafe-webtransport-hashes]]
2228+
on this directive's <a for="directive">value</a>, is "`Matches`",
2229+
return "`Allowed`".
2230+
2231+
6. Return "`Blocked`".
22262232

22272233
<h5 algorithm id="connect-src-post-request">
22282234
`connect-src` Post-request check
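
Review bot: new step 4 compares the result of [[#allow-unsafe-webtransport-hashes]] with "`Matches`", but the algorithm added later in this commit returns "`Allows`" or "`Does Not Allow`", so the condition can never hold and a "`webtransport`" request that did not match in step 3 always falls through to "`Blocked`". Compare against "`Allows`" (or make the new algorithm return "`Matches`" / "`Does Not Match`" like the other source-list checks). The final step is also numbered 6 with no step 5; renumber it to 5. Because the fall-through result changes from "`Allowed`" to "`Blocked`", it is worth confirming that the steps above step 3, which are outside this hunk, still return early for requests this directive does not govern.
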
@@ -4262,6 +4268,27 @@ Content-Type: application/reports+json
42624268
9. Return "`Matches`".
42634269
</ol>
42644270

4271+
<h5 id="allow-unsafe-webtransport-hashes" algorithm>
4272+
Does a source list allow unsafe WebTransport hashes?
4273+
</h5>
4274+
4275+
A <a>source list</a>
4276+
<dfn export for="source list" local-lt="allow unsafe WebTransport hashes">allows unsafe WebTransport hashes</dfn>
4277+
if it contains the <a grammar>`keyword-source`</a>
4278+
expression <a grammar>`'unsafe-webtransport-hashes'`</a>, as described in the following
4279+
algorithm:
4280+
4281+
Given a <a>source list</a> |list|, the following
4282+
algorithm returns "`Allows`" if allowed and "`Does Not Allow`" otherwise.
4283+
4284+
1. <a for=set>For each</a> |expression| of |list|:
4285+
4286+
1. If |expression| is an <a>ASCII case-insensitive</a> match for the
4287+
<a grammar>`keyword-source`</a> "<a grammar>`'unsafe-webtransport-hashes'`</a>",
4288+
return "`Allows`".
4289+
4290+
2. Return "`Does Not Allow`".
4291+
42654292
<h4 id="matching-elements">Element Matching Algorithms</h4>
42664293

42674294
<h5 id="is-element-nonceable" algorithm>
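
Review bot: the new "Does a source list allow unsafe WebTransport hashes?" section says when a list allows them but never says what an "unsafe WebTransport hash" is, what the keyword permits, or why it carries the `unsafe-` prefix. Add a short non-normative note after the definition describing the behaviour being opted into and its risk, since this is the only place a policy author will look. The sentence "returns "`Allows`" if allowed" is also circular; say instead that it returns "`Allows`" if |list| contains the keyword.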
