From aa0d4f60067b7ec158be445b56e6d1bf1cef4079 Mon Sep 17 00:00:00 2001 From: Tim van der Lippe Date: Fri, 30 May 2025 12:02:52 +0200 Subject: [PATCH 1/4] Further clarify post-request check It was inconsistent with the pre-request check with regards to the handling of `strict-dynamic` in both case-sensitivity and parser metadata. Additionally, add a clarifying comment about why the post-request check also checks the request, to avoid confusion for implementers. Fixes #727 Part of #728 --- index.bs | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index 9349d0aa2c..1b7bb25ecb 100644 --- a/index.bs +++ b/index.bs @@ -3800,6 +3800,12 @@ Content-Type: application/reports+json Given a request |request|, a response |response|, a directive |directive|, and a policy |policy|: + Note: the check uses a |request| to determine whether it should match + the response |response| to the source-list. If the |request|'s + cryptographic nonce metadata or + integrity metadata matches the source list, then + the |response| is allowed and matching to the source list is skipped. + 1. If |request|'s destination is script-like: 1. Call [=potentially report hash=] with |response|, |request|, |directive| and |policy|. @@ -3814,13 +3820,17 @@ Content-Type: application/reports+json for="request">integrity metadata and this directive's value is "`Matches`", return "`Allowed`". - 1. If |directive|'s value contains - "`'strict-dynamic'`": + 1. If |directive|'s value contains a source + expression that is an ASCII case-insensitive match for + the "`'strict-dynamic'`" keyword-source: - 1. If |request|'s parser metadata is not - "parser-inserted", return "`Allowed`". + 1. If the |request|'s parser metadata is + "parser-inserted", return "`Blocked`". - Otherwise, return "`Blocked`". + Otherwise, return "`Allowed`". + + Note: "`'strict-dynamic'`" is explained in more detail + in [[#strict-dynamic-usage]]. 1. If the result of executing [[#match-response-to-source-list]] on |response|, |request|, |directive|'s value, From 89dd529d3c73ad20ebfa9c4c61524f8ba064aa5c Mon Sep 17 00:00:00 2001 From: Tim van der Lippe Date: Fri, 30 May 2025 12:06:55 +0200 Subject: [PATCH 2/4] Remove double link --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 1b7bb25ecb..0c4d5807fa 100644 --- a/index.bs +++ b/index.bs @@ -3801,7 +3801,7 @@ Content-Type: application/reports+json a directive |directive|, and a policy |policy|: Note: the check uses a |request| to determine whether it should match - the response |response| to the source-list. If the |request|'s + the |response| to the source-list. If the |request|'s cryptographic nonce metadata or integrity metadata matches the source list, then the |response| is allowed and matching to the source list is skipped. From 4eea8f692fe03b97dccd6499e567c28548c1369d Mon Sep 17 00:00:00 2001 From: Tim van der Lippe Date: Tue, 3 Jun 2025 19:15:13 +0200 Subject: [PATCH 3/4] Apply suggestion --- index.bs | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index 0c4d5807fa..a6c1dad4fa 100644 --- a/index.bs +++ b/index.bs @@ -3800,11 +3800,10 @@ Content-Type: application/reports+json Given a request |request|, a response |response|, a directive |directive|, and a policy |policy|: - Note: the check uses a |request| to determine whether it should match - the |response| to the source-list. If the |request|'s - cryptographic nonce metadata or - integrity metadata matches the source list, then - the |response| is allowed and matching to the source list is skipped. + Note: Note: This check needs both |request| and |response| as input + parameters since if |request|'s cryptographic nonce metadata + or integrity metadata matches, then the check passes and + the check of whether |response|'s url matches the source list is skipped. 1. If |request|'s destination is script-like: From faaa2d2bb0270b3b8499dc255c922d2bf0cbf66c Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Thu, 5 Jun 2025 15:39:15 +0200 Subject: [PATCH 4/4] Update index.bs --- index.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index a6c1dad4fa..d7ba126a56 100644 --- a/index.bs +++ b/index.bs @@ -3800,10 +3800,10 @@ Content-Type: application/reports+json Given a request |request|, a response |response|, a directive |directive|, and a policy |policy|: - Note: Note: This check needs both |request| and |response| as input + Note: This check needs both |request| and |response| as input parameters since if |request|'s cryptographic nonce metadata - or integrity metadata matches, then the check passes and - the check of whether |response|'s url matches the source list is skipped. + or integrity metadata matches, then the script is allowed to load + and the check of whether |response|'s url matches the source list is skipped. 1. If |request|'s destination is script-like: