56 changes: 56 additions & 0 deletions index.bs
@@ -3555,6 +3555,62 @@ Content-Type: application/reports+json

5. Return "`Allowed`".

<h4 id="directive-immutable">`immutable`</h4>

The immutable directive prevents any subsequently declared policies from being applied.
Once a policy containing immutable is processed, all further policy declarations
(via HTTP headers or `<meta>` elements) are ignored.

<pre dfn-type="grammar" link-type="grammar" class="abnf">
directive-name = "immutable"
directive-value = ""
</pre>

The directive takes no value.

<h5>
`immutable` processing model
</h5>

A policy is immutable if its directive set contains a directive whose name is immutable.
When parsing policies:

* Policies are processed in order
* If a policy contains `immutable`, all subsequent policies are discarded
* User agents SHOULD issue console warnings when policies are ignored

<div class="example">
<pre>
Content-Security-Policy: default-src 'self' example.com; immutable
Content-Security-Policy: script-src 'none'
</pre>

Only the first policy applies. The second is ignored.
</div>

<div class="example">
<pre>
&lt;meta http-equiv="Content-Security-Policy" content="default-src 'self' example.com;">
&lt;meta http-equiv="Content-Security-Policy" content="default-src 'self'; immutable">
&lt;meta http-equiv="Content-Security-Policy" content="script-src 'none'">
</pre>

The first and second policies are applied. The result of enforcing multiple
policies is described in [[#multiple-policies]].
</div>

<div class="example">
<pre>
Content-Security-Policy: default-src 'self' example.com; immutable
</pre>
<pre>
&lt;meta http-equiv="Content-Security-Policy" content="script-src 'none'">
</pre>

Only the first policy applies. The second is ignored. This is an example of
disabling policies set in `<meta>` tags.
</div>

<h3 id="directives-navigation">
Navigation Directives
</h3>
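Review bot: the processing model ("Policies are processed in order" / "If a policy contains `immutable`, all subsequent policies are discarded") never defines that order across delivery mechanisms, and the security of the directive depends on it. Because an `immutable` policy delivered in a `<meta>` element discards every later policy, anyone who can inject markup ahead of the page's own `<meta http-equiv="Content-Security-Policy">` could inject `<meta http-equiv="Content-Security-Policy" content="immutable">` and switch off the legitimate meta-delivered policy; the text should state that header-delivered policies are processed before any `<meta>` policy (so a header `immutable` cannot be pre-empted) and the security considerations for the directive should say plainly that `immutable` in `<meta>` gives no protection against injection earlier in the document. Two further gaps in the same section: it does not say whether `immutable` in a Content-Security-Policy-Report-Only policy discards subsequent enforced policies (it should not; either a report-only policy may only stop later report-only policies, or the directive should be ignored in report-only mode), and the three bullets are not wired into the normative algorithms that actually build a global object's CSP list and process the `<meta>` element, so none of the spec's existing steps would implement the discard; "When parsing policies" is also the wrong hook, since individual policies parse fine and the discard happens when the list is assembled. Smaller point: the second example's prose should say explicitly that the third policy (`script-src 'none'`) is ignored, since that is the behaviour the example exists to show.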