This document is licensed under a Creative Commons Attribution 4.0 License.
This specification defines a [CSP11] extension to the [appmanifest] specification.
This document is draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organization.
Implementors need to be aware that this specification is extremely unstable. Implementors who are not taking part in the discussions will find the specification changing out from under them in incompatible ways. Vendors interested in implementing this specification before it eventually reaches the Candidate Recommendation phase should join the aforementioned mailing lists, or subscribe to the repository on GitHub, and take part in the discussions.
This section shows how developers can make use of the various features of this specification.
The following policy allows fetching images, scripts, and CSS from the same origin. It blocks everything else.
{
"name": "Super Racer 2000",
"csp": "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'",
"start_url": "/start.html",
"display": "fullscreen",
"orientation": "landscape"
}
The [[GetOwnProperty]] operation, and the Type(x) notation are defined in [ECMASCRIPT]. Processing also relies on various algorithms defined in [HTML], [FETCH], and [URL].
When instructed to Trim(x), a user agent MUST behave as if [ECMASCRIPT]'s String.prototype.trim() function had been called on the string x.
As the manifest uses the JSON format, this specification relies on the
types defined in [ECMA-404] specification: namely object, array,
number, string, true, false, and
null. Strict type checking is not enforced by this
specification. Instead, each member's definition specifies the steps
required to process a particular member and what to do when a type does
not match what is expected.
The concepts manifest, associated with a manifest, and issue a developer warning are defined in [appmanifest].
At the extension point:
csp member.
undefined, then
skip this substep:
Content-Security-Policy" with value set of
directives to its response headers.
csp member
The csp member is a string that represents a supplemental
security policy. The string is a valid supplemental
security policy if it matches the
policy-token production defined in [CSP11].
The csp member supplements the
policy delivery mechanisms defined in [CSP11], and allows the
author to indicate that the user agent is to enforce a
supplemental security policy (according to the rules of
enforcing multiple policies [CSP11]) for a resource
associated with a manifest.
The steps for processing the csp member is given by the
following algorithm. The algorithm takes a manifest
manifest as an argument, and returns a valid supplemental
security policy or undefined.
undefined, then issue a developer warning that the
type of the policy is invalid, and return undefined.
policy-token production [CSP11], return set
of directives, otherwise, issue a developer warning that
the policy is invalid and return undefined.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key word MUST in this document is to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
There is only one class of product that can claim conformance to this specification: a user agent.
TBW...
This document reuses text from the [HTML] specification, edited by Ian Hickson, as permitted by the license of that specification.