Correct CSP source values

[wbamberg]

This PR fixes a few errors in the documentation of CSP directive syntax.

• the page at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources says that the sandbox directive uses the source expression syntax, but I don't think it does: I think this directive just uses keyword values.
• the page at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources also says that the base-uri, form-action, and frame-ancestors directives use the source expression syntax, which is half true: they can use a subset of it
• the documentation says that 'none' is one of the source expression values, which implies that you can combine 'none' and other source expression values, but you can't: if you have 'none', it stands alone: https://w3c.github.io/webappsec-csp/#grammardef-serialized-source-list.
• nonces are not only for inline scripts. There's a lot more we could/should update around nonces but I'm not going there yet.

The page for frame-ancestors does not point to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources, instead redefining the values. I have left this as it is for now, because the definition for this directive does use a different type (https://w3c.github.io/webappsec-csp/#directive-frame-ancestors) although it seems to be functionally identical. I think we should update this to point to the "sources" page, but before doing that I want to check there isn't some subtle reason why the syntax is redefined for this directive.

The changes are quite repetitive for the directives pages: I changed/corrected the syntax and removed the ### Sources heading, as it seemed easier to talk about 'none' without it.

In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources I removed the list of fetch directives, since we already have that in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives, so that's just 2 places we have to maintain it.

[github-actions]

Preview URLs (22 pages)

• /en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
• /en-US/docs/Web/HTTP/Headers/Content-Security-Policy

(comment last updated: 2024-09-18 23:52:31)