This PR fixes a few errors in the documentation of CSP directive syntax.

- `sandbox` directive uses the source expression syntax, but I don't think it does: I think this directive just uses keyword values.
- `base-uri`, `form-action`, and `frame-ancestors` directives use the source expression syntax, which is half true: they can use a subset of it
- `'none'` is one of the source expression values, which implies that you can combine `'none'` and other source expression values, but you can't: if you have `'none'`, it stands alone: https://w3c.github.io/webappsec-csp/#grammardef-serialized-source-list.

The page for `frame-ancestors` does not point to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources, instead redefining the values. I have left this as it is for now, because the definition for this directive does use a different type (https://w3c.github.io/webappsec-csp/#directive-frame-ancestors) although it seems to be functionally identical. I think we should update this to point to the "sources" page, but before doing that I want to check there isn't some subtle reason why the syntax is redefined for this directive.

The changes are quite repetitive for the directives pages: I changed/corrected the syntax and removed the `### Sources` heading, as it seemed easier to talk about `'none'` without it.

In https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources I removed the list of fetch directives, since we already have that in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#fetch_directives, so that's just 2 places we have to maintain it.
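
The rule from the description above, that `'none'` stands alone in a serialized source list, written as a lint check over a policy string. This is an added example, not code from the PR or from MDN; the function names, the directive set and the sample policy are constructed for illustration.

```javascript
// Added example: flag CSP directives where 'none' is mixed with other sources.
// Assumption: this set is a subset of source-list directives, enough for a demo.
const SOURCE_LIST_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "connect-src",
  "font-src", "frame-src", "media-src", "object-src", "worker-src",
  "base-uri", "form-action", "frame-ancestors",
]);

// Parse a serialized policy into a Map of directive name -> value tokens.
// Directive names are case-insensitive, and a repeated directive is
// ignored (the first occurrence wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/[\t\n\f\r ]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return one finding per directive where 'none' does not stand alone.
function lintNone(header) {
  const findings = [];
  const isNone = (v) => v.toLowerCase() === "'none'";
  for (const [name, values] of parsePolicy(header)) {
    if (!SOURCE_LIST_DIRECTIVES.has(name)) continue;
    if (values.some(isNone) && values.length > 1) {
      findings.push({
        directive: name,
        // The remaining expressions: what a browser that ignores the
        // stray 'none' would still enforce for this directive.
        effective: values.filter((v) => !isNone(v)),
      });
    }
  }
  return findings;
}

// Constructed sample policy, not taken from any real site.
const sample =
  "default-src 'none'; script-src 'none' https://cdn.example; " +
  "frame-ancestors 'self' 'NONE'; sandbox allow-scripts";
console.log(lintNone(sample));
```

A finding here means the policy author probably intended to block everything for that directive while the listed `effective` sources remain allowed.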