Addressed comments

w3c · May 19, 2016 · 884f3f0 · 884f3f0
1 parent 5c05e06
commit 884f3f0
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 23 deletions.
diff --git a/index.bikeshed.bs b/index.bikeshed.bs
@@ -36,28 +36,42 @@ spec: ABNF; urlPrefix: https://tools.ietf.org/html/rfc5234
     text: VCHAR; url: appendix-B.1
     text: WSP; url: appendix-B.1
 
-spec: CSP; urlPrefix: https://www.w3.org/TR/CSP/
+spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
   type: dfn
     text: Content Security Policy; urlPrefix: #
+    text: policy; url: policy
+    text: directive; url: directives
+    text: directive value; url: directive-value
+    text: pre-request check; url: directive-pre-request-check
+    text: create a violation object for global; url: create-violation-for-global
+    text: report violation; url: report-violation
+    text: violation; url: violation
+    text: violation-resource; url: violation-resource
+    text: disposition; for: policy
 
 spec: Fetch; urlPrefix: https://fetch.spec.whatwg.org
   type: dfn
     text: fetch; url: concept-fetch
     text: request; url: concept-request
     text: response type; url: concept-response-type
+    text: destination; url: concept-request-destination
 
 spec: HTML5; urlPrefix: http://www.w3.org/TR/html5/
   type: dfn
+    text: global object; url: global-object
     urlPrefix: document-metadata.html
-      text: obtain a resource; url: #concept-link-obtain
+      text: obtain a resource; url: concept-link-obtain
     urlPrefix: infrastructure.html
       text: CORS settings attribute; url: #cors-settings-attributes
       text: reflect; url: #reflect
-      text: split on spaces; url: #split-a-string-on-spaces
+      text: split a string on spaces; url: #split-a-string-on-spaces
     urlPrefix: scripting-1.html
       text: prepare a script; url: #prepare-a-script
       text: splitting tokens on spaces; url: split-a-string-on-spaces
       text: ASCII case-insensitive match; url: ascii-case-insensitive
+  type: interface
+    urlPrefix: dom.html
+      text: Document
 
 spec: RFC7230; urlPrefix: https://tools.ietf.org/html/rfc7230
   type: grammar
@@ -356,9 +370,9 @@ only to simplify the algorithm description.
 
 ## Request verification algorithms ## {#request-verification-algorithms}
 
-### Opting-in {#opt-in-require-sri-for}
+### Opting-in  ### {#opt-in-require-sri-for}
 
-Authors may opt a Document to require SRI metadata be present for 
+Authors may opt a {{Document}} to require SRI metadata be present for 
 some resource types via a <dfn export>require-sri-for</dfn> <a>Content
 Security Policy</a> directive defined by the following ABNF grammar:
 
@@ -367,32 +381,50 @@ Security Policy</a> directive defined by the following ABNF grammar:
     directive-value = <a grammar>token</a> *( <a>RWS</a> <a>token</a> )
 </pre>
 
-The directive recognizes a number of potential token values:
+The following list contains the set of <dfn noexport>known tokens</dfn>:
 
   * `script` requires SRI for scripts
   * `style` requires SRI for style sheets
 
 ### Parsing `require-sri-for` ### {#parse-require-sri-for}
 
-To parse the |token| list, the user agent MUST use an algorithm equivalent to the following:
+Given a string (|token list|), this algorithm returns a list of resource
+types which will require integrity checks:
 
-1. Let the set of |protected resource types| that require SRI be the empty set.
+1.  Let the set of |protected resource types| that require SRI be the empty set.
 
-2. For each token returned by <a>splitting tokens on spaces</a>,
-  if token matches the grammar for <a>require-sri-for</a>,
-  add the token to the set of |protected resource types|. Otherwise, ignore the token.
+2.  For each |token| in the result of <a lt="split a string on spaces">
+    splitting |token list| on spaces</a> if token matches the grammar
+    for <a>require-sri-for</a>, add |token| to |protected resource types|
+    if |token| is a <a>known token</a>. Otherwise, ignore the token.
 
-3. Return the set of |protected resource types|.
+3.  Return the set of |protected resource types|.
 
 ### Apply |algorithm| to |request| ### {#apply-algorithm-to-request}
 
-1. Let |protected resource types| be the result of [[#parse-require-sri-for]].
+This directive’s <a>pre-request check</a> is as follows:
 
-2. If |request|'s type is a <a>ASCII case-insensitive match</a> for at least
-  one token in |protected resource types|, and |request|'s integrity metadata
-  is the empty string, return "Blocked":
+Given a <a>request</a> (|request|) and a <a>policy</a> (|policy|):
 
-3. Return "Allowed".
+1.  Let |protected resource types| be the result of executing
+    [[#parse-require-sri-for]] on this <a>directive</a>'s <a lt="directive value">value</a>.
+
+2.  If |request|'s <a>destination</a> is a <a>ASCII case-insensitive match</a> for at least
+    one token in |protected resource types|, and |request|'s integrity metadata
+    is the empty string:
+
+      1.  Let |violation| be the result of executing <a lt="create a violation object for global">
+          Create a violation object for global, policy, and directive</a> on |document|'s
+          <a>global object</a>, |policy|, and "<a>`require-sri-for`</a>".
+
+      2.  Set |violation|'s <a lt="violation-resource">resource</a> to "`inline`".
+
+      3.  Execute <a lt="report violation">Report a violation</a> on |violation|.
+
+      4.  If |policy|'s <a for="policy">disposition</a> is "`enforce`",
+          return "`Blocked`".
+
+3.  Return "Allowed".
 
 ## Response verification algorithms ## {#response-verification-algorithms}
 
@@ -459,7 +491,7 @@ the user agent.
 
 1.  Let |result| be the empty set.
 2.  Let |empty| be equal to `true`.
-3.  For each |token| returned by <a lt="split on space">splitting |metadata| on
+3.  For each |token| returned by <a lt="split a string on space">splitting |metadata| on
     spaces</a>:
     1.  Set |empty| to `false`.
     2.  If |token| is not a valid metadata, skip the remaining

diff --git a/index.bikeshed.html b/index.bikeshed.html
@@ -298,7 +298,7 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
       <li>
        <a href="#request-verification-algorithms"><span class="secno">3.3</span> <span class="content">Request verification algorithms</span></a>
        <ol class="toc">
-        <li><a href="#opt-in-require-sri-for"><span class="secno">3.3.1</span> <span class="content">Opting-in {#opt-in-require-sri-for}</span></a>
+        <li><a href="#opt-in-require-sri-for"><span class="secno">3.3.1</span> <span class="content">Opting-in</span></a>
         <li><a href="#parse-require-sri-for"><span class="secno">3.3.2</span> <span class="content">Parsing <code>require-sri-for</code></span></a>
         <li><a href="#apply-algorithm-to-request"><span class="secno">3.3.3</span> <span class="content">Apply <var>algorithm</var> to <var>request</var></span></a>
        </ol>
@@ -557,9 +557,9 @@ <h4 class="heading settled" data-level="3.2.2" id="priority"><span class="secno"
 provide to web applications. It is used in this document
 only to simplify the algorithm description.</p>
    <h3 class="heading settled" data-level="3.3" id="request-verification-algorithms"><span class="secno">3.3. </span><span class="content">Request verification algorithms</span><a class="self-link" href="#request-verification-algorithms"></a></h3>
-   <h4 class="heading settled" data-level="3.3.1" id="opt-in-require-sri-for"><span class="secno">3.3.1. </span><span class="content">Opting-in {#opt-in-require-sri-for}</span><a class="self-link" href="#opt-in-require-sri-for"></a></h4>
-   <p>Authors may opt a Document to require SRI metadata be present for
-some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="require-sri-for" id="require-sri-for">require-sri-for<span class="dfn-panel" data-deco=""><b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b><span><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a></span></span></dfn> <a data-link-type="dfn" href="https://www.w3.org/TR/CSP/#content-security-policy">Content
+   <h4 class="heading settled" data-level="3.3.1" id="opt-in-require-sri-for"><span class="secno">3.3.1. </span><span class="content">Opting-in</span><a class="self-link" href="#opt-in-require-sri-for"></a></h4>
+   <p>Authors may opt a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> to require SRI metadata be present for
+some resource types via a <dfn class="dfn-paneled" data-dfn-type="dfn" data-export="" data-lt="require-sri-for" id="require-sri-for">require-sri-for<span class="dfn-panel" data-deco=""><b><a href="#require-sri-for">#require-sri-for</a></b><b>Referenced in:</b><span><a href="#ref-for-require-sri-for-1">3.3.2. Parsing require-sri-for</a></span><span><a href="#ref-for-require-sri-for-2">3.3.3. Apply algorithm to request</a></span></span></dfn> <a data-link-type="dfn" href="https://www.w3.org/TR/CSP/#content-security-policy">Content
 Security Policy</a> directive defined by the following ABNF grammar:</p>
 <pre>directive-name  = "require-sri-for"
 directive-value = <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> *( <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.3">RWS</a> <a data-link-type="grammar" href="https://tools.ietf.org/html/rfc7230#section-3.2.6">token</a> )
@@ -586,7 +586,7 @@ <h4 class="heading settled" data-level="3.3.2" id="parse-require-sri-for"><span
    <h4 class="heading settled" data-level="3.3.3" id="apply-algorithm-to-request"><span class="secno">3.3.3. </span><span class="content">Apply <var>algorithm</var> to <var>request</var></span><a class="self-link" href="#apply-algorithm-to-request"></a></h4>
    <ol>
     <li data-md="">
-     <p>Let <var>protected resource types</var> be the result of <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a>.</p>
+     <p>Let <var>protected resource types</var> be the result of applying <a href="#parse-require-sri-for">§3.3.2 Parsing require-sri-for</a> to the value of the <a data-link-type="dfn" href="#require-sri-for" id="ref-for-require-sri-for-2">require-sri-for</a> directive.</p>
     <li data-md="">
      <p>If <var>request</var>’s type is a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ASCII case-insensitive match</a> for at least
 one token in <var>protected resource types</var>, and <var>request</var>’s integrity metadata
@@ -958,6 +958,7 @@ <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span cla
    <li>
     <a data-link-type="biblio">[HTML5]</a> defines the following terms:
     <ul>
+     <li><a href="http://www.w3.org/TR/html5/dom.html#document">Document</a>
      <li><a href="http://www.w3.org/TR/html5/scripting-1.html#ascii-case-insensitive">ascii case-insensitive match</a>
      <li><a href="http://www.w3.org/TR/html5/infrastructure.html#cors-settings-attributes">cors settings attribute</a>
      <li><a href="http://www.w3.org/TR/html5/document-metadata.html#concept-link-obtain">obtain a resource</a>