Contexts: Difference between revisions
(Add link to Fetch section)
(10 intermediate revisions by 3 users not shown)
Line 1: | Line 1: | ||
== How to use a context == | |||
# Identify context. | |||
# Determine whether to fetch resource based on CSP directives and type hint, if any. | |||
# Fetch resource. | |||
# Set no-sniff flag on resource (based on URL), if necessary. | |||
# Handle resource. | |||
# Sniff resource. | |||
# Process and display resource or prompt to download resource, as appropriate. | |||
== Context types == | == Context types == | ||
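Review bot: step 4 "Set no-sniff flag on resource (based on URL), if necessary" does not say which property of the URL decides it, and step 6 "Sniff resource" does not say that the flag set in step 4 is what turns sniffing off, so the list reads as if every resource is sniffed. Suggest stating the condition in step 4 and rewording step 6 as "Sniff resource using the context's sniffing algorithm, unless the no-sniff flag is set."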
Line 27: | Line 35: | ||
| No? | | No? | ||
| Yes | | Yes | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#frame-src <code>frame-src</code>] | ||
| | | | ||
|- | |- | ||
| connection | | connection | ||
| | | | ||
| Yes | | Yes | ||
| No? | | No? | ||
| Yes? | | Yes? | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#connect-src <code>connect-src</code>] | ||
| | | | ||
| | | | ||
Line 44: | Line 52: | ||
| Yes | | Yes | ||
| No | | No | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#img-src <code>img-src</code>] | ||
| | | | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-images-specifically rules for sniffing images specifically] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-images-specifically rules for sniffing images specifically] | ||
Line 53: | Line 61: | ||
| No? | | No? | ||
| No | | No | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#media-src <code>media-src</code>] | ||
| | | | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-audio-and-video-specifically rules for sniffing audio and video specifically] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-audio-and-video-specifically rules for sniffing audio and video specifically] | ||
Line 61: | Line 69: | ||
| Yes | | Yes | ||
| No? | | No? | ||
| Yes | | Yes | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#object-src <code>object-src</code>] | ||
| | | | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-plugin-context rules for sniffing in a plugin context] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-plugin-context rules for sniffing in a plugin context] | ||
Line 71: | Line 79: | ||
| Yes? | | Yes? | ||
| No | | No | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#style-src <code>style-src</code>] | ||
| @<code>type</code> or "<code>text/css</code>" | | @<code>type</code> or "<code>text/css</code>" | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-style-context rules for sniffing in a style context] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-style-context rules for sniffing in a style context] | ||
Line 80: | Line 88: | ||
| No? | | No? | ||
| Yes? | | Yes? | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#script-src <code>script-src</code>] | ||
| @<code>type</code> or "<code>text/javascript</code>" | | @<code>type</code> or "<code>text/javascript</code>" | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-script-context rules for sniffing in a script context] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-script-context rules for sniffing in a script context] | ||
Line 89: | Line 97: | ||
| Yes | | Yes | ||
| No | | No | ||
| [https:// | | [https://w3c.github.io/webappsec/specs/content-security-policy/#font-src <code>font-src</code>] | ||
| <code>format</code> | | <code>format()</code> | ||
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-fonts-specifically rules for sniffing fonts specifically] | | [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-fonts-specifically rules for sniffing fonts specifically] | ||
|- | |- | ||
Line 112: | Line 120: | ||
|} | |} | ||
== | == Context triggers == | ||
{| class="wikitable" | | |||
! Context | |||
! HTML Triggers | |||
! CSS Triggers | |||
! Other Triggers | |||
|- | |||
! browsing | |||
| | |||
| | |||
| | |||
|- | |||
! nested browsing | |||
| <code><iframe></code>, <code><object></code> (sometimes), <code><frame></code> | |||
| | |||
| | |||
|- | |||
! connection | |||
| | |||
| | |||
| EventSource, WebSocket, XMLHttpRequest | |||
|- | |||
! image | |||
| <code><img></code>, <code><link rel=icon></code>, <code><input type=image></code>, <code><object></code> (sometimes) | |||
| <code>background-image</code> | |||
| | |||
|- | |||
! audio/video | |||
| <code><audio></code>, <code><video></code> | |||
| | |||
| | |||
|- | |||
! plugin | |||
| <code><embed></code>, <code><object></code> (sometimes) | |||
| | |||
| | |||
|- | |||
! style | |||
| <code><link rel=stylesheet></code> | |||
| <code>@import</code>? | |||
| | |||
|- | |||
! script | |||
| <code><script src></code> | |||
| | |||
| | |||
|- | |||
! font | |||
| — | |||
| <code>@font-face</code> | |||
| FontFace#load(), FontFaceSet#load() | |||
|- | |||
! text track | |||
| <code><track></code> | |||
| — | |||
| | |||
|- | |||
! cache manifest | |||
| <code><html manifest></code> | |||
| — | |||
| | |||
|} | |||
== Issues == | |||
* What about SVG? | |||
* What about XSLT? | |||
* document.load()? (Seems similar enough to connect-src.) | |||
* What about CSS masks? | |||
* What about CSS shapes? | |||
== See also == | |||
* [https://fetch.spec.whatwg.org/#concept-request-context Fetch Standard: request context] | |||
# | |||
[[Category:Spec coordination]] | [[Category:Spec coordination]] |
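Review bot: the stray "#" line after the See also list (just before [[Category:Spec coordination]]) renders as an empty numbered-list item and should be dropped. In the Context triggers table, "no trigger" is written as a blank cell in some rows (browsing, connection, audio/video, plugin, script) and as "—" in others (font, text track, cache manifest); pick one convention so that a blank can be read as "not filled in yet" rather than "none".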
Latest revision as of 12:30, 1 April 2015
How to use a context
- Identify context.
- Determine whether to fetch resource based on CSP directives and type hint, if any.
- Fetch resource.
- Set no-sniff flag on resource (based on URL), if necessary.
- Handle resource.
- Sniff resource.
- Process and display resource or prompt to download resource, as appropriate.
Context types
Context | Definition | Used in HTML? | Used in CSS? | Scriptable? | CSP Directive | Type Hint | Sniffing Algorithm |
---|---|---|---|---|---|---|---|
browsing (navigate) | HTML | Yes | No? | Yes | — | | MIME type sniffing algorithm |
nested browsing (navigate) | HTML | Yes | No? | Yes | frame-src | | |
connection | | Yes | No? | Yes? | connect-src | | |
image | | Yes | Yes | No | img-src | | rules for sniffing images specifically |
audio/video | | Yes | No? | No | media-src | | rules for sniffing audio and video specifically |
plugin | | Yes | No? | Yes | object-src | | rules for sniffing in a plugin context |
style | | Yes | Yes? | No | style-src | @type or "text/css" | rules for sniffing in a style context |
script | | Yes | No? | Yes? | script-src | @type or "text/javascript" | rules for sniffing in a script context |
font | | No | Yes | No | font-src | format() | rules for sniffing fonts specifically |
text track | | Yes | No | No | | "text/vtt" | |
cache manifest | | Yes | No | No | | "text/cache-manifest" | |
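To make the steps under "How to use a context" concrete, here is a small Python model (an added example, not the wiki's own code) that maps a context to its CSP directive using the table above, gates the fetch on a parsed policy, and then applies the no-sniff flag before deciding whether to sniff. It assumes simplified CSP source matching (`*`, `'self'` and exact origins), that the caller supplies the no-sniff flag, and an assumed set of acceptable MIME essences for each Type Hint.

```python
from urllib.parse import urlsplit
# Context -> CSP directive, from the Context types table ("—" or blank = none).
CONTEXT_DIRECTIVE = {
    "nested browsing": "frame-src", "connection": "connect-src",
    "image": "img-src", "audio/video": "media-src", "plugin": "object-src",
    "style": "style-src", "script": "script-src", "font": "font-src",
}
# Contexts with a fixed Type Hint; which MIME essences count as a match is an
# assumption of this example, not something the table states.
EXPECTED_ESSENCE = {
    "style": {"text/css"}, "script": {"text/javascript", "application/javascript"},
    "text track": {"text/vtt"}, "cache manifest": {"text/cache-manifest"},
}

def parse_csp(header):
    """'default-src 'self'; img-src *' -> {directive: [source expressions]}."""
    parts = [d.split() for d in header.split(";")]
    return {p[0].lower(): p[1:] for p in parts if p}

def csp_allows(policy, context, url, page_origin):
    """Step 2: gate the fetch on the directive governing this context
    (source matching simplified to '*', 'self' and exact origins)."""
    directive = CONTEXT_DIRECTIVE.get(context)
    if directive is None:                 # e.g. top-level browsing: no directive
        return True
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:                   # policy is silent about this context
        return True
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url)).lower()
    return any(src == "*" or src.lower() == origin
               or (src == "'self'" and origin == page_origin) for src in sources)

def handle(context, content_type, no_sniff):
    """Steps 4-6: with the no-sniff flag set, the declared type is final, so a
    type that does not fit the context is rejected instead of being sniffed."""
    essence = content_type.split(";")[0].strip().lower()
    expected = EXPECTED_ESSENCE.get(context)
    if no_sniff:
        return "reject" if expected and essence not in expected else "use declared type"
    return "sniff with %s rules" % context

def process(context, url, content_type, csp_header, page_origin, no_sniff=False):
    """Pipeline for one resource; the fetch itself (step 3) is assumed done."""
    if not csp_allows(parse_csp(csp_header), context, url, page_origin):
        return "blocked by CSP"
    return handle(context, content_type, no_sniff)
```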
Context triggers
Context | HTML Triggers | CSS Triggers | Other Triggers |
---|---|---|---|
browsing | | | |
nested browsing | `<iframe>`, `<object>` (sometimes), `<frame>` | | |
connection | | | EventSource, WebSocket, XMLHttpRequest |
image | `<img>`, `<link rel=icon>`, `<input type=image>`, `<object>` (sometimes) | `background-image` | |
audio/video | `<audio>`, `<video>` | | |
plugin | `<embed>`, `<object>` (sometimes) | | |
style | `<link rel=stylesheet>` | `@import`? | |
script | `<script src>` | | |
font | — | `@font-face` | FontFace#load(), FontFaceSet#load() |
text track | `<track>` | — | |
cache manifest | `<html manifest>` | — | |
Issues
- What about SVG?
- What about XSLT?
- document.load()? (Seems similar enough to connect-src.)
- What about CSS masks?
- What about CSS shapes?