Contexts: Difference between revisions

From WHATWG Wiki

Edit summaries of the two compared revisions: (Add some triggers for various context types.) and (Add link to Fetch section). 8 intermediate revisions by 2 users not shown.
Latest revision as of 12:30, 1 April 2015

== How to use a context ==

# Identify context.
# Determine whether to fetch resource based on CSP directives and type hint, if any.
# Fetch resource.
# Set no-sniff flag on resource (based on URL), if necessary.
# Handle resource.
# Sniff resource.
# Process and display resource or prompt to download resource, as appropriate.

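The seven steps above, worked through as an added JavaScript example that is not part of the wiki page or of any WHATWG/W3C spec text. The context-to-directive and trigger-to-context maps are taken from the page's two tables; everything else is a labelled simplification: the CSP source-expression matching and the fallback to default-src follow CSP but skip nonces, hashes, paths and ports; the image signatures are the common entries of MIME Sniffing's image pattern table; how <code>&lt;object></code> is resolved, the "navigate" trigger, the list of renderable types and the display/download/error rule are assumptions chosen for the toy, and the sample header, origin and resource body are constructed.

```javascript
// Added example (not from the WHATWG wiki page): a toy model of the page's seven
// "how to use a context" steps. Context -> directive and trigger -> context come from
// the page's tables; source matching, default-src fallback, image signatures and the
// display/download rule are simplified assumptions, not page text.
const CONTEXT_DIRECTIVE = {
  'nested browsing': 'frame-src', connection: 'connect-src', image: 'img-src',
  'audio/video': 'media-src', plugin: 'object-src', style: 'style-src',
  script: 'script-src', font: 'font-src',
  // browsing, text track and cache manifest have no directive in the page's table
};

const TRIGGER_CONTEXT = {
  navigate: 'browsing', // assumed; the page's trigger table leaves this row empty
  iframe: 'nested browsing', frame: 'nested browsing',
  EventSource: 'connection', WebSocket: 'connection', XMLHttpRequest: 'connection',
  img: 'image', 'link rel=icon': 'image', 'input type=image': 'image', 'background-image': 'image',
  audio: 'audio/video', video: 'audio/video', embed: 'plugin',
  'link rel=stylesheet': 'style', '@import': 'style', 'script src': 'script',
  '@font-face': 'font', 'FontFace#load()': 'font', 'FontFaceSet#load()': 'font',
  track: 'text track', 'html manifest': 'cache manifest',
};

// Step 1: identify the context. <object> is "sometimes" three contexts on the page;
// here the supplied type hint decides (an assumption of this toy).
function identifyContext(trigger, typeHint = '') {
  if (trigger === 'object') {
    if (typeHint.startsWith('image/')) return 'image';
    if (typeHint === 'text/html') return 'nested browsing';
    return 'plugin';
  }
  return TRIGGER_CONTEXT[trigger] ?? null;
}

// Split "directive src src; directive src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified matching: 'none', 'self', *, "scheme:" and host sources ("host", "*.host", "scheme://host").
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const [scheme, host] = source.includes('://') ? source.split('://') : [null, source];
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1).toLowerCase());
  return url.hostname === host.toLowerCase();
}

// Step 2: a context without a directive is ungoverned; a missing directive falls back to default-src.
function mayFetch(context, urlString, cspHeader, pageOrigin) {
  const directive = CONTEXT_DIRECTIVE[context];
  if (!directive) return { allowed: true, directive: null };
  const policy = parseCsp(cspHeader);
  const governing = policy.has(directive) ? directive : 'default-src';
  const sources = policy.get(governing);
  if (!sources) return { allowed: true, directive: null };
  const url = new URL(urlString);
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), directive: governing };
}

// Image signatures from MIME Sniffing's pattern table (assumed; the page only links the rules).
const IMAGE_SIGNATURES = [
  ['image/png', [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  ['image/gif', [0x47, 0x49, 0x46, 0x38, 0x37, 0x61]],
  ['image/gif', [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
  ['image/jpeg', [0xff, 0xd8, 0xff]],
  ['image/bmp', [0x42, 0x4d]],
];

// Steps 4 and 6: no-sniff makes the supplied type final; an image context otherwise checks signatures.
function computeType(context, suppliedType, body, noSniff) {
  if (noSniff || context !== 'image') return suppliedType;
  const hit = IMAGE_SIGNATURES.find(([, sig]) => sig.every((b, i) => body[i] === b));
  return hit ? hit[0] : suppliedType;
}

// Types this toy "browser" can render during navigation (assumed list).
const RENDERABLE = ['text/html', 'text/plain', 'image/png', 'image/gif', 'image/jpeg', 'image/bmp'];

// Steps 1-7 end to end; `response` ({ contentType, noSniff, body }) stands in for step 3's fetch.
function handleResource(trigger, urlString, cspHeader, pageOrigin, response, typeHint = '') {
  const context = identifyContext(trigger, typeHint);
  if (!context) return { outcome: 'unknown-trigger', context: null };
  const verdict = mayFetch(context, urlString, cspHeader, pageOrigin);
  if (!verdict.allowed) return { outcome: 'blocked', context, directive: verdict.directive };
  const type = computeType(context, response.contentType, response.body, response.noSniff);
  let outcome = 'display';
  if (context === 'browsing' && !RENDERABLE.includes(type)) outcome = 'download'; // step 7: prompt
  if (context === 'image' && !type.startsWith('image/')) outcome = 'error'; // broken image, nothing shown
  return { outcome, context, directive: verdict.directive, computedType: type };
}

// Constructed sample input (not a captured header, origin or resource).
const SAMPLE_CSP = "default-src 'self'; img-src 'self' https://cdn.example.com; connect-src wss: 'self'";
const SAMPLE_ORIGIN = 'https://app.example.com';
const PNG_BODY = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00]);
```

Calling <code>handleResource('img', 'https://cdn.example.com/a.png', SAMPLE_CSP, SAMPLE_ORIGIN, { contentType: 'application/octet-stream', noSniff: false, body: PNG_BODY })</code> walks every step: the trigger maps to the image context, <code>img-src</code> allows the CDN, and sniffing turns the useless supplied type into <code>image/png</code>. Setting <code>noSniff: true</code> on the same call keeps the supplied type and the image fails instead, which is the trade-off the no-sniff flag exists to make explicit.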
== Context types ==

{|
! Context
! Definition
! Used in HTML?
! Used in CSS?
! Scriptable?
! CSP Directive
! Type Hint
! Sniffing Algorithm
|-
! browsing
| (navigate) HTML
| Yes
| No?
| Yes
|  
|  
| MIME type sniffing algorithm
|-
! nested browsing
| (navigate) HTML
| Yes
| No?
| Yes
| [https://w3c.github.io/webappsec/specs/content-security-policy/#frame-src <code>frame-src</code>]
|  
|  
|-
! connection
|  
| Yes
| No?
| Yes?
| [https://w3c.github.io/webappsec/specs/content-security-policy/#connect-src <code>connect-src</code>]
|  
|  
|-
! image
|  
| Yes
| Yes
| No
| [https://w3c.github.io/webappsec/specs/content-security-policy/#img-src <code>img-src</code>]
|  
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-images-specifically rules for sniffing images specifically]
|-
! audio/video
|  
| Yes
| No?
| No
| [https://w3c.github.io/webappsec/specs/content-security-policy/#media-src <code>media-src</code>]
|  
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-audio-and-video-specifically rules for sniffing audio and video specifically]
|-
! plugin
|  
| Yes
| No?
| Yes
| [https://w3c.github.io/webappsec/specs/content-security-policy/#object-src <code>object-src</code>]
|  
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-plugin-context rules for sniffing in a plugin context]
|-
! style
|  
| Yes
| Yes?
| No
| [https://w3c.github.io/webappsec/specs/content-security-policy/#style-src <code>style-src</code>]
| @<code>type</code> or "<code>text/css</code>"
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-style-context rules for sniffing in a style context]
|-
! script
|  
| Yes
| No?
| Yes?
| [https://w3c.github.io/webappsec/specs/content-security-policy/#script-src <code>script-src</code>]
| @<code>type</code> or "<code>text/javascript</code>"
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-in-a-script-context rules for sniffing in a script context]
|-
! font
|  
| No
| Yes
| No
| [https://w3c.github.io/webappsec/specs/content-security-policy/#font-src <code>font-src</code>]
| <code>format()</code>
| [http://mimesniff.spec.whatwg.org/#rules-for-sniffing-fonts-specifically rules for sniffing fonts specifically]
|-
! text track
|  
| Yes
| No
| No
|  
| "<code>text/vtt</code>"
|  
|-
! cache manifest
|  
| Yes
| No
| No
|  
| "<code>text/cache-manifest</code>"
|  
|}

== Context triggers ==

{|
! Context
! HTML Triggers
! CSS Triggers
! Other Triggers
|-
! browsing
|  
|  
|  
|-
! nested browsing
| <code>&lt;iframe></code>, <code>&lt;object></code> (sometimes), <code>&lt;frame></code>
|  
|  
|-
! connection
|  
|  
| EventSource, WebSocket, XMLHttpRequest
|-
! image
| <code>&lt;img></code>, <code>&lt;link rel=icon></code>, <code>&lt;input type=image></code>, <code>&lt;object></code> (sometimes)
| <code>background-image</code>
|  
|-
! audio/video
| <code>&lt;audio></code>, <code>&lt;video></code>
|  
|  
|-
! plugin
| <code>&lt;embed></code>, <code>&lt;object></code> (sometimes)
|  
|  
|-
! style
| <code>&lt;link rel=stylesheet></code>
| <code>@import</code>?
|  
|-
! script
| <code>&lt;script src></code>
|  
|  
|-
! font
| —
| <code>@font-face</code>
| FontFace#load(), FontFaceSet#load()
|-
! text track
| <code>&lt;track></code>
|  
|  
|-
! cache manifest
| <code>&lt;html manifest></code>
|  
|  
|}

== Issues ==

* What about SVG?
* What about XSLT?
* document.load()? (Seems similar enough to connect-src.)
* What about CSS masks?
* What about CSS shapes?

== See also ==

* [https://fetch.spec.whatwg.org/#concept-request-context Fetch Standard: request context]