diff --git a/csp-specification.dev.html b/csp-specification.dev.html --- a/csp-specification.dev.html +++ b/csp-specification.dev.html @@ -1419,16 +1419,43 @@ directive-value = source-list

Whenever the user agent would load a plugin without an associated URI (e.g., because the object element lacked a data attribute), if the protected resource's URI does not match the allowed object sources, the user agent MUST NOT load the plugin.

+

policy-uri

+ +

The policy-uri directive specifies a URI from which + the user agent loads a CSP policy. The syntax for the name and value + of the directive are described by the following ABNF grammar:

+ +
+directive-name    = "policy-uri"
+directive-value   = uri-reference
+uri-reference     = <URI-reference from RFC 3986>
+
+ +

The value of the policy-uri directive is resolved + relative to the protected resource's URI and MUST resolve to the + same origin as the protected resource. The user agent MUST NOT + follow redirects when + fetching a CSP policy. If the policy is not served with a + Content-Type header of application/content-security-policy + the user agent MUST ignore it and report an error.

+ +

The fetched policy is treated as if it were the value of an + additional header of the same type (that is, enforced or monitored) + as that which included the policy-uri directive.

+ +
+

report-uri

The report-uri directive specifies a URI to which the user agent sends reports about policy violation. The syntax for the name and value of the directive are described by the following ABNF grammar:
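Review bot: The policy-uri paragraph ("The value of the policy-uri directive is resolved relative to the protected resource's URI ...") defines the same-origin and no-redirect checks but leaves the failure and timing behaviour unspecified, and the omissions all fail open. First, nothing says the user agent must block processing of the protected resource until the fetch completes; if the document is parsed and scripts run while the fetch is in flight, the fetched policy arrives after the window it was meant to close. Add a sentence requiring the user agent to defer loading the protected resource until the policy is fetched (or the fetch fails). Second, only the wrong-Content-Type case is handled ("the user agent MUST ignore it and report an error"); a network error, non-2xx response, or same-origin/redirect violation has no stated outcome. State explicitly whether these cases mean the protected resource is loaded with no policy from that header (fail open) or is blocked (fail closed); given the directive's purpose, fail closed seems the safer default and the text should say which it is. Third, "report an error" has no defined destination; either tie it to the report-uri mechanism described in the next section or say it is a user-agent console error. Finally, the final paragraph ("The fetched policy is treated as if it were the value of an additional header ...") should say whether a fetched policy may itself contain policy-uri; without a rule against it, a chain of fetches is possible, and the simplest fix is to ignore policy-uri in a fetched policy.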