diff --git a/csp-specification.dev.html b/csp-specification.dev.html --- a/csp-specification.dev.html +++ b/csp-specification.dev.html @@ -1419,16 +1419,43 @@ directive-value = source-list
Whenever the user agent would load a plugin without an associated
URI (e.g., because the object
element lacked a
data
attribute), if the protected resource's URI does not
match the
allowed object sources, the
user agent MUST NOT load the plugin.
policy-uri
The policy-uri
directive specifies a URI from which
+ the user agent loads a CSP policy. The syntax for the name and value
+ of the directive are described by the following ABNF grammar:
+directive-name = "policy-uri" +directive-value = uri-reference +uri-reference = <URI-reference from RFC 3986> ++ +
The value of the policy-uri
directive is resolved
+ relative to the protected resource's URI and MUST resolve to the
+ same origin as the protected resource. The user agent MUST NOT
+ follow redirects when
+ fetching a CSP policy. If the policy is not served with a
+ Content-Type
header of application/content-security-policy
+ the user agent MUST ignore it and report an error.
The fetched policy is treated as if it were the value of an
+ additional header of the same type (that is, enforced or monitored)
+ as that which included the policy-uri
directive.
report-uri
The report-uri
directive specifies a URI to which the
user agent sends reports about policy violation. The syntax for the
name and value of the directive are described by the following ABNF
grammar:
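Review bot: The new policy-uri text leaves two failure cases unspecified that a user agent implementer will need answered. First, it says what to do when the response lacks the application/content-security-policy Content-Type (ignore and report an error), but not what to do when the fetch itself fails (network error, non-success status, or a redirect that the "MUST NOT follow redirects" rule stops); the hunk should state whether the protected resource is then treated as having no policy from that header or as blocked, since the two readings differ in security outcome. Second, because the fetched policy is "treated as if it were the value of an additional header", nothing here prevents that fetched policy from containing its own policy-uri directive and causing an unbounded chain of fetches; suggest adding a sentence such as "A policy-uri directive in a fetched policy MUST be ignored." Minor: "The syntax for the name and value of the directive are described" should read "is described" (the subject is "syntax"), and a comma is missing before "the user agent MUST ignore it and report an error."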