* Purely Restrictive Directives
  * Consistent properties of Purely Restrictive Directives
    * Always safe to add to a document because combining rules work similarly?
  * Subresource Directives
    * Consistent properties of Subresource Directives
      * Apply to subresources within the document, not to the document itself.
      * works intuitively
      * Reporting works intuitively (though nonces in reports may be problematic)
    * Subresource Source List directives
      * Consistent properties of Subresource Source List Directives
        * defaulted with default-src
      * child-src
      * connect-src
      * default-src
      * font-src
      * frame-src
      * img-src
      * media-src
      * object-src
      * script-src
      * style-src
    * Other Subresource Directives
      * base-uri
      * form-action
      * plugin-types
  * Document Directives
    * Consistent properties of Document Directives
      * Apply to the document, not subresources
      * Ignored within meta
    * sandbox
      * Unique reporting rules? (unclear)
    * frame-ancestors
      * Unique reporting rules, with unique security considerations for reporting (unclear)
* Things that are not purely restrictive and may be dangerous
  * Consistent properties of these things
    * Keep security researchers employed indefinitely
    * Kill kittens
    * Make babies cry
  * referrer
    * Applies to subresources AND (uniquely) navigation
    * Allowed in
    * Custom (and suboptimal) combining rule
    * Reporting is not applicable
  * reflected-xss
    * Ignored in
    * Unspecified combining rule
    * Reporting is unspecified
    * Semantics unspecified
  * report-uri
    * Ignored in
    * Custom combining rule
    * Reporting is not applicable