* Purely Restrictive Directives
  * Consistent properties of Purely Restrictive Directives
    * Always safe to add to a document because combining rules work similarly?
  * Subresource Directives
    * Consistent properties of Subresource Directives
      * Apply to subresources within the document, not to the document itself.
      * `<meta>` works intuitively
      * Reporting works intuitively (though nonces in reports may be problematic)
    * Subresource Source List Directives
      * Consistent properties of Subresource Source List Directives
        * Defaulted with default-src
      * child-src
      * connect-src
      * default-src
      * font-src
      * frame-src
      * img-src
      * media-src
      * object-src
      * script-src
      * style-src
    * Other Subresource Directives
      * base-uri
      * form-action
      * plugin-types
  * Document Directives
    * Consistent properties of Document Directives
      * Apply to the document, not subresources
      * Ignored within `<meta>`
    * sandbox
      * Unique reporting rules? (unclear)
    * frame-ancestors
      * Unique reporting rules, with unique security considerations for reporting (unclear)
* Things that are not purely restrictive and may be dangerous
  * Consistent properties of these things
    * Keep security researchers employed indefinitely
    * Kill kittens
    * Make babies cry
  * referrer
    * Applies to subresources AND (uniquely) navigation
    * Allowed in `<meta>`
    * Custom (and suboptimal) combining rule
    * Reporting is not applicable
  * reflected-xss
    * Ignored in `<meta>`
    * Unspecified combining rule
    * Reporting is unspecified
    * Semantics unspecified
  * report-uri
    * Ignored in `<meta>`
    * Custom combining rule
    * Reporting is not applicable
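Two of the properties in the outline above, the default-src fallback for the source-list directives and the dropping of document directives when a policy is delivered via `<meta>`, as an added example (not from the original outline or any CSP implementation). The directive sets are the ones listed above; the sample policy string and the function names are constructed for illustration.

```python
# Minimal model of two CSP properties from the outline:
#  - source-list subresource directives fall back to default-src when absent
#  - document directives (and report-uri / reflected-xss) are ignored in <meta>
# Directive sets below are taken from the outline; sample policy is constructed.

# Source-list directives that are defaulted with default-src.
DEFAULTED = {"child-src", "connect-src", "font-src", "frame-src", "img-src",
             "media-src", "object-src", "script-src", "style-src"}
# Subresource directives with their own semantics and no default-src fallback.
OTHER_SUBRESOURCE = {"base-uri", "form-action", "plugin-types"}
# Directives the outline marks as ignored when the policy arrives in <meta>.
IGNORED_IN_META = {"sandbox", "frame-ancestors", "report-uri", "reflected-xss"}


def parse_policy(policy: str) -> dict:
    """Split 'dir1 v1 v2; dir2 v3' into {directive: [values]}.

    A repeated directive name is ignored after its first occurrence, which is
    how CSP treats duplicates inside a single policy.
    """
    parsed = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in parsed:
            parsed[parts[0].lower()] = parts[1:]
    return parsed


def effective_sources(parsed: dict, directive: str):
    """Return the source list that governs `directive`, or None if unconstrained.

    Only the DEFAULTED directives inherit default-src; base-uri, form-action
    and plugin-types do not, so an absent form-action means "no restriction".
    """
    if directive in parsed:
        return parsed[directive]
    if directive in DEFAULTED:
        return parsed.get("default-src")
    return None


def apply_meta_delivery(parsed: dict) -> dict:
    """Model delivery via <meta http-equiv="Content-Security-Policy">."""
    return {d: v for d, v in parsed.items() if d not in IGNORED_IN_META}


if __name__ == "__main__":
    # Constructed sample policy, not taken from any real site.
    p = parse_policy("default-src 'self'; script-src 'self' cdn.example; "
                     "frame-ancestors 'none'; report-uri /csp; referrer origin")
    print(effective_sources(p, "img-src"))      # ["'self'"] via default-src
    print(effective_sources(p, "form-action"))  # None, not defaulted
    print(sorted(apply_meta_delivery(p)))       # frame-ancestors/report-uri gone
```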