From b612683c66ef53ef0c7e07f648b8691e802e0e6f Mon Sep 17 00:00:00 2001 From: Antonio Sartori Date: Wed, 6 Sep 2023 09:14:17 +0000 Subject: [PATCH] [editorial] Turn algorithms into prose and make them clickable --- index.bs | 1207 +++++++++++++++++++++++++++++------------------------- 1 file changed, 642 insertions(+), 565 deletions(-) diff --git a/index.bs b/index.bs index c87b4f39a2..a9e06791d4 100644 --- a/index.bs +++ b/index.bs @@ -19,7 +19,7 @@ Boilerplate: feedback-header off !Participate: File an issue (open issues) !Tests: web-platform-tests content-security-policy/ (ongoing work) Markup Shorthands: css off, markdown on -At Risk: The [[#is-element-nonceable]] algorithm. +At Risk: The [=determine whether element is nonceable=] algorithm. The following injected string will use a duplicate attribute to attempt to - bypass the [[#is-element-nonceable]] algorithm check: + bypass the [=determine whether element is nonceable=] algorithm check:
     Hello, <script src='https://evil.com/evil.js' x="" x=
@@ -5010,7 +5087,7 @@ this algorithm returns normally if compilation is allowed, and throws a
       
         Content-Security-Policy: img-src 'none'; script-src 'none'; font-src 'none'
       
- + Supplementing this policy with `default-src 'none'` would improve the page's robustness against this kind of attack.
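Review bot: In the metadata hunk at `@@ -19,7 +19,7 @@`, the `At Risk:` value switches from the section link `[[#is-element-nonceable]]` to the definition shorthand `[=determine whether element is nonceable=]`; please confirm in the built output that this shorthand is expanded inside a metadata value and resolves to a definition with exactly that text. If the `#is-element-nonceable` heading is removed elsewhere in this patch, keep the old fragment reachable (for example with `oldids`) so existing inbound links to it keep working.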
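Review bot: In the duplicate-attribute example, the new line "bypass the [=determine whether element is nonceable=] algorithm check" renders as "the determine whether element is nonceable algorithm check", because a verb-phrase algorithm name has been dropped into the position the old section title occupied. Suggest rewording, for instance "bypass the check performed by [=determine whether element is nonceable=]", so the sentence still reads cleanly once the link text is substituted.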