whatwg/fetch

Update Note on Request Destination / CSP directive

Open

#1,466 opened on Jul 6, 2022

View on GitHub
 (6 comments) (0 reactions) (0 assignees)HTML (2,051 stars) (394 forks)batch import
clarificationgood first issue

Description

https://fetch.spec.whatwg.org/#concept-request-destination shows the CSP directive for a specific destination. I think that list needs to be updated to Content Security Policy Level 3. For example the destination "script" should now be "script-src-elem". (ref https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request)

Contributor guide

Tech stack
htmljavascript
Domain
frontendsecuritydocumentation
Issue type
documentation
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic understanding of Fetch StandardFamiliarity with CSP Level 3
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
The issue requests updating the table of request destination to CSP directive mappings in the Fetch Standard to align with CSP Level 3. Specifically, the destination "script" should map to "script src elem" instead of "script src". Refer to the CSP specification at https://w3c.github.io/webappsec csp/#effective directive for a request for the updated mappings. The change is localized to the relevant section in the Fetch Standard source file (likely in the HTML spec). The issue has been open since July 2022 with 6 comments, indicating some discussion but no resolution yet.