Allowing Inline Speculation Rules with CSP
Description
Inline speculation rules can be allowed by specifying one of 'inline-speculation-rules', a hash-source, or a nonce-source on the script-src directive.
Motivation
The current documentation states that script-src 'inline-speculation-rules' also requires either a hash or nonce source, but the Speculation Rules changes to "Does a source list allow all inline behavior for type?" will cause the CSP algorithm 6.7.3.3, "Does element match source list for type and source?", to return "Matches" on the first step, without needing to check a nonce or hash (steps 2 and 5).
Additional details
Related issues and pull requests
Preview URLs
- /en-US/docs/Web/API/Speculation_Rules_API
- /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Flaws (3)
Note! 1 document with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/API/Speculation_Rules_API
Title: Speculation Rules API
Flaw count: 3
- macros:
  - /en-US/docs/Web/API/Fetch redirects to /en-US/docs/Web/API/Window/fetch
  - /en-US/docs/Web/API/Fetch redirects to /en-US/docs/Web/API/Window/fetch
  - /en-US/docs/Web/API/Fetch redirects to /en-US/docs/Web/API/Window/fetch
Maybe @chrisdavidmills knows more about this?
@mdn/yari-content-web-api @mdn/yari-content-http
Maybe we can get a technical review on this from @jeremyroman
LGTM
This looks like something just got a little confused during copy editing; indeed any of those three source types works (and I've confirmed that this matches what Chrome implements).
@gapple Thanks much for catching this and fixing it