From 3137f11e048e95bc14ce4bbc74fe7386fca43e00 Mon Sep 17 00:00:00 2001 From: Takashi Toyoshima Date: Sat, 10 Dec 2022 00:00:44 +0900 Subject: [PATCH 1/2] script-src-elem also accept 'inline-speculation-rules' This CL updates triggers.md explainer to clarify that script-src-elem also can accept 'inline-speculation-rules' to permit inline speculation rules. --- triggers.md | 1 + 1 file changed, 1 insertion(+) diff --git a/triggers.md b/triggers.md index ef98bc6..e6d1b7d 100644 --- a/triggers.md +++ b/triggers.md @@ -346,6 +346,7 @@ Another envisioned speculative action is `"prefetch_with_subresources"`, which p Speculation rules can be embedded inline within a `script` tag with `type="speculationrules"`, and restricted by the `script-src` CSP directive. To allow inline speculation rules, use either the `'inline-speculation-rules'` or `'unsafe-inline'` keyword. Using `script-src 'inline-speculation-rules'` helps developers to permit inline speculation rules but still disallow unsafe inline JavaScript. +Also `script-src-elem` can accept `'inline-speculation-rules'` to permit inline speculation rules as well. The `prefetch-src` directive can be used to restrict which URLs can be prefetched or prerendered. ## Proposed processing model From 99a217e76e52c0d181955f4c9b23cfd7400cf1cc Mon Sep 17 00:00:00 2001 From: Takashi Toyoshima Date: Mon, 12 Dec 2022 14:09:31 +0900 Subject: [PATCH 2/2] Rephrase --- triggers.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/triggers.md b/triggers.md index e6d1b7d..ac018e5 100644 --- a/triggers.md +++ b/triggers.md 
@@ -343,10 +343,9 @@ Another envisioned speculative action is `"prefetch_with_subresources"`, which p ### Content-Security-Policy -Speculation rules can be embedded inline within a `script` tag with `type="speculationrules"`, and restricted by the `script-src` CSP directive. +Speculation rules can be embedded inline within a `script` tag with `type="speculationrules"`, and restricted by the `script-src` and `script-src-elem` CSP directive. To allow inline speculation rules, use either the `'inline-speculation-rules'` or `'unsafe-inline'` keyword. -Using `script-src 'inline-speculation-rules'` helps developers to permit inline speculation rules but still disallow unsafe inline JavaScript. -Also `script-src-elem` can accept `'inline-speculation-rules'` to permit inline speculation rules as well. +Using `script-src 'inline-speculation-rules'` or `script-src-elem 'inline-speculation-rules'` helps developers to permit inline speculation rules but still disallow unsafe inline JavaScript. The `prefetch-src` directive can be used to restrict which URLs can be prefetched or prerendered. ## Proposed processing model
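Review bot: In the 1/2 hunk (triggers.md, `@@ -346,6 +346,7 @@`), the added sentence names `script-src-elem` only at the end of the paragraph, while the unchanged opening sentence still says inline speculation rules are "restricted by the `script-src` CSP directive", so within this commit the paragraph names two different sets of governing directives. Fold `script-src-elem` into the opening sentence in the same commit (2/2 ends up doing this, which suggests squashing the two). "Also ... as well" in the added line is redundant; drop one of them.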
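Review bot: In the 2/2 hunk (triggers.md, `@@ -343,10 +343,9 @@`), the rewritten paragraph does not say which directive applies when a policy declares both, and the "or" in "Using `script-src 'inline-speculation-rules'` or `script-src-elem 'inline-speculation-rules'`" reads as if either placement is always enough. In CSP Level 3, `script-src-elem` is the directive consulted for `script` elements and `script-src` is only its fallback when `script-src-elem` is absent, so a policy that sets both and puts the keyword on `script-src` alone would still block inline rules. Suggest adding one sentence stating that the keyword must be on `script-src-elem` whenever that directive is present. Also, "the `script-src` and `script-src-elem` CSP directive" should read "directives", and the subject line "Rephrase" does not say what was rephrased or why.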