Add a source argument to CSP's inline behavior algorithm

mikewest · annevk · commit e0863d93ec8c · 2016-04-14T15:55:19.000+02:00
To support hash-based whitelisting of inline event handlers, CSP has added a _source_ argument to the "Should _element_'s inline behavior be blocked by Content Security Policy?" (in w3c/webappsec#13). This patch adds the same argument to the four callsites in HTML.
diff --git a/source b/source
@@ -11343,9 +11343,9 @@ Transport Protocol">HTTP&lt;/abbr> today.&lt;/p></pre> <!-- DO NOT REWRAP THIS L
 
   <p>However, if the <span>Should element's inline behavior be blocked by Content Security
   Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-  attribute's <span>element</span> and "<code data-x="">style attribute</code>", then the style
-  rules defined in the attribute's value must not be applied to the <span>element</span>. <ref
-  spec="CSP"></p>
+  attribute's <span>element</span>, "<code data-x="">style attribute</code>", and the attribute's
+  value, then the style rules defined in the attribute's value must not be applied to the
+  <span>element</span>. <ref spec="CSP"></p>
 
   </div>
 
@@ -13861,8 +13861,8 @@ own thing rather than part of the extended sentence -->
 
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   <code>style</code> element and "<code data-x="">style</code>", then abort these steps.
-   <ref spec="CSP"></p></li>
+   <code>style</code> element, "<code data-x="">style</code>", and the <code>style</code>
+   element's <code>style data</code>, then abort these steps. <ref spec="CSP"></p></li>
 
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
 
@@ -58629,9 +58629,9 @@ o............A....e
    <li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
    data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
    behavior be blocked by Content Security Policy?</span> algorithm returns "<code
-   data-x="">Blocked</code>" when executed upon the <code>script</code> element and "<code
-   data-x="">script</code>", then abort these steps. The script is not executed. <ref
-   spec="CSP"></p></li>
+   data-x="">Blocked</code>" when executed upon the <code>script</code> element, "<code
+   data-x="">script</code>", and the <code>script</code> element's <code>child text content</code>,
+   then abort these steps. The script is not executed. <ref spec="CSP"></p></li>
 
    <li id="script-processing-for">
 
@@ -88425,8 +88425,8 @@ dictionary <dfn>PromiseRejectionEventInit</dfn> : <span>EventInit</span> {
   <ol>
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   attribute's <span>element</span> and "<code data-x="">script attribute</code>", then abort these
-   steps. <ref spec="CSP"></p></li>
+   attribute's <span>element</span>, "<code data-x="">script attribute</code>", and the attribute's
+   value, then abort these steps. <ref spec="CSP"></p></li>
 
    <li><p>Set the corresponding <span data-x="event handlers">event handler</span> to an
    <span>internal raw uncompiled handler</span> consisting of the attribute's new value and the
