I'm not quite sure what to make of https://w3c.github.io/webappsec-csp/#should-block-navigation-request
To be clear, this is only relevant for the navigate-to and form-action directives, right? It's using https://w3c.github.io/webappsec-csp/#directive-pre-navigation-check which is only implemented for those two directives. But no, there's no "imply" going on: this check uses "request’s client’s global object’s CSP list" explicitly, which is going to be the GetCSPToInherit in our implementation. That's what we already do for form-action, because in the form submission case the client is the global of the owner document of the form, which is where we get the CSP from for that check.
I do notice that we have a bunch of failure annotations for form-action WPTs. Have we looked into why, and whether the tests match the spec? Also, why we have failure annotations for tests that https://wpt.fyi/results/content-security-policy/form-action?label=master&product=chrome%5Bexperimental%5D&product=edge&product=firefox%5Bexperimental%5D&product=safari%5Bexperimental%5D&aligned&q=form-action seems to think we are passing?
And while we're here, do we have any form-action WPTs where the source and target have different CSP? My spot-checking hasn't found any. We may need better test coverage here.
frame-src would get applied via https://fetch.spec.whatwg.org/#concept-main-fetch step 2.4 calling https://w3c.github.io/webappsec-csp/#should-block-request which would use "request’s client’s global object’s CSP list" and then call into the various policy pre-request checks, etc. It sounds like for navigation requests this is all completely broken if the intended behavior is the one observed in browsers in the attached testcase. Who's the right person to get the spec fixed here?
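The point the comment above keeps returning to is which CSP list the pre-navigation check consults: the one belonging to the request's client (for a form submission, the form's owner document), not the one served with the navigation target. The following is an added example, not code from the bug thread, the CSP spec or any browser, that models that rule for form-action. It reduces source matching to 'none', 'self' and exact scheme://host[:port] host-sources (no wildcards, paths or scheme-only sources) and uses two constructed documents with different policies, so that the same target is blocked or allowed depending solely on which document is the client.

```javascript
// Added example: simplified model of the CSP pre-navigation check for form-action.
// The policy enforced is the *client document's* CSP list; the target's own CSP is
// not consulted. Source matching is deliberately reduced to 'none', 'self' and exact
// scheme://host[:port] host-sources (wildcards, paths, scheme-only sources omitted).

// Parse a serialized policy such as "form-action 'self' https://pay.example"
// into a Map of directive name -> array of source expressions.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one source expression against the target URL. `self` is the URL of the
// document whose policy is being enforced (the request's client).
function sourceMatches(expr, target, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === self.origin;
  // Anything else is treated as an exact scheme://host[:port] host-source.
  try {
    const src = new URL(expr);
    return src.protocol === target.protocol && src.host === target.host;
  } catch {
    return false; // unparseable source expression never matches
  }
}

// Returns true if any policy in the client's CSP list carries a form-action
// directive that does not allow the target (one blocking policy is enough).
function navigationBlockedByFormAction(clientDoc, targetUrl) {
  const target = new URL(targetUrl);
  const self = new URL(clientDoc.url);
  for (const serialized of clientDoc.cspList) {
    const sources = parsePolicy(serialized).get('form-action');
    if (sources === undefined) continue; // no form-action: this policy allows it
    if (!sources.some((s) => sourceMatches(s, target, self))) return true;
  }
  return false;
}

// Constructed sample documents (hypothetical origins). docA only allows forms to
// submit to its own origin; docB allows submissions to either origin.
const docA = { url: 'https://a.example/checkout', cspList: ["form-action 'self'"] };
const docB = { url: 'https://b.example/collect', cspList: ['form-action https://a.example https://b.example'] };

// A form in docA posting to docB is blocked by docA's policy; a form in docB
// posting to docA is allowed by docB's policy. The target's CSP plays no part.
function demo() {
  return {
    aToSelf: navigationBlockedByFormAction(docA, 'https://a.example/submit'), // false
    aToB: navigationBlockedByFormAction(docA, docB.url),                      // true
    bToA: navigationBlockedByFormAction(docB, docA.url),                      // false
  };
}

console.log(demo());
```

When writing a WPT for the "source and target have different CSP" gap mentioned above, the useful assertion is exactly this asymmetry: the outcome must flip when the roles of the two documents are swapped, and must not change when only the target's policy is edited.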