### dom/security/nsCSPParser.cpp
# tokens
":"
";"
"/"
"+"
"-"
"."
"_"
"~"
"*"
"'"
"#"
"?"
"%"
"!"
"$"
"&"
"("
")"
"="
"@"

### https://www.w3.org/TR/{CSP,CSP2,CSP3}/
# directive names
"default-src"
"script-src"
"object-src"
"style-src"
"img-src"
"media-src"
"frame-src"
"font-src"
"connect-src"
"report-uri"
"frame-ancestors"
"reflected-xss"
"base-uri"
"form-action"
"manifest-src"
"upgrade-insecure-requests"
"child-src"
"block-all-mixed-content"
"sandbox"
"worker-src"
"plugin-types"
"disown-opener"
"report-to"

# directive values
"'self'"
"'unsafe-inline'"
"'unsafe-eval'"
"'none'"
"'strict-dynamic'"
"'unsafe-hashed-attributes'"
"'nonce-AA=='"
"'sha256-fw=='"
"'sha384-/w=='"
"'sha512-//8='"

# subresources
"a"
"audio"
"embed"
"iframe"
"img"
"link"
"object"
"script"
"source"
"style"
"track"
"video"

# sandboxing flags
"allow-forms"
"allow-pointer-lock"
"allow-popups"
"allow-same-origin"
"allow-scripts"
"allow-top-navigation"
"allow-top-navigation-by-user-activation"

# URI components
"https:"
"ws:"
"blob:"
"data:"
"filesystem:"
"javascript:"
"http://"
"selfuri.com"
"127.0.0.1"
"::1"