Add notes about non-normativity. (#655)
SHA: d091bce
Reason: push, by mikewest

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mikewest and github-actions[bot] committed Apr 12, 2024
1 parent ed7fe0a commit 27ff809
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion index.html
Expand Up @@ -7,7 +7,7 @@
<link href="https://www.w3.org/StyleSheets/TR/2021/W3C-WD" rel="stylesheet">
<meta content="Bikeshed version 82ce88815, updated Thu Sep 7 16:33:55 2023 -0700" name="generator">
<link href="https://www.w3.org/TR/CSP3/" rel="canonical">
<meta content="f17c7b4bb5bba44802c4c66098b64aac9fee0703" name="document-revision">
<meta content="d091bce6fc43f33dcd4ad08cf7bc34069142abfa" name="document-revision">
<style>
ul.toc ul ul ul {
margin: 0 0 0 2em;
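Review bot: the only change in this hunk is the generated document-revision meta, f17c7b4bb5bba… replaced by d091bce6fc43f…, which matches the SHA d091bce recorded for this commit, so it is consistent with the build having been regenerated (note the github-actions[bot] co-author) rather than hand-edited; the Bikeshed generator line two lines above is unchanged, so the same toolchain version produced both revisions.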
Expand Down Expand Up @@ -4645,6 +4645,7 @@ <h3 class="heading settled" data-level="8.1" id="multiple-policies"><span class=
it meets both policy’s criteria: in this case, the only origin that can match
is <code>http://example.com</code>, as both policies allow it.</p>
<h3 class="heading settled" data-level="8.2" id="strict-dynamic-usage"><span class="secno">8.2. </span><span class="content"> Usage of "<code>'strict-dynamic'</code>" </span><a class="self-link" href="#strict-dynamic-usage"></a></h3>
<p><em>This section is not normative.</em></p>
<p>Host- and path-based policies are tough to get right, especially on sprawling origins like CDNs.
The <a href="https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it%27s-CSP!%22#107-bytes">solutions
to Cure53’s H5SC Minichallenge 3: "Sh*t, it’s CSP!"</a> <a data-link-type="biblio" href="#biblio-h5sc3" title="H5SC Minichallenge 3: &quot;Sh*t, it&apos;s CSP!&quot;">[H5SC3]</a> are good examples of the
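Review bot: the non-normative marker is added to 8.2 here and to 8.4, 8.5 and 8.6 in the hunks below, but the two sibling sections visible only in hunk context, 8.1 (id="multiple-policies", whose closing paragraph is the context above) and 8.3 (id="unsafe-hashes-usage", named in the next hunk header), receive no such marker in this commit (the file summary counts 5 additions, and four of them are these markers). Please confirm whether 8.1 and 8.3 already carry the note or are intended to stay normative; if they are meant to be guidance like the rest of section 8, they should get the same `<p><em>This section is not normative.</em></p>` line directly after their h3.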
Expand Down Expand Up @@ -4731,6 +4732,7 @@ <h3 class="heading settled" data-level="8.3" id="unsafe-hashes-usage"><span clas
</section>
<section>
<h3 class="heading settled" data-level="8.4" id="external-hash"><span class="secno">8.4. </span><span class="content"> Allowing external JavaScript via hashes </span><a class="self-link" href="#external-hash"></a></h3>
<p><em>This section is not normative.</em></p>
<p>In <a data-link-type="biblio" href="#biblio-csp2" title="Content Security Policy Level 2">[CSP2]</a>, hash <a data-link-type="dfn" href="#source-expression" id="ref-for-source-expression⑨">source expressions</a> could only match inlined
script, but now that Subresource Integrity <a data-link-type="biblio" href="#biblio-sri" title="Subresource Integrity">[SRI]</a> is widely deployed,
we can expand the scope to enable externalized JavaScript as well.</p>
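Review bot: placement is consistent with the other hunks: the marker sits inside the same `<section>`, immediately after the h3 and before the first content paragraph. For 8.4 the marker also matters for readers, because the prose is written as rationale ("we can expand the scope to enable externalized JavaScript as well") rather than as a requirement, and without it the SRI-based extension of hash source expressions could be mistaken for the conformance rule itself.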
Expand Down Expand Up @@ -4776,6 +4778,7 @@ <h3 class="heading settled" data-level="8.4" id="external-hash"><span class="sec
</section>
<section>
<h3 class="heading settled" data-level="8.5" id="strict-csp"><span class="secno">8.5. </span><span class="content"> Strict CSP </span><a class="self-link" href="#strict-csp"></a></h3>
<p><em>This section is not normative.</em></p>
<p>Deployment of an effective CSP against XSS is a challenge (as described in <a href="https://dl.acm.org/doi/10.1145/2976749.2978363">CSP Is Dead, Long
Live CSP!</a> <a data-link-type="biblio" href="#biblio-long-live-csp" title="CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy">[LONG-LIVE-CSP]</a>). However, enforcing the following set of CSP
directives has been identified as an effective and deployable mitigation
Expand Down Expand Up @@ -4804,6 +4807,7 @@ <h3 class="heading settled" data-level="8.5" id="strict-csp"><span class="secno"
</section>
<section>
<h3 class="heading settled" data-level="8.6" id="exfiltration"><span class="secno">8.6. </span><span class="content"> Exfiltration </span><a class="self-link" href="#exfiltration"></a></h3>
<p><em>This section is not normative.</em></p>
<p>Data exfiltration can occur when the contents of the request, such as the URL, contain
information about the user or page that should be restricted and not shared.</p>
<p>Content Security Policy can mitigate data exfiltration if used to create allowlists of servers