W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

CSP directive-value question

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 17 Mar 2011 11:14:30 -0700
Message-ID: <AANLkTi=oSkhVt7mm4cuazR+hM_pRmO_NbH=5tNxmShSP@mail.gmail.com>
To: public-web-security@w3.org
From: https://dvcs.w3.org/hg/content-security-policy/raw-file/1a29ed0d9fdc/csp-specification.dev.html#formal-policy-grammar

directive-value   = *<VCHAR except ";">

which http://tools.ietf.org/html/rfc5234#appendix-B.1 says is:

         VCHAR          =  %x21-7E
                                ; visible (printing) characters

but

script-src        = "script-src" [ 1*LWSP source-list ]

and

source-list       = ( *LWSP / source ) *( 1*LWSP source )
                  / "'none'"

which is impossible because VCHAR odes not contain LWSP.  Perhaps
directive-value should allow LWSP as well as VCHAR?

Adam
Received on Thursday, 17 March 2011 18:15:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 17 March 2011 18:15:36 GMT