- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 17 Mar 2011 11:47:25 -0700
- To: public-web-security@w3.org
Two more questions:
1) The spec uses LWSP, but I suspect we should use WSP instead:
LWSP = *(WSP / CRLF WSP)
; Use of this linear-white-space rule
; permits lines containing only white
; space that are no longer legal in
; mail headers and have caused
; interoperability problems in other
; contexts.
; Do not use when defining mail
; headers and use with caution in
; other contexts.
WSP = SP / HTAB
; white space
Specifically, 1*LWSP doesn't make much sense because LWSP can produce
zero characters.
2) The spec doesn't define error handling. For example, how should
the following parse:
Content-Security-Policy: default-src 'self'; helloXgoodbye
where X is %x07, for example? Also, what about
Content-Security-Policy: default-src 'self'; ;
? Notice that between the two ";" characters, we have a SP, which
means we must have produced a directive, but directive necessarily
requires producing a directive-name, which necessarily requires
producing either an ALPHA, DIGIT, or "-" character (which this string
lacks).
In both cases, I would expect we'd like to honor the default-src
directive rather than rejecting the entire policy.
Adam
On Thu, Mar 17, 2011 at 11:14 AM, Adam Barth <w3c@adambarth.com> wrote:
> From: https://dvcs.w3.org/hg/content-security-policy/raw-file/1a29ed0d9fdc/csp-specification.dev.html#formal-policy-grammar
>
> directive-value = *<VCHAR except ";">
>
> which http://tools.ietf.org/html/rfc5234#appendix-B.1 says is:
>
> VCHAR = %x21-7E
> ; visible (printing) characters
>
> but
>
> script-src = "script-src" [ 1*LWSP source-list ]
>
> and
>
> source-list = ( *LWSP / source ) *( 1*LWSP source )
> / "'none'"
>
> which is impossible because VCHAR does not contain LWSP. Perhaps
> directive-value should allow LWSP as well as VCHAR?
>
> Adam
>
Received on Thursday, 17 March 2011 18:49:08 UTC
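The two error-handling cases raised in the message above (a non-VCHAR byte such as %x07 inside a directive, and an empty directive between two ";" characters) are easiest to reason about against a concrete parser. The following is an added example for this archive page, not code from the thread or from the CSP draft, of a tolerant policy parser that drops only the offending directive and keeps the rest of the policy. It assumes the WSP rule (SP / HTAB) rather than LWSP as the separator, the directive-name and directive-value productions as quoted in the thread (directive-value widened to allow WSP), and, as further assumptions not stated on the page, that directive names compare case-insensitively and that the first occurrence of a duplicated directive wins.

```javascript
// Tolerant Content-Security-Policy parser (added example, not the spec's or
// the poster's code). Grammar assumed here:
//   policy          = directive *( ";" directive )
//   directive       = *WSP directive-name [ 1*WSP directive-value ] *WSP
//   directive-name  = 1*( ALPHA / DIGIT / "-" )
//   directive-value = *( WSP / VCHAR except ";" )
//   WSP             = SP / HTAB           (RFC 5234 WSP, not LWSP)
// Error handling: an unparseable or empty directive is reported and skipped,
// the remaining directives are honored.

const WSP = /[ \t]/;                                  // SP / HTAB
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;             // ALPHA / DIGIT / "-"
// WSP plus VCHAR (%x21-7E) with ";" (%x3B) removed.
const DIRECTIVE_VALUE = /^[\x20\x09\x21-\x3A\x3C-\x7E]*$/;

// Strip leading/trailing SP and HTAB only; String.prototype.trim would also
// eat CR, LF and other characters the grammar does not treat as whitespace.
function trimWsp(s) {
  let start = 0;
  let end = s.length;
  while (start < end && WSP.test(s[start])) start++;
  while (end > start && WSP.test(s[end - 1])) end--;
  return s.slice(start, end);
}

// Returns { directives: Map<name, string[]>, errors: string[] }.
function parsePolicy(header) {
  const directives = new Map();
  const errors = [];
  for (const raw of header.split(';')) {
    const token = trimWsp(raw);
    if (token === '') continue;                       // "; ;" yields empty tokens: skip
    // The name runs up to the first WSP; everything after it is the value.
    let i = 0;
    while (i < token.length && !WSP.test(token[i])) i++;
    const name = token.slice(0, i).toLowerCase();     // assumption: case-insensitive names
    const value = trimWsp(token.slice(i));
    if (!DIRECTIVE_NAME.test(name)) {
      // e.g. "hello\x07goodbye": %x07 is neither ALPHA, DIGIT nor "-"
      errors.push(`bad directive-name: ${JSON.stringify(name)}`);
      continue;
    }
    if (!DIRECTIVE_VALUE.test(value)) {
      errors.push(`bad directive-value for ${name}: ${JSON.stringify(value)}`);
      continue;
    }
    if (directives.has(name)) {                       // assumption: first occurrence wins
      errors.push(`duplicate directive ignored: ${name}`);
      continue;
    }
    directives.set(name, value === '' ? [] : value.split(/[ \t]+/));
  }
  return { directives, errors };
}

// Stand-alone demonstration on the two constructed inputs from the thread.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of ["default-src 'self'; hello\x07goodbye", "default-src 'self'; ;"]) {
    const { directives, errors } = parsePolicy(h);
    console.log(JSON.stringify(h), '->', [...directives], errors);
  }
}
```

Both sample policies keep their default-src directive: the first reports one error for the directive whose name contains %x07, the second reports none because the whitespace-only token between the two ";" characters is treated as an empty directive rather than as a parse failure.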