
Re: CSP directive-value question

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 17 Mar 2011 11:47:25 -0700
Message-ID: <AANLkTik+J-NVv8B4fJj9=k+x7GcrVsipEeuwRE=QboZ8@mail.gmail.com>
To: public-web-security@w3.org
Two more questions:

1) The spec uses LWSP, but I suspect we should use WSP instead:

         LWSP           =  *(WSP / CRLF WSP)
                                ; Use of this linear-white-space rule
                                ;  permits lines containing only white
                                ;  space that are no longer legal in
                                ;  mail headers and have caused
                                ;  interoperability problems in other
                                ;  contexts.
                                ; Do not use when defining mail
                                ;  headers and use with caution in
                                ;  other contexts.

         WSP            =  SP / HTAB
                                ; white space


Specifically, 1*LWSP doesn't make much sense because LWSP can produce
zero characters.

2) The spec doesn't define error handling.  For example, how should
the following parse:

Content-Security-Policy: default-src 'self'; helloXgoodbye

where X is %x07, for example?  Also, what about

Content-Security-Policy: default-src 'self';  ;

?  Notice that between the two ";" characters, we have a SP, which
means we must have produced a directive, but directive necessarily
requires producing a directive-name, which necessarily requires
producing either an ALPHA, DIGIT, or "-" character (which this string
lacks).

In both cases, I would expect we'd like to honor the default-src
directive rather than rejecting the entire policy.

Adam


On Thu, Mar 17, 2011 at 11:14 AM, Adam Barth <w3c@adambarth.com> wrote:
> From: https://dvcs.w3.org/hg/content-security-policy/raw-file/1a29ed0d9fdc/csp-specification.dev.html#formal-policy-grammar
>
> directive-value   = *<VCHAR except ";">
>
> which http://tools.ietf.org/html/rfc5234#appendix-B.1 says is:
>
>         VCHAR          =  %x21-7E
>                                ; visible (printing) characters
>
> but
>
> script-src        = "script-src" [ 1*LWSP source-list ]
>
> and
>
> source-list       = ( *LWSP / source ) *( 1*LWSP source )
>                  / "'none'"
>
> which is impossible because VCHAR does not contain LWSP.  Perhaps
> directive-value should allow LWSP as well as VCHAR?
>
> Adam
>
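A lenient parser for the two malformed policies discussed above, added here as an illustration; it is not code from the spec draft or from the thread. It implements the behaviour Adam says he would expect (keep the well-formed default-src directive, drop only the malformed piece) and assumes a split on ";" with WSP (SP / HTAB) trimming rather than LWSP, plus a VCHAR check on each piece.

```python
import re
from typing import List, Tuple

# Character classes from the RFC 5234 core rules and the CSP draft grammar
# quoted in the thread: WSP = SP / HTAB, VCHAR = %x21-7E,
# directive-name = 1*(ALPHA / DIGIT / "-").
_WSP = " \t"
_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
_VCHAR_OR_WSP_RE = re.compile(r"^[\x21-\x7E \t]*$")


def parse_csp(header: str) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Parse a Content-Security-Policy header value without rejecting it whole.

    The policy is split on ";" (the one character directive-value excludes),
    each piece is trimmed of WSP, and then:
      * empty pieces are skipped, so "default-src 'self';  ;" still yields
        default-src instead of a parse failure on the whitespace-only piece;
      * a piece containing anything outside VCHAR / WSP (e.g. %x07), or whose
        name is not 1*(ALPHA / DIGIT / "-"), is dropped and recorded in the
        second return value so an implementation can log it.
    Returns (kept directives as (name, [values]), dropped raw pieces).
    """
    kept: List[Tuple[str, List[str]]] = []
    dropped: List[str] = []
    for raw in header.split(";"):
        piece = raw.strip(_WSP)
        if not piece:
            continue  # "; ;" produced no directive: nothing to honour or reject
        if not _VCHAR_OR_WSP_RE.match(piece):
            dropped.append(piece)  # control or non-ASCII byte in the directive
            continue
        parts = piece.split()  # only SP / HTAB remain, so this splits on 1*WSP
        name, values = parts[0], parts[1:]
        if not _NAME_RE.match(name):
            dropped.append(piece)
            continue
        kept.append((name.lower(), values))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: the two headers from the thread, %x07 spelled as \x07.
    for sample in ("default-src 'self'; hello\x07goodbye", "default-src 'self';  ;"):
        print(repr(sample), "->", parse_csp(sample))
```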
Received on Thursday, 17 March 2011 18:49:08 GMT
