Re: CSP directive-value question

From: Brandon Sterne <bsterne@mozilla.com>
Date: Thu, 17 Mar 2011 13:49:50 -0700
Message-ID: <4D8273EE.5030104@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

I also agree that these are legitimate bugs in the grammar which are
also fixed by your patch.  Updated revision coming up shortly.

Thanks,
Brandon


On 03/17/2011 11:47 AM, Adam Barth wrote:
> Two more questions:
> 
> 1) The spec uses LWSP, but I suspect we should use WSP instead:
> 
>          LWSP           =  *(WSP / CRLF WSP)
>                                 ; Use of this linear-white-space rule
>                                 ;  permits lines containing only white
>                                 ;  space that are no longer legal in
>                                 ;  mail headers and have caused
>                                 ;  interoperability problems in other
>                                 ;  contexts.
>                                 ; Do not use when defining mail
>                                 ;  headers and use with caution in
>                                 ;  other contexts.
> 
>          WSP            =  SP / HTAB
>                                 ; white space
> 
> 
> Specifically, 1*LWSP doesn't make much sense because LWSP can produce
> zero characters.
> 
> 2) The spec doesn't define error handling.  For example, how should
> the following parse:
> 
> Content-Security-Policy: default-src 'self'; helloXgoodbye
> 
> where X is %x07, for example?  Also, what about
> 
> Content-Security-Policy: default-src 'self';  ;
> 
> ?  Notice that between the two ";" characters, we have a SP, which
> means we must have produced a directive, but directive necessarily
> requires producing a directive-name, which necessarily requires
> producing either an ALPHA, DIGIT, or "-" character (which this string
> lacks).
> 
> In both cases, I would expect we'd like to honor the default-src
> directive rather than rejecting the entire policy.
> 
> Adam
Received on Thursday, 17 March 2011 20:48:34 GMT
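The two malformed headers Adam raises above, parsed the way he suggests (honour the well-formed default-src directive, drop the broken directive or the empty one, instead of rejecting the whole policy). This is an added illustration, not code from the thread or from any browser's CSP implementation. Assumptions not stated in the thread: a directive whose name contains anything outside ALPHA / DIGIT / "-" (such as the %x07 byte) is discarded on its own, a directive value may contain only visible ASCII plus WSP, and when a directive name repeats the first occurrence is kept.

```javascript
// Added example (not from the original thread): a tolerant parser for a
// Content-Security-Policy header value. It implements the error handling
// proposed in the thread: malformed or empty directives are skipped and the
// remaining well-formed directives are honoured. The exact rules below are
// this example's assumptions, not something the thread specifies.

// WSP = SP / HTAB (RFC 5234). Deliberately WSP rather than LWSP: LWSP can
// match the empty string, which is why "1*LWSP" in the draft makes no sense.
const LEADING_OR_TRAILING_WSP = /^[ \t]+|[ \t]+$/g;

// directive-name = 1*( ALPHA / DIGIT / "-" )
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;

// Assumption for this example: directive values are visible ASCII plus WSP,
// so control bytes such as %x07 cause the directive to be rejected.
const DIRECTIVE_VALUE = /^[\x20-\x7e\t]*$/;

function trimWsp(s) {
  return s.replace(LEADING_OR_TRAILING_WSP, '');
}

// Returns { directives: Map<lowercased name, [source expressions]>,
//           rejected:   [raw tokens that were dropped] }
function parsePolicy(headerValue) {
  const directives = new Map();
  const rejected = [];

  for (const rawToken of headerValue.split(';')) {
    const token = trimWsp(rawToken);
    // "default-src 'self';  ;" yields a token that is only WSP: skip it rather
    // than failing the policy because no directive-name could be produced.
    if (token === '') continue;

    // directive-name is everything up to the first WSP; the rest is the value.
    const m = /^([^ \t]+)(?:[ \t]+(.*))?$/.exec(token);
    if (m === null) { rejected.push(token); continue; } // e.g. stray CR/LF
    const name = m[1];
    const value = m[2] === undefined ? '' : m[2];

    // "helloXgoodbye" with X = %x07 fails the name production: drop just it.
    if (!DIRECTIVE_NAME.test(name) || !DIRECTIVE_VALUE.test(value)) {
      rejected.push(token);
      continue;
    }

    const key = name.toLowerCase();
    if (directives.has(key)) { rejected.push(token); continue; } // first wins
    directives.set(key, value.split(/[ \t]+/).filter((v) => v !== ''));
  }

  return { directives, rejected };
}

// Constructed inputs, taken from the two cases discussed in the thread.
const EXAMPLE_CONTROL_BYTE = "default-src 'self'; hello\x07goodbye";
const EXAMPLE_EMPTY_DIRECTIVE = "default-src 'self';  ;";

// Convenience for inspection: parse both cases and report what survived.
function summarize(headerValue) {
  const { directives, rejected } = parsePolicy(headerValue);
  return {
    kept: [...directives.keys()],
    rejected,
  };
}
```

Both inputs end up with `default-src` honoured: the first reports the `hello\x07goodbye` token as rejected, the second rejects nothing because the whitespace-only token between the two ";" is simply skipped.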