Re: [Content Security Policy] review of unofficial draft revision 20110315

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 24 Mar 2011 21:22:13 -0700
Message-ID: <AANLkTi=mt9SjpJ9Jtka5-1Fac6mSQ1ptQr3KOz+orj8o@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web Security Interest Group <public-web-security@w3.org>

Just a quick response to one of your points.

On Wed, Mar 23, 2011 at 4:55 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> 4. Grammar issues/comments:
>
> The text in S3.4.1 indicates that a "host" can be null, but..
>
>  host              = [ "*." ] 1*host-char *( "." 1*host-char )
>                    / "*"
>
> ..should the first "1*host-char" be " *host-char " ?  i.e. can "host" be null ?
>
> ah --- the nullness is in the source production...
>
>  source            = scheme ":"
>                    / ( [ scheme "://" ] host [ port ] )
>                    / "'self'"
>                      ; <scheme> production from RFC 3986
>
> ..in that source can have just a " scheme: ".
>
>
> Port also can't be null on its own..
>
>  port              = ":" ( 1*DIGIT / "*" )
>
>
> These could be re-written so that their being null is a property of those
> productions themselves rather than a property of the source production -
> this might be more clear.
>
> Unless there's some subtle advantage to having the grammar as presently
> specified that I'm missing?

There's a problem with ambiguity if we let these fields be null unto themselves:

a:

is that a scheme without a host or a host without a port?  Host could
possibly be nullable unto itself, but that would be pretty
nonsensical:

http://:8080

Adam
Received on Friday, 25 March 2011 04:23:18 GMT
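
The ambiguity discussed in this message can be checked mechanically. The following is an added example, not part of the original message or of the CSP draft: it encodes the three alternatives of the quoted `source` production as regular expressions and reports which alternatives derive a given string, once with the grammar as quoted and once with `host` and `port` made nullable in themselves. Assumptions: `host-char` is taken to be ALPHA / DIGIT / "-" (the quoted text does not define it), `scheme` follows RFC 3986, and the nullable variant replaces `1*host-char` and `1*DIGIT` with their `*` forms.

```python
import re

# Assumptions (not in the quoted draft text): host-char = ALPHA / DIGIT / "-",
# and <scheme> = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) per RFC 3986.
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
HC = r"[A-Za-z0-9-]"


def grammar(nullable):
    """Return (label, regex) pairs, one per alternative of <source>."""
    rep = "*" if nullable else "+"   # "*x" (may be empty) vs "1*x" (at least one)
    # host = [ "*." ] 1*host-char *( "." 1*host-char ) / "*"
    host = rf"(?:(?:\*\.)?{HC}{rep}(?:\.{HC}+)*|\*)"
    # port = ":" ( 1*DIGIT / "*" )
    port = rf":(?:[0-9]{rep}|\*)"
    return [
        ("scheme-only", rf"{SCHEME}:"),
        ("host-source", rf"(?:{SCHEME}://)?{host}(?:{port})?"),
        ("self", r"'self'"),
    ]


def derivations(text, nullable=False):
    """List every <source> alternative that derives the whole of `text`."""
    return [label for label, rx in grammar(nullable) if re.fullmatch(rx, text)]


def is_ambiguous(text, nullable=False):
    return len(derivations(text, nullable)) > 1


if __name__ == "__main__":
    # Constructed sample inputs; "a:" and "http://:8080" are the two
    # strings used in the message above.
    for sample in ["a:", "http://:8080", "https:", "example.com:443", "'self'"]:
        print(f"{sample!r:18} as quoted: {derivations(sample)!s:18} "
              f"nullable: {derivations(sample, nullable=True)}")
```

With the grammar as quoted, every sample has at most one derivation and `http://:8080` is rejected; with nullable `host` and `port`, `a:` gains a second derivation and `http://:8080` is accepted.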
