
Re: some further Comments on Content Security Policy 1.0 Editor's Draft

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Tue, 03 Jul 2012 13:52:49 -0700
Message-ID: <4FF35BA1.7060202@KingsMountain.com>
To: W3C Web App Security WG <public-webappsec@w3.org>
When reviewing the recent "CSP 1.1: More granular source list definitions" 
thread, I had these questions regarding CSP 1.0...

1. Unless I've missed it, there does not appear to be any suggestion in the 
spec regarding whether the user agent is to log and/or report CSP policy parse 
errors, nor any discussion of whether a directive with a source-expression 
violating the grammar -- such as Odin's example..

   script-src: http://my-site.com/js/

..which a lenient parser would likely match to the host-source production -- 
must/should be enforced or ignored by the user agent.


2. Why does the directive production have a rigid requirement of one space 
character between directive-name and directive-value?  Given that directives 
have the ";" separator, why not..

   directive         = *WSP [ directive-name [ 1*WSP directive-value ] ]

which is more lenient for site operators to get right?



HTH,

=JeffH
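The two grammar questions above, worked through in code. This is an added example, not code from the W3C draft, from JeffH, or from any user agent: a parser that follows the CSP 1.0 `directive` and `source-list` ABNF strictly, records every parse error it meets (the logging/reporting the first question asks about) instead of failing silently, and has a `lenient` switch that models a parser matching a host-source with a trailing path, as the message says might happen with Odin's `http://my-site.com/js/`. The lenient path handling, the choice to drop an invalid source-expression while keeping its directive, and the sample policies are assumptions made here, not anything the draft specifies.

```python
"""Parser for the CSP 1.0 policy grammar, written as an added illustration for
this thread; it is not code from the W3C draft or from any browser.  The ABNF
is transcribed from the CSP 1.0 draft; everything marked ASSUMPTION is a
modelling choice made here so the two behaviours the e-mail contrasts can be
run side by side."""
import re

WSP = " \t"                                   # RFC 5234: WSP = SP / HTAB
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"          # RFC 3986 scheme production
HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"
PORT = r":(?:[0-9]+|\*)"
# host-source = [ scheme "://" ] host [ port ]   (no path in CSP 1.0)
HOST_SOURCE = re.compile(rf"^(?:{SCHEME}://)?{HOST}(?:{PORT})?$")
# ASSUMPTION: a "lenient" UA that accepts host-source and silently drops a path.
HOST_SOURCE_LENIENT = re.compile(rf"^((?:{SCHEME}://)?{HOST}(?:{PORT})?)(/[^ \t]*)?$")
SCHEME_SOURCE = re.compile(rf"^{SCHEME}:$")           # scheme-source = scheme ":"
KEYWORD_SOURCES = {"'self'", "'unsafe-inline'", "'unsafe-eval'"}
DIRECTIVE_NAME = re.compile(r"[A-Za-z0-9\-]+")        # 1*( ALPHA / DIGIT / "-" )


def classify_source(expr, lenient=False):
    """Match one source-expression; return (production, normalized) or (None, None)."""
    if expr in KEYWORD_SOURCES:
        return "keyword-source", expr
    if SCHEME_SOURCE.match(expr):
        return "scheme-source", expr.lower()
    if HOST_SOURCE.match(expr):
        return "host-source", expr.lower()
    if lenient:
        m = HOST_SOURCE_LENIENT.match(expr)
        if m:
            return "host-source", m.group(1).lower()   # path part discarded
    return None, None


def parse_source_list(value, lenient=False):
    """source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
                   / *WSP "'none'" *WSP
    Returns (sources, errors).  An expression matching no production is dropped
    and reported rather than aborting the directive (ASSUMPTION: one of the two
    choices the e-mail asks the spec to settle)."""
    value = value.strip(WSP)
    if value == "" or value == "'none'":
        return [], []                                   # matches nothing, no error
    sources, errors = [], []
    for tok in re.split(r"[ \t]+", value):
        prod, norm = classify_source(tok, lenient)
        if prod is None:
            errors.append(f"source-expression {tok!r} matches no production")
        else:
            sources.append(norm)
    return sources, errors


def parse_policy(policy, lenient=False):
    """policy    = [ directive *( ";" [ directive ] ) ]
    directive = *WSP [ directive-name [ WSP directive-value ] ]
    Returns ({directive-name: [sources]}, [parse errors]).  A directive whose
    text does not fit the production is dropped whole and reported."""
    directives, errors = {}, []
    for raw in policy.split(";"):
        text = raw.lstrip(WSP)
        if text == "":
            continue                                    # "[ directive ]" may be empty
        m = DIRECTIVE_NAME.match(text)
        if m is None:
            errors.append(f"{raw!r}: no directive-name")
            continue
        name, rest = m.group(0).lower(), text[m.end():]
        if rest == "":
            value = ""
        elif rest[0] in WSP:
            value = rest[1:]                 # exactly one WSP, then directive-value
        else:
            # Odin's "script-src:" lands here: ":" is neither a name char nor WSP.
            errors.append(f"{raw!r}: {rest[0]!r} after directive-name where WSP is required")
            continue
        if "," in value:                     # directive-value excludes ";" and ","
            errors.append(f"{raw!r}: ',' is not allowed in directive-value")
            continue
        if name in directives:               # CSP 1.0: later duplicates are ignored
            errors.append(f"{raw!r}: duplicate directive {name!r} ignored")
            continue
        sources, src_errors = parse_source_list(value, lenient)
        errors.extend(f"{name}: {e}" for e in src_errors)
        directives[name] = sources
    return directives, errors


if __name__ == "__main__":
    # Constructed sample policies, including Odin's line from the thread.
    for policy in ("script-src: http://my-site.com/js/",
                   "script-src http://my-site.com/js/",
                   "default-src 'self'; script-src https://cdn.example.com:443 'unsafe-inline'; img-src *"):
        for lenient in (False, True):
            print(f"{'lenient' if lenient else 'strict '} {policy!r}")
            print("   ", parse_policy(policy, lenient))
```

Run as a script, it prints each constructed policy parsed strictly and leniently. On `script-src: http://my-site.com/js/` the strict parser stops at the colon before it ever reaches the source list, so the whole directive is dropped and an error recorded; with the colon removed, the strict parser keeps `script-src` but rejects the expression (CSP 1.0's host-source has no path production), while the lenient switch returns `http://my-site.com`. Two spaces between name and value parse either way under the transcribed grammar: the second space begins the directive-value, which admits WSP, and the source-list's leading `*WSP` absorbs it.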
Received on Tuesday, 3 July 2012 20:53:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2012 20:53:14 GMT