Re: some further Comments on Content Security Policy 1.0 Editor's Draft

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 3 Jul 2012 14:32:12 -0700
Message-ID: <CAJE5ia8sZM-gkJiRzJY5HpZ6Fmp_ZZe=SgJZerHeNmz_98OiVw@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web App Security WG <public-webappsec@w3.org>

On Tue, Jul 3, 2012 at 1:52 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> when reviewing the recent "CSP 1.1: More granular source list definitions"
> thread, I had these questions regarding CSP 1.0...
>
> 1. unless I've missed it, there does not appear to be any suggestion in the
> spec regarding whether the user agent is to log and/or report CSP Policy parse
> errors, nor discussion of whether a directive with a source-expression
> violating the grammar -- such as Odin's example..
>
>   script-src: http://my-site.com/js/
>
> ..which a lenient parser would likely match to the host-source production --
> must/should be enforced or ignored by the user agent.

There's no requirement to log errors to the console, but a bunch of
implementations do.  I guess we could send violation reports, but
logging to the developer console seems to be effective in helping
folks author good policies.

> 2. Why does the directive production have a rigid requirement on one space
> char between directive-name and directive-value ?  given that directives
> have the ";" separator, why not..
>
>   directive         = *WSP [ directive-name [ 1*WSP directive-value ] ]
>
> which is more lenient for site operators to get right?

It's just to make the parsing unambiguous.  Notice that source-list
allows leading WSP, which means any non-zero amount of WSP is allowed
here anyway.

Adam
Received on Tuesday, 3 July 2012 21:33:13 GMT
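To make the two parsing points in this exchange concrete, here is a small policy parser written for this page (it is example code, not from the thread, the spec, or any browser). The directive-name and source-expression grammar are transcribed from the CSP 1.0 draft as an assumption, the set of known directives is the 1.0 list, and the console-style error strings are invented. It shows why `script-src: http://my-site.com/js/` is dropped as an unrecognized directive name (the colon is not allowed in `directive-name`), which is the failure a site operator would want logged, and why extra whitespace after the directive name is harmless because `source-list` itself starts with `*WSP`.

```python
import re

# Grammar transcribed from the CSP 1.0 draft (assumption: not quoted in the thread).
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")           # 1*( ALPHA / DIGIT / "-" )
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "object-src", "style-src", "img-src",
    "media-src", "frame-src", "font-src", "connect-src", "sandbox",
    "report-uri",
}
SOURCE_EXPRESSION = re.compile(r"""
    ^(?:
        'self' | 'unsafe-inline' | 'unsafe-eval'             # keyword-source
      | [A-Za-z][A-Za-z0-9+.-]*:                             # scheme-source, e.g. https:
      | (?:[A-Za-z][A-Za-z0-9+.-]*://)?                      # host-source: optional scheme
        (?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)    #   host, possibly *.host
        (?::(?:\*|[0-9]+))?                                  #   optional port
        (?:/[^\s;,]*)?                                       #   optional path
    )$
""", re.VERBOSE)


def parse_policy(header):
    """Parse a Content-Security-Policy header value.

    Returns (directives, errors): `directives` maps each accepted directive
    name to its parsed value list, `errors` holds the messages a user agent
    would log to the developer console for everything it silently ignored.
    """
    directives = {}
    errors = []
    for raw in header.split(";"):             # policy = directive *( ";" directive )
        token = raw.strip(" \t")              # *WSP around the directive
        if not token:
            continue                          # empty directive, e.g. a trailing ";"
        parts = token.split(None, 1)          # name ends at the first run of WSP
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if not DIRECTIVE_NAME.match(name):
            # "script-src:" lands here: ":" is not part of directive-name, so the
            # whole directive is dropped and nothing restricts script loads.
            errors.append("ignoring directive with invalid name: %r" % parts[0])
            continue
        if name not in KNOWN_DIRECTIVES:
            errors.append("ignoring unrecognized directive: %r" % name)
            continue
        if name in directives:
            errors.append("ignoring duplicate directive: %r" % name)
            continue                          # first occurrence wins
        if name in ("sandbox", "report-uri"):
            directives[name] = value.split()  # flags / URIs, not a source-list
        else:
            directives[name] = parse_source_list(name, value, errors)
    return directives, errors


def parse_source_list(name, value, errors):
    # source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
    # so any amount of whitespace after the directive name parses identically.
    exprs = value.split()
    if exprs == ["'none'"]:
        return []                             # 'none' must stand alone
    sources = []
    for expr in exprs:
        if expr == "'none'":
            errors.append("%s: 'none' mixed with other sources, ignored" % name)
        elif SOURCE_EXPRESSION.match(expr):
            sources.append(expr)
        else:
            errors.append("%s: ignoring unparseable source expression %r" % (name, expr))
    return sources


if __name__ == "__main__":
    for hdr in ("script-src: http://my-site.com/js/",
                "script-src   http://my-site.com/js/ ;  img-src 'self' https:"):
        print(hdr, "->", parse_policy(hdr))
```

The first header in the usage block yields an empty policy plus one console error, which is the outcome a site operator would never notice without the logging Adam mentions; the second yields the intended policy despite the run of spaces after `script-src`.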
