W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: some further Comments on Content Security Policy 1.0 Editor's Draft

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Thu, 05 Jul 2012 08:42:38 -0700
Message-ID: <4FF5B5EE.6010602@KingsMountain.com>
To: Adam Barth <w3c@adambarth.com>
CC: W3C Web App Security WG <public-webappsec@w3.org>
 >> understood. In any case, the spec is silent about parsing errors AFAICT
 >> (yes?).  Mentioning them (in the framework section), and their ramifications
 >> would be a good idea it seems.
 >
 > There isn't a notion of a parse error in the spec.  There's the set of
 > strings that servers ought to generate and a requirements for how user
 > agents must interpret every possible input.

Ok, thx, if i understand correctly, directive value tokens that don't match the 
source-expression ABNF is ignored by the "parse a source list" algorithm and is 
simply not added  to the resultant set of source expressions in step 3.

So for CSP 1.0, if one has a directive with a value like so..

    script-src http://my-site.com/js/

..which doesn't match any source-expression grammar, the directive would be 
equivalent to..

    script-src

..which appears to have the same effect as having..

    script-src 'none'

?


=JeffH
Received on Thursday, 5 July 2012 15:43:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 5 July 2012 15:43:11 GMT