W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2012

Recent CSP edits

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 18 May 2012 13:15:37 -0700
Message-ID: <CAJE5ia_pTAKmPgi3XcSWKC6_9nxOAkU+RKmdOk7icpYztOFCBw@mail.gmail.com>
To: public-webappsec@w3.org
On the last telecon, I was given a handful of editing tasks for CSP
1.0.  I believe my CSP 1.0 editing queue is now empty.

1) This patch allows servers to send multiple Content-Security-Policy headers.


2) This patch removes the draconian error handling for including a
comma in a CSP policy.  Combined with the previous patch, these
patches cause user agents to split the Content-Security-Policy on
comma before feeding it to the policy parser (thanks to a bit of ABNF


3) This patch changes the error handling behavior for parsing host
expressions in source lists.  As discussed, we'll now ignore the stuff
after a "/" so that we can later introduce semantics for that syntax
(e.g., to restrict fetching resources by path as well).


Received on Friday, 18 May 2012 20:16:33 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 13:26:29 UTC