
Re: some further Comments on Content Security Policy 1.0 Editor's Draft

From: Mike West <mkwst@google.com>
Date: Mon, 3 Sep 2012 12:50:32 +0200
Message-ID: <CAKXHy=cT4cDQCzGWr0UW5S4pJvHAs5=nN1qAJiNM3mBHk7xU6Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, W3C Web App Security WG <public-webappsec@w3.org>
On Thu, Jul 5, 2012 at 11:47 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Thu, Jul 5, 2012 at 8:42 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
> wrote:
> > So for CSP 1.0, if one has a directive with a value like so..
> >
> >    script-src http://my-site.com/js/
> >
> > ..which doesn't match any source-expression grammar,
>
> Ah, you're right that there's a subtle bug.
>
> "For each token returned by splitting source list on spaces, if the
> token matches the grammar for source-expression, add the token to the
> set of source expressions."
>
> should read
>
> "For each token returned by splitting source list on spaces, if the
> token matches the grammar for source-expression or ext-host-source,
> add the token to the set of source expressions."
>
> Then the net result will be treating it like the following:
>
> script-src http://my-site.com
Hey Adam, it doesn't look like this change made it into
http://www.w3.org/TR/CSP/ (or into
http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html).
Would you mind taking a look while you're working through any other
feedback you received during the 1.0 Last Call period?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
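As an added illustration (editor's example, not code from this thread, from the specification or from any browser), a small parser that applies the CSP 1.0 source-list algorithm both as published (a token with a path matches nothing and is dropped) and with the amendment proposed above (an ext-host-source token is accepted and contributes only its host-source part). The regular expressions are my transcription of the 1.0 grammar and are an assumption, as are the sample directive values.

```python
import re
from typing import List

# Patterns approximating the CSP 1.0 grammar: scheme-source, host-source,
# keyword-source, and the reserved ext-host-source (host-source "/" *char).
# Editor's transcription of the grammar, not text from the specification.
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*"
HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
PORT = r"(?::(?:[0-9]+|\*))?"
HOST_SOURCE = rf"(?:{SCHEME}://)?{HOST}{PORT}"

SCHEME_SOURCE_RE = re.compile(rf"^{SCHEME}:$")
HOST_SOURCE_RE = re.compile(rf"^{HOST_SOURCE}$")
EXT_HOST_SOURCE_RE = re.compile(rf"^({HOST_SOURCE})/.*$")
KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'"}


def is_source_expression(token: str) -> bool:
    """True if the whole token matches source-expression in CSP 1.0."""
    return (token in KEYWORDS
            or SCHEME_SOURCE_RE.match(token) is not None
            or HOST_SOURCE_RE.match(token) is not None)


def parse_source_list(value: str, accept_ext_host: bool = False) -> List[str]:
    """Turn a directive value into its list of source expressions.

    accept_ext_host=False follows the published 1.0 text: a token such as
    http://my-site.com/js/ matches no production and is silently ignored.
    accept_ext_host=True applies the amendment from the thread: the token is
    accepted, and since 1.0 gives the path no meaning, only the host-source
    prefix is kept (net effect: script-src http://my-site.com).
    """
    tokens = value.split()  # "splitting source list on spaces"
    if tokens == ["'none'"]:
        return []
    sources: List[str] = []
    for token in tokens:
        if is_source_expression(token):
            sources.append(token)
            continue
        ext = EXT_HOST_SOURCE_RE.match(token)
        if accept_ext_host and ext:
            sources.append(ext.group(1))  # host-source only, path discarded
        # Any other token matches nothing and is dropped without error.
    return sources
```

Under the published text the constructed value `http://my-site.com/js/` yields an empty source list, which matches no URL at all, so the directive silently blocks every script rather than the subset the author intended.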
Received on Monday, 3 September 2012 10:51:25 GMT
