Re: some further Comments on Content Security Policy 1.0 Editor's Draft

On Thu, Jul 5, 2012 at 11:47 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Thu, Jul 5, 2012 at 8:42 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
> wrote:
> > So for CSP 1.0, if one has a directive with a value like so..
> >
> >    script-src http://my-site.com/js/
> >
> > ..which doesn't match any source-expression grammar,
>
> Ah, you're right that there's a subtle bug.
>
> "For each token returned by splitting source list on spaces, if the
> token matches the grammar for source-expression, add the token to the
> set of source expressions."
>
> should read
>
> "For each token returned by splitting source list on spaces, if the
> token matches the grammar for source-expression or ext-host-source,
> add the token to the set of source expressions."
>
> Then the net result will be treating it like the following:
>
> script-src http://my-site.com


Hey Adam, it doesn't look like this change made it into
http://www.w3.org/TR/CSP/ (or into
http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html).
Would you mind taking a look while you're working through any other
feedback you received during the 1.0 Last Call period?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 3 September 2012 10:51:25 UTC
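
The parsing step quoted in this thread, sketched as an added example (not part of the original messages and not code from the specification). `parseSourceList` and its `acceptExtHostSource` option are hypothetical names, and the regular expressions are a simplified reading of the CSP 1.0 source-expression and ext-host-source productions.

```javascript
// Simplified patterns for the CSP 1.0 productions this thread discusses
// (assumption: reduced from the spec's ABNF, not a full implementation).
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const HOST = "(?:\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)";
const PORT = "(?::(?:[0-9]+|\\*))";
const HOST_SOURCE = `(?:${SCHEME}://)?${HOST}${PORT}?`;
const KEYWORD = "'(?:self|unsafe-inline|unsafe-eval)'";

// source-expression = scheme-source / host-source / keyword-source
const SOURCE_EXPRESSION =
  new RegExp(`^(?:${SCHEME}:|${HOST_SOURCE}|${KEYWORD})$`, "i");
// ext-host-source = host-source "/" followed by a path
const EXT_HOST_SOURCE = new RegExp(`^(${HOST_SOURCE})/[^;,\\s]*$`, "i");

// Hypothetical helper: split the source list on spaces and keep matching tokens.
// acceptExtHostSource=false models the wording as drafted,
// acceptExtHostSource=true models the corrected wording.
function parseSourceList(sourceList, { acceptExtHostSource }) {
  const sources = [];
  for (const token of sourceList.split(/ +/).filter(Boolean)) {
    if (SOURCE_EXPRESSION.test(token)) {
      sources.push(token);
      continue;
    }
    const ext = acceptExtHostSource ? EXT_HOST_SOURCE.exec(token) : null;
    if (ext) {
      // Net result described in the thread: the path is ignored and the
      // token is treated like its host-source part.
      sources.push(ext[1]);
    }
    // Any other token matches no grammar and is dropped.
  }
  return sources;
}

// Directive value from the thread.
const value = "http://my-site.com/js/";
const asDrafted = parseSourceList(value, { acceptExtHostSource: false });
const asCorrected = parseSourceList(value, { acceptExtHostSource: true });
console.log("as drafted:  ", asDrafted);   // token dropped, empty set
console.log("as corrected:", asCorrected); // treated as the bare origin
```

With the drafted wording, a policy author who writes a path ends up with an empty source set for that directive, which is worth checking for when auditing deployed policies.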