
Re: some further Comments on Content Security Policy 1.0 Editor's Draft

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 3 Sep 2012 08:45:56 -0700
Message-ID: <CAJE5ia9JTxMXEc0_Nqn7rJdPy=Uj6WiWckwcFAqwJDNqXawaGg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, W3C Web App Security WG <public-webappsec@w3.org>
On Mon, Sep 3, 2012 at 3:50 AM, Mike West <mkwst@google.com> wrote:
> On Thu, Jul 5, 2012 at 11:47 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Thu, Jul 5, 2012 at 8:42 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
>> wrote:
>> > So for CSP 1.0, if one has a directive with a value like so..
>> >
>> >    script-src http://my-site.com/js/
>> >
>> > ..which doesn't match any source-expression grammar,
>>
>> Ah, you're right that there's a subtle bug.
>>
>> "For each token returned by splitting source list on spaces, if the
>> token matches the grammar for source-expression, add the token to the
>> set of source expressions."
>>
>> should read
>>
>> "For each token returned by splitting source list on spaces, if the
>> token matches the grammar for source-expression or ext-host-source,
>> add the token to the set of source expressions."
>>
>> Then the net result will be treating it like the following:
>>
>> script-src http://my-site.com
>
> Hey Adam, it doesn't look like this change made it into
> http://www.w3.org/TR/CSP/ (or into
> http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html).
> Would you mind taking a look while you're working through any other feedback
> you received during the 1.0 Last Call period?

Fixed.

Thanks!
Adam
Received on Monday, 3 September 2012 15:46:56 GMT
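The parsing rule discussed in the thread, as an added example rather than code from the spec or from anyone on the list: a small CSP 1.0 source-list parser with the grammar transcribed into regular expressions (scheme per RFC 3986, host-char as ALPHA / DIGIT / "-"), whose `accept_ext_host` flag switches between the Editor's Draft wording JeffH reported and the corrected wording. The function and regex names are my own.

```python
import re

# Regular expressions transcribed from the CSP 1.0 source-list ABNF.
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"
PORT = r"(?::(?:[0-9]+|\*))?"
SCHEME_SOURCE = re.compile(rf"^{SCHEME}:$")
HOST_SOURCE = re.compile(rf"^(?:{SCHEME}://)?{HOST}{PORT}$")
# ext-host-source = host-source "/" *( <VCHAR except ";" and ","> )
# VCHAR is 0x21-0x7E; 0x2C (",") and 0x3B (";") are excluded below.
EXT_HOST_SOURCE = re.compile(
    rf"^((?:{SCHEME}://)?{HOST}{PORT})/[\x21-\x2b\x2d-\x3a\x3c-\x7e]*$")
KEYWORD_SOURCES = {"'self'", "'unsafe-inline'", "'unsafe-eval'"}


def matches_source_expression(token: str) -> bool:
    """True if token matches scheme-source / host-source / keyword-source."""
    return (token in KEYWORD_SOURCES
            or SCHEME_SOURCE.match(token) is not None
            or HOST_SOURCE.match(token) is not None)


def parse_source_list(source_list: str, accept_ext_host: bool = True) -> set:
    """Return the set of source expressions for a CSP 1.0 source list.

    accept_ext_host=False reproduces the Editor's Draft wording: a token
    such as "http://my-site.com/js/" matches no source-expression and is
    silently dropped, leaving an empty set (nothing is allowed to load).
    accept_ext_host=True applies the corrected wording: the host-source
    part of an ext-host-source token is kept, so the token above counts
    as "http://my-site.com".
    """
    tokens = source_list.split()  # split on whitespace, drop empties
    if len(tokens) == 1 and tokens[0] == "'none'":
        return set()
    sources = set()
    for token in tokens:
        if matches_source_expression(token):
            sources.add(token)
            continue
        m = EXT_HOST_SOURCE.match(token)
        if accept_ext_host and m is not None:
            sources.add(m.group(1))
        # Any other token does not match the grammar and is ignored.
    return sources
```

Note that under the draft wording the malformed token fails closed (empty source set, so no script loads at all), which is the symptom a site author would see in practice.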
