RE: [CSP] feedback sandbox ABNF grammar conflict from Stefan Ossendorf on 2014-08-18 (public-webappsec@w3.org from August 2014)

From: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Date: Mon, 18 Aug 2014 08:57:33 +0200
To: Mike West <mkwst@google.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
Message-ID: <DUB113-W35366BF9FBAC24DDEC93C9E2D40@phx.gbl>

My pleasure!

Please dismiss my pull-request :)

There is a 3rd option for the grammer :D

-Stefan

(sry, forgot cc)

From: mkwst@google.com
Date: Mon, 18 Aug 2014 08:48:12 +0200
Subject: Re: [CSP] feedback sandbox ABNF grammar conflict
To: stefan.ossendorf@outlook.de
CC: public-webappsec@w3.org; dev.akhawe@gmail.com

Thanks!
https://github.com/w3c/webappsec/commit/570ca5210a5055110acf3894978ace0333e048a2

-mike--
Mike West <mkwst@google.com>Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891Sitz der Gesellschaft: HamburgGeschäftsführer: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Aug 12, 2014 at 8:46 PM, Stefan Ossendorf <stefan.ossendorf@outlook.de> wrote:

Hi Mike,

 sadly the grammar is still wrong L. Now I can chain sandbox-tokens without the separating whitespaces.

 My suggestions are:

1. ExplicitABNF: *WSP / sandbox-token *( 1*WSP sandbox-token)

OrABNF:  “” / sandbox-token *( 1*WSP sandbox-token)

 I’m not sure if “” count as empty

 2. Implicit

ABNF: *( 1*WSP sandbox-token )Or

ABNF: *( sandbox-token 1*WSP ) 

-Stefan 

Ps: Np ;-) Germany is nice ;) 

Von: Mike West [mailto:mkwst@google.com] 

Gesendet: Montag, 11. August 2014 22:17
An: Devdatta Akhawe
Cc: Stefan Ossendorf; public-webappsec@w3.org
Betreff: Re: [CSP] feedback sandbox ABNF grammar conflict

 The grammar is no longer wrong (I hope... ABNF is not my strong suit): https://github.com/w3c/webappsec/commit/0822e8bafa7f53adb1c546864abfae79e2ee05f2

 Thanks for the report, Stefan! -mike

--
Mike West <mkwst@google.com>

Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891Sitz der Gesellschaft: Hamburg

Geschäftsführer: Graham Law, Christine Elizabeth Flores(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

 On Mon, Aug 11, 2014 at 7:46 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

I believe the grammar is wrong and the empty token list is fine. See
also http://developers.whatwg.org/the-iframe-element.html#attr-iframe-sandbox

=Dev

On 10 August 2014 13:04, Stefan Ossendorf <stefan.ossendorf@outlook.de> wrote:

> Hello,
>
>
>
> I’m trying to implement the CSP Spec from
> (https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox).

>
> But the ABNF of sandbox is not clear.
>
> Quote:
>
> directive-name    = "sandbox"
>
> directive-value   = sandbox-token *( 1*WSP sandbox-token )
>
> sandbox-token     = <token from RFC 7230>

>
>
>
> But the first example under „Usage“ say it’s possible to create an empty
> sandbox directive without any value. The ABNF says but at least one token
> and a token can’t be empty according to the token spec.

>
> What’s correct?
>
>
>
> Thanks in advance
>
> Stefan Ossendorf

Received on Monday, 18 August 2014 06:58:01 UTC