- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 3 Sep 2012 08:45:56 -0700
- To: Mike West <mkwst@google.com>
- Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, W3C Web App Security WG <public-webappsec@w3.org>

On Mon, Sep 3, 2012 at 3:50 AM, Mike West <mkwst@google.com> wrote:
> On Thu, Jul 5, 2012 at 11:47 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Thu, Jul 5, 2012 at 8:42 AM, =JeffH <Jeff.Hodges@kingsmountain.com>
>> wrote:
>> > So for CSP 1.0, if one has a directive with a value like so..
>> >
>> >   script-src http://my-site.com/js/
>> >
>> > ..which doesn't match any source-expression grammar,
>>
>> Ah, you're right that there's a subtle bug.
>>
>> "For each token returned by splitting source list on spaces, if the
>> token matches the grammar for source-expression, add the token to the
>> set of source expressions."
>>
>> should read
>>
>> "For each token returned by splitting source list on spaces, if the
>> token matches the grammar for source-expression or ext-host-source,
>> add the token to the set of source expressions."
>>
>> Then the net result will be treating it like the following:
>>
>>   script-src http://my-site.com
>
>
> Hey Adam, it doesn't look like this change made it into
> http://www.w3.org/TR/CSP/ (or into
> http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-1.0-specification.html).
> Would you mind taking a look while you're working through any other feedback
> you received during the 1.0 Last Call period?

Fixed.  Thanks!

Adam

Received on Monday, 3 September 2012 15:46:56 UTC
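
The parsing difference discussed in this thread, as an added example that is not code from the message or from the CSP specification: a token with a path is ignored under the original wording and kept as the bare host-source under the corrected wording, so the path itself is never enforced. The regexes are simplified approximations of the CSP 1.0 grammar, and `parseSourceList` and `acceptExtHostSource` are hypothetical names.

```javascript
// Simplified approximations of the CSP 1.0 source-list grammar (assumption:
// illustrative regexes, not the spec's ABNF verbatim).
const HOST = String.raw`(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)`;
const HOST_SOURCE = String.raw`(?:[A-Za-z][A-Za-z0-9+.-]*://)?${HOST}(?::(?:\d+|\*))?`;
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
const KEYWORD_SOURCE = /^'(?:self|unsafe-inline|unsafe-eval)'$/;
const HOST_ONLY = new RegExp(`^${HOST_SOURCE}$`);
// ext-host-source: a host-source followed by "/" and a path without ";" or ",".
const EXT_HOST = new RegExp(`^(${HOST_SOURCE})/[^;,\\s]*$`);

// acceptExtHostSource=false models the original wording (source-expression only);
// true models the corrected wording (source-expression or ext-host-source).
function parseSourceList(sourceList, { acceptExtHostSource }) {
  const accepted = [];
  const ignored = [];
  for (const token of sourceList.trim().split(/\s+/).filter(Boolean)) {
    if (SCHEME_SOURCE.test(token) || KEYWORD_SOURCE.test(token) || HOST_ONLY.test(token)) {
      accepted.push(token);
      continue;
    }
    const ext = acceptExtHostSource ? EXT_HOST.exec(token) : null;
    if (ext) {
      // Path is dropped: the token is treated like the bare host-source,
      // which is the "net result" described in the thread.
      accepted.push(ext[1]);
    } else {
      ignored.push(token);
    }
  }
  return { accepted, ignored };
}

// Constructed sample policy value using the directive value from the thread.
const sample = "'self' http://my-site.com/js/";
console.log("original wording: ", parseSourceList(sample, { acceptExtHostSource: false }));
console.log("corrected wording:", parseSourceList(sample, { acceptExtHostSource: true }));
```

When auditing a CSP 1.0 policy, a path in a source expression therefore grants the whole host, not the directory it names.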