CSP directive-value question from Adam Barth on 2011-03-17 (public-web-security@w3.org from March 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 17 Mar 2011 11:14:30 -0700
To: public-web-security@w3.org
Message-ID: <AANLkTi=oSkhVt7mm4cuazR+hM_pRmO_NbH=5tNxmShSP@mail.gmail.com>

From: https://dvcs.w3.org/hg/content-security-policy/raw-file/1a29ed0d9fdc/csp-specification.dev.html#formal-policy-grammar

directive-value   = *<VCHAR except ";">

which http://tools.ietf.org/html/rfc5234#appendix-B.1 says is:

         VCHAR          =  %x21-7E
                                ; visible (printing) characters

but

script-src        = "script-src" [ 1*LWSP source-list ]

and

source-list       = ( *LWSP / source ) *( 1*LWSP source )
                  / "'none'"

which is impossible because VCHAR odes not contain LWSP.  Perhaps
directive-value should allow LWSP as well as VCHAR?

Adam

Received on Thursday, 17 March 2011 18:15:35 UTC