- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Thu, 17 Mar 2011 13:49:50 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: public-web-security@w3.org
I also agree that these are legitimate bugs in the grammar which are also fixed by your patch. Updated revision coming up shortly.

Thanks,
Brandon

On 03/17/2011 11:47 AM, Adam Barth wrote:
> Two more questions:
>
> 1) The spec uses LWSP, but I suspect we should use WSP instead:
>
> LWSP = *(WSP / CRLF WSP)
> ; Use of this linear-white-space rule
> ; permits lines containing only white
> ; space that are no longer legal in
> ; mail headers and have caused
> ; interoperability problems in other
> ; contexts.
> ; Do not use when defining mail
> ; headers and use with caution in
> ; other contexts.
>
> WSP = SP / HTAB
> ; white space
>
>
> Specifically, 1*LWSP doesn't make much sense because LWSP can produce
> zero characters.
>
> 2) The spec doesn't define error handling. For example, how should
> the following parse:
>
> Content-Security-Policy: default-src 'self'; helloXgoodbye
>
> where X is %x07, for example? Also, what about
>
> Content-Security-Policy: default-src 'self'; ;
>
> ? Notice that between the two ";" characters, we have a SP, which
> means we must have produced a directive, but directive necessarily
> requires producing a directive-name, which necessarily requires
> producing either an ALPHA, DIGIT, or "-" character (which this string
> lacks).
>
> In both cases, I would expect we'd like to honor the default-src
> directive rather than rejecting the entire policy.
>
> Adam
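A tolerant parser for the two header values Adam asks about, added here as an example that is not part of the thread or of any CSP implementation. It assumes the grammar the thread refers to: directive-name = 1*(ALPHA / DIGIT / "-"), directive values are runs of VCHAR other than ";" and "," separated by WSP (SP / HTAB, not LWSP), and a duplicate directive-name keeps its first occurrence.

```javascript
// Added example: parse a Content-Security-Policy header value so that a
// malformed or empty directive is skipped while valid ones are honored.
// Assumed grammar (from the discussion): directive-name = 1*(ALPHA / DIGIT / "-");
// value tokens are VCHAR except ";" and ","; tokens are separated by WSP.

const WSP = /[ \t]/;                                        // WSP = SP / HTAB
const NAME_RE = /^[A-Za-z0-9-]+$/;                          // directive-name
const VALUE_TOKEN_RE = /^[\x21-\x2b\x2d-\x3a\x3c-\x7e]+$/;  // VCHAR minus ";" and ","

// Strip leading/trailing WSP only (not CR/LF, so LWSP-style folding is not accepted).
function trimWsp(s) {
  let start = 0, end = s.length;
  while (start < end && WSP.test(s[start])) start++;
  while (end > start && WSP.test(s[end - 1])) end--;
  return s.slice(start, end);
}

// Returns { directives, errors }: directives maps each valid directive-name
// (lower-cased) to its value tokens; errors lists the raw directive strings
// that were skipped. A bad directive never rejects the whole policy.
function parsePolicy(header) {
  const directives = new Map();
  const errors = [];
  for (const raw of header.split(';')) {
    const directive = trimWsp(raw);
    if (directive === '') continue;              // "; ;" yields an empty directive: ignore it
    const tokens = directive.split(/[ \t]+/);
    const name = tokens[0].toLowerCase();
    const values = tokens.slice(1);
    if (!NAME_RE.test(name) || !values.every(v => VALUE_TOKEN_RE.test(v))) {
      errors.push(directive);                    // e.g. "hello\x07goodbye": skip only this directive
      continue;
    }
    if (!directives.has(name)) directives.set(name, values); // assumption: first occurrence wins
  }
  return { directives, errors };
}
```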
Received on Thursday, 17 March 2011 20:48:34 UTC