Re: some further Comments on Content Security Policy 1.0 Editor's Draft

When reviewing the recent "CSP 1.1: More granular source list definitions" 
thread, I had these questions regarding CSP 1.0...

1. Unless I've missed it, there does not appear to be any suggestion in the 
spec regarding whether the user agent is to log and/or report CSP policy parse 
errors, nor any discussion of whether a directive with a source-expression 
violating the grammar -- such as Odin's example..

   script-src: http://my-site.com/js/

..which a lenient parser would likely match to the host-source production -- 
must/should be enforced or ignored by the user agent.


2. Why does the directive production have a rigid requirement of one space 
character between directive-name and directive-value?  Given that directives 
have the ";" separator, why not..

   directive         = *WSP [ directive-name [ 1*WSP directive-value ] ]

which is more lenient for site operators to get right?



HTH,

=JeffH

Received on Tuesday, 3 July 2012 20:53:13 UTC
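The parser below is an added example, not code from the message above or from the CSP 1.0 editors. It implements the policy, directive and source-list productions of the CSP 1.0 Editor's Draft (including directive-value = *( WSP / <VCHAR except ";" and ","> ), which receives everything after the single WSP that follows the directive name) and, instead of silently matching what it can, records every place an input departs from the grammar, which is the logging/reporting behaviour question 1 asks about. The "lenient" switch is an assumption about one way a lenient parser could behave (keep the longest host-source prefix of a source expression and drop the remainder); it is not behaviour the draft specifies. The sample policies are constructed: Odin's example as posted, the same line with the stray colon removed, and a well-formed control with two spaces after the directive name.

```javascript
// Added example, not code from the original message or from the CSP 1.0
// editors: a parser for the policy, directive and source-list ABNF of the
// CSP 1.0 Editor's Draft that reports every departure from the grammar
// instead of silently matching what it can. `lenient` is an assumption about
// one way a lenient parser might behave (keep the longest host-source prefix
// of a source expression and drop the rest); the draft does not specify it.

// directive-name = 1*( ALPHA / DIGIT / "-" )
const DIRECTIVE_NAME = /^[A-Za-z0-9-]+$/;
// scheme-source = scheme ":"   (scheme as in RFC 3986)
const SCHEME_SOURCE = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
// host-source = [ scheme "://" ] host [ port ]
// host        = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
// port        = ":" ( 1*DIGIT / "*" )
// Anchored at the start only, so we can see how much of a token it consumes.
const HOST_SOURCE =
  /^(?:[A-Za-z][A-Za-z0-9+.-]*:\/\/)?(?:(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*|\*)(?::(?:[0-9]+|\*))?/;
// keyword-source = "'self'" / "'unsafe-inline'" / "'unsafe-eval'"
const KEYWORD_SOURCE = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'"]);

// source-list = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
//             / *WSP "'none'" *WSP
function parseSourceList(name, value, lenient, report) {
  const tokens = value.split(/[ \t]+/).filter((t) => t !== "");
  if (tokens.includes("'none'")) {
    if (tokens.length > 1) {
      report.errors.push(`${name}: 'none' must be the only source expression; treated as 'none'`);
    }
    return [];
  }
  const sources = [];
  for (const tok of tokens) {
    if (KEYWORD_SOURCE.has(tok) || SCHEME_SOURCE.test(tok)) {
      sources.push(tok);
      continue;
    }
    const m = HOST_SOURCE.exec(tok);
    if (m && m[0] === tok) {
      sources.push(tok);
    } else if (m && lenient) {
      // Assumed lenient behaviour: keep the host-source prefix and ignore what
      // follows it (here a path, which the CSP 1.0 grammar does not allow).
      report.warnings.push(`${name}: "${tok}" matched host-source "${m[0]}"; ignored "${tok.slice(m[0].length)}"`);
      sources.push(m[0]);
    } else {
      report.errors.push(`${name}: source-expression "${tok}" violates the grammar; dropped`);
    }
  }
  return sources;
}

// policy          = directive *( ";" [ directive ] )
// directive       = *WSP [ directive-name [ WSP directive-value ] ]
// directive-value = *( WSP / <VCHAR except ";" and ","> )
function parsePolicy(policy, { lenient = false } = {}) {
  const report = { directives: {}, errors: [], warnings: [] };
  for (const raw of policy.split(";")) {
    // Exactly one WSP after the name, as the draft has it; everything after
    // that is the directive-value, which may itself begin with WSP.
    const d = /^[ \t]*(?:([^ \t]+)(?:[ \t](.*))?)?$/.exec(raw);
    if (!d) {
      report.errors.push(`directive ${JSON.stringify(raw)} contains characters outside the grammar; ignored`);
      continue;
    }
    const [, name, value = ""] = d;
    if (name === undefined) continue; // empty directive, allowed by the grammar
    if (!DIRECTIVE_NAME.test(name)) {
      // e.g. "script-src:" -- the colon is not a directive-name character, so
      // no script-src directive is set at all (the situation question 1 raises).
      report.errors.push(`directive-name "${name}" violates the grammar; directive ignored`);
      continue;
    }
    if (value.includes(",")) {
      report.errors.push(`${name}: directive-value contains ","; directive ignored`);
      continue;
    }
    if (Object.prototype.hasOwnProperty.call(report.directives, name)) {
      report.warnings.push(`duplicate directive "${name}"; later instance ignored`);
      continue;
    }
    report.directives[name] = parseSourceList(name, value, lenient, report);
  }
  return report;
}

// The two inputs discussed in the message plus a well-formed control (constructed).
const SAMPLES = [
  "script-src: http://my-site.com/js/",             // Odin's example, as posted
  "script-src http://my-site.com/js/",              // same, with the stray colon removed
  "script-src  'self' https://cdn.example.com:443", // two spaces after the name
];
for (const lenient of [false, true]) {
  for (const p of SAMPLES) {
    console.log(JSON.stringify(p), lenient ? "(lenient)" : "(strict)", JSON.stringify(parsePolicy(p, { lenient })));
  }
}
```

Running it shows the three outcomes a site operator would want reported. With the colon, "script-src:" fails the directive-name production, so no script-src directive is recognised at all and scripts are governed only by whatever default-src says. Without the colon, the strict mode drops the path-bearing source expression and leaves an empty source list, which permits nothing; the assumed lenient mode instead keeps http://my-site.com and so permits every script on that host, a broader allowance than the path the operator wrote. The two-space control parses under the draft's single-WSP directive production because directive-value itself may begin with WSP.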