- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Tue, 03 Jul 2012 13:52:49 -0700
- To: W3C Web App Security WG <public-webappsec@w3.org>
when reviewing the recent "CSP 1.1: More granular source list definitions" thread, I had these questions regarding CSP 1.0...

1. unless I've missed it, there does not appear to be any suggestion in the spec regarding whether the user agent is to log and/or report CSP policy parse errors, nor discussion whether a directive with a source-expression violating the grammar -- such as Odin's example..

    script-src: http://my-site.com/js/

..which a lenient parser would likely match to the host-source production -- must/should be enforced or ignored by the user agent.

2. Why does the directive production have a rigid requirement on one space char between directive-name and directive-value? Given that directives have the ";" separator, why not..

    directive = *WSP [ directive-name [ 1*WSP directive-value ] ]

..which is more lenient for site operators to get right?

HTH,
=JeffH
Received on Tuesday, 3 July 2012 20:53:13 UTC
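The two questions above can be made concrete with a small policy parser. The following is an added example, written for this archive page; it is not code from the thread, from the CSP specification, or from any user agent. It transcribes the CSP 1.0 directive and source-expression ABNF from memory (treat that transcription as an assumption), offers both the strict single-SP separator and the proposed 1*WSP separator, and, for question 1, records every grammar violation in an error list while dropping the offending source-expression and keeping the rest of the directive; that drop-and-log behaviour is this example's own choice, since the e-mail notes the 1.0 text does not say what to do. All policies fed to it below are constructed.

```python
"""Toy CSP 1.0 policy parser that records grammar violations instead of
silently accepting or dropping them (constructed example, not spec code)."""
import re
from dataclasses import dataclass, field

# CSP 1.0 ABNF as transcribed here (assumption: transcription is accurate):
#   directive         = *WSP [ directive-name [ SP directive-value ] ]
#   directive-name    = 1*( ALPHA / DIGIT / "-" )
#   source-list       = *WSP [ source-expression *( 1*WSP source-expression ) *WSP ]
#                     / *WSP "'none'" *WSP
#   scheme-source     = scheme ":"
#   host-source       = [ scheme "://" ] host [ port ]
#   host              = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
#   port              = ":" ( 1*DIGIT / "*" )
# Note that a 1.0 host-source carries no path component.
WSP = " \t"
SCHEME = r"[A-Za-z][A-Za-z0-9+.\-]*"
HOST = r"(?:\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)"
PORT = r"(?::(?:[0-9]+|\*))?"
DIRECTIVE_NAME_CHARS = re.compile(r"[A-Za-z0-9\-]+")
SCHEME_SOURCE = re.compile(rf"^{SCHEME}:$")
HOST_SOURCE = re.compile(rf"^(?:{SCHEME}://)?{HOST}{PORT}$")
KEYWORD_SOURCES = {"'self'", "'unsafe-inline'", "'unsafe-eval'"}


@dataclass
class ParsedPolicy:
    directives: dict = field(default_factory=dict)  # name -> accepted source expressions
    errors: list = field(default_factory=list)      # what a UA could log or report


def split_directive(raw, lenient):
    """Return (directive-name, directive-value) or raise ValueError.

    Strict mode follows the 1.0 grammar literally: exactly one SP (0x20)
    separates name and value.  Lenient mode implements the proposed 1*WSP
    separator, so a run of spaces and/or tabs is accepted."""
    i = 0
    while i < len(raw) and raw[i] in WSP:          # leading *WSP
        i += 1
    m = DIRECTIVE_NAME_CHARS.match(raw, i)
    if not m:
        raise ValueError(f"no directive-name in {raw!r}")
    name, i = m.group(0).lower(), m.end()
    if i == len(raw):
        return name, ""                            # a bare directive-name is legal
    if lenient:
        if raw[i] not in WSP:
            raise ValueError(f"expected WSP after directive-name in {raw!r}, got {raw[i]!r}")
        while i < len(raw) and raw[i] in WSP:
            i += 1
    else:
        if raw[i] != " ":
            raise ValueError(f"expected SP after directive-name in {raw!r}, got {raw[i]!r}")
        i += 1
    return name, raw[i:]


def parse_source_list(value):
    """Check each token against source-expression; return (accepted, errors).
    Tokens that violate the grammar are dropped and reported (this example's
    choice; the e-mail points out that 1.0 does not say enforce-or-ignore)."""
    tokens = value.split()
    if tokens == ["'none'"]:
        return [], []
    accepted, errors = [], []
    for tok in tokens:
        if tok in KEYWORD_SOURCES or SCHEME_SOURCE.match(tok) or HOST_SOURCE.match(tok):
            accepted.append(tok)
        else:
            errors.append(f"source-expression {tok!r} does not match the grammar; ignored")
    return accepted, errors


def parse_policy(policy, lenient=False):
    """Parse a whole policy string; never raises, every problem lands in .errors."""
    result = ParsedPolicy()
    for raw in policy.split(";"):
        if not raw.strip(WSP):
            continue                               # empty directive between ';' is allowed
        try:
            name, value = split_directive(raw, lenient)
        except ValueError as exc:
            result.errors.append(str(exc))         # whole directive is unparseable
            continue
        if name in result.directives:              # CSP 1.0: first occurrence wins
            result.errors.append(f"duplicate directive {name!r}; first occurrence kept")
            continue
        accepted, errs = parse_source_list(value)
        result.directives[name] = accepted
        result.errors.extend(f"{name}: {e}" for e in errs)
    return result


if __name__ == "__main__":
    # Constructed policies exercising the two questions from the e-mail.
    for text in [
        "default-src 'self'; script-src http://my-site.com/js/ https://cdn.example.net:443; img-src *",
        "script-src: http://my-site.com/js/",      # ':' is neither SP nor a directive-name char
        "script-src\t'self'",                       # tab separator: SP-only grammar rejects it
    ]:
        for lenient in (False, True):
            p = parse_policy(text, lenient)
            print(f"lenient={lenient} {text!r}\n  directives={p.directives}\n  errors={p.errors}")
```

Running it shows the practical difference between the two grammars: a tab between `script-src` and its value is a parse error under the literal 1.0 production and fine under 1*WSP, while the path-bearing `http://my-site.com/js/` fails host-source in both modes and is reported rather than silently matched or silently discarded. Two spaces after the name pass even in strict mode, because the second space is the leading *WSP of source-list.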