- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 3 Jul 2012 14:32:12 -0700
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web App Security WG <public-webappsec@w3.org>
On Tue, Jul 3, 2012 at 1:52 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> when reviewing the recent "CSP 1.1: More granular source list definitions"
> thread, I had these questions regarding CSP 1.0...
>
> 1. unless I've missed it, there does not appear to be any suggestion in the
> spec regarding whether the user agent is to log and/or report CSP Policy parse
> errors, nor discussion whether a directive with a source-expression
> violating the grammar -- such as Odin's example..
>
> script-src: http://my-site.com/js/
>
> ..which a lenient parser would likely match to the host-source production --
> must/should be enforced or ignored by the user agent.

There's no requirement to log errors to the console, but a bunch of
implementations do. I guess we could send violation reports, but logging
to the developer console seems to be effective in helping folks author good
policies.

> 2. Why does the directive production have a rigid requirement on one space
> char between directive-name and directive-value? given that directives
> have the ";" separator, why not..
>
> directive = *WSP [ directive-name [ 1*WSP directive-value ] ]
>
> which is more lenient for site operators to get right?

It's just to make the parsing unambiguous. Notice that source-list allows
leading WSP, which means any non-zero amount of WSP is allowed here anyway.

Adam
Received on Tuesday, 3 July 2012 21:33:13 UTC