Re: some further Comments on Content Security Policy 1.0 Editor's Draft

On Tue, Jul 3, 2012 at 1:52 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> when reviewing the recent "CSP 1.1: More granular source list definitions"
> thread, I had these questions regarding CSP 1.0...
>
> 1. unless I've missed it, there does not appear to be any suggestion in the
> spec regarding whether the user agent to log and/or report CSP Policy parse
> errors, nor discussion whether a directive with a source-expression
> violating the grammar -- such as Odin's example..
>
>   script-src: http://my-site.com/js/
>
> ..which a lenient parser would likely match to the host-source production --
> must/should be enforced or ignored by the user agent.

There's no requirement to log errors to the console, but a bunch of
implementations do.  I guess we could send violation reports, but
logging to the developer console seems to be effective in helping
folks author good policies.

> 2. Why does the directive production have a rigid requirement on one space
> char between directive-name and directive-value ?  given that directives
> have the ";" separator, why not..
>
>   directive         = *WSP [ directive-name [ 1*WSP directive-value ] ]
>
> which is more lenient for site operators to get right?

It's just to make the parsing unambiguous.  Notice that source-list
allows leading WSP, which means any non-zero amount of WSP is allowed
here anyway.

Adam

Received on Tuesday, 3 July 2012 21:33:13 UTC