- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Thu, 05 Jul 2012 08:42:38 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: W3C Web App Security WG <public-webappsec@w3.org>
>> understood. In any case, the spec is silent about parsing errors AFAICT
>> (yes?). Mentioning them (in the framework section), and their ramifications
>> would be a good idea it seems.
>
> There isn't a notion of a parse error in the spec. There's the set of
> strings that servers ought to generate and requirements for how user
> agents must interpret every possible input.

Ok, thx, if I understand correctly, directive value tokens that don't match the
source-expression ABNF are ignored by the "parse a source list" algorithm and are
simply not added to the resultant set of source expressions in step 3.

So for CSP 1.0, if one has a directive with a value like so..

  script-src http://my-site.com/js/

..which doesn't match any source-expression grammar, the directive would be
equivalent to..

  script-src

..which appears to have the same effect as having..

  script-src 'none'

?

=JeffH
Received on Thursday, 5 July 2012 15:43:10 UTC
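
The parsing behaviour asked about in this message, as an added example that is not part of the original post or of the CSP specification: a small policy lint that reports which source-list tokens would be silently dropped. The regexes are simplified approximations of the source-expression ABNF as this thread reads it (host-source has no path component), and the names parseSourceList and lintDirective are hypothetical.

```javascript
// Assumption: simplified patterns for scheme, host and port; no path is
// allowed after the host, matching the reading of CSP 1.0 in this thread.
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const HOST = "(?:\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)";
const PORT = ":(?:[0-9]+|\\*)";
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'"]);
const SCHEME_SOURCE = new RegExp(`^${SCHEME}:$`);
const HOST_SOURCE = new RegExp(`^(?:${SCHEME}://)?${HOST}(?:${PORT})?$`);

function isSourceExpression(token) {
  return KEYWORDS.has(token.toLowerCase()) ||
         SCHEME_SOURCE.test(token) ||
         HOST_SOURCE.test(token);
}

// Split on whitespace; keep tokens that match the grammar, record the rest.
function parseSourceList(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 1 && tokens[0].toLowerCase() === "'none'") {
    return { sources: [], ignored: [] };
  }
  const sources = [];
  const ignored = [];
  for (const t of tokens) {
    (isSourceExpression(t) ? sources : ignored).push(t);
  }
  return { sources, ignored };
}

// Lint one directive: an empty source set means nothing is allowed to load.
function lintDirective(directive) {
  const [name, ...rest] = directive.trim().split(/\s+/);
  const { sources, ignored } = parseSourceList(rest.join(" "));
  return { name, sources, ignored, blocksEverything: sources.length === 0 };
}

// Constructed sample directives, including the one from the message.
const samples = [
  "script-src http://my-site.com/js/",
  "script-src",
  "script-src 'none'",
  "script-src 'self' https://cdn.example.com:443 http://my-site.com/js/app.js",
];
for (const s of samples) {
  const r = lintDirective(s);
  console.log(`${s}\n  kept=${JSON.stringify(r.sources)} dropped=${JSON.stringify(r.ignored)} blocksEverything=${r.blocksEverything}`);
}
```

A non-empty dropped list is the signal worth alerting on when reviewing a policy: the header is accepted, but it enforces something other than what was written.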