- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 18 May 2012 13:15:37 -0700
- To: public-webappsec@w3.org
On the last telecon, I was given a handful of editing tasks for CSP 1.0. I believe my CSP 1.0 editing queue is now empty.

1) This patch allows servers to send multiple Content-Security-Policy headers.
http://dvcs.w3.org/hg/content-security-policy/rev/f0931d0ab6eb

2) This patch removes the draconian error handling for including a comma in a CSP policy. Combined with the previous patch, these patches cause user agents to split the Content-Security-Policy on comma before feeding it to the policy parser (thanks to a bit of ABNF magic).
http://dvcs.w3.org/hg/content-security-policy/rev/92b2fc38ee2e

3) This patch changes the error handling behavior for parsing host expressions in source lists. As discussed, we'll now ignore the stuff after a "/" so that we can later introduce semantics for that syntax (e.g., to restrict fetching resources by path as well).
http://dvcs.w3.org/hg/content-security-policy/rev/7e066a2ccb94

Thanks!
Adam

Received on Friday, 18 May 2012 20:16:33 UTC
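
The comma splitting and path-ignoring behaviour described in the message above, as an added sketch that is not part of the original message, the linked patches, or the specification text. The function names, the "-src" suffix test for source-list directives, and the sample headers are assumptions made for illustration.

```javascript
// Added illustration: function names and sample headers are assumptions.

// Split every Content-Security-Policy header value on commas, so several
// headers and one comma-joined header produce the same list of policies.
function splitPolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0);
}

// Ignore everything from the first "/" after the host in a host expression.
// Keywords ('self'), "*" and scheme-only sources (https:) pass through.
function stripPath(source) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)?([^\/]*)(\/.*)?$/i.exec(source);
  return m ? (m[1] || "") + m[2] : source;
}

// Parse one policy into directives. Only "*-src" directives are treated as
// source lists (assumption), so report-uri values keep their path.
function parsePolicy(policy) {
  return policy
    .split(";")
    .map((directive) => directive.trim().split(/\s+/))
    .filter((tokens) => tokens[0] !== "")
    .map(([name, ...values]) => {
      const lower = name.toLowerCase();
      const parsed = lower.endsWith("-src") ? values.map(stripPath) : values;
      return { name: lower, values: parsed };
    });
}

function parseHeaders(headerValues) {
  return splitPolicies(headerValues).map(parsePolicy);
}

// Constructed sample: two header fields, the first holding two policies.
const sampleHeaders = [
  "default-src 'self'; script-src https://cdn.example.com/js/ 'self', img-src *",
  "script-src example.com/widgets; report-uri /csp-report",
];
console.log(JSON.stringify(parseHeaders(sampleHeaders), null, 2));
```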