Recent CSP edits

On the last telecon, I was given a handful of editing tasks for CSP
1.0.  I believe my CSP 1.0 editing queue is now empty.

1) This patch allows servers to send multiple Content-Security-Policy headers.

http://dvcs.w3.org/hg/content-security-policy/rev/f0931d0ab6eb

2) This patch removes the draconian error handling for including a
comma in a CSP policy.  Combined with the previous patch, these
patches cause user agents to split the Content-Security-Policy on
comma before feeding it to the policy parser (thanks to a bit of ABNF
magic).

http://dvcs.w3.org/hg/content-security-policy/rev/92b2fc38ee2e

3) This patch changes the error handling behavior for parsing host
expressions in source lists.  As discussed, we'll now ignore the stuff
after a "/" so that we can later introduce semantics for that syntax
(e.g., to restrict fetching resources by path as well).

http://dvcs.w3.org/hg/content-security-policy/rev/7e066a2ccb94

Thanks!
Adam

Received on Friday, 18 May 2012 20:16:33 UTC
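
The following is an added example, not code from the message, the patches or the specification. It is a simplified JavaScript model of the three changes: splitting header values on commas, parsing each piece as its own policy, and ignoring everything after a "/" in a host expression. All function names and sample hosts are hypothetical, and matching is reduced to an exact host comparison.

```javascript
// Added example: simplified model of the parsing changes described above.
// Function names are hypothetical; wildcards, ports and scheme-only sources
// are left out of matching to keep the sketch short.

// Patches 1 and 2: several headers, or one header containing commas, become
// a list of independent policy strings before the policy parser sees them.
function splitPolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0);
}

// Patch 3: in a host expression, everything from the first "/" after the
// host (and optional port) is accepted by the parser but ignored.
function parseHostSource(expr) {
  if (expr.startsWith("'")) return { keyword: expr.toLowerCase() };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null; // not a host expression this sketch understands
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Parse one policy string into a Map: directive name -> parsed sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name || directives.has(name.toLowerCase())) continue;
    directives.set(name.toLowerCase(), sources.map(parseHostSource).filter(Boolean));
  }
  return directives;
}

// Each policy is checked on its own; the host must pass all of them.
// Directives a policy does not list impose no restriction in this sketch.
function hostAllowed(headerValues, directive, host) {
  return splitPolicies(headerValues).map(parsePolicy).every((policy) => {
    const sources = policy.get(directive);
    return !sources || sources.some((s) => s.host === host.toLowerCase());
  });
}

// Constructed sample input: two headers, the first carrying two policies.
const sampleHeaders = [
  "script-src cdn.example.com/js/ 'self', script-src cdn.example.com static.example.net",
  "img-src images.example.org/avatars",
];
```

Because the path is dropped, a source written as `cdn.example.com/js/` matches the whole host in this model, so a policy author cannot yet rely on the path to narrow what is allowed.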