AW: [CSP] feedback sandbox ABNF grammar conflict from Stefan Ossendorf on 2014-08-12 (public-webappsec@w3.org from August 2014)

From: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Date: Tue, 12 Aug 2014 20:46:04 +0200
To: "'Mike West'" <mkwst@google.com>
CC: <public-webappsec@w3.org>, "'Devdatta Akhawe'" <dev.akhawe@gmail.com>
Message-ID: <DUB113-DS209D0E05BE7526ADD59CCAE2EA0@phx.gbl>

Hi Mike,

sadly the grammar is still wrong L. Now I can chain sandbox-tokens without the separating whitespaces.

My suggestions are:

1. Explicit

ABNF: *WSP / sandbox-token *( 1*WSP sandbox-token)

Or

ABNF:  “” / sandbox-token *( 1*WSP sandbox-token)

I’m not sure if “” count as empty

2. Implicit

ABNF: *( 1*WSP sandbox-token )

Or

ABNF: *( sandbox-token 1*WSP )

-Stefan

Ps: Np ;-) Germany is nice ;)

Von: Mike West [mailto:mkwst@google.com] 
Gesendet: Montag, 11. August 2014 22:17
An: Devdatta Akhawe
Cc: Stefan Ossendorf; public-webappsec@w3.org
Betreff: Re: [CSP] feedback sandbox ABNF grammar conflict

The grammar is no longer wrong (I hope... ABNF is not my strong suit): https://github.com/w3c/webappsec/commit/0822e8bafa7f53adb1c546864abfae79e2ee05f2

Thanks for the report, Stefan!

-mike

--
Mike West <mkwst@google.com>

Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Geschäftsführer: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Aug 11, 2014 at 7:46 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

I believe the grammar is wrong and the empty token list is fine. See
also http://developers.whatwg.org/the-iframe-element.html#attr-iframe-sandbox

=Dev

On 10 August 2014 13:04, Stefan Ossendorf <stefan.ossendorf@outlook.de> wrote:
> Hello,
>
>
>
> I’m trying to implement the CSP Spec from
> (https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox).
>
> But the ABNF of sandbox is not clear.
>
> Quote:
>
> directive-name    = "sandbox"
>
> directive-value   = sandbox-token *( 1*WSP sandbox-token )
>
> sandbox-token     = <token from RFC 7230>
>
>
>
> But the first example under „Usage“ say it’s possible to create an empty
> sandbox directive without any value. The ABNF says but at least one token
> and a token can’t be empty according to the token spec.
>
> What’s correct?
>
>
>
> Thanks in advance
>
> Stefan Ossendorf

Received on Tuesday, 12 August 2014 18:46:27 UTC