Re: [CSP] feedback sandbox ABNF grammar conflict from Mike West on 2014-08-18 (public-webappsec@w3.org from August 2014)

From: Mike West <mkwst@google.com>
Date: Mon, 18 Aug 2014 08:48:12 +0200
To: Stefan Ossendorf <stefan.ossendorf@outlook.de>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Devdatta Akhawe <dev.akhawe@gmail.com>
Message-ID: <CAKXHy=fBzy2DNnkBonet6T7cbN7O7d4HVfu_phF3NHPydANADg@mail.gmail.com>

Thanks!

https://github.com/w3c/webappsec/commit/570ca5210a5055110acf3894978ace0333e048a2

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Aug 12, 2014 at 8:46 PM, Stefan Ossendorf <
stefan.ossendorf@outlook.de> wrote:

> Hi Mike,
>
>
>
> sadly the grammar is still wrong L. Now I can chain sandbox-tokens
> without the separating whitespaces.
>
>
>
> My suggestions are:
>
> 1. Explicit
>
> ABNF: *WSP / sandbox-token *( 1*WSP sandbox-token)
>
> Or
>
> ABNF:  “” / sandbox-token *( 1*WSP sandbox-token)
>
>
>
> I’m not sure if “” count as empty
>
>
>
> 2. Implicit
>
> ABNF: *( 1*WSP sandbox-token )
>
> Or
>
> ABNF: *( sandbox-token 1*WSP )
>
>
>
> -Stefan
>
>
>
> Ps: Np ;-) Germany is nice ;)
>
>
>
> *Von:* Mike West [mailto:mkwst@google.com]
> *Gesendet:* Montag, 11. August 2014 22:17
> *An:* Devdatta Akhawe
> *Cc:* Stefan Ossendorf; public-webappsec@w3.org
> *Betreff:* Re: [CSP] feedback sandbox ABNF grammar conflict
>
>
>
> The grammar is no longer wrong (I hope... ABNF is not my strong suit):
> https://github.com/w3c/webappsec/commit/0822e8bafa7f53adb1c546864abfae79e2ee05f2
>
>
>
> Thanks for the report, Stefan!
>
>
>
> -mike
>
>
> --
> Mike West <mkwst@google.com>
>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
>
> Sitz der Gesellschaft: Hamburg
>
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
>
> On Mon, Aug 11, 2014 at 7:46 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>
> I believe the grammar is wrong and the empty token list is fine. See
> also
> http://developers.whatwg.org/the-iframe-element.html#attr-iframe-sandbox
>
>
> =Dev
>
>
>
> On 10 August 2014 13:04, Stefan Ossendorf <stefan.ossendorf@outlook.de>
> wrote:
> > Hello,
> >
> >
> >
> > I’m trying to implement the CSP Spec from
> > (
> https://w3c.github.io/webappsec/specs/content-security-policy/#directive-sandbox
> ).
> >
> > But the ABNF of sandbox is not clear.
> >
> > Quote:
> >
> > directive-name    = "sandbox"
> >
> > directive-value   = sandbox-token *( 1*WSP sandbox-token )
> >
> > sandbox-token     = <token from RFC 7230>
> >
> >
> >
> > But the first example under „Usage“ say it’s possible to create an empty
> > sandbox directive without any value. The ABNF says but at least one token
> > and a token can’t be empty according to the token spec.
> >
> > What’s correct?
> >
> >
> >
> > Thanks in advance
> >
> > Stefan Ossendorf
>
>
>

Received on Monday, 18 August 2014 06:49:01 UTC