Re: Are CSP directives case insensitive?

From: John Wong <gokoproject@gmail.com>
Date: Fri, 17 Jan 2014 18:15:11 -0500
Message-ID: <CACCLA55p=nYSFXqguBpwV_k_ZTfYvdr4aRgaASLo4e+Ny0_7ZQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I happened to have this discussion again on #security with the Mozillians
today.
Issue: the 1.0 spec does not seem to specify whether directive names should
be case insensitive or not (from a quick glance, that seems to be the case
in the 1.1 draft as well). Correct me if I am wrong.

Someone told me that since the grammar follows the ABNF, the following is
implicit in the CSP spec:

      ABNF strings are case insensitive and the character set for these
      strings is US-ASCII.

http://www.ietf.org/rfc/rfc5234.txt

It is worthwhile that we determine whether CSP directives should be
case insensitive or not and write that into the spec explicitly.
For Firefox's bug, please see
https://bugzilla.mozilla.org/show_bug.cgi?id=938652

Thanks.
Yeuk Hon

On Mon, Oct 28, 2013 at 3:29 PM, John Wong <gokoproject@gmail.com> wrote:

> Hi,
>
> The UA algorithm states we can take source expressions case insensitive.
> What about directive names themselves? For example, 'self' and 'SELF' are
> acceptable. [1]
>
> > If the source expression is a case insensitive match for 'self'(including the quotation marks)
>
> [1]: http://www.w3.org/TR/CSP/#parsing-1
>
> Thanks.
>
> Yeuk Hon
>
Received on Friday, 17 January 2014 23:15:38 UTC
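
The ambiguity raised in this message, shown as an added example that is not part of the original e-mail or of any browser's code: the same header value parsed with directive names folded to lower case (the RFC 5234 reading) and with names compared exactly. `parsePolicy`, `effectiveScriptSources` and the sample header are constructed for illustration.

```javascript
// Added example (constructed; not code from the thread or from any browser).
// parsePolicy and effectiveScriptSources are hypothetical helper names.

const KEYWORDS = new Set(["'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"]);

// Split a serialized policy into a Map of directive name -> source list.
// foldCase=true lowercases names, i.e. treats them as case-insensitive
// the way RFC 5234 treats ABNF string literals.
function parsePolicy(headerValue, foldCase) {
  const directives = new Map();
  for (const token of headerValue.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;            // empty token, e.g. trailing ';'
    const name = foldCase ? parts[0].toLowerCase() : parts[0];
    if (directives.has(name)) continue;          // duplicates ignored, as in CSP 1.0 parsing
    directives.set(name, parts.slice(1));
  }
  return directives;
}

// Source list that governs scripts: script-src, else default-src, else null
// (null = no directive recognised, so nothing restricts script loading).
// Keyword sources are folded to lower case, matching the quoted rule that
// 'self' is a case-insensitive match.
function effectiveScriptSources(directives) {
  const list = directives.has('script-src') ? directives.get('script-src')
             : directives.has('default-src') ? directives.get('default-src')
             : null;
  if (list === null) return null;
  return list.map(s => KEYWORDS.has(s.toLowerCase()) ? s.toLowerCase() : s);
}

// Constructed sample header value with mixed-case directive names.
const SAMPLE = "Default-Src 'none'; Script-Src 'SELF' https://cdn.example";

console.log('case-insensitive names:', effectiveScriptSources(parsePolicy(SAMPLE, true)));
console.log('case-sensitive names:  ', effectiveScriptSources(parsePolicy(SAMPLE, false)));
```

A policy linter that folds case would report this header as restrictive, while an enforcer that compares names exactly would recognise no directive at all, so the two need to agree on one rule.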
