- From: John Wong <gokoproject@gmail.com>
- Date: Fri, 17 Jan 2014 18:15:11 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CACCLA55p=nYSFXqguBpwV_k_ZTfYvdr4aRgaASLo4e+Ny0_7ZQ@mail.gmail.com>

I happen to have this discussion again on #security with the Mozillians today.

Issue: the 1.0 spec does not seem to specify whether directive names should be case insensitive or not (a quick glance on 1.1 draft also seems to be case as well). Correct me if I am wrong.

Someone told me that since the grammar follows the ABNF, the following is implicit in CSP spec:

    ABNF strings are case insensitive and the character set for these strings is US-ASCII.

http://www.ietf.org/rfc/rfc5234.txt

It is worthwhile that we determine whether CSP directives should be case insensitive or not and write that into the spec explicitly.

For Firefox's bug, please see https://bugzilla.mozilla.org/show_bug.cgi?id=938652

Thanks.

Yeuk Hon

On Mon, Oct 28, 2013 at 3:29 PM, John Wong <gokoproject@gmail.com> wrote:
> Hi,
>
> The UA algorithm states we can take source expressions case insensitive.
> What about directive names themselves? For example, 'self' and 'SELF' are
> acceptable. [1]
>
> > If the source expression is a case insensitive match for 'self'(including the quotation marks)
>
> [1]: http://www.w3.org/TR/CSP/#parsing-1
>
> Thanks.
>
> Yeuk Hon

Received on Friday, 17 January 2014 23:15:38 UTC
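
What the ambiguity raised in this message means for enforcement, as an added example that is not part of the original message and is not Firefox's or the spec's code: a simplified CSP 1.0-style parser run under both readings of directive-name case. The names `parsePolicy`, `scriptSources`, `compare`, `foldCase` and the `SAMPLE` header value are hypothetical, and the sketch assumes unrecognized directive names are ignored and the first instance of a duplicate directive wins.

```javascript
// Added example: simplified CSP 1.0-style policy parser (illustrative only).
// Directive names defined by CSP 1.0.
const KNOWN = new Set(['default-src', 'script-src', 'object-src', 'style-src',
  'img-src', 'media-src', 'frame-src', 'font-src', 'connect-src',
  'sandbox', 'report-uri']);

// ASCII-only case folding, matching the US-ASCII scope of ABNF strings.
const asciiLower = (s) => s.replace(/[A-Z]/g, (c) => c.toLowerCase());

// foldCase (hypothetical switch) selects the interpretation under test:
// true = directive names are case insensitive, false = exact match only.
function parsePolicy(policy, foldCase) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const trimmed = token.trim();
    if (trimmed === '') continue;               // skip empty tokens
    const m = /^(\S+)\s*(.*)$/.exec(trimmed);   // name, then the value
    const name = foldCase ? asciiLower(m[1]) : m[1];
    if (!KNOWN.has(name)) continue;             // assumption: unknown names ignored
    if (directives.has(name)) continue;         // duplicate: first instance wins
    directives.set(name, m[2].split(/\s+/).filter(Boolean));
  }
  return directives;
}

// Source list that governs scripts: script-src, else default-src,
// else null (the policy places no restriction on scripts).
function scriptSources(policy, foldCase) {
  const d = parsePolicy(policy, foldCase);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// Constructed header value: the author intended scripts from 'self' only.
const SAMPLE = "default-src *; Script-Src 'self'";

function compare(policy) {
  return {
    caseSensitive: scriptSources(policy, false),
    caseInsensitive: scriptSources(policy, true),
  };
}

console.log(compare(SAMPLE));
```

Under the case-sensitive reading the mixed-case directive is dropped and scripts fall back to the looser `default-src` list, so a policy author checking a deployment should compare the delivered header against the directive list the browser actually enforces.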