Re: Are CSP directives case insensitive?

I happen to have this discussion again on #security with the Mozillians
Issue: the 1.0 spec does not seem to specify whether directive names should
be case insensitive or not (a quick glance on 1.1 draft also seems to be
case as well). Correct me if I am wrong.

Someone told me that since the grammar follows the ABNF, the following is
implicit in CSP spec:

      ABNF strings are case insensitive and the character set for these
      strings is US-ASCII.

It is worthwhile that we determine whether CSP directives should be
case insensitive or not and write that into the spec explicitly.
For Firefox's bug, please see

Yeuk Hon

On Mon, Oct 28, 2013 at 3:29 PM, John Wong <> wrote:

> Hi,
> The UA algorithm states we can take source expressions case insensitive.
> What about directive names themselves? For example, 'self' and 'SELF' are
> acceptable. [1]
> > If the source expression is a case insensitive match for 'self'(including the quotation marks)
> [1]:
> Thanks.
> Yeuk Hon

Received on Friday, 17 January 2014 23:15:38 UTC