CSP: clarify whitespace characters

[mikewest]

From @michaelficarra on October 6, 2015 12:57

See my comment in w3c/webappsec#495 (comment).

4.2.1 separates source expressions on U+0020 (space), U+0009 (tab), U+000A (line feed), U+000C (form feed), and U+000D (carriage return), and the source-list grammar separates source expression on WSP, which is only U+0020 (space) and U+0009 (tab).

I think we should just replace usage of RFC 5234 WSP (the latter usage above) with HTML5's space characters (the former usage above).

Copied from original issue: w3c/webappsec#498

[mikewest]

From @hillbrad on October 6, 2015 18:12

As part of a HTTP header, though, we can't allow line feeds or carriage
returns.

On Tue, Oct 6, 2015 at 5:57 AM Michael Ficarra [email protected]
wrote:

See my comment in #495 (comment)
w3c/webappsec#495 (comment).

4.2.1 separates source expressions on U+0020 (space), U+0009 (tab), U+000A
(line feed), U+000C (form feed), and U+000D (carriage return), and the
source-list grammar separates source expression on WSP, which is only
U+0020 (space) and U+0009 (tab).

I think we should just replace usage of RFC 5234 WSP (the latter usage
above) with HTML5's space characters (the former usage above).

—
Reply to this email directly or view it on GitHub
w3c/webappsec#498.

[mikewest]

From @shekyan on October 6, 2015 18:46

CSP spec should be transport agnostic and inputs containing LF and CR would be restricted by HTTP. Consider the case of meta-tag as a transport and HTML entity representing a new line.