CSP: clarify whitespace characters

[michaelficarra]

See my comment in #495 (comment).

4.2.1 separates source expressions on U+0020 (space), U+0009 (tab), U+000A (line feed), U+000C (form feed), and U+000D (carriage return), and the source-list grammar separates source expression on WSP, which is only U+0020 (space) and U+0009 (tab).

I think we should just replace usage of RFC 5234 WSP (the latter usage above) with HTML5's space characters (the former usage above).

[hillbrad]

As part of a HTTP header, though, we can't allow line feeds or carriage
returns.

On Tue, Oct 6, 2015 at 5:57 AM Michael Ficarra [email protected]
wrote:

See my comment in #495 (comment)
#495 (comment).

4.2.1 separates source expressions on U+0020 (space), U+0009 (tab), U+000A
(line feed), U+000C (form feed), and U+000D (carriage return), and the
source-list grammar separates source expression on WSP, which is only
U+0020 (space) and U+0009 (tab).

I think we should just replace usage of RFC 5234 WSP (the latter usage
above) with HTML5's space characters (the former usage above).

—
Reply to this email directly or view it on GitHub
#498.

[shekyan]

CSP spec should be transport agnostic and inputs containing LF and CR would be restricted by HTTP. Consider the case of meta-tag as a transport and HTML entity representing a new line.

[mikewest]

This issue was moved to w3c/webappsec-csp#5