shapesecurity / salvation

Parse Content Security Policy headers, warn about policy errors, safely manipulate, render, and optimise policies
http://cspvalidator.org
Apache License 2.0

“Expecting directive-name but found [newline]” error #234

Closed sideshowbarker closed 4 years ago

sideshowbarker commented 4 years ago

See https://github.com/validator/validator/issues/917. The Nu Html Checker uses Salvation to check the CSP policy in the following meta element:

<meta http-equiv="Content-Security-Policy" content="
    default-src 'self';
    script-src  'self' 'unsafe-eval';
    style-src   'self' 'unsafe-inline';
    connect-src 'self' data:;
"/>

… and Salvation responds with this error:

Expecting directive-name but found [newline]

Looking at https://w3c.github.io/webappsec-csp/#grammardef-serialized-policy

serialized-policy = serialized-directive *( optional-ascii-whitespace ";" [ optional-ascii-whitespace serialized-directive ] )

…I see that per the spec, newlines are allowed after the ; separator and before directive names.

So does Salvation not allow newlines there?
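
As an added illustration of the grammar quoted above (example code written for this page, not Salvation's own parser), the following Python helper parses a single serialized-policy the way CSP3 describes: ASCII whitespace, which includes newlines, is trimmed around each `;`-separated directive, the directive name is validated against `1*( ALPHA / DIGIT / "-" )`, and each value token is checked against the directive-value character ranges, which exclude `,` and `;`. The function name, the error class and the `POLICY_FROM_ISSUE` sample (a copy of the content attribute in the report) are assumptions introduced here; the duplicate-name and lower-casing behaviour follows the CSP3 parsing algorithm, where a later directive with an already-seen name is ignored rather than merged.

```python
import re

# ASCII whitespace per the CSP3 optional-ascii-whitespace rule: HT, LF, FF, CR, SP.
# Newlines are included, which is why the multi-line meta content in the
# issue is a valid serialized-policy.
ASCII_WS = "\t\n\x0c\r "
ASCII_WS_RUN = re.compile(r"[\t\n\x0c\r ]+")

# directive-name = 1*( ALPHA / DIGIT / "-" )
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")
# A single value token: %x21-%x2B / %x2D-%x3A / %x3C-%x7E, i.e. printable ASCII
# minus "," (0x2C) and ";" (0x3B), the policy-list and directive separators.
DIRECTIVE_VALUE_TOKEN = re.compile(r"^[\x21-\x2b\x2d-\x3a\x3c-\x7e]+$")


class PolicyParseError(ValueError):
    """Raised when the text does not match the serialized-policy grammar (hypothetical)."""


def parse_serialized_policy(policy):
    """Parse one serialized-policy into an ordered list of (name, values).

    Hypothetical helper for this example: split on ';', trim ASCII whitespace
    (newlines included), split each directive on ASCII whitespace, lower-case
    the name (directive names are ASCII case-insensitive) and skip duplicate
    names, which the CSP3 parsing algorithm ignores rather than merges.
    """
    directives = []
    seen = set()
    for raw in policy.split(";"):
        token = raw.strip(ASCII_WS)
        if not token:
            # The grammar allows an empty directive around each ';', so a
            # trailing ';' followed by a newline (as in the issue) is fine.
            continue
        parts = ASCII_WS_RUN.split(token)
        name, values = parts[0].lower(), parts[1:]
        if not DIRECTIVE_NAME.match(name):
            raise PolicyParseError("Expecting directive-name but found %r" % parts[0])
        for value in values:
            if not DIRECTIVE_VALUE_TOKEN.match(value):
                raise PolicyParseError("Invalid directive-value token %r in %s" % (value, name))
        if name in seen:
            continue
        seen.add(name)
        directives.append((name, values))
    return directives


# Constructed sample: the content attribute from the issue report, verbatim.
POLICY_FROM_ISSUE = (
    "\n"
    "    default-src 'self';\n"
    "    script-src  'self' 'unsafe-eval';\n"
    "    style-src   'self' 'unsafe-inline';\n"
    "    connect-src 'self' data:;\n"
)

if __name__ == "__main__":
    for name, values in parse_serialized_policy(POLICY_FROM_ISSUE):
        print(name, values)
```

Running it on the sample yields four directives with no error, which is the behaviour the grammar requires; a checker that trips on the leading newline before `script-src` is splitting on whitespace before trimming it, rather than treating `optional-ascii-whitespace` as part of the separator.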

bakkot commented 4 years ago

Yup, that looks like a bug.

bakkot commented 4 years ago

This fix was released in 2.7.2.