Add CSP syntax checking for <meta> & HTTP header
authorMichael[tm] Smith <mike@w3.org>
Wed, 30 Dec 2015 23:51:52 +0000 (08:51 +0900)
committerMichael[tm] Smith <mike@w3.org>
Wed, 30 Dec 2015 23:51:52 +0000 (08:51 +0900)
Adds datatype/microsyntax-checking of the "content" attribute of the
<meta http-equiv=content-security-policy content="..."> element, along with
such checking of the value of the Content-Security-Policy HTTP header.

Fixes https://github.com/validator/validator/issues/153

common.rnc
meta.rnc

index 3352fd8e7dfae3b969756fee6f7cf94367b2b8a0..68d9acc5f28f90fb0300aa71f261c8c25c0580be 100644 (file)
@@ -394,6 +394,10 @@ common.attrs.other =
        common.data.integrity =
                w:integrity-metadata
 
+## Content Security Policy
+       common.data.content-security-policy =
+               w:content-security-policy
+
 ## List of sandbox keywords
        common.data.sandbox-allow-list =
                w:string "" | w:sandbox-allow-list
index e97e0dee3a0a3c59722f7ac125801b534ce002a0..ff67c2d4e87d5e9578b1eb9b6a3552c0e55fee16 100644 (file)
--- a/meta.rnc
+++ b/meta.rnc
@@ -324,6 +324,31 @@ datatypes w = "http://whattf.org/datatype-draft"
                                                                # if the definition is 
                                                                # reused in another language
 
+## Content Security Policy pragma directive: <meta http-equiv='content-security-policy'>
+
+       meta.http-equiv.content-security-policy.elem =
+               element meta { meta.inner & meta.http-equiv.content-security-policy.attrs }
+       meta.http-equiv.content-security-policy.attrs =
+               (       common.attrs.basic
+               &       common.attrs.i18n
+               &       common.attrs.present
+               &       common.attrs.other
+               &       meta.http-equiv.attrs.http-equiv.content-security-policy
+               &       meta.http-equiv.attrs.content.content-security-policy
+               &       (       common.attrs.aria.role.presentation
+                       |       common.attrs.aria.role.menuitem
+                       )?
+               )
+               meta.http-equiv.attrs.http-equiv.content-security-policy =
+                       attribute http-equiv {
+                               w:string "content-security-policy"
+                       }
+               meta.http-equiv.attrs.content.content-security-policy =
+                       attribute content {
+                               common.data.content-security-policy
+                       }
+       common.elem.metadata |= meta.http-equiv.content-security-policy.elem
+
 ## "x-ua-compatible" pragma directive: <meta http-equiv='x-ua-compatible'>
 
        meta.http-equiv.x-ua-compatible.elem =
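Review bot: `meta.http-equiv.attrs.content.content-security-policy` checks the `content` value against `common.data.content-security-policy`, the same datatype the commit message says is applied to the HTTP header, so directives that browsers ignore in a `<meta>`-delivered policy would presumably validate without comment. The CSP specification does not support `report-uri`, `frame-ancestors` or `sandbox` in a meta policy; an author who gets a clean result for `frame-ancestors 'none'` in a `<meta>` could wrongly conclude that framing protection is in effect. Unless `w:content-security-policy` already distinguishes the delivery context (its implementation is not visible in this hunk), consider a meta-specific datatype or a warning for those directives. At minimum, extend the section comment with `## Note: report-uri, frame-ancestors and sandbox are ignored when the policy is delivered via <meta>`.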