From: Michael[tm] Smith <mike@w3.org>
Date: Wed, 30 Dec 2015 23:51:52 +0000 (+0900)
Subject: Add CSP syntax checking for <meta> & HTTP header
X-Git-Url: https://code.delx.au/gnu-emacs-elpa/commitdiff_plain/fec8cdffb904d2d58b3fb10d90efa095ce5e1f76

Add CSP syntax checking for <meta> & HTTP header

Adds datatype/microsyntax-checking of the "content" attribute of the
<meta http-equiv=content-security-policy content="..."> element, along with
such checking of the value of the Content-Security-Policy HTTP header.

Fixes https://github.com/validator/validator/issues/153
---

diff --git a/common.rnc b/common.rnc
index 3352fd8e7..68d9acc5f 100644
--- a/common.rnc
+++ b/common.rnc
@@ -394,6 +394,10 @@ common.attrs.other =
 	common.data.integrity =
 		w:integrity-metadata
 
+## Content Security Policy
+	common.data.content-security-policy =
+		w:content-security-policy
+
 ## List of sandbox keywords
 	common.data.sandbox-allow-list =
 		w:string "" | w:sandbox-allow-list
diff --git a/meta.rnc b/meta.rnc
index e97e0dee3..ff67c2d4e 100644
--- a/meta.rnc
+++ b/meta.rnc
@@ -324,6 +324,31 @@ datatypes w = "http://whattf.org/datatype-draft"
                                                                # if the definition is 
                                                                # reused in another language
 
+## Content Security Policy pragma directive: <meta http-equiv='content-security-policy'>
+
+	meta.http-equiv.content-security-policy.elem =
+		element meta { meta.inner & meta.http-equiv.content-security-policy.attrs }
+	meta.http-equiv.content-security-policy.attrs =
+		(	common.attrs.basic
+		&	common.attrs.i18n
+		&	common.attrs.present
+		&	common.attrs.other
+		&	meta.http-equiv.attrs.http-equiv.content-security-policy
+		&	meta.http-equiv.attrs.content.content-security-policy
+		&	(	common.attrs.aria.role.presentation
+			|	common.attrs.aria.role.menuitem
+			)?
+		)
+		meta.http-equiv.attrs.http-equiv.content-security-policy =
+			attribute http-equiv {
+				w:string "content-security-policy"
+			}
+		meta.http-equiv.attrs.content.content-security-policy =
+			attribute content {
+				common.data.content-security-policy
+			}
+	common.elem.metadata |= meta.http-equiv.content-security-policy.elem
+
 ## "x-ua-compatible" pragma directive: <meta http-equiv='x-ua-compatible'>
 
 	meta.http-equiv.x-ua-compatible.elem =