
Superfluous requirements for directives in CSP #2458

@edukisto

Information

  • Language: CSP.
  • Plugins: none.

Does the problem still occur in the latest version of Prism?

Yes.

Description

As stated in CSP 1.0, CSP 1.1, CSP2, and CSP3, values of directives may be omitted.

For example, empty values of default-src, script-src, style-src, etc., are equivalent to 'none' (see CSP 1.0, CSP 1.1, CSP2, CSP3).

Some directives don’t have values at all. These are block-all-mixed-content, upgrade-insecure-requests, etc.

However, Prism doesn’t recognize the following values:

block-all-mixed-content
default-src
sandbox
upgrade-insecure-requests

We could use trailing spaces (block-all-mixed-content ), but this looks ugly. We could use trailing semicolons (block-all-mixed-content;), but CSP allows semicolons only as delimiters. Moreover, sandbox may or may not have a value, but the following doesn’t work either.

sandbox;

I think spaces and semicolons should be removed from this regular expression.

May I suggest the following as a replacement?

/\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i

Code snippet

The code being highlighted incorrectly.
block-all-mixed-content
default-src
sandbox
sandbox;
upgrade-insecure-requests
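As an added example (not Prism's code), the following checks the directive pattern proposed above against the five snippet lines and uses it to split a policy header into directives, including value-less ones and ones with an empty value. The `delimiterRequired` pattern is only a constructed stand-in for the "needs a trailing space or semicolon" behaviour the issue describes, not the regex actually shipped in Prism.

```javascript
// The directive pattern proposed in the issue.
const proposedDirective =
  /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i;

// Constructed stand-in (NOT Prism's real regex): same names, but the name
// only counts when a space or semicolon follows it.
const delimiterRequired = new RegExp(
  proposedDirective.source.replace(/\\b$/, '(?=[ ;])'),
  'i'
);

// The five lines from the issue's "Code snippet".
const snippets = [
  'block-all-mixed-content',
  'default-src',
  'sandbox',
  'sandbox;',
  'upgrade-insecure-requests',
];

// Return the snippet lines in which `pattern` finds a directive name.
function recognizedBy(pattern, lines) {
  return lines.filter((line) => pattern.test(line));
}

// Split a policy into directives. Semicolons are delimiters only, so a bare
// name (value-less directive) or a name with no value (empty value, which the
// CSP specs treat as 'none') both parse cleanly.
function parsePolicy(policy) {
  return policy
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const [name, ...values] = part.split(/\s+/);
      return {
        name: name.toLowerCase(),
        values,
        known: proposedDirective.test(name),
      };
    });
}

// Constructed sample policy exercising an empty value, a sandbox value and
// a value-less directive.
const samplePolicy =
  "default-src; script-src 'self'; sandbox allow-scripts; upgrade-insecure-requests";

console.log(recognizedBy(delimiterRequired, snippets)); // only 'sandbox;'
console.log(recognizedBy(proposedDirective, snippets)); // all five lines
console.log(parsePolicy(samplePolicy));
```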
