
Superfluous requirements for directives in CSP #2458

Closed
edukisto opened this issue Jul 4, 2020 · 0 comments · Fixed by #2461

Comments


edukisto commented Jul 4, 2020

Information

  • Language: CSP.
  • Plugins: none.

Does the problem still occur in the latest version of Prism?

Yes.

Description

As stated in CSP 1.0, CSP 1.1, CSP2, and CSP3, values of directives may be omitted.

For example, empty values of default-src, script-src, style-src, etc., are equivalent to 'none' (see CSP 1.0, CSP 1.1, CSP2, CSP3).

Some directives don’t have values at all. These are block-all-mixed-content, upgrade-insecure-requests, etc.

However, Prism doesn’t recognize the following values:

block-all-mixed-content
default-src
sandbox
upgrade-insecure-requests

We could use trailing spaces (block-all-mixed-content ), but this looks ugly. We could use trailing semicolons (block-all-mixed-content;), but CSP allows semicolons only as delimiters. Moreover, sandbox may or may not have a value, but the following doesn’t work either.

sandbox;

I think spaces and semicolons should be removed from this regular expression.

May I suggest the following as a replacement?

/\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i

Code snippet

The code being highlighted incorrectly.
block-all-mixed-content
default-src
sandbox
sandbox;
upgrade-insecure-requests
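The following is an added example, not code from Prism or from the issue author. It implements the CSP3 "parse a serialized CSP" steps (split on `;`, trim, first token is the directive name, remaining tokens are values, a repeated name is ignored so the first occurrence wins) and applies the directive-name regex proposed above to the parsed names. It shows why bare names must be recognized: `default-src` with no value is enforced as `'none'`, `sandbox` is valid with or without a value, and `block-all-mixed-content` / `upgrade-insecure-requests` never carry one. The sample header is constructed for the demonstration; the function names (`parsePolicy`, `effectiveSources`, `highlightedNames`, `describePolicy`) are this example's own.

```javascript
// Added example for this issue (not Prism's own code): a minimal CSP3-style
// policy parser plus a check of the directive-name regex proposed in the issue.

// Regex proposed in the issue: matches a bare directive name, with no
// trailing space or ';' required.
const DIRECTIVE_NAME =
  /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i;

// Fetch directives: an omitted source list is equivalent to 'none'.
const FETCH_DIRECTIVES = new Set([
  'child-src', 'connect-src', 'default-src', 'font-src', 'frame-src', 'img-src',
  'manifest-src', 'media-src', 'object-src', 'script-src', 'style-src', 'worker-src',
]);

// Directives that are defined to take no value at all.
const VALUELESS = new Set(['block-all-mixed-content', 'upgrade-insecure-requests']);

/**
 * Parse a serialized policy into [{ name, values }] following the CSP3 steps:
 * split on ';', strip ASCII whitespace, the first token is the (lowercased)
 * directive name and the rest are its values. A directive name that appears
 * again is ignored, so the first occurrence wins.
 */
function parsePolicy(serialized) {
  const directives = [];
  const seen = new Set();
  for (const token of serialized.split(';')) {
    const trimmed = token.replace(/^[ \t\n\r\f]+|[ \t\n\r\f]+$/g, '');
    if (trimmed === '') continue; // empty token, e.g. from a trailing ';'
    const [rawName, ...values] = trimmed.split(/[ \t\n\r\f]+/);
    const name = rawName.toLowerCase();
    if (seen.has(name)) continue; // duplicate directive: ignored per CSP3
    seen.add(name);
    directives.push({ name, values });
  }
  return directives;
}

/** Sources a fetch directive actually enforces: an empty list means 'none'. */
function effectiveSources(directive) {
  if (FETCH_DIRECTIVES.has(directive.name) && directive.values.length === 0) {
    return ["'none'"];
  }
  return directive.values;
}

/** Directive names in the policy that the proposed regex would highlight. */
function highlightedNames(serialized) {
  return parsePolicy(serialized)
    .map((d) => d.name)
    .filter((n) => DIRECTIVE_NAME.test(n));
}

/** One human-readable line per directive, showing what is really enforced. */
function describePolicy(serialized) {
  return parsePolicy(serialized).map((d) => {
    const value = VALUELESS.has(d.name)
      ? '(takes no value)'
      : (effectiveSources(d).join(' ') || '(empty)');
    return `${d.name} ${value}`;
  });
}

// Constructed sample header (not from the issue). The trailing "default-src *"
// is a duplicate and is dropped, so default-src stays at 'none'.
const SAMPLE =
  "default-src; script-src 'self'; sandbox; block-all-mixed-content; " +
  'upgrade-insecure-requests; default-src *';

console.log(describePolicy(SAMPLE).join('\n'));
```

Every name in `SAMPLE` is matched by the proposed regex even though none of them is followed by a space, and `sandbox;` still matches because `\b` sits between `x` and `;`. The duplicate `default-src *` at the end is a useful reminder when reading real headers: a later, laxer copy of a directive does not loosen the policy.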