We've been talking a lot about policy semantics, but we haven't talked much about syntax. It seems like the two main things we'd like to get out of the syntax are:

1) Compactness. Policies should be short.
2) Legibility. It should be easy for humans to read and author policies.
3) Extensibility. We'd like a flexible syntax that we can extend for many years to come.

The current syntax seems to be something like the following:

policy = directive *( ";" directive )
directive = *LWS directive-name 1*LWS directive-value
directive-name = <CHAR, except LWS and ";">
directive-value = <CHAR, except ";">

Is that right?

Another alternative is something like JSON, which is compact and extensible, but might not be sufficiently legible:

Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"]}

The main benefit of JSON is that it's familiar to web developers and extends nicely to more complex directives:

Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"], "object-type": {"application/java": ["*.sun.com"], "application/pdf": ["*.amazonaws.com", "assets.example.com"]}}

Adam

Received on Tuesday, 1 February 2011 19:00:32 GMT
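An added example, not part of Adam's message or of any CSP specification: a strict parser for the ";"-separated grammar quoted above, alongside a parser for the JSON form from the same message, so the two syntaxes can be compared on the same policy. Function names, the rejection rules for malformed directives, and the sample policies are this example's own assumptions.

```python
import json
import re

LWS = " \t"  # the grammar's LWS, taken here to mean space and tab


def parse_directive_syntax(policy: str) -> dict:
    """Parse policy = directive *( ";" directive ) into {name: [tokens]}.

    The grammar requires every directive to carry a name AND a value,
    so a bare name, an empty directive (e.g. from a trailing ";") or a
    repeated name is rejected rather than silently dropped: a directive
    that silently disappears weakens the policy without anyone noticing.
    """
    result = {}
    for raw in policy.split(";"):
        directive = raw.strip(LWS)
        if not directive:
            raise ValueError("empty directive")
        parts = re.split(r"[ \t]+", directive, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"directive {parts[0]!r} has no value")
        name, value = parts
        if name in result:
            raise ValueError(f"duplicate directive {name!r}")
        result[name] = value.split()  # directive-value as whitespace-separated tokens
    return result


def parse_json_syntax(policy: str) -> dict:
    """Parse the proposed JSON form: {name: [sources]} or {name: {type: [sources]}}."""
    obj = json.loads(policy)
    if not isinstance(obj, dict):
        raise ValueError("policy must be a JSON object")
    result = {}
    for name, value in obj.items():
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            result[name] = list(value)
        elif isinstance(value, dict):  # nested directive, as in the object-type example
            result[name] = {k: list(v) for k, v in value.items()}
        else:
            raise ValueError(f"unsupported value for {name!r}")
    return result


def is_valid_directive_syntax(policy: str) -> bool:
    try:
        parse_directive_syntax(policy)
        return True
    except ValueError:
        return False
```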
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 1 February 2011 19:00:33 GMT