
CSP syntax

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 1 Feb 2011 10:59:10 -0800
Message-ID: <AANLkTimCnu98OkbrJXaZhOTnf-tVSog6KMHn=U5ajFe9@mail.gmail.com>
To: public-web-security@w3.org

We've been talking a lot about policy semantics, but we haven't talked
much about syntax.  It seems like the two main things we'd like to get
out of the syntax are:

1) Compactness.  Policies should be short.
2) Legibility.  It should be easy for humans to read and author policies.
3) Extensibility.  We'd like a flexible syntax that we can extend for
many years to come.

The current syntax seems to be something like the following:

policy = directive *( ";" directive )
directive = *LWS directive-name 1*LWS directive-value
directive-name = <CHAR, except LWS and ";">
directive-value = <CHAR, except ";">

Is that right?

Another alternative is something like JSON, which is compact and
extensible, but might not be sufficiently legible:

Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"]}

The main benefit of JSON is that it's familiar to web developers and
extends nicely to more complex directives:

Content-Security-Policy: {"script-src": ["example.com",
"*.paypalobjects.com"], "object-type": {"application/java":
["*.sun.com"], "application/pdf": ["*.amazonaws.com",
"assets.example.com"]}}

Adam
Received on Tuesday, 1 February 2011 19:00:32 GMT
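As an added example (not part of the original message or of any CSP implementation), the following Python parses the semicolon-separated directive grammar quoted above and the proposed JSON form into the same name-to-source-list structure, so the two syntaxes can be compared on identical input. It assumes LWS means spaces and tabs, that a directive-value is a whitespace-separated list of sources, and that a directive with a name but no value is invalid (the grammar requires 1*LWS directive-value). The sample policies are constructed from the values in the message.

```python
import json

# Assumption: LWS (linear whitespace) is spaces and tabs.
_LWS = " \t"


def parse_csp_header(header):
    """Parse 'policy = directive *( ";" directive )' into (name, value) pairs.

    Order is preserved. Empty directives (e.g. from a trailing ';') are
    skipped. A directive with no value violates '1*LWS directive-value'
    and raises ValueError so the policy is rejected rather than silently
    widened or narrowed.
    """
    directives = []
    for raw in header.split(";"):
        chunk = raw.strip(_LWS)
        if not chunk:
            continue
        # directive-name ends at the first run of LWS; the rest is the value
        parts = chunk.split(None, 1)
        if len(parts) < 2:
            raise ValueError(f"directive {parts[0]!r} has no value")
        name, value = parts[0], parts[1].strip(_LWS)
        directives.append((name, value))
    return directives


def policy_from_directives(header):
    """Normalize the directive syntax to {name: [source, ...]}.

    Assumption: a directive-value is a whitespace-separated source list.
    A repeated directive name is rejected, since the grammar gives no
    rule for merging duplicates and a guess could loosen the policy.
    """
    policy = {}
    for name, value in parse_csp_header(header):
        if name in policy:
            raise ValueError(f"duplicate directive {name!r}")
        policy[name] = value.split()
    return policy


def parse_csp_json(header):
    """Parse the JSON alternative; the top level must be an object."""
    policy = json.loads(header)
    if not isinstance(policy, dict):
        raise ValueError("policy must be a JSON object")
    return policy


# Constructed sample inputs built from the values in the message.
DIRECTIVE_FORM = "script-src example.com *.paypalobjects.com;"
JSON_FORM = '{"script-src": ["example.com", "*.paypalobjects.com"]}'
NESTED_JSON_FORM = (
    '{"script-src": ["example.com", "*.paypalobjects.com"], '
    '"object-type": {"application/java": ["*.sun.com"], '
    '"application/pdf": ["*.amazonaws.com", "assets.example.com"]}}'
)


def forms_agree(directive_header, json_header):
    """True when both syntaxes yield the same normalized policy."""
    return policy_from_directives(directive_header) == parse_csp_json(json_header)


if __name__ == "__main__":
    print(policy_from_directives(DIRECTIVE_FORM))
    print(forms_agree(DIRECTIVE_FORM, JSON_FORM))
    # The nested object-type directive has no counterpart in the flat
    # directive grammar; in JSON it is just another nested object.
    print(parse_csp_json(NESTED_JSON_FORM)["object-type"])
```

The directive parser is deliberately strict about missing values and duplicate names: a policy parser that guesses at malformed input is a place where an attacker-controlled or mis-typed header can end up enforcing something other than what the author intended.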
