
Re: CSP syntax

From: Gareth Heyes <gazheyes@gmail.com>
Date: Tue, 1 Feb 2011 19:16:09 +0000
Message-Id: <C9435EAB-2CEE-491F-82ED-5A20944786BB@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
To: Adam Barth <w3c@adambarth.com>

JSON policies +1

Sent from my secret lair

On 1 Feb 2011, at 18:59, Adam Barth <w3c@adambarth.com> wrote:

> We've been talking a lot about policy semantics, but we haven't talked
> much about syntax.  It seems like the two main things we'd like to get
> out of the syntax are:
> 
> 1) Compactness.  Policies should be short.
> 2) Legibility.  It should be easy for humans to read and author policies.
> 3) Extensibility.  We'd like a flexible syntax that we can extend for
> many years to come.
> 
> The current syntax seems to be something like the following:
> 
> policy = directive *( ";" directive )
> directive = *LWS directive-name 1*LWS directive-value
> directive-name = <CHAR, except LWS and ";">
> directive-value = <CHAR, except ";">
> 
> Is that right?
> 
> Another alternative is something like JSON, which is compact and
> extensible, but might not be sufficiently legible:
> 
> Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"]}
> 
> The main benefit of JSON is that it's familiar to web developers and
> extends nicely to more complex directives:
> 
> Content-Security-Policy: {"script-src": ["example.com",
> "*.paypalobjects.com"], "object-type": {"application/java":
> ["*.sun.com"], "application/pdf": ["*.amazonaws.com",
> "assets.example.com"]}}
> 
> Adam
> 
Received on Tuesday, 1 February 2011 19:17:30 GMT
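The two syntaxes under discussion, as an added worked example that is not part of the thread and not code from any CSP implementation: a parser for the semicolon-delimited grammar Adam quotes, a parser for the JSON form, and a check that the flat policy means the same thing in both. Everything the grammar leaves unsaid is an assumption here: LWS is taken as SP/HTAB, directive names are compared case-insensitively, a directive value is split on LWS into source expressions, and a repeated directive name is treated as an error rather than a merge or an override.

```javascript
// Added example, not code from the thread. Parsers for the two candidate CSP
// header syntaxes in Adam Barth's message, so one policy can be compared in
// both forms. Assumed because the message does not say: LWS is SP / HTAB,
// directive names are case-insensitive, a directive value is a list of source
// expressions separated by LWS, and a repeated directive name is an error.

// policy          = directive *( ";" directive )
// directive       = *LWS directive-name 1*LWS directive-value
// directive-name  = <CHAR, except LWS and ";">
// directive-value = <CHAR, except ";">
function parseDirectivePolicy(header) {
  const policy = Object.create(null); // no prototype: a "__proto__" directive name stays a plain key
  for (const segment of header.split(';')) {
    const directive = segment.replace(/^[ \t]+/, '');           // *LWS
    if (directive.trim() === '') continue;                       // tolerate a trailing ";" (assumption)
    const m = /^([^ \t;]+)[ \t]+([^;]*\S)[ \t]*$/.exec(directive); // name 1*LWS value
    if (m === null) throw new Error('malformed directive: ' + JSON.stringify(segment));
    const name = m[1].toLowerCase();
    if (name in policy) throw new Error('duplicate directive: ' + name);
    policy[name] = m[2].split(/[ \t]+/);
  }
  return policy;
}

// JSON form: {"directive": ["src", ...]} or, for a structured directive such as
// object-type, {"directive": {"key": ["src", ...]}}. The accepted shape is
// inferred from the two examples in the message; anything else is rejected.
function parseJsonPolicy(header) {
  const obj = JSON.parse(header);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('policy must be a JSON object');
  }
  const policy = Object.create(null);
  for (const name of Object.keys(obj)) {
    policy[name.toLowerCase()] = directiveValue(obj[name], name);
  }
  return policy;
}

function directiveValue(value, path) {
  if (Array.isArray(value)) {
    if (!value.every((s) => typeof s === 'string' && s !== '')) {
      throw new Error(path + ': sources must be non-empty strings');
    }
    return value.slice();
  }
  if (value !== null && typeof value === 'object') {
    const nested = Object.create(null);
    for (const key of Object.keys(value)) {
      if (!Array.isArray(value[key])) throw new Error(path + '.' + key + ': expected a source list');
      nested[key] = directiveValue(value[key], path + '.' + key);
    }
    return nested;
  }
  throw new Error(path + ': expected a source list or an object of source lists');
}

// Order-independent textual form, so parsed policies can be compared across syntaxes.
function canonical(value) {
  if (Array.isArray(value)) return JSON.stringify(value);
  const keys = Object.keys(value).sort();
  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
}

function samePolicy(a, b) {
  return canonical(a) === canonical(b);
}

// The two policies from the message, plus the directive-syntax spelling of the flat one.
const FLAT_JSON = '{"script-src": ["example.com", "*.paypalobjects.com"]}';
const FLAT_DIRECTIVES = 'script-src example.com *.paypalobjects.com';
const NESTED_JSON =
  '{"script-src": ["example.com", "*.paypalobjects.com"],' +
  ' "object-type": {"application/java": ["*.sun.com"],' +
  ' "application/pdf": ["*.amazonaws.com", "assets.example.com"]}}';

function demo() {
  const flatMatches = samePolicy(parseJsonPolicy(FLAT_JSON), parseDirectivePolicy(FLAT_DIRECTIVES));
  const nested = parseJsonPolicy(NESTED_JSON);
  // Pushing the nested directive through the flat grammar (constructed input) loses the
  // grouping: MIME types and hosts come back as one undifferentiated token list.
  const flattened = parseDirectivePolicy('object-type application/java *.sun.com application/pdf *.amazonaws.com');
  return {
    flatMatches,
    pdfSources: nested['object-type']['application/pdf'],
    flattenedObjectType: flattened['object-type'],
  };
}

console.log(demo());
```

Two caveats a reviewer of either syntax would raise. `JSON.parse` silently keeps the last of two duplicate keys, so a JSON policy parser that wants "duplicate directive" to be an error, as the directive parser above makes it, has to detect that itself; the example does not. And a policy parser is an attacker-reachable input parser, so both functions build null-prototype objects: a header carrying a `"__proto__"` directive name becomes an ordinary key rather than rewriting the prototype of the policy object.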