
Re: CSP syntax

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 01 Feb 2011 13:41:41 -0800
Message-ID: <4D487E15.1030805@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org
On 2/1/11 10:59 AM, Adam Barth wrote:
> The current syntax seems to be something like the following:
> policy = directive *( ";" directive )
> directive = *LWS directive-name 1*LWS directive-value
> directive-name = <CHAR, except LWS and ";">
> directive-value = <CHAR, except ";">
> Is that right?

Very close, if you get rid of the current requirement to explicitly
specify "allow" (which I don't like anyway).


> Another alternative is something like JSON, which is compact and
> extensible, but might not be sufficiently legible:
> Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"]}

I'll grant the extensibility win, but it's LESS compact than what we
have now due to the required braces, brackets, and quoting. It's a
clear lose on legibility but that may be somewhat compensated for by
making it easy for tools to parse and write.

-Dan Veditz
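The directive grammar Adam quotes, implemented as a strict parser and set beside the JSON form he sketches so the two encodings can be compared for length, as an added example that is not code from this thread, from Mozilla, or from any CSP implementation. It assumes LWS means space or horizontal tab, that a directive-value is a list of sources separated by LWS (the grammar leaves the value opaque), and that when a directive-name repeats the first occurrence wins; none of those choices is stated in the message.

```javascript
// Added example, not from the thread, Mozilla, or any CSP implementation:
// a strict parser for the header syntax quoted in the message,
//   policy          = directive *( ";" directive )
//   directive       = *LWS directive-name 1*LWS directive-value
//   directive-name  = <CHAR, except LWS and ";">
//   directive-value = <CHAR, except ";">
// Assumptions: LWS is SP or HTAB; a directive-value is a list of sources
// separated by LWS; when a directive-name repeats, the first occurrence wins.

function isLWS(ch) {
  return ch === ' ' || ch === '\t';
}

// Parse a single directive. The grammar demands at least one LWS between the
// name and the value, so a bare name such as "script-src" is rejected.
function parseDirective(text) {
  let i = 0;
  while (i < text.length && isLWS(text[i])) i++;          // *LWS
  const nameStart = i;
  while (i < text.length && !isLWS(text[i])) i++;         // directive-name
  const name = text.slice(nameStart, i);
  if (name === '') {
    throw new Error('empty directive-name (a trailing ";" is not allowed by the grammar)');
  }
  if (i === text.length) {
    throw new Error(`directive "${name}" has no value; grammar requires 1*LWS directive-value`);
  }
  // directive-value is opaque to the grammar; split it into sources on LWS.
  const sources = text.slice(i).split(/[ \t]+/).filter((s) => s.length > 0);
  if (sources.length === 0) {
    throw new Error(`directive "${name}" has only whitespace for a value`);
  }
  return { name, sources };
}

// Parse a whole policy header value into a Map of directive-name -> sources.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const { name, sources } = parseDirective(part);
    if (!policy.has(name)) policy.set(name, sources);      // first occurrence wins (assumption)
  }
  return policy;
}

// Render the same policy in the JSON shape Adam sketched, so the two
// encodings can be compared for length.
function toJsonForm(policy) {
  const obj = {};
  for (const [name, sources] of policy) obj[name] = sources;
  return JSON.stringify(obj);
}

// Demo on a constructed header value (hosts are illustrative only).
const header = 'script-src example.com *.paypalobjects.com; img-src *';
const parsed = parsePolicy(header);
console.log([...parsed]);
console.log(`header form: ${header.length} bytes, JSON form: ${toJsonForm(parsed).length} bytes`);
```

Run with `node`; the parser rejects a bare directive name and a trailing `;` because the quoted grammar allows neither, and the length comparison shows the JSON form costing more bytes than the directive form for the same policy, which is the compactness point Dan makes.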
Received on Tuesday, 1 February 2011 21:42:53 UTC
