
Re: CSP syntax

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 1 Feb 2011 14:07:51 -0800
Message-ID: <AANLkTimwrGFKsz7bcMjtKaumRDiyzxS6-OOxiAx0xHUX@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: public-web-security@w3.org

On Tue, Feb 1, 2011 at 1:41 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 2/1/11 10:59 AM, Adam Barth wrote:
>> The current syntax seems to be something like the following:
>>
>> policy = directive *( ";" directive )
>> directive = *LWS directive-name 1*LWS directive-value
>> directive-name = <CHAR, except LWS and ";">
>> directive-value = <CHAR, except ";">
>>
>> Is that right?
>
> Very close, if you get rid of the current requirement to explicitly
> specify "allow" (which I don't like anyway)
>
> https://wiki.mozilla.org/Security/CSP/Specification#Formal_Policy_Syntax
>
>> Another alternative is something like JSON, which is compact and
>> extensible, but might not be sufficiently legible:
>>
>> Content-Security-Policy: {"script-src": ["example.com", "*.paypalobjects.com"]}
>
> I'll grant the extensibility win, but it's LESS compact than what we
> have now due to the required braces, brackets, and quoting. It's a
> clear lose on legibility but that may be somewhat compensated for by
> making it easy for tools to parse and write.

Only less compact by a nose.  :)

Adam
Received on Tuesday, 1 February 2011 22:08:57 GMT
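
The directive grammar quoted in the thread and the JSON alternative, as an added example that is not code from this thread or from either browser's CSP implementation. It parses a header in the directive syntax, converts it to and from the JSON form, and counts the bytes of both encodings of the example header from the thread. It assumes LWS means space or horizontal tab, CHAR means US-ASCII, that a directive-value splits on LWS into the list of sources the JSON form carries as an array, and that a repeated directive-name is an error; none of that is stated in the messages above, and the function names are this example's own.

```javascript
// Added example, not code from the thread or from either browser vendor:
// a parser for the directive grammar quoted in the thread, a converter to
// and from the proposed JSON form, and a byte count of both encodings.
//
// Grammar as quoted (Adam's rendering, which Dan called "very close"):
//   policy          = directive *( ";" directive )
//   directive       = *LWS directive-name 1*LWS directive-value
//   directive-name  = <CHAR, except LWS and ";">
//   directive-value = <CHAR, except ";">
//
// Assumptions not stated in the thread: LWS is space or horizontal tab;
// CHAR is US-ASCII (0x00-0x7F) as in RFC 2616; a directive-value is split
// on LWS into source expressions, matching the array in the JSON example;
// a duplicated directive-name is rejected, since the grammar says nothing
// about it. All function names below are this example's own.

const LWS_RUN = /[ \t]+/;

function assertAscii(s) {
  // CHAR excludes anything above 0x7F; a header parser should refuse such
  // input rather than guess at an encoding.
  for (let i = 0; i < s.length; i++) {
    if (s.charCodeAt(i) > 0x7f) throw new Error(`non-CHAR code unit at offset ${i}`);
  }
}

// Parse a policy string into an ordered Map of directive-name -> [sources].
function parsePolicy(policy) {
  assertAscii(policy);
  const directives = new Map();
  for (const piece of policy.split(';')) {
    // policy = directive *( ";" directive ): an empty piece means a missing
    // directive (leading, trailing or doubled ";"), which the grammar forbids.
    const body = piece.replace(/^[ \t]+/, '');       // *LWS before the name
    if (body === '') throw new Error('empty directive (stray ";")');
    const sep = body.search(LWS_RUN);                 // 1*LWS after the name
    if (sep === -1) throw new Error(`directive "${body}" has no value`);
    const name = body.slice(0, sep);                  // contains no LWS, no ";"
    // directive-value runs to the next ";"; split it into source tokens.
    const sources = body.slice(sep).split(LWS_RUN).filter((t) => t !== '');
    if (sources.length === 0) throw new Error(`directive "${name}" has only whitespace as its value`);
    if (directives.has(name)) throw new Error(`duplicate directive "${name}"`);
    directives.set(name, sources);
  }
  return directives;
}

// Serialize to the JSON header form from the thread, e.g.
//   {"script-src":["example.com","*.paypalobjects.com"]}
function toJsonPolicy(directives) {
  return JSON.stringify(Object.fromEntries(directives));
}

// Back to the directive form, normalized to single spaces and "; " separators.
// Names and sources are checked against the same grammar before emitting,
// so a JSON policy cannot smuggle a ";" or LWS into the header syntax.
function fromJsonPolicy(json) {
  const obj = JSON.parse(json);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('policy must be a JSON object');
  }
  const parts = [];
  for (const [name, sources] of Object.entries(obj)) {
    if (name === '' || LWS_RUN.test(name) || name.includes(';')) {
      throw new Error(`"${name}" is not a valid directive-name`);
    }
    const badSource = (s) => typeof s !== 'string' || s === '' || LWS_RUN.test(s) || s.includes(';');
    if (!Array.isArray(sources) || sources.length === 0 || sources.some(badSource)) {
      throw new Error(`directive "${name}" needs a non-empty array of source strings`);
    }
    parts.push(`${name} ${sources.join(' ')}`);
  }
  return parts.join('; ');
}

// Byte count of one policy in both encodings (input is ASCII, so length == bytes).
function compareSizes(policy) {
  const json = toJsonPolicy(parsePolicy(policy));
  const directive = fromJsonPolicy(json);            // normalized directive form
  return { directiveBytes: directive.length, jsonBytes: json.length };
}

// Usage with the header from the thread.
const example = 'script-src example.com *.paypalobjects.com';
console.log(toJsonPolicy(parsePolicy(example)));
console.log(compareSizes(example));
```

On the header from the thread this gives 42 bytes for the directive form against 52 for the JSON form: the braces, brackets and quoting cost ten bytes on a one-directive, two-source policy, and each further source adds its two quotes and a comma where the directive form spends one space.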