Re: CSP syntax

From: Gervase Markham <gerv@mozilla.org>
Date: Wed, 02 Feb 2011 09:35:50 +0000
Message-ID: <4D492576.2040607@mozilla.org>
To: Daniel Veditz <dveditz@mozilla.com>
CC: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org

On 01/02/11 21:41, Daniel Veditz wrote:
> I'll grant the extensibility win, but it's LESS compact than what we
> have now due to the required braces, brackets, and quoting. It's a
> clear lose on legibility but that may be somewhat compensated for by
> making it easy for tools to parse and write.

We could get all that back by following the Do-Not-Track header (DNT) 
and calling our header CSP instead of Content-Security-Policy ;-)

I'm thinking it's best if we adopt _some_ other mini-language rather 
than inventing our own. At the moment, what we have is something like 
the syntax used for Accept: headers. If we can match that, perhaps we 
should. Otherwise, I see the value of JSON. Web developers are becoming 
increasingly familiar with it, and the extensibility model is clear.

If we were desperate for space, we could define the top-level as a hash, 
and omit the outer { and }!

Gerv
Received on Wednesday, 2 February 2011 09:36:26 GMT