Re: CSP syntax

From: Terri Oda <terri@zone12.com>
Date: Thu, 03 Feb 2011 01:18:22 -0500
Message-ID: <4D4A48AE.3080902@zone12.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

Adam Barth wrote:
> The main benefit of JSON is that it's familiar to web developers

Actually, if we're looking for a syntax that is maximally familiar to 
web developers, wouldn't it make more sense to use CSS?

Content-Security-Policy: {
	script-src: example.com, paypalobjects.com;
}

There might have to be a little tweaking to get the sort of extensible 
syntax you get in JSON:

Content-Security-Policy: {
	script-src: example.com, *.paypalobjects.com;
	object-type: {
		"application/java": *.sun.com;
		"application/pdf": *.amazonaws.com, assets.example.com;
	}
}

And in the end it's not *that* different syntax-wise, but I'm relatively 
certain knowledge of CSS is much more common among developers and site 
maintainers than knowledge of JSON, so it'll be more accessible for a 
wider range of people.
Received on Thursday, 3 February 2011 06:18:50 GMT
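
Added example, not part of the original message: a small JavaScript parser for the CSS-like syntax sketched above, written to fail closed (throw, never guess) on malformed input such as an unterminated quoted key. The grammar (bare or quoted directive names, comma-separated source lists ending in ";", nested "{}" blocks with no trailing ";") and the names tokenize, parsePolicy and SAMPLE are assumptions; the proposal does not specify them.

```javascript
// Added example, not from the thread; the grammar is an assumed reading of the sketch.
function tokenize(src) {
  const re = /\s*(?:("[^"\n]*")|([{}:;,])|([^\s{}:;,"]+))/y;
  const text = src.trimEnd();
  const tokens = [];
  while (re.lastIndex < text.length) {
    const at = re.lastIndex;
    const m = re.exec(text);
    if (!m) throw new SyntaxError(`unexpected input near offset ${at}`); // e.g. unterminated quote
    const type = m[1] ? "key" : m[2] || "word";
    tokens.push({ type, value: m[1] ? m[1].slice(1, -1) : m[2] || m[3] });
  }
  return tokens;
}

function parsePolicy(src) {
  const tokens = tokenize(src);
  let pos = 0;
  const peek = () => tokens[pos] || { type: "end" };
  const take = (...types) => {
    const t = peek();
    if (!types.includes(t.type)) throw new SyntaxError(`expected ${types.join(" or ")}, got ${t.type}`);
    pos++;
    return t;
  };
  function block() {
    const out = Object.create(null); // no inherited keys such as "__proto__"
    take("{");
    while (peek().type !== "}") {
      const name = take("word", "key").value;
      if (name in out) throw new SyntaxError(`duplicate directive ${name}`);
      take(":");
      if (peek().type === "{") { out[name] = block(); continue; }
      const sources = [take("word").value];
      while (peek().type === ",") { take(","); sources.push(take("word").value); }
      take(";");
      out[name] = sources;
    }
    take("}");
    return out;
  }
  const policy = block();
  take("end"); // reject trailing tokens after the closing brace
  return policy;
}
// Constructed sample: the header value only, without the "Content-Security-Policy:" prefix.
const SAMPLE = `{ script-src: example.com, *.paypalobjects.com;
  object-type: { "application/java": *.sun.com; } }`;
console.log(JSON.stringify(parsePolicy(SAMPLE)));
```

A policy parser that rejects the whole header on any syntax error avoids enforcing a partially understood policy.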