- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 2 Feb 2011 22:22:14 -0800
- To: Terri Oda <terri@zone12.com>
- Cc: public-web-security@w3.org
On Wed, Feb 2, 2011 at 10:18 PM, Terri Oda <terri@zone12.com> wrote:
> Adam Barth wrote:
>>
>> The main benefit of JSON is that its familiar to web developers
>
> Actually, if we're looking for a syntax that is maximally familiar to web
> developers, wouldn't it make more sense to use CSS?
>
> Content-Security-Policy: {
> script-src: example.com, paypalobjects.com;
> }
>
> There might have to be a little tweaking to get the sort of extensible
> syntax you get in JSON:
>
> Content-Security-Policy: {
> script-src: example.com, *.paypalobjects.com;
> object-type: {
> "application/java": *.sun.com;
> "application/pdf: *.amazonaws.com, assets.example.com;
> }
> }
>
> And in the end it's not *that* different syntax-wise, but I'm relatively
> certain knowledge of CSS is much more common among developers and site
> maintainers than knowledge of JSON, so it'll be more accessible for a wider
> range of people.
The above don't look very much like CSS... CSS also has the problem
of not having a precise spec for how to parse it (which is why
everyone's CSS parser is slightly different).
Adam
Received on Thursday, 3 February 2011 06:23:22 UTC