
Re: CSP syntax

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 2 Feb 2011 22:22:14 -0800
Message-ID: <AANLkTikkYyX6pQGzy2fjN8_xYichDJJTw+0fKHnndayr@mail.gmail.com>
To: Terri Oda <terri@zone12.com>
Cc: public-web-security@w3.org

On Wed, Feb 2, 2011 at 10:18 PM, Terri Oda <terri@zone12.com> wrote:
> Adam Barth wrote:
>>
>> The main benefit of JSON is that it's familiar to web developers
>
> Actually, if we're looking for a syntax that is maximally familiar to web
> developers, wouldn't it make more sense to use CSS?
>
> Content-Security-Policy: {
>        script-src: example.com, paypalobjects.com;
> }
>
> There might have to be a little tweaking to get the sort of extensible
> syntax you get in JSON:
>
> Content-Security-Policy: {
>        script-src: example.com, *.paypalobjects.com;
>        object-type: {
>                "application/java": *.sun.com;
>                "application/pdf": *.amazonaws.com, assets.example.com;
>        }
> }
>
> And in the end it's not *that* different syntax-wise, but I'm relatively
> certain knowledge of CSS is much more common among developers and site
> maintainers than knowledge of JSON, so it'll be more accessible for a wider
> range of people.

The above don't look very much like CSS...  CSS also has the problem
of not having a precise spec for how to parse it (which is why
everyone's CSS parser is slightly different).

Adam
Received on Thursday, 3 February 2011 06:23:22 GMT
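
The concern raised in the reply, that a syntax without a precise parsing spec ends up parsed differently by different implementations, shown as an added example that is not part of the original thread. The input is constructed in the CSS-like style sketched above (with an unclosed string and an extra `img-src` line), and both error-recovery rules are hypothetical, not taken from any CSS or CSP specification.

```python
# Constructed input in the CSS-like style sketched in the thread. The
# application/pdf line has a string that is never closed, and the img-src
# line is added for this illustration.
POLICY = (
    'script-src: example.com, *.paypalobjects.com;\n'
    '"application/java": *.sun.com;\n'
    '"application/pdf: *.amazonaws.com, assets.example.com;\n'
    'img-src: cdn.example.com;\n'
)


def parse(text, newline_closes_string):
    """Parse 'name: source, source;' declarations into {name: [sources]}.

    Both recovery rules are hypothetical, chosen for illustration:
      True  - an open string ends at the line break; that declaration is dropped
      False - an open string runs to the next '"' or to end of input
    """
    policy, buf, colon, in_str = {}, [], None, False
    for ch in text:
        if in_str:
            if ch == '\n' and newline_closes_string:
                buf, colon, in_str = [], None, False   # discard broken declaration
            else:
                buf.append(ch)
                in_str = ch != '"'
        elif ch == ';':
            if colon is not None:                      # declaration is complete
                name = ''.join(buf[:colon]).strip().strip('"')
                sources = ''.join(buf[colon + 1:]).split(',')
                policy[name] = [s.strip() for s in sources if s.strip()]
            buf, colon = [], None
        else:
            if ch == '"':
                in_str = True
            elif ch == ':' and colon is None:
                colon = len(buf)                       # first colon outside a string
            buf.append(ch)
    return policy                                      # unfinished input is dropped


def differential(text):
    """Directive names that only one of the two parsers would enforce."""
    a, b = parse(text, True), parse(text, False)
    return sorted(set(a) ^ set(b))


if __name__ == '__main__':
    print(parse(POLICY, True))
    print(parse(POLICY, False))
    print(differential(POLICY))
```

With the same header, one parser enforces the `img-src` restriction and the other silently loses it, which is the kind of divergence an exact parsing algorithm in the spec is meant to rule out.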
