Re: CSP syntax

 > Yes, the downside of using a CSS-based syntax is that there's a distinct
 > trade-off of potentially more difficult work for browser developers in
 > exchange for a more familiar syntax for end-user web developers.  ... but I
 > don't think that having to define it more precisely will necessarily negate
 > the benefits of a highly familiar syntax.

Hi,

You're assuming that the folks providing some web application/site that would 
be configuring security policy are "web developers". This isn't the case in a 
non-trivial percentage of cases (e.g. "large" sites, such as ours (PayPal)). 
Info-sec / site operations folks will be the ones managing site sec policy in such 
cases, and one can't necessarily assume such folk are experienced web devs.

I don't think any particular syntax is easily justifiable as "the most widely 
understood/used" syntax for the breadth of types of folks who'll end up trying 
to understand/wield CSP et al.  Making the choice will be the typical trade-off 
exercise between human palatability & wieldability, expressability, 
parseability, and http header-field manglement robustness.

=JeffH

Received on Thursday, 3 February 2011 21:34:28 UTC