Re: CSP syntax

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Thu, 03 Feb 2011 13:47:32 -0800
Message-ID: <4D4B2274.2020006@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

Gerv said..
 >
 > JSON is designed for arbitrary values and nesting; it has the usual
 > standard primitives (number, string, array, hash). It's the less verbose
 > and far easier to understand alternative to XML, and it's becoming the
 > web's data interchange format.
 >
 > If we are going with an already-standard syntax, it's the clear front
 > runner IMO.

While JSON (RFC4627) has some attractiveness (to me) in its simplicity and 
expressivity, I wonder about whether there's any other presently-deployed and 
browser-supported HTTP header field that's expressed in JSON-based syntax?

Also, a key thing to remember is that the CSP spec (and whatever it morphs into 
and/or gets combined with) will need to specify a "schema" / "grammar" for the 
policy expressions.

If one leverages ABNF (RFC4234), which is used by the HTTPbis spec set to 
specify header fields (or uses RFC2616's ABNF), then one is directly defining 
the policy expression "schema" / "grammar", in the same fashion as the present 
CSP spec has done.

If one uses JSON, there's a need to somehow define the policy expression 
"schema" / "grammar" in JSON terms. 
<http://tools.ietf.org/html/draft-zyp-json-schema> defines one approach to 
JSON schemas. Are there others?

=JeffH
Received on Thursday, 3 February 2011 21:48:01 GMT