
Re: CSP syntax

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 3 Feb 2011 14:36:58 -0800
Message-ID: <AANLkTimOUe6k-W99FRQwAoMfWeipM-uRurSH8c6T=Oh_@mail.gmail.com>
To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
Cc: W3C Web Security Interest Group <public-web-security@w3.org>
> While JSON (RFC4627) has some attractiveness (to me) in its simplicity and
> expressivity, I wonder about whether there's any other presently-deployed
> and browser-supported HTTP header field that's expressed in JSON-based
> syntax?

Yeah, I don't understand the appeal of going there; JSON is out of
place in HTTP headers, follows different semantics, and actually
requires a fairly complex parser; some HTTP clients happen to have it
already (and amusingly, implement generally incompatible supersets of
the rather dodgy JSON RFC); some other user agents may want to
obey CSP, but are not so fortunate.

If we think there is a benefit of having finer-grained policies, this
does not have to be implemented as an object hierarchy; for example,
Adam's case:

{ ... "object-type": {"application/java": ["*.sun.com"],
"application/pdf": ["*.amazonaws.com", "assets.example.com"]}}

...can be far more legibly written as:

object-src["foo/bar"] = "*.example1.com *.example2.com"
object-src["bar/baz"] = "..."

...without the need for excess nesting, etc.

/mz

PS. We started with "in general, I'm more interested in feedback that
leads to simplification rather than feedback that leads to more
complexity" ;-)
Received on Thursday, 3 February 2011 22:37:52 GMT
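An added example, not part of the message or of any CSP implementation, that parses both candidate syntaxes for the per-type object case discussed above. It assumes the flat form is one `directive["key"] = "sources"` statement per line with space-separated sources (the header that would carry it is hypothetical); it shows that the flat form needs a single regex and no nesting to track, while the JSON form still needs shape validation after `json.loads`, and that one missing quote leaves the whole JSON policy unparseable rather than one line rejected.

```python
import json
import re

# Constructed samples of the two syntaxes debated in the thread (not real headers).
JSON_FORM = ('{"object-type": {"application/java": ["*.sun.com"], '
             '"application/pdf": ["*.amazonaws.com", "assets.example.com"]}}')
BAD_JSON = ('{"object-type": {"application/java": ["*.sun.com"], '
            '"application/pdf: ["*.amazonaws.com", "assets.example.com"]}}')  # missing quote
FLAT_FORM = ('object-src["application/java"] = "*.sun.com"\n'
             'object-src["application/pdf"] = "*.amazonaws.com assets.example.com"')

# Hypothetical grammar for the flat form: directive["key"] = "source source ..."
_FLAT_LINE = re.compile(r'^\s*([a-z-]+)\["([^"]+)"\]\s*=\s*"([^"]*)"\s*$')


def parse_flat(text):
    """Parse the flat form into {directive: {key: [sources]}}.
    One regex per line; a bad line is reported by number and the rest is unaffected."""
    policy = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _FLAT_LINE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: expected directive["key"] = "sources": {line!r}')
        directive, key, sources = m.groups()
        policy.setdefault(directive, {})[key] = sources.split()
    return policy


def parse_json_form(text):
    """Parse the nested JSON form into the same shape. json.loads accepts far more
    than the policy grammar (numbers, nulls, arbitrary depth), so the structure
    must be walked and validated explicitly after parsing."""
    data = json.loads(text)  # raises on any syntax error anywhere in the document
    if not isinstance(data, dict):
        raise ValueError("top level must be an object")
    policy = {}
    for directive, per_key in data.items():
        if not isinstance(per_key, dict):
            raise ValueError(f"{directive}: expected an object of keys")
        policy[directive] = {}
        for key, sources in per_key.items():
            if not (isinstance(sources, list) and all(isinstance(s, str) for s in sources)):
                raise ValueError(f"{directive}[{key}]: expected a list of source strings")
            policy[directive][key] = list(sources)
    return policy


def rejects(parser, text):
    """True if the parser refuses the input (json.JSONDecodeError is a ValueError)."""
    try:
        parser(text)
    except ValueError:
        return True
    return False
```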
