W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP syntax

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 4 Feb 2011 12:31:27 +0000
Message-ID: <AANLkTikwOgro0KzfA5Xn9izZ9e2kxLcEqcXE=bFT6h0z@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, W3C Web Security Interest Group <public-web-security@w3.org>
On 3 February 2011 22:36, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> Yeah, I don't understand the appeal of going there; JSON is out of
> place in HTTP headers, follows different semantics, and actually
> requires a fairly complex parser; some HTTP clients happen to have it
> already (and amusingly, implement generally incompatible supersets of
> the rather dodgy JSON RFC); some other other user agents may want to
> obey CSP, but are not so fortunate.
>

The trouble is the method of sending a policy is conflicting with the
usability of implementing it. I know why it's being sent via http headers..
speed. Because of that it will have to be compressed but what is the bloody
point of having a nice fast policy if nobody uses it apart from Facebook?
How about a compromise between a lighter policy syntax within HTTP headers
with a option to specify a policy link which has a more familiar syntax like
CSS/JSON?
Received on Friday, 4 February 2011 12:32:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 4 February 2011 12:32:01 GMT