Re: CSP syntax

On 3 February 2011 22:36, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> Yeah, I don't understand the appeal of going there; JSON is out of
> place in HTTP headers, follows different semantics, and actually
> requires a fairly complex parser; some HTTP clients happen to have it
> already (and amusingly, implement generally incompatible supersets of
> the rather dodgy JSON RFC); some other user agents may want to
> obey CSP, but are not so fortunate.
>

The trouble is that the method of sending a policy conflicts with the
usability of implementing it. I know why it's being sent via HTTP headers:
speed. Because of that it will have to be compressed, but what is the bloody
point of having a nice fast policy if nobody uses it apart from Facebook?
How about a compromise: a lighter policy syntax within HTTP headers, with an
option to specify a policy link that has a more familiar syntax like
CSS/JSON?
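As an added illustration of the trade-off being argued here (this is example code written for this page, not code from the list, from any browser, or from any CSP specification): a parser for the compact header form needs only two string splits, while the "familiar" JSON form needs a full JSON parser; the message's compromise is to keep the JSON document on the server side and emit only the compact form in the header. Assumptions: the header grammar is the one CSP eventually standardized (directives separated by `;`, each a name followed by a whitespace-separated source list, duplicate directive names ignored), and the JSON document schema (directive name mapped to a list of source expressions) is hypothetical, since the thread quotes no syntax for either.

```python
import json
from typing import Dict, List

# Constructed sample header value. Assumption: the directive grammar CSP
# eventually standardized (directives separated by ';', each a name followed
# by a whitespace-separated source list); the thread itself quotes no syntax.
SAMPLE_HEADER = (
    "default-src 'self'; img-src * data:; "
    "script-src 'self' https://cdn.example.com; report-uri /csp-report"
)

# Constructed JSON policy document in a hypothetical schema (directive name
# -> list of source expressions). This is the "more familiar syntax" a server
# might keep behind a policy link; no CSP spec defines this format.
SAMPLE_JSON_POLICY = json.dumps({
    "default-src": ["'self'"],
    "img-src": ["*", "data:"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "report-uri": ["/csp-report"],
})


def parse_csp_header(value: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP header value into {directive: [sources]}.

    The whole grammar fits in two splits: ';' separates directives, whitespace
    separates the directive name from its source expressions. A duplicate
    directive name is ignored (first occurrence wins), the rule later CSP
    specs adopted. Empty directives (e.g. from a trailing ';') are skipped.
    """
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()  # directive names are case-insensitive
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def serialize_csp_header(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp_header: emit the compact header form."""
    parts = []
    for name, sources in policy.items():
        parts.append(" ".join([name] + list(sources)))
    return "; ".join(parts)


def json_policy_to_header(doc: str) -> str:
    """Convert the hypothetical JSON policy document into the header syntax.

    This is the compromise the message proposes: authors maintain the policy
    in a familiar format, but what travels in the HTTP header (and what every
    user agent must parse) is the lightweight directive syntax. Source
    expressions containing whitespace or ';' would corrupt the header form,
    so they are rejected here rather than silently re-tokenized.
    """
    data = json.loads(doc)
    if not isinstance(data, dict):
        raise ValueError("policy document must be a JSON object")
    policy: Dict[str, List[str]] = {}
    for name, sources in data.items():
        if isinstance(sources, str):
            sources = [sources]
        for src in sources:
            if not isinstance(src, str) or not src.strip() or " " in src or ";" in src:
                raise ValueError(f"bad source expression {src!r} in {name!r}")
        policy[str(name).lower()] = list(sources)
    return serialize_csp_header(policy)


if __name__ == "__main__":
    print(parse_csp_header(SAMPLE_HEADER))
    print(json_policy_to_header(SAMPLE_JSON_POLICY))
```

The size difference between the two parsers is the practical argument in the quoted message: every user agent that wants to honour the header has to carry the header-form parser, and that one is a handful of lines with no dependencies, whereas a JSON policy would drag a JSON parser (and its dialect differences) into every consumer.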

Received on Friday, 4 February 2011 12:32:00 UTC