
Re: CSP syntax

From: Lucas Adamski <ladamski@mozilla.com>
Date: Fri, 04 Feb 2011 12:27:05 -0800
Message-ID: <4D4C6119.4060709@mozilla.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

You continue to assert that the JSON format is much easier to
use/understand than the current one.  I realize that is your personal
preference, but there need to be some more data points than that.  I
personally think JSON is a cumbersome format to use, especially in an
HTTP header.  So now our opinions have canceled each other out, and
where are we?

My specific concern with JSON is that it's a data format that is simply a
child of its environment: JavaScript.  Its purpose is to escape data in
such a way as to be reliably transmitted within, and parsed by,
JavaScript.  Neither of those hold true inside an HTTP header.

Can you provide some specific examples where the JSON format is "better"
(more compact, more expressive) than the current proposal?
  Lucas.

On 2/4/2011 4:31 AM, gaz Heyes wrote:
> On 3 February 2011 22:36, Michal Zalewski <lcamtuf@coredump.cx
> <mailto:lcamtuf@coredump.cx>> wrote:
>
>     Yeah, I don't understand the appeal of going there; JSON is out of
>     place in HTTP headers, follows different semantics, and actually
>     requires a fairly complex parser; some HTTP clients happen to have it
>     already (and amusingly, implement generally incompatible supersets of
>     the rather dodgy JSON RFC); some other user agents may want to
>     obey CSP, but are not so fortunate.
>
>
> The trouble is the method of sending a policy is conflicting with the
> usability of implementing it. I know why it's being sent via HTTP
> headers... speed. Because of that it will have to be compressed, but
> what is the bloody point of having a nice fast policy if nobody uses
> it apart from Facebook? How about a compromise between a lighter
> policy syntax within HTTP headers with an option to specify a policy
> link which has a more familiar syntax like CSS/JSON?
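
The parser-complexity argument in this message is easy to see in code. The following is an added example, not code from the thread or from any browser's CSP implementation: it parses the directive-list syntax the thread calls "the current proposal" in a few lines, and beside it does the shape checking a JSON-encoded policy still needs after JSON.parse. The directive names (default-src, script-src, img-src), the first-occurrence-wins rule for duplicate directives, and the sample policy are assumptions taken from what later shipped as CSP 1.0; the 2011 drafts used different names, so treat them as illustrative.

```javascript
// Added example, not code from the thread or from any browser's CSP implementation.
// Directive names and the duplicate-directive rule are assumed from CSP 1.0.

// Parse a serialized policy such as
//   "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"
// into a Map of directive name -> array of source expressions.
// Rules applied (assumed CSP 1.0 rules): directives are separated by ';',
// a directive is a name followed by whitespace-separated values, the name
// is matched case-insensitively, and a repeated directive name is ignored
// (first occurrence wins) rather than merged or overridden.
function parseCspHeader(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/[ \t]+/).filter(Boolean);
    if (tokens.length === 0) continue;   // empty directive, e.g. a trailing ';'
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;      // duplicate directive: first one wins
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// The same policy as JSON. JSON.parse alone says nothing about shape, so the
// caller still has to check that the value is an object and that each key
// maps to an array of strings, and it has no way to see that a duplicate key
// was silently resolved last-wins during parsing.
function parseCspJson(text) {
  const obj = JSON.parse(text);          // throws SyntaxError on malformed input
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('policy must be a JSON object');
  }
  const policy = new Map();
  for (const [name, sources] of Object.entries(obj)) {
    if (!Array.isArray(sources) || !sources.every((s) => typeof s === 'string')) {
      throw new TypeError(`directive ${name} must map to an array of strings`);
    }
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Serialize a parsed policy into each syntax so their sizes can be compared.
function toHeaderSyntax(policy) {
  return [...policy].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}
function toJsonSyntax(policy) {
  return JSON.stringify(Object.fromEntries(policy));
}

// Constructed sample policy; the repeated script-src exercises the duplicate rule.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *; script-src 'none'";

// Parse the sample, re-serialize it both ways, and report what differs.
function demo() {
  const parsed = parseCspHeader(SAMPLE_HEADER);
  const headerForm = toHeaderSyntax(parsed);
  const jsonForm = toJsonSyntax(parsed);
  const byteLength = (s) => new TextEncoder().encode(s).length;
  return {
    directives: [...parsed.keys()],
    scriptSrc: parsed.get('script-src'),
    headerBytes: byteLength(headerForm),
    jsonBytes: byteLength(jsonForm),
    jsonRoundTripMatches: toHeaderSyntax(parseCspJson(jsonForm)) === headerForm,
  };
}

// Duplicate directives are where the two syntaxes disagree: the header parser
// above keeps the first occurrence, while JSON.parse keeps the last.
function duplicateSemantics() {
  const fromHeader = parseCspHeader("script-src 'self'; script-src 'none'").get('script-src');
  const fromJson = parseCspJson('{"script-src":["\'self\'"],"script-src":["\'none\'"]}').get('script-src');
  return { fromHeader, fromJson };
}

console.log(demo(), duplicateSemantics());
```

For the sample policy the directive form is 72 bytes and the JSON form 92, and the JSON parser is the one that needs a full tokenizer plus a type check on every value. The duplicate-key case is the "different semantics" point: a policy author who writes the same directive twice gets opposite results from the two parsers, and nothing in JSON.parse reports that it happened.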
Received on Friday, 4 February 2011 20:28:28 GMT