
RE: CSP syntax

From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
Date: Thu, 10 Feb 2011 22:54:35 -0700
To: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>
CC: =JeffH <Jeff.Hodges@kingsmountain.com>, W3C Web Security Interest Group <public-web-security@w3.org>
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB3A922072@DEN-MEXMS-001.corp.ebay.com>
> From: public-web-security-request@w3.org [mailto:public-web-security-request@w3.org] On Behalf Of gaz Heyes

> On 4 February 2011 12:31, gaz Heyes <gazheyes@gmail.com> wrote:

> Actually I have a better idea, a compiler. Write the policy in CSS/JSON, verify it then it compiles into a compact http header that is very 
> lightweight.

Again, with policies that are to visual inspection rather opaque, we risk repeating some of the same mistakes in the P3P world where people cut and paste compact P3P policies without any understanding of what they are doing. This can be solved with tooling; it sure would be nice if a web browser and/or a web-based tool existed to clearly explain/expand what a P3P is telling you. If that doesn't exist though, you end up with something that is prone to even more copy/paste problems.

- Andy

Received on Friday, 11 February 2011 05:55:13 UTC
