
CSP syntax ABNF

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 19 Feb 2011 01:53:37 -0800
Message-ID: <AANLkTinZw1UJyLnM-nmJjp4O4tujMNpFa5VL-Wnf1U9c@mail.gmail.com>
To: public-web-security@w3.org
I've been working on implementing a CSP policy parser for WebKit (see
https://bugs.webkit.org/show_bug.cgi?id=54799), and I've got a few
nits with the grammar in
https://wiki.mozilla.org/Security/CSP/Specification#Formal_Policy_Syntax.
In no particular order:

1) The grammar is written in a non-standard formalism.
2) The syntax deviates from RFC 3968 in somewhat odd ways.  For
example, the syntax for port is slightly more restrictive than in RFC
3968.
3) The presentation doesn't cleanly separate the general grammatical
form of policies from the specific syntax of directives that exist
today, making it hard to know how we can extend the syntax in the
future.

I've taken the liberty of translating the grammar into ABNF (the
standard grammatical formalism used by the IETF).  I've also cleaned up
some of the details to match the normal syntax of URIs:

http://www.w3.org/Security/wiki/Content_Security_Policies#Syntax

As part of the translation, I've factored out the "general" syntax
that applies to all directives from the syntax for each given
directive.  The text there is very rough (and certainly doesn't cover
all the directives yet).  I'd also like to separate out conformance
requirements for policy authors and for user agents, but I haven't
gotten there yet.

Thoughts?

Adam
Received on Saturday, 19 February 2011 09:54:42 GMT
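A parser built along the lines the post argues for, added here as an illustration (it is not code from the post, from the Mozilla wiki, or from WebKit): one function parses the general policy syntax and knows nothing about individual directives, and a second parses the source-list syntax, with host and port taken from RFC 3986, the URI syntax RFC. The ABNF in the comments is an assumption modeled on the later W3C CSP grammar rather than a transcription of the 2011 wiki text; the set of source-list directives, the first-occurrence-wins rule for duplicates, and the sample policy are constructed for the example.

```javascript
'use strict';

// Added example, not code from the post or from WebKit. The grammar below is an
// assumption modeled on the later W3C CSP ABNF, not the 2011 wiki text.

// ---- Layer 1: general syntax, valid for every directive, known or unknown ----
//   policy          = [ directive *( ";" [ directive ] ) ]
//   directive       = *WSP directive-name [ WSP directive-value ] *WSP
//   directive-name  = 1*( ALPHA / DIGIT / "-" )
//   directive-value = *( WSP / VCHAR except ";" )
function parsePolicy(policy) {
  const directives = [];
  for (const raw of policy.split(';')) {
    const token = raw.trim();
    if (token === '') continue;                     // empty directive, e.g. a trailing ";"
    const m = /^([A-Za-z0-9-]+)(?:\s+(.*))?$/.exec(token);
    if (!m) throw new Error(`malformed directive: ${JSON.stringify(token)}`);
    directives.push({ name: m[1].toLowerCase(), value: (m[2] || '').trim() });
  }
  return directives;
}

// ---- Layer 2: directive-specific syntax for source-list directives ----
//   source-list       = "'none'" / 1*( source-expression WSP )
//   source-expression = "'self'" / scheme-source / host-source
//   scheme-source     = scheme ":"                    ; scheme as in RFC 3986
//   host-source       = [ scheme "://" ] host [ ":" port ]
//   host              = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
//   port              = "*" / 1*DIGIT
// RFC 3986 allows an empty port ("host:"). It is rejected here on purpose: since a
// scheme may contain ".", "example.com:" is already a valid scheme-source, and
// accepting an empty port would make the two productions ambiguous.
const SCHEME = '[A-Za-z][A-Za-z0-9+.-]*';
const HOST = '(?:\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)';
const PORT = '(?:\\*|[0-9]+)';
const SCHEME_SOURCE = new RegExp(`^(${SCHEME}):$`);
const HOST_SOURCE = new RegExp(`^(?:(${SCHEME})://)?(${HOST})(?::(${PORT}))?$`);

function parseSourceExpression(token) {
  if (token === "'self'") return { type: 'keyword', keyword: 'self' };
  let m = SCHEME_SOURCE.exec(token);
  if (m) return { type: 'scheme', scheme: m[1].toLowerCase() };
  m = HOST_SOURCE.exec(token);
  if (m) {
    return {
      type: 'host',
      scheme: m[1] ? m[1].toLowerCase() : null,
      host: m[2].toLowerCase(),
      port: m[3] || null,                            // "*" or a digit string
    };
  }
  throw new Error(`invalid source expression: ${JSON.stringify(token)}`);
}

function parseSourceList(value) {
  const tokens = value.split(/\s+/).filter((t) => t !== '');
  if (tokens.length === 0) throw new Error('empty source list');
  if (tokens.length === 1 && tokens[0] === "'none'") return [];   // nothing is allowed
  return tokens.map(parseSourceExpression);          // 'none' next to others is an error
}

// Which directives take a source list is directive-specific knowledge and lives
// here, not in parsePolicy. An unknown directive survives layer 1 with its raw
// value, which is what lets the syntax be extended without touching that layer.
// The directive set and the first-occurrence-wins rule are assumptions of this example.
const SOURCE_LIST_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src',
]);

function parseCSP(policy) {
  const result = new Map();
  for (const { name, value } of parsePolicy(policy)) {
    if (result.has(name)) continue;                 // first occurrence wins
    result.set(name, SOURCE_LIST_DIRECTIVES.has(name) ? parseSourceList(value) : value);
  }
  return result;
}

// Constructed sample policy, run stand-alone:
console.log(parseCSP("default-src 'self'; img-src * data:; script-src https://cdn.example.com:* example.com:8443; report-uri /csp-report"));
```

The split pays off in two places: a user agent that meets a directive it has never heard of still tokenizes the rest of the policy correctly, and the only place that has to know RFC 3986 is the host-source parser.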