W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

CSP syntax ABNF

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 19 Feb 2011 01:53:37 -0800
Message-ID: <AANLkTinZw1UJyLnM-nmJjp4O4tujMNpFa5VL-Wnf1U9c@mail.gmail.com>
To: public-web-security@w3.org
I've been working on implementing a CSP policy parser for WebKit (see
https://bugs.webkit.org/show_bug.cgi?id=54799), and I've got a few
nits with the grammar in
 In no particular order:

1) The grammar written in a non-standard formalism.
2) The syntax deviates from RFC 3968 in somewhat odd ways.  For
example, the syntax for port is slightly more restrictive than in RFC
3) The presentation doesn't cleanly separate the general gramatical
form of policies from the specific syntax of directives that exist
today, making it hard to know how we can extend the syntax in the

I've taken the liberty of translating the grammar into ABNF (the
standard gramatical formalism used by the IETF).  I've also cleaned up
some of the details to match normal syntax of URIs:


As part of the translation, I've factored out the "general" syntax
that applies to all directives from the syntax for each given
directive.  The text there is very rough (and certainly doesn't cover
all the directives yet).  I'd also like to separate out conformance
requirements for policy authors and for user agents, but I haven't
gotten there yet.


Received on Saturday, 19 February 2011 09:54:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC