
Re: CSP syntax ABNF

From: Brandon Sterne <bsterne@mozilla.com>
Date: Wed, 23 Feb 2011 17:07:27 -0800
Message-ID: <4D65AF4F.20700@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

Hey Adam,

Thank you for the very useful and detailed feedback.  I am currently in
the process of reformatting the Mozilla CSP proposal into a W3C template
that will be familiar to W3C working group participants and more
normative wherever possible.

I do appreciate the level of detail you are putting into your feedback
points, and I think it's largely valid and should be incorporated in the
specification document we're working on.  However, I worry that
maintaining a separate document with the changes that you favor will
bifurcate the group and will make consensus harder to reach.

May I propose that I be given until EOD Friday to complete the CSP
proposal reformatting, incorporating all of the changes and consensus
points that we've reached as a group, and submit that to the WG as an
initial basis for the specification?

I hope that is not too presumptuous.  I only want to minimize churn as
we push hard to develop the CSP specification.


On 02/19/2011 01:53 AM, Adam Barth wrote:
> I've been working on implementing a CSP policy parser for WebKit (see
> https://bugs.webkit.org/show_bug.cgi?id=54799), and I've got a few
> nits with the grammar in
> https://wiki.mozilla.org/Security/CSP/Specification#Formal_Policy_Syntax.
> In no particular order:
> 1) The grammar is written in a non-standard formalism.
> 2) The syntax deviates from RFC 3968 in somewhat odd ways.  For
> example, the syntax for port is slightly more restrictive than in RFC
> 3968.
> 3) The presentation doesn't cleanly separate the general grammatical
> form of policies from the specific syntax of directives that exist
> today, making it hard to know how we can extend the syntax in the
> future.
> I've taken the liberty of translating the grammar into ABNF (the
> standard grammatical formalism used by the IETF).  I've also cleaned up
> some of the details to match normal syntax of URIs:
> http://www.w3.org/Security/wiki/Content_Security_Policies#Syntax
> As part of the translation, I've factored out the "general" syntax
> that applies to all directives from the syntax for each given
> directive.  The text there is very rough (and certainly doesn't cover
> all the directives yet).  I'd also like to separate out conformance
> requirements for policy authors and for user agents, but I haven't
> gotten there yet.
> Thoughts?
> Adam
Received on Thursday, 24 February 2011 01:06:55 UTC
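As an added illustration of the factoring Adam describes in the quoted message (this is not code from either author, nor from the WebKit or Mozilla implementations), a two-stage parser in Python: the general directive-list grammar is handled on its own, and each directive's value syntax is a separate step, so new directives can be added without touching the first stage. The productions, directive names and keyword set are assumptions taken from later CSP drafts rather than from this thread; the host-source port accepts any run of digits, as in the generic URI syntax.

```python
import re
from typing import Dict, List, Tuple

# Stage 1, general layer (assumed shape, not quoted from this thread):
#   policy         = [directive] *( ";" [directive] )
#   directive      = directive-name [ WSP directive-value ]
#   directive-name = 1*( ALPHA / DIGIT / "-" )
DIRECTIVE_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def parse_policy(policy: str) -> List[Tuple[str, List[str]]]:
    """Split a policy into (name, value-tokens) pairs without interpreting values."""
    directives = []
    for chunk in policy.split(";"):
        tokens = chunk.split()          # WSP-separated tokens
        if not tokens:
            continue                    # empty directive (e.g. a trailing ';') is allowed
        name = tokens[0].lower()
        if not DIRECTIVE_NAME.match(name):
            raise ValueError(f"malformed directive name: {tokens[0]!r}")
        directives.append((name, tokens[1:]))
    return directives

# Stage 2, directive-specific layer: a source-list grammar for the *-src directives.
# The port is "*" or any run of digits, possibly empty, so "https://cdn.example.com:"
# is accepted just as the generic URI syntax accepts an empty port.
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>\*|[0-9]*))?$"
)
KEYWORDS = {"'none'", "'self'"}         # illustrative subset of keyword sources

def parse_source_list(tokens: List[str]) -> List[dict]:
    """Classify each source expression; anything that fits neither form is rejected."""
    sources = []
    for tok in tokens:
        if tok.lower() in KEYWORDS:
            sources.append({"keyword": tok.lower()})
            continue
        m = HOST_SOURCE.match(tok)
        if not m:
            raise ValueError(f"malformed source expression: {tok!r}")
        sources.append(m.groupdict())   # scheme/host/port, None where absent
    return sources

SOURCE_LIST_DIRECTIVES = {"default-src", "script-src", "img-src", "style-src"}

def parse_csp(policy: str) -> Dict[str, object]:
    """Two-stage parse: general directive split first, then per-directive value syntax."""
    result: Dict[str, object] = {}
    for name, tokens in parse_policy(policy):
        if name in SOURCE_LIST_DIRECTIVES:
            result[name] = parse_source_list(tokens)
        else:
            result[name] = tokens       # directive with no value grammar here: kept raw
    return result
```

Because stage 1 never looks at values, a directive the second stage does not know is preserved as raw tokens rather than rejected, which is the extensibility property the quoted point 3 asks for.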