
Re: CSP syntax ABNF

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 23 Feb 2011 17:08:17 -0800
Message-ID: <AANLkTikgc4ZFnz2U1zH4k_rjU0jvo1b=GsD2ER4bFyaN@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org
Sure, that sounds fine.  The wiki was just a convenient place to keep
track of things.  Having a real spec document to work from could
certainly be better.  Please feel free to delete the wiki page once
you're done reformatting.

Adam


On Wed, Feb 23, 2011 at 5:07 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> Hey Adam,
>
> Thank you for the very useful and detailed feedback.  I am currently in
> the process of reformatting the Mozilla CSP proposal into a W3C template
> that will be familiar to W3C working group participants and more
> normative wherever possible.
>
> I do appreciate the level of detail you are putting into your feedback
> points, and I think it's largely valid and should be incorporated in the
> specification document we're working on.  However, I worry that
> maintaining a separate document with the changes that you favor will
> bifurcate the group and will make consensus harder to reach.
>
> May I propose that I be given until EOD Friday to complete the CSP
> proposal reformatting, incorporating all of the changes and consensus
> points that we've reached as a group, and submit that to the WG as an
> initial basis for the specification?
>
> I hope that is not too presumptuous.  I only want to minimize churn as
> we push hard to develop the CSP specification.
>
> Best,
> Brandon
>
>
> On 02/19/2011 01:53 AM, Adam Barth wrote:
>> I've been working on implementing a CSP policy parser for WebKit (see
>> https://bugs.webkit.org/show_bug.cgi?id=54799), and I've got a few
>> nits with the grammar in
>> https://wiki.mozilla.org/Security/CSP/Specification#Formal_Policy_Syntax.
>> In no particular order:
>>
>> 1) The grammar is written in a non-standard formalism.
>> 2) The syntax deviates from RFC 3968 in somewhat odd ways.  For
>> example, the syntax for port is slightly more restrictive than in RFC
>> 3968.
>> 3) The presentation doesn't cleanly separate the general grammatical
>> form of policies from the specific syntax of directives that exist
>> today, making it hard to know how we can extend the syntax in the
>> future.
>>
>> I've taken the liberty of translating the grammar into ABNF (the
>> standard grammatical formalism used by the IETF).  I've also cleaned up
>> some of the details to match normal syntax of URIs:
>>
>> http://www.w3.org/Security/wiki/Content_Security_Policies#Syntax
>>
>> As part of the translation, I've factored out the "general" syntax
>> that applies to all directives from the syntax for each given
>> directive.  The text there is very rough (and certainly doesn't cover
>> all the directives yet).  I'd also like to separate out conformance
>> requirements for policy authors and for user agents, but I haven't
>> gotten there yet.
>>
>> Thoughts?
>>
>> Adam
>>
>
Received on Thursday, 24 February 2011 01:09:21 GMT
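As an added illustration, not taken from the thread or from either draft, this Python parser shows the separation Adam argues for: a general layer that splits a policy into directives without knowing any directive's value syntax, and a directive-specific layer for source lists whose scheme and port rules follow RFC 3986 (port = *DIGIT). The directive names, keyword set and wildcard host form are assumptions for the example.

```python
import re

# General layer (assumed ABNF in the style the thread describes):
#   policy         = [ directive *( ";" [ directive ] ) ]
#   directive      = *WSP directive-name [ WSP directive-value ] *WSP
#   directive-name = 1*( ALPHA / DIGIT / "-" )
# It never interprets directive-value, so new directives parse unchanged.
DIRECTIVE_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")

# Directive-specific layer: source expressions built from RFC 3986 pieces.
#   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )   (RFC 3986 3.1)
#   port   = *DIGIT   so "host:" with an empty port is legal (RFC 3986 3.2.3)
#   host   = "*" / [ "*." ] label *( "." label )           (CSP wildcard, assumed)
# "*" as a port is a CSP-specific addition, also assumed here.
SOURCE_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<port>[0-9]*|\*))?$"
)
KEYWORD_SOURCES = {"'self'", "'none'"}  # illustrative keyword set


def parse_policy(policy: str) -> dict:
    """General layer: split a policy into {directive-name: raw value}."""
    directives = {}
    for raw in policy.split(";"):
        token = raw.strip()
        if not token:
            continue  # ";;" or a trailing ";" yields an empty directive slot
        parts = token.split(None, 1)
        name = parts[0].lower()
        if not DIRECTIVE_NAME_RE.match(name):
            raise ValueError(f"bad directive name: {parts[0]!r}")
        directives[name] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def parse_source_list(value: str) -> list:
    """Directive-specific layer for source-list directives such as img-src."""
    sources = []
    for expr in value.split():
        if expr in KEYWORD_SOURCES:
            sources.append({"keyword": expr})
            continue
        match = SOURCE_RE.match(expr)
        if not match:
            raise ValueError(f"bad source expression: {expr!r}")
        sources.append(match.groupdict())
    return sources


def is_valid_source(expr: str) -> bool:
    """True if expr is a keyword or matches the RFC 3986-derived grammar."""
    return expr in KEYWORD_SOURCES or SOURCE_RE.match(expr) is not None
```

Because the general layer only checks directive names, an unknown directive such as a future one still parses, and only its value needs a new directive-specific rule.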
