
Policy syntax (was Re: Scope and complexity)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 25 Jan 2011 14:35:36 -0800
Message-ID: <AANLkTinGGdU2eZcNmYiNPsCNTwVh4doF8DC2OfNAoyG7@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, Gervase Markham <gerv@mozilla.org>, Lucas Adamski <lucas@mozilla.com>, public-web-security@w3.org
On Tue, Jan 25, 2011 at 2:03 PM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 25 January 2011 21:45, Adam Barth <w3c@adambarth.com> wrote:
>> I guess I wish we had an extensibility model more like HTML where we
>> could grow the security protections over time.  For example, we can
>> probably agree that both <canvas> and <video> are great additions to
>> HTML that might not have made sense when folks were designing HTML
>> 1.0.
>
> Glad you're coming around to my way of thinking =)
>
>  X-Content-Security-Policy: policy.csp

Well, if you're into re-using machinery, we should use the Link header
with an appropriate new "rel" attribute.  :)

> policy.csp:-
> * {
>  origin:same-domain;
> }
> img {
>  src:proxy-only;
>  proxy:url(http://www.gmodules.com/ig/proxy?url=);
> }
> a {
>  onclick:true;
> }
>
> This makes so much sense and is easy to understand for devs, can be validated,
> and you can use existing technology (i.e. CSS parsers) to parse the policy
> file. I'll shut up now

I certainly like the idea of re-using an existing syntax for the
policy language.  CSS is very syntax directed, whereas many things a
policy might want to say don't necessarily relate to CSS selectors.

Adam
Received on Tuesday, 25 January 2011 22:36:41 GMT
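To make the proposal above concrete, here is a small Python example added by the editor (it is not code from Adam, gaz, or the W3C group). It parses the CSS-like `policy.csp` text quoted in the thread into a selector-to-declaration map, applies the `*` block as a default that element blocks override, and checks a few resource URLs against the result. The semantics it assigns are assumptions the thread never defines: `origin:same-domain` means the resource host must equal the document host, `src:proxy-only` means the resource URL must begin with the block's `proxy` value and takes precedence over the origin rule, and the Link header `rel` value `security-policy` used for locating the policy file is a hypothetical name chosen for illustration.

```python
"""Toy parser and evaluator for the CSS-like policy syntax from the thread.

Editor's example, not the thread authors' code. Assumed semantics:
  - a block selector is an element name or '*' (the default for all elements)
  - declarations are 'name:value;' with no nesting, comments or escapes
  - origin:same-domain  -> resource host must equal the document host
  - src:proxy-only      -> resource URL must start with the 'proxy' value
                           (and this overrides the origin rule)
"""
import re
from urllib.parse import urlsplit

# Policy text as quoted in gaz Heyes' message.
POLICY_CSP = """\
* {
 origin:same-domain;
}
img {
 src:proxy-only;
 proxy:url(http://www.gmodules.com/ig/proxy?url=);
}
a {
 onclick:true;
}
"""

_BLOCK_RE = re.compile(r"\s*([^{}]+?)\s*\{([^}]*)\}")


def parse_policy(text):
    """Return {selector: {property: value}}; raise ValueError on junk."""
    policy = {}
    pos = 0
    for m in _BLOCK_RE.finditer(text):
        gap = text[pos:m.start()]
        if gap.strip():
            raise ValueError("unparsable text before block: %r" % gap)
        pos = m.end()
        selector, body = m.group(1), m.group(2)
        decls = {}
        for decl in body.split(";"):
            decl = decl.strip()
            if not decl:
                continue
            if ":" not in decl:
                raise ValueError("bad declaration %r" % decl)
            name, value = decl.split(":", 1)
            value = value.strip()
            url_m = re.fullmatch(r"url\((.*)\)", value)   # unwrap url(...)
            if url_m:
                value = url_m.group(1).strip("'\"")
            decls[name.strip()] = value
        policy[selector] = decls
    if text[pos:].strip():
        raise ValueError("trailing text: %r" % text[pos:])
    return policy


def effective_rules(policy, element):
    """Merge the '*' defaults with the element's own block (element wins)."""
    rules = dict(policy.get("*", {}))
    rules.update(policy.get(element, {}))
    return rules


def allowed(policy, element, url, document_url):
    """Decide whether `element` may load `url` inside `document_url`."""
    rules = effective_rules(policy, element)
    if rules.get("src") == "proxy-only":            # assumed to override origin
        proxy = rules.get("proxy")
        return bool(proxy) and url.startswith(proxy)
    if rules.get("origin") == "same-domain":
        return urlsplit(url).hostname == urlsplit(document_url).hostname
    return True


def policy_url_from_link(link_header, rel="security-policy"):
    """Return the target of the first Link value carrying `rel` (hypothetical rel name).

    Splits on ',' and ';' only, so it assumes no commas inside the URI.
    """
    for value in link_header.split(","):
        parts = [p.strip() for p in value.split(";")]
        if not parts[0].startswith("<") or not parts[0].endswith(">"):
            continue
        target = parts[0][1:-1]
        params = {}
        for p in parts[1:]:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
        if rel in params.get("rel", "").split():
            return target
    return None


if __name__ == "__main__":
    pol = parse_policy(POLICY_CSP)
    doc = "https://example.org/page"
    print(allowed(pol, "script", "https://example.org/app.js", doc))          # True
    print(allowed(pol, "img", "https://example.org/pic.png", doc))            # False
    print(policy_url_from_link('</policy.csp>; rel="security-policy"'))       # /policy.csp
```

Note how thin the `effective_rules` step is: the `*` block behaves like a CSS universal selector, but everything else the policy says (`proxy-only`, `same-domain`, `onclick:true`) is a value vocabulary that has nothing to do with CSS selection, which is the mismatch Adam points at.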
