
Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Sat, 29 Jan 2011 09:11:58 +0000
Message-ID: <AANLkTik=CtbUnbQnnGnQ87DngUNmazBS5KhqODbbwFA9@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org
On 28 January 2011 23:34, Brandon Sterne <bsterne@mozilla.com> wrote:

> Your point has become muddled, unfortunately.  It started as an argument
> against using headers to deliver the policy.  To me, that seems to be an
> orthogonal issue to the policy syntax.  Are you saying "I don't
> understand how to use this syntax to express a policy" or "I don't
> understand how to send HTTP headers"?
>

Ok grrrr, I know how to set HTTP headers but the syntax is confusing, for
example:
header("X-Content-Security-Policy: allow 'self'; img-src www.gmodules.com;
script-src *.businessinfo.co.uk;");

In particular the semicolon: it seems to indicate the next statement, yet how
are they related to the "allow" statement? They don't seem to be grouped in
any way. The quoted string is confusing: why do we need it for allow when we have
protocols? I assume it means allow self for img-src and script-src, but how
do I know I'm right? I can see people typing the following: allow 'self;
img-src www.gmodules.com or allow 'self' img-src www.gmodules.com, because
this is all on one line and name and value are separated by spaces. So in
summary: a) Policy syntax is unnecessarily tricky b) No validation of HTTP
headers c) Having one big long line of commands is definitely going to
introduce errors
Received on Saturday, 29 January 2011 09:12:31 GMT
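As an added example (not part of the thread), a small validator for the X-Content-Security-Policy syntax discussed above: it splits the header value on ';', checks each source list, flags the two typo forms named in the message (the dropped closing quote and the dropped semicolon), and resolves which list governs a given content type. The directive names and the rule that a specific directive replaces the 'allow' default rather than extending it are taken from the X-CSP draft as I understand it, not from this page.

```python
# Directive names in the X-Content-Security-Policy draft (assumed here);
# 'allow' is the catch-all default for content types no other directive names.
DIRECTIVES = {"allow", "img-src", "script-src", "style-src", "object-src",
              "frame-src", "font-src", "media-src", "connect-src", "report-uri"}
KEYWORDS = {"'self'", "'none'"}


def parse_xcsp(header):
    """Parse an X-CSP header value into {directive: [sources]} plus a list of
    error strings for the mistakes a single-line policy invites."""
    policy, errors = {}, []
    for raw in header.split(";"):
        stmt = raw.strip()
        if not stmt:
            continue
        name, *sources = stmt.split()
        if name not in DIRECTIVES:
            errors.append(f"unknown directive {name!r}")
            continue
        if not sources:
            errors.append(f"{name}: no source list")
        for src in sources:
            if src in DIRECTIVES:
                # e.g. "allow 'self' img-src www.gmodules.com": forgotten ';'
                errors.append(f"{name}: {src!r} looks like a directive, "
                              f"missing ';' before it")
            elif src.count("'") % 2:
                # e.g. "allow 'self; img-src ...": the quote was never closed
                errors.append(f"{name}: unbalanced quote in {src!r}")
            elif src.startswith("'") and src not in KEYWORDS:
                errors.append(f"{name}: unknown keyword {src}")
            elif src in ("self", "none"):
                errors.append(f"{name}: keyword {src} must be quoted as '{src}'")
        policy[name] = sources
    return policy, errors


def effective_sources(policy, directive):
    """A specific directive replaces the 'allow' default; it does not add to it,
    so 'img-src www.gmodules.com' does NOT also permit 'self' for images."""
    return policy.get(directive, policy.get("allow", []))


if __name__ == "__main__":
    # The header from the message, as the constructed sample input.
    sample = "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;"
    pol, errs = parse_xcsp(sample)
    print(pol, errs)
    print("img-src  ->", effective_sources(pol, "img-src"))
    print("style-src ->", effective_sources(pol, "style-src"))
    for typo in ("allow 'self; img-src www.gmodules.com",
                 "allow 'self' img-src www.gmodules.com"):
        print(typo, "->", parse_xcsp(typo)[1])
```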
