
Re: [Content Security Policy] Proposal to move the debate forward

From: Lucas Adamski <ladamski@mozilla.com>
Date: Sun, 30 Jan 2011 16:19:37 -0800
Message-ID: <4D460019.6000700@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
The syntax is similar to many policy languages (like firewalls, etc.).
The "allow" directive enforces the default policy except where
overridden by more specific directives; semicolons separate directives; \
is simply a way of escaping the end of the line (I think familiar to
anyone who's ever done PHP, etc.), mostly for readability, probably not
used in live policies.
  Lucas.

On 1/29/2011 1:11 AM, gaz Heyes wrote:
> On 28 January 2011 23:34, Brandon Sterne <bsterne@mozilla.com> wrote:
>
>     Your point has become muddled, unfortunately.  It started as an
>     argument against using headers to deliver the policy.  To me, that
>     seems to be an orthogonal issue to the policy syntax.  Are you saying
>     "I don't understand how to use this syntax to express a policy" or
>     "I don't understand how to send HTTP headers"?
>
>
> Ok grrrr I know how to set an HTTP header but the syntax is confusing, for
> example:
> header("X-Content-Security-Policy: allow 'self'; img-src
> www.gmodules.com; script-src *.businessinfo.co.uk;");
>
> In particular the semicolon: it seems to indicate the next statement, yet
> how are they related to the "allow" statement? They don't seem to be
> grouped in any way. The quoted string is confusing; why do we need it for
> allow when we have protocols? I assume it means allow self for img-src
> and script-src but how do I know I'm right? I can see people typing
> the following: allow 'self; img-src www.gmodules.com or allow 'self'
> img-src www.gmodules.com, because this is all on one line and name
> and value are separated by spaces. So in summary a) Policy syntax is
> unnecessarily tricky b) No validation of HTTP headers c) Having one
> big long line of command is definitely going to introduce errors
Received on Monday, 31 January 2011 00:20:33 GMT
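As an added illustration of the syntax Lucas describes, the following JavaScript is example code written for this archive page; it is not Mozilla's implementation and not part of the thread. It splits an X-Content-Security-Policy value on semicolons, joins backslash-escaped line breaks, treats "allow" as the default that more specific directives override, and lints the two mistyped variants gaz gives (a missing closing quote and a missing semicolon). The list of known directive names and the handling of a policy with no "allow" directive are assumptions made for the example, not taken from the spec or the thread.

```javascript
// Example linter for the 2011-era X-Content-Security-Policy header syntax
// discussed in the thread. Written for this page; not Mozilla's code.

// Assumption for the example: directive names of the experimental X-CSP draft.
const KNOWN_DIRECTIVES = new Set([
  'allow', 'options', 'img-src', 'media-src', 'script-src', 'object-src',
  'frame-src', 'font-src', 'xhr-src', 'frame-ancestors', 'style-src',
  'report-uri', 'policy-uri',
]);

// Keywords must appear in single quotes; a bare host name never needs them.
const KEYWORDS = new Set(['self', 'none']);

// Flag source tokens that are probably typos rather than hosts or schemes.
function checkSource(directive, src, warnings) {
  if (KEYWORDS.has(src.slice(1, -1)) && src.startsWith("'") && src.endsWith("'")) {
    return; // well-formed keyword such as 'self'
  }
  if (src.startsWith("'") !== src.endsWith("'") || src === "'") {
    warnings.push(`${directive}: unbalanced quote in source "${src}"`);
    return;
  }
  if (KEYWORDS.has(src)) {
    warnings.push(`${directive}: keyword "${src}" must be quoted as '${src}'`);
    return;
  }
  if (KNOWN_DIRECTIVES.has(src.toLowerCase())) {
    warnings.push(`${directive}: source "${src}" looks like a directive name; missing semicolon before it?`);
  }
}

// Parse one header value into a Map of directive -> source list, plus warnings.
function parsePolicy(header) {
  // A backslash before a line break only continues the line (readability).
  const joined = header.replace(/\\\r?\n/g, ' ');
  const directives = new Map();
  const warnings = [];
  for (const segment of joined.split(';')) {
    const text = segment.trim();
    if (!text) continue; // trailing ";" leaves an empty segment
    const [name, ...sources] = text.split(/\s+/);
    const lname = name.toLowerCase();
    if (!KNOWN_DIRECTIVES.has(lname)) {
      warnings.push(`unknown directive "${name}"`);
      continue;
    }
    if (directives.has(lname)) {
      warnings.push(`duplicate directive "${name}"; first occurrence kept (example's choice)`);
    } else {
      directives.set(lname, sources);
    }
    for (const src of sources) checkSource(lname, src, warnings);
  }
  return { directives, warnings };
}

// Sources that govern a content type: the specific directive if present,
// otherwise the "allow" default. With no "allow" at all this example returns
// null; the draft's behaviour for that case is not covered by the thread.
function effectiveSources(policy, directive) {
  if (policy.directives.has(directive)) return policy.directives.get(directive);
  if (policy.directives.has('allow')) return policy.directives.get('allow');
  return null;
}

// Constructed inputs: the header from the thread and gaz's two likely typos.
const SAMPLES = {
  ok: "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;",
  continued: "allow 'self'; \\\n  img-src www.gmodules.com",
  missingQuote: "allow 'self; img-src www.gmodules.com",
  missingSemicolon: "allow 'self' img-src www.gmodules.com",
};

for (const [label, header] of Object.entries(SAMPLES)) {
  const policy = parsePolicy(header);
  console.log(label, [...policy.directives], policy.warnings);
}
```

The missing-semicolon case is the instructive one: it parses without error as a single "allow" directive whose sources are 'self', img-src and www.gmodules.com, so img-src silently falls back to that list instead of getting its own rule; only the directive-name heuristic catches it.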
