
Re: CSP syntax ABNF

From: Brandon Sterne <bsterne@mozilla.com>
Date: Tue, 01 Mar 2011 14:52:28 -0800
Message-ID: <4D6D78AC.9010503@mozilla.com>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

Quick update: I have an "unofficial draft" ready to share and I'm only
waiting on account access to be able to push the draft to dev.w3.org.
I'm very excited to share the draft with you all and look forward to our
continued discussion.

Just as a preview of what to expect, in addition to reordering some of
the sections and making the text more normative, I made the following

1. renamed allow to default-src
2. made all directives optional
3. added the SecurityViolation DOM event
4. added script-nonce and sandbox under "proposed directives"
5. added policy via <meta> element
6. renamed inline-script options value to disable-xss-protection

There are still unresolved issues that the WG (can I call us that
yet?) has identified and I've called those out in "Issue" sections.


On 02/25/2011 07:48 PM, Brandon Sterne wrote:
> I'm basically done with the reformatting, which has mostly consisted of
> reordering the sections to closer match existing specs (CORS was
> especially modeled after) and to be more normative where possible.  I've
> also made changes and additions based on what I've taken as consensus
> points reached on the WG mailing list thus far.  I'll summarize those
> changes when I make the submission.
> Just to provide an update to the group, I have the document ready to be
> submitted and I am waiting to make sure I have the correct procedure to
> follow in order to submit it to the group.
> I'll be back in touch before the end of the weekend.
> Cheers,
> Brandon
Received on Tuesday, 1 March 2011 22:51:39 UTC
