- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 3 Mar 2011 14:00:59 -0800
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
On Thu, Mar 3, 2011 at 1:56 PM, Brandon Sterne <bsterne@mozilla.com> wrote:
> On 03/03/2011 01:33 PM, Adam Barth wrote:
>> Yay! Thanks Brandon.
>>
>> Would it be possible to change the presentation of the syntax in two ways:
>>
>> 1) Can we switch to the more usual ABNF used by most modern specs?
>> For example, as in
>> <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12#section-3.2>
>
> Yes, I see no reason not to switch over to ABNF. I'll make that happen
> for the next revision.
>
>> 2) Can we separate the grammar into two pieces: (A) the general syntax
>> of the Content-Security-Policy header field and (B) the syntax of the
>> particular directives?
>
> (B) sounds good, and useful in the two-phase policy parsing exercise you
> mentioned below. I will work on restructuring the grammar to facilitate
> that.
>
> Regarding (A), my understanding was that IETF WEBSEC was going to be
> responsible for standardizing the CSP header, hence my statements about
> this document "assuming a header structure of XYZ". I don't think it's
> a big deal in practical terms, because many of us (myself included)
> subscribe to both lists and the groups plan to work in concert. I just
> didn't want to specify something that wasn't in "our jurisdiction".
> Maybe others can weigh in. If people don't think it's a problem, I'm
> happy to add a definition of the header in our document.

Oh, I didn't realize that. Maybe it would make sense to put it in this
document for now with a note that it might get moved elsewhere at some
point? Alternatively, you could upload an Internet-Draft to the IETF web
site with the information and then reference that draft.

Adam

>> w.r.t. (2), I'd like to implement parsing in two phases. First, the
>> top-level phase that extracts the list of directive-name /
>> directive-value pairs, and second that processes the individual
>> directive-values according to the rules for the directive-name. For
>> example, here's a possible grammar for a CSP policy:
>>
>> policy = directive-list
>> directive-list = directive *( ";" directive )
>> directive = *LWS directive-name [ LWS directive-value ]
>> directive-name = 1*<OCTET, except LWS and ";">
>> directive-value = *<OCTET, except ";">
>>
>> (Of course, the above might not be correct---it's just an example.)
>>
>> This approach follows how, for example, HTTP header fields work.
>> There's a general grammar for HTTP header fields in general, and then
>> a more specific grammar for particular header fields.
>>
>> Thanks,
>> Adam
>
Received on Thursday, 3 March 2011 22:02:06 UTC
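The two-phase parse Adam sketches, as an added Python example that is not from the thread or from either browser's code: phase one follows the example grammar quoted in the mail and phase two dispatches on directive-name. The directive names default-src, script-src and img-src, the whitespace-separated source-list handling, and the constructed unknown directive x-experimental are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# LWS as in the HTTP ABNF the mail points to: space or tab (header folding omitted).
LWS = " \t"


def parse_policy(header: str) -> List[Tuple[str, str]]:
    """Phase one: split a CSP header value into (directive-name, directive-value).

    Grammar from the thread:
      directive-list  = directive *( ";" directive )
      directive       = *LWS directive-name [ LWS directive-value ]
      directive-name  = 1*<OCTET, except LWS and ";">
      directive-value = *<OCTET, except ";">
    Values are returned untouched; phase two interprets them per directive.
    Empty directives (e.g. from a trailing ";") are dropped here, a leniency
    the quoted grammar itself does not grant.
    """
    pairs = []
    for raw in header.split(";"):
        directive = raw.lstrip(LWS)                     # *LWS
        if not directive:
            continue
        i = 0
        while i < len(directive) and directive[i] not in LWS:
            i += 1                                      # directive-name ends at LWS
        name, rest = directive[:i], directive[i:]
        pairs.append((name, rest.lstrip(LWS)))          # [ LWS directive-value ]
    return pairs


def parse_source_list(value: str) -> List[str]:
    """Phase two for source-list style directives: split the value on LWS."""
    return [tok for tok in re.split(r"[ \t]+", value) if tok]


# Phase-two handlers keyed by directive-name (names assumed for illustration).
DIRECTIVE_PARSERS = {
    "default-src": parse_source_list,
    "script-src": parse_source_list,
    "img-src": parse_source_list,
}


def parse_csp(header: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Run both phases; return (parsed directives, names with no phase-two rule)."""
    parsed, unknown = {}, []
    for name, value in parse_policy(header):
        handler = DIRECTIVE_PARSERS.get(name)
        if handler is None:
            unknown.append(name)                        # reported, not silently lost
            continue
        parsed[name] = handler(value)
    return parsed, unknown
```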