
Re: CSP syntax

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 1 Apr 2012 16:47:46 -0700
Message-ID: <CAJE5ia_grV+RuMVLN==WrgiwLorr9xg=qhUiHD5UhpyZjMVxLg@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: public-web-security@w3.org
On Thu, Mar 29, 2012 at 4:51 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-02-01 19:59, Adam Barth wrote:
>>
>> We've been talking a lot about policy semantics, but we haven't talked
>> much about syntax.  It seems like the two main things we'd like to get
>> out of the syntax are:
>>
>> 1) Compactness.  Policies should be short.
>> 2) Legibility.  It should be easy for humans to read and author policies.
>> 3) Extensibility.  We'd like a flexible syntax that we can extend for
>> many years to come.
>>
>> The current syntax seems to be something like the following:
>>
>> policy = directive *( ";" directive )
>> directive = *LWS directive-name 1*LWS directive-value
>> directive-name = <CHAR, except LWS and ";">
>> directive-value = <CHAR, except ";">
>>
>> Is that right?
>> ...
>
> Please have a look at
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#considerations.for.creating.header.fields>.
>
> In particular:
>
> - if you do want multiple header field instances, use HTTP list syntax, thus
> "," as separator
>
> - if you don't then disallow "," in field content so you can detect when
> somebody else *has* combined headers
>
> It might be appealing to re-use the syntax of an existing header, such as
> "Expect":
> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#header.expect>

Fixed:

http://dvcs.w3.org/hg/content-security-policy/rev/f2c203c7331f

Thanks,
Adam
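As an added illustration (not code from the thread or from the CSP draft), here is a small parser for the directive grammar quoted above that also applies Julian's two options for ",": split on "," as the HTTP list separator when multiple header instances are expected, or reject "," inside a policy so that a header combined by an intermediary is detected instead of silently misparsed. Names and the sample header are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical parser for the grammar quoted in the thread:
#   policy    = directive *( ";" directive )
#   directive = *LWS directive-name 1*LWS directive-value
# plus Julian's two choices for ",":
#   option 1: "," is the HTTP list separator between header instances (parse_header)
#   option 2: "," is forbidden in a policy, so a merged header is detected (parse_policy)


@dataclass(frozen=True)
class Directive:
    name: str
    value: str


def parse_policy(policy: str) -> list[Directive]:
    """Parse one header instance. A "," means some intermediary combined two
    instances into one field value, which option 2 treats as an error."""
    if "," in policy:
        raise ValueError('"," not allowed in a policy: header instances were combined')
    directives = []
    for raw in policy.split(";"):
        raw = raw.strip()                      # *LWS before the name
        if not raw:
            continue                           # tolerate a trailing ";"
        parts = raw.split(None, 1)             # directive-name 1*LWS directive-value
        name = parts[0].lower()                # case-insensitive names (assumption)
        value = parts[1].strip() if len(parts) == 2 else ""
        directives.append(Directive(name, value))
    return directives


def parse_header(field_value: str) -> list[list[Directive]]:
    """Option 1: HTTP list syntax, so a combined field yields one policy per instance."""
    return [parse_policy(p) for p in field_value.split(",") if p.strip()]


def looks_combined(field_value: str) -> bool:
    """Option 2 check: True when a field that should carry a single policy was merged."""
    try:
        parse_policy(field_value)
    except ValueError:
        return True
    return False


# Constructed sample: two header instances merged by an intermediary into one field.
COMBINED = "default-src 'self'; script-src 'self' https://cdn.example, img-src *"

if __name__ == "__main__":
    for policy in parse_header(COMBINED):
        print([(d.name, d.value) for d in policy])
    print("combined:", looks_combined(COMBINED))
```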
Received on Sunday, 1 April 2012 23:48:50 GMT