
Re: CSP syntax

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 29 Mar 2012 13:51:20 +0200
Message-ID: <4F744CB8.6000205@gmx.de>
To: Adam Barth <w3c@adambarth.com>
CC: public-web-security@w3.org

On 2011-02-01 19:59, Adam Barth wrote:
> We've been talking a lot about policy semantics, but we haven't talked
> much about syntax.  It seems like the two main things we'd like to get
> out of the syntax are:
>
> 1) Compactness.  Policies should be short.
> 2) Legibility.  It should be easy for humans to read and author policies.
> 3) Extensibility.  We'd like a flexible syntax that we can extend for
> many years to come.
>
> The current syntax seems to be something like the following:
>
> policy = directive *( ";" directive )
> directive = *LWS directive-name 1*LWS directive-value
> directive-name = <CHAR, except LWS and ";">
> directive-value = <CHAR, except ";">
>
> Is that right?
> ...

Please have a look at 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#considerations.for.creating.header.fields>.

In particular:

- if you do want multiple header field instances, use HTTP list syntax, 
thus "," as separator

- if you don't then disallow "," in field content so you can detect when 
somebody else *has* combined headers

It might be appealing to re-use the syntax of an existing header, such 
as "Expect": 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#header.expect>

Best regards, Julian
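The two rules from the reply above, turned into a parser as an added example (this is not code from either message, nor from any CSP implementation): the grammar quoted from Adam Barth's mail is used for a single policy, a field value containing "," is rejected so that a header combined by an intermediary is detected rather than silently misparsed, and a second entry point shows the alternative where the header is defined as an HTTP list and "," separates independent policies. The sample header values are constructed for the example, and the handling of a repeated directive name (first occurrence wins) is an assumption made here that the thread does not specify.

```python
"""Parser for a CSP-style header following the two rules in the reply:
either ',' is the HTTP list separator between header instances, or ','
is forbidden in field content so a combined header can be detected."""
import re
from typing import Dict, List

# Constructed sample values (not taken from the thread).
SINGLE = "default-src 'self'; img-src 'self' data:; script-src 'self'"
# What a proxy produces when it folds two instances of a header into one
# field using HTTP list syntax: "value1, value2".
COMBINED = "default-src 'self', default-src 'none'"

Policy = Dict[str, List[str]]


class CombinedHeaderError(ValueError):
    """The field value contains ','. Under the 'disallow ","' rule this
    means two header instances were joined by some intermediary."""


def parse_policy(field_value: str) -> Policy:
    """Parse one policy per the quoted grammar:
        policy          = directive *( ";" directive )
        directive       = *LWS directive-name 1*LWS directive-value
        directive-name  = <CHAR, except LWS and ";">
        directive-value = <CHAR, except ";">
    with the extra restriction from the reply that ',' is not allowed
    anywhere in the field content."""
    if "," in field_value:
        raise CombinedHeaderError(
            "',' in field content: header instances were combined; "
            "refusing to guess which policy was meant")
    policy: Policy = {}
    for raw in field_value.split(";"):
        directive = raw.strip(" \t")  # *LWS before the name, trailing LWS
        if not directive:
            continue  # tolerate an empty element such as a trailing ';'
        parts = re.split(r"[ \t]+", directive, maxsplit=1)  # 1*LWS split
        name = parts[0].lower()
        if len(parts) == 1:
            # The grammar requires 1*LWS directive-value, so a bare name
            # is a syntax error rather than an empty value.
            raise ValueError(f"directive {name!r} has no value")
        tokens = parts[1].split()
        # Assumption made in this example: a repeated directive name keeps
        # the first occurrence. The thread does not define this case.
        policy.setdefault(name, tokens)
    return policy


def parse_policy_list(field_value: str) -> List[Policy]:
    """Alternative under the first rule: the header is defined as an HTTP
    list, so ',' separates independent policies and each list element is
    parsed with the single-policy grammar."""
    return [parse_policy(elem) for elem in field_value.split(",")
            if elem.strip(" \t")]


def is_combined(field_value: str) -> bool:
    """True when the value only makes sense as two joined header
    instances; a receiver that forbids ',' should reject or log it."""
    try:
        parse_policy(field_value)
    except CombinedHeaderError:
        return True
    return False


if __name__ == "__main__":
    print(parse_policy(SINGLE))
    print("combined:", is_combined(COMBINED))
    print(parse_policy_list(COMBINED))
```

Which of the two entry points applies depends on the header definition: a receiver that forbids "," gets a hard error for `COMBINED`, while a receiver that defines the header as an HTTP list gets two separate policies from the same value and must decide how to combine their semantics.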
Received on Thursday, 29 March 2012 11:51:58 GMT
