Re: JSON representation of CSP policies

On Sun, Aug 16, 2015 at 11:13 PM, Nottingham, Mark <mnotting@akamai.com>
wrote:

> Just an aside - if we did a new version of CSP, we could use JSON directly
> for the header syntax:
>   https://tools.ietf.org/html/draft-reschke-http-jfv-01
>
> One of the ideas behind that is that — for headers which use JSON for
> their data model — we could use an alternative binary representation in
> HTTP/3.
>

Yeah, I was thinking about this as well. It seems more justifiable for CSP
to use a JSON-based syntax given its complexity, and it might be an
interesting opportunity for a clean break with the existing CSP behaviors.
If there are things that we'd like to do in CSP3 that end up being
backwards incompatible with CSP2 (and I'm not entirely sure there are,
yet), changing the syntax entirely might be a good way to do it.

Filed https://github.com/w3c/webappsec/issues/457 to track this.

-mike

Received on Monday, 17 August 2015 13:48:56 UTC