Re: CSP syntax

Adam Barth wrote:
> The main benefit of JSON is that its familiar to web developers 

Actually, if we're looking for a syntax that is maximally familiar to 
web developers, wouldn't it make more sense to use CSS?

Content-Security-Policy: {
	script-src: example.com, paypalobjects.com;
}

There might have to be a little tweaking to get the sort of extensible 
syntax you get in JSON:

Content-Security-Policy: {
	script-src: example.com, *.paypalobjects.com;
         object-type: {
		"application/java": *.sun.com;
		"application/pdf: *.amazonaws.com, assets.example.com;
	}
}

And in the end it's not *that* different syntax-wise, but I'm relatively 
certain knowledge of CSS is much more common among developers and site 
maintainers than knowledge of JSON, so it'll be more accessible for a 
wider range of people.

Received on Thursday, 3 February 2011 06:18:50 UTC