- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 2 Feb 2011 22:22:14 -0800
- To: Terri Oda <terri@zone12.com>
- Cc: public-web-security@w3.org

On Wed, Feb 2, 2011 at 10:18 PM, Terri Oda <terri@zone12.com> wrote:
> Adam Barth wrote:
>>
>> The main benefit of JSON is that it's familiar to web developers
>
> Actually, if we're looking for a syntax that is maximally familiar to web
> developers, wouldn't it make more sense to use CSS?
>
> Content-Security-Policy: {
>     script-src: example.com, paypalobjects.com;
> }
>
> There might have to be a little tweaking to get the sort of extensible
> syntax you get in JSON:
>
> Content-Security-Policy: {
>     script-src: example.com, *.paypalobjects.com;
>     object-type: {
>         "application/java": *.sun.com;
>         "application/pdf: *.amazonaws.com, assets.example.com;
>     }
> }
>
> And in the end it's not *that* different syntax-wise, but I'm relatively
> certain knowledge of CSS is much more common among developers and site
> maintainers than knowledge of JSON, so it'll be more accessible for a wider
> range of people.

The above don't look very much like CSS... CSS also has the problem of
not having a precise spec for how to parse it (which is why everyone's
CSS parser is slightly different).

Adam

Received on Thursday, 3 February 2011 06:23:22 UTC