- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Thu, 03 Feb 2011 13:33:58 -0800
- To: W3C Web Security Interest Group <public-web-security@w3.org>
> Yes, the downside of using a CSS-based syntax is that there's a distinct
> trade-off of potentially more difficult work for browser developers in
> exchange for a more familiar syntax for end-user web developers. ... but I
> don't think that having to define it more precisely will necessarily negate
> the benefits of a highly familiar syntax.

Hi,

You're assuming that the folks providing some web application/site that would be configuring security policy are "web developers". This isn't the case in a non-trivial percentage of cases (e.g. "large" sites, such as ours (PayPal)). Info-sec / site operations folks will be the ones managing site sec policy in such cases, and one can't necessarily assume such folk are experienced web devs.

I don't think any particular syntax is easily justifiable as "the most widely understood/used" syntax for the breadth of types of folks who'll end up trying to understand/wield CSP et al. Making the choice will be the typical trade-off exercise between human palatability & wieldability, expressability, parseability, and HTTP header-field manglement robustness.

=JeffH
Received on Thursday, 3 February 2011 21:34:28 UTC