- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Thu, 3 Feb 2011 14:36:58 -0800
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web Security Interest Group <public-web-security@w3.org>
> While JSON (RFC4627) has some attractiveness (to me) in its simplicity and
> expressivity, I wonder about whether there's any other presently-deployed
> and browser-supported HTTP header field that's expressed in JSON-based
> syntax?
Yeah, I don't understand the appeal of going there; JSON is out of
place in HTTP headers, follows different semantics, and actually
requires a fairly complex parser; some HTTP clients happen to have it
already (and amusingly, implement generally incompatible supersets of
the rather dodgy JSON RFC); some other user agents may want to
obey CSP, but are not so fortunate.
If we think there is a benefit of having finer-grained policies, this
does not have to be implemented as an object hierarchy; for example,
Adam's case:
{ ... "object-type": {"application/java": ["*.sun.com"],
"application/pdf": ["*.amazonaws.com", "assets.example.com"]}}
...can be far more legibly written as:
object-src["foo/bar"] = "*.example1.com *.example2.com"
object-src["bar/baz"] = "..."
...without the need for excess nesting, etc.
/mz
PS. We started with "in general, I'm more interested in feedback that
leads to simplification rather than feedback that leads to more
complexity" ;-)
Received on Thursday, 3 February 2011 22:37:52 UTC
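The two notations compared in the message, as an added example that is not code from the message or from any CSP implementation: a small parser for the bracketed `object-src["type"] = "hosts"` form beside a JSON parse of the nested object form, showing that both yield the same type-to-host map. The one-directive-per-line grammar, the regex, the function names and the sample inputs are assumptions made here.

```python
import json
import re

# Assumed grammar for the flat form from the message: one directive per line,
# of the shape   name["media/type"] = "host host ..."
_DIRECTIVE_RE = re.compile(
    r'^\s*([a-z-]+)\s*\[\s*"([^"\s]+)"\s*\]\s*=\s*"([^"]*)"\s*$'
)


def parse_flat_policy(text: str) -> dict:
    """Parse the bracketed form into {directive: {media_type: [hosts]}}.

    A line that does not match the grammar, or repeats a media type, raises
    ValueError: a malformed policy fails closed rather than silently
    widening what the policy allows.
    """
    policy = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a directive: {line!r}")
        directive, media_type, hosts = m.groups()
        per_type = policy.setdefault(directive, {})
        if media_type in per_type:
            raise ValueError(f"line {lineno}: duplicate type {media_type!r}")
        per_type[media_type] = hosts.split()
    return policy


def parse_json_policy(text: str) -> dict:
    """Parse the nested JSON form; a full JSON parser is needed for this."""
    obj = json.loads(text)
    return {"object-src": {k: list(v) for k, v in obj["object-type"].items()}}


# Constructed sample inputs, one in each form, carrying the same policy.
FLAT_SAMPLE = '''
object-src["application/java"] = "*.sun.com"
object-src["application/pdf"] = "*.amazonaws.com assets.example.com"
'''
JSON_SAMPLE = '''{"object-type": {"application/java": ["*.sun.com"],
 "application/pdf": ["*.amazonaws.com", "assets.example.com"]}}'''

if __name__ == "__main__":
    print(parse_flat_policy(FLAT_SAMPLE) == parse_json_policy(JSON_SAMPLE))
```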