Re: CSP syntax from gaz Heyes on 2011-02-04 (public-web-security@w3.org from February 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 4 Feb 2011 13:13:06 +0000
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: "=JeffH" <Jeff.Hodges@kingsmountain.com>, W3C Web Security Interest Group <public-web-security@w3.org>
Message-ID: <AANLkTimLXYus3hPwqJbCkLDrcVDUVP=oJRvJxb1f0LfM@mail.gmail.com>

On 4 February 2011 12:31, gaz Heyes <gazheyes@gmail.com> wrote:

> The trouble is the method of sending a policy is conflicting with the
> usability of implementing it. I know why it's being sent via http headers..
> speed. Because of that it will have to be compressed but what is the bloody
> point of having a nice fast policy if nobody uses it apart from Facebook?
> How about a compromise between a lighter policy syntax within HTTP headers
> with a option to specify a policy link which has a more familiar syntax like
> CSS/JSON?
>

Actually I have a better idea, a compiler. Write the policy in CSS/JSON,
verify it then it compiles into a compact http header that is very
lightweight.

Received on Friday, 4 February 2011 13:13:38 UTC