- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 19 Feb 2011 01:53:37 -0800
- To: public-web-security@w3.org

I've been working on implementing a CSP policy parser for WebKit (see https://bugs.webkit.org/show_bug.cgi?id=54799), and I've got a few nits with the grammar in https://wiki.mozilla.org/Security/CSP/Specification#Formal_Policy_Syntax. In no particular order:

1) The grammar is written in a non-standard formalism.

2) The syntax deviates from RFC 3968 in somewhat odd ways. For example, the syntax for port is slightly more restrictive than in RFC 3968.

3) The presentation doesn't cleanly separate the general grammatical form of policies from the specific syntax of directives that exist today, making it hard to know how we can extend the syntax in the future.

I've taken the liberty of translating the grammar into ABNF (the standard grammatical formalism used by the IETF). I've also cleaned up some of the details to match normal syntax of URIs:

http://www.w3.org/Security/wiki/Content_Security_Policies#Syntax

As part of the translation, I've factored out the "general" syntax that applies to all directives from the syntax for each given directive. The text there is very rough (and certainly doesn't cover all the directives yet). I'd also like to separate out conformance requirements for policy authors and for user agents, but I haven't gotten there yet.

Thoughts?

Adam

Received on Saturday, 19 February 2011 09:54:42 UTC