- From: gaz Heyes <gazheyes@gmail.com>
- Date: Sat, 29 Jan 2011 09:11:58 +0000
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org
- Message-ID: <AANLkTik=CtbUnbQnnGnQ87DngUNmazBS5KhqODbbwFA9@mail.gmail.com>
On 28 January 2011 23:34, Brandon Sterne <bsterne@mozilla.com> wrote:
> Your point has become muddled, unfortunately. It started as an argument
> against using headers to deliver the policy. To me, that seems to be an
> orthogonal issue to the policy syntax. Are you saying "I don't
> understand how to use this syntax to express a policy" or "I don't
> understand how to send HTTP headers"?

Ok grrrr I know how to set HTTP headers, but the syntax is confusing, for example:-

header("X-Content-Security-Policy: allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;");

In particular the semicolon: it seems to indicate the next statement, yet how are they related to the "allow" statement? They don't seem to be grouped in any way. The quoted string is confusing; why do we need it for allow when we have protocols? I assume it means allow self for img-src and script-src, but how do I know I'm right?

I can see people typing the following:

allow 'self; img-src www.gmodules.com

or

allow 'self' img-src www.gmodules.com

because this is all on one line and name and value are separated by spaces.

So in summary:
a) Policy syntax is unnecessarily tricky
b) No validation of http headers
c) Having one big long line of commands is definitely going to introduce errors
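As an added illustration of the points above (not code from the thread or from any CSP implementation): a small validator that splits an X-Content-Security-Policy value on ';', resolves which directives fall back to "allow", and rejects the two mistyped forms quoted in the message. The directive names beyond allow, img-src and script-src are assumed from the original Mozilla draft for the example's purposes.

```python
# Directive names assumed from the original Mozilla X-Content-Security-Policy
# draft; "allow" is the default that the other *-src directives fall back to.
KNOWN_DIRECTIVES = {"allow", "img-src", "script-src", "style-src",
                    "object-src", "media-src", "frame-src", "font-src",
                    "xhr-src", "frame-ancestors"}


def parse_policy(policy):
    """Split a policy on ';' into {directive: [sources]}.

    Raises ValueError on the malformed forms discussed in the thread."""
    directives = {}
    for raw in policy.split(";"):
        part = raw.strip()
        if not part:            # tolerate a trailing ';'
            continue
        tokens = part.split()
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown directive {name!r}")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        if not sources:
            raise ValueError(f"directive {name!r} has no sources")
        for src in sources:
            # "allow 'self;" leaves an unbalanced quote in one token.
            if src.count("'") % 2:
                raise ValueError(f"unbalanced quote in {src!r}")
            # "allow 'self' img-src ..." puts a directive name where a
            # source is expected, i.e. the ';' separator was forgotten.
            if src.lower() in KNOWN_DIRECTIVES:
                raise ValueError(f"missing ';' before {src!r}")
        directives[name] = sources
    return directives


def effective_sources(directives, directive):
    """What a directive permits: its own list, otherwise the 'allow' default."""
    return directives.get(directive, directives.get("allow", []))


def validate(policy):
    """Return None if the policy parses cleanly, else the error message."""
    try:
        parse_policy(policy)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # The header value and the two mistyped variants from the message.
    good = "allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;"
    print(parse_policy(good), effective_sources(parse_policy(good), "style-src"))
    print(validate("allow 'self; img-src www.gmodules.com"))
    print(validate("allow 'self' img-src www.gmodules.com"))
```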
Received on Saturday, 29 January 2011 09:12:31 UTC