- From: gaz Heyes <gazheyes@gmail.com>
- Date: Sat, 29 Jan 2011 09:11:58 +0000
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: public-web-security@w3.org
- Message-ID: <AANLkTik=CtbUnbQnnGnQ87DngUNmazBS5KhqODbbwFA9@mail.gmail.com>
On 28 January 2011 23:34, Brandon Sterne <bsterne@mozilla.com> wrote:
> Your point has become muddled, unfortunately. It started as an argument
> against using headers to deliver the policy. To me, that seems to be an
> orthogonal issue to the policy syntax. Are you saying "I don't
> understand how to use this syntax to express a policy" or "I don't
> understand how to send HTTP headers"?
>
Ok grrrr I know how to set HTTP header but the syntax is confusing for
example:-
header("X-Content-Security-Policy: allow 'self'; img-src www.gmodules.com;
script-src *.businessinfo.co.uk;");
In particular the semi colon, it seems to indicate next statement yet how
are they related to the "allow" statement. They don't seem to be grouped in
any way, quoted string is confusing why do we need it for allow when we have
protocols? I assume it means allow self for img-src and script-src but how
do I know I'm right? I can see people typing the following: allow 'self;
img-src www.gmodules.com or allow 'self' img-src www.gmodules.com, because
this is all on one line and name and value are separated by spaces. So in
summary a) Policy syntax is unnecessarily tricky b) No validation of http
headers c) Having one big long line of command is definitely going to
introduce errors
Received on Saturday, 29 January 2011 09:12:31 UTC