Re: [Content Security Policy] Proposal to move the debate forward

The syntax is similar to many policy languages (like firewalls, etc.).
The "allow" directive enforces the default policy except where
overridden by more specific directives; semicolons separate directives; \
is simply a way of escaping the end of the line (I think familiar to
anyone who's ever done PHP, etc.), mostly for readability, probably not
used in live policies.
  Lucas.

On 1/29/2011 1:11 AM, gaz Heyes wrote:
> On 28 January 2011 23:34, Brandon Sterne <bsterne@mozilla.com> wrote:
>
>     Your point has become muddled, unfortunately.  It started as an
>     argument
>     against using headers to deliver the policy.  To me, that seems to
>     be an
>     orthogonal issue to the policy syntax.  Are you saying "I don't
>     understand how to use this syntax to express a policy" or "I don't
>     understand how to send HTTP headers"?
>
>
> Ok grrrr I know how to set HTTP header but the syntax is confusing for
> example:-
> header("X-Content-Security-Policy: allow 'self'; img-src
> www.gmodules.com; script-src *.businessinfo.co.uk;");
>
> In particular the semicolon, it seems to indicate next statement yet
> how are they related to the "allow" statement. They don't seem to be
> grouped in any way, quoted string is confusing why do we need it for
> allow when we have protocols? I assume it means allow self for img-src
> and script-src but how do I know I'm right? I can see people typing
> the following: allow 'self; img-src www.gmodules.com or allow 'self'
> img-src www.gmodules.com, because this is all on one line and name
> and value are separated by spaces. So in summary a) Policy syntax is
> unnecessarily tricky b) No validation of http headers c) Having one
> big long line of command is definitely going to introduce errors

Received on Monday, 31 January 2011 00:20:33 UTC
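The parsing rules Lucas describes (semicolons separate directives, `allow` is the default for any resource type without a more specific directive), as an added example that is not part of the original thread: a small Python checker for the X-Content-Security-Policy header value that also flags the two malformed policies gaz expects people to type. The directive-name list is assumed from the Mozilla draft of that time, not taken from this thread.

```python
# Directive names as I recall them from Mozilla's X-Content-Security-Policy
# draft (assumption; check the spec you target before relying on this list).
KNOWN_DIRECTIVES = {
    "allow", "options", "img-src", "media-src", "script-src", "object-src",
    "frame-src", "font-src", "xhr-src", "frame-ancestors", "style-src",
    "report-uri", "policy-uri",
}
KEYWORDS = {"'self'", "'none'"}  # quoted keywords, as opposed to host names

def parse_policy(header_value):
    """Split a policy into {directive: [sources]} and collect syntax problems.

    Semicolons separate directives; within a directive, the name and the
    source expressions are separated by whitespace.
    """
    directives, problems = {}, []
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # a trailing ';' is harmless
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r}")
        if name in directives:
            problems.append(f"duplicate directive {name!r}")
        for src in sources:
            if src.count("'") % 2:  # e.g. allow 'self; img-src ...
                problems.append(f"unbalanced quote in {src!r} ({name})")
            elif src.startswith("'") and src not in KEYWORDS:
                problems.append(f"unknown keyword {src} ({name})")
            if src.lower() in KNOWN_DIRECTIVES:
                # A directive name where a host is expected: a ';' was dropped,
                # so e.g. img-src silently became a source expression of allow.
                problems.append(f"directive name {src!r} used as a source of {name}; missing ';'?")
        directives[name] = sources
    if "allow" not in directives:
        problems.append("no 'allow' directive: no default for unlisted resource types")
    return directives, problems

def effective_sources(directives, resource_directive):
    """Sources applying to e.g. 'img-src': the specific directive if set, else allow."""
    return directives.get(resource_directive, directives.get("allow", []))

if __name__ == "__main__":
    for hdr in ("allow 'self'; img-src www.gmodules.com; script-src *.businessinfo.co.uk;",
                "allow 'self; img-src www.gmodules.com",   # dropped closing quote
                "allow 'self' img-src www.gmodules.com"):  # dropped ';'
        parsed, issues = parse_policy(hdr)
        print(hdr, "->", parsed, issues or "OK")
```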