Re: Syntax presentation (was Re: Unofficial Draft of Content Security Policy)

On 03/03/2011 01:33 PM, Adam Barth wrote:
> Yay!  Thanks Brandon.
> 
> Would it be possible to change the presentation of the syntax in two ways:
> 
> 1) Can we switch to the more usual ABNF used by most modern specs.
> For example, as in
> <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12#section-3.2>
> ?

Yes, I see no reason not to switch over to ABNF.  I'll make that happen
for the next revision.

> 2) Can we separate the grammar to two pieces: (A) the general syntax
> of the Content-Security-Policy header field and (B) the syntax of the
> particular directives.

(B) sounds good, and useful in the two-phase policy parsing exercise you
mentioned below.  I will work on restructuring the grammar to facilitate
that.

Regarding (A), my understanding was that IETF WEBSEC was going to be
responsible for standardizing the CSP header, hence my statements about
this document "assuming a header structure of XYZ".  I don't think it's
a big deal in practical terms, because many of us (myself included)
subscribe to both lists and the groups plan to work in concert.  I just
didn't want to specify something that wasn't in "our jurisdiction".
Maybe others can weigh in.  If people don't think it's a problem, I'm
happy to add a definition of the header in our document.

> w.r.t. (2), I'd like to implement parsing in two phases.  First, the
> top-level phase that extracts the list of directive-name /
> directive-value pairs, and second, one that processes the individual
> directive-values according to the rules for the directive-name.  For
> example, here's a possible grammar for a CSP policy:
> 
> policy          = directive-list
> directive-list  = directive *( ";" directive )
> directive       = *LWS directive-name [ LWS directive-value ]
> directive-name  = 1*<OCTET, except LWS and ";">
> directive-value = *<OCTET, except ";">
> 
> (Of course, the above might not be correct---it's just an example.)
> 
> This approach follows how, for example, HTTP header fields work.
> There's a general grammar for HTTP header fields in general, and then
> a more specific grammar for particular header fields.
> 
> Thanks,
> Adam

Received on Thursday, 3 March 2011 21:55:43 UTC
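The two-phase parse sketched in the quoted grammar, as an added example that is not code from the draft or from either author. It assumes LWS is SP / HTAB (HTTP's definition), uses a constructed whitespace token split as a stand-in for the real per-directive rules of part (B), and the directive names and policy strings are constructed samples.

```python
import re
from typing import Callable, Dict, List, Tuple

# LWS is taken as SP / HTAB (HTTP's linear whitespace); the draft's own
# definition may differ, so treat this as an assumption of the example.
LWS = " \t"

def parse_directive_list(policy: str) -> List[Tuple[str, str]]:
    """Phase 1: split a policy into (directive-name, directive-value) pairs.
    directive-list  = directive *( ";" directive )
    directive       = *LWS directive-name [ LWS directive-value ]
    directive-name  = 1*<OCTET, except LWS and ";">
    directive-value = *<OCTET, except ";">
    Nothing inside a directive-value is interpreted here; that is phase 2.
    """
    pairs = []
    for directive in policy.split(";"):
        directive = directive.lstrip(LWS)                  # *LWS
        if not directive:                                  # name needs 1*OCTET, so
            raise ValueError("empty directive in policy")  # ";;" or trailing ";" fail
        name = re.match(r"[^ \t]+", directive).group(0)    # up to first LWS
        # [ LWS directive-value ]: skip the separating LWS, keep the rest verbatim
        # (trailing whitespace is still part of the value under this grammar).
        value = directive[len(name):].lstrip(LWS)
        pairs.append((name, value))
    return pairs

# Phase 2: a parser per directive-name.  Splitting the value into
# whitespace-separated tokens is a constructed stand-in for the real
# per-directive rules, which the directive grammar (part B) would define.
DirectiveParser = Callable[[str], List[str]]

def parse_token_list(value: str) -> List[str]:
    return value.split()
PARSERS: Dict[str, DirectiveParser] = {
    "default-src": parse_token_list,   # constructed sample registrations
    "script-src": parse_token_list,
}

def parse_policy(policy: str, parsers: Dict[str, DirectiveParser] = PARSERS
                 ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Phase 2: hand each directive-value to the parser for its name.
    Unknown directives survive phase 1 but are reported, not interpreted."""
    parsed, unknown = {}, []
    for name, value in parse_directive_list(policy):
        parser = parsers.get(name)
        if parser is None:
            unknown.append(name)
        else:
            parsed[name] = parser(value)
    return parsed, unknown
```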