general web sec policy header? (was: Re: Syntax presentation)

[catching up on threads here..]

Brandon Sterne <bsterne@mozilla.com> replied:
 >
 > On 03/03/2011 01:33 PM, Adam Barth wrote:
 >
 >> 2) Can we separate the grammar to two pieces: (A) the general syntax
 >> of the Content-Security-Policy header field and (B) the syntax of the
 >> particular directives.
 >
 > (B) sounds good, and useful in the two-phase policy parsing exercise you
 > mentioned below.  I will work on restructuring the grammar to facilitate
 > that.

cool.


 > Regarding (A), my understanding was that IETF WEBSEC was going to be
 > responsible for standardizing the CSP header, hence my statements about
 > this document "assuming a header structure of XYZ".

yes, in various discussions we've postulated that we could possibly come up 
with some generalized extensible web sec policy header as a part of an overall 
generalized web app sec framework (this..

   http://tools.ietf.org/html/draft-hodges-websec-framework-reqs

..being an initial shot at requirements for such) such that various policies 
that are now expressed using individual header fields could be mapped to it. 
Thus the vision is nominally more general than "standardizing the CSP header" :)

for example, we could have something similar to ..

Web-Sec-Policy-Header  = "Web-Sec-Policy" ":" policy-list
policy-list            = policy *( policy-sep policy)
policy-sep             = <the hard thing to figure out>

..where "policy" roughly maps to Adam's initial suggested ABNF..

 > policy          = directive-list
 > directive-list  = directive *( ";" directive )
 > directive       = *LWS directive-name [ LWS directive-value ]
 > directive-name  = 1*<OCTET, except LWS and ";">
 > directive-value = *<OCTET, except ";">

(Of course, all the above is certainly not "correct" -- it's an example)

HTH, I'll comment further on the later msgs in this thread.

=JeffH

Received on Wednesday, 9 March 2011 00:34:35 UTC
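Added example (mine, not code from the thread or from either spec draft): a two-phase parser for the directive-list ABNF quoted above. Phase (A) splits a field value into (name, value) pairs using only the generic syntax; phase (B) hands each pair to a per-directive handler. The sample directive names and the whitespace-separated source-list handler are assumptions for illustration, and LWS is taken to be SP/HT only.

```python
import re

LWS = " \t"  # LWS assumed to be space/tab only for this example


def parse_directive_list(field_value):
    """Phase (A): generic syntax only, no per-directive knowledge.

    directive-list  = directive *( ";" directive )
    directive       = *LWS directive-name [ LWS directive-value ]
    directive-name  = 1*<OCTET, except LWS and ";">
    directive-value = *<OCTET, except ";">
    Returns a list of (name, value) with value "" when absent.
    """
    directives = []
    for raw in field_value.split(";"):
        s = raw.lstrip(LWS)
        if not s:
            # An empty directive (e.g. "a;;b" or trailing ";") is not
            # derivable from the grammar; reject instead of guessing.
            raise ValueError("empty directive in %r" % field_value)
        # name runs to the first LWS; everything after that LWS is the value
        m = re.match(r"([^ \t]+)(?:[ \t]+(.*))?$", s, re.S)
        name, value = m.group(1), m.group(2) or ""
        directives.append((name, value))
    return directives


def apply_policy(field_value, handlers):
    """Phase (B): each directive is interpreted by its own handler.

    handlers maps a lower-cased directive-name to callable(value).
    Unknown directives are reported, not treated as syntax errors, so
    the generic layer can carry directives this consumer does not know.
    """
    known, unknown = {}, []
    for name, value in parse_directive_list(field_value):
        handler = handlers.get(name.lower())
        if handler is None:
            unknown.append(name)
        else:
            known[name.lower()] = handler(value)
    return known, unknown


# Assumed handlers: a source list is split on whitespace (illustration only).
SAMPLE_HANDLERS = {
    "default-src": lambda v: v.split(),
    "script-src": lambda v: v.split(),
}
```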