JSON representation of CSP policies

Hi WebAppSec,

I have been thinking recently about how a subresource/external library
could declare what its policy is.

My current thinking is that this would be best served by a JSON
representation of CSP policies, which would aid the publisher in being able
to merge several policies together without having to do a full audit of the
third-party code.

The developer could simply merge in the new policy whilst still remaining
with the most stringent policy possible. Currently this step is manual, and
I hope that this would allow it to become much more automated.

Here is my super draft proposal:
https://gist.github.com/jonathanKingston/5699b440f608960dc089

Kind regards
Jonathan

Received on Friday, 14 August 2015 22:21:04 UTC
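The merge step described in the post, as an added illustration that is not part of the message or of the linked gist: a Content-Security-Policy header is parsed into a plain JSON object (directive name to source list, a hypothetical shape chosen here, not the gist's format), several such objects are merged by per-directive union so the result is the narrowest policy that still satisfies every party's declared needs, and a small review pass flags sources that widen the policy and still deserve a human look. The merge takes care of one pitfall a naive union misses: if the publisher relies on `default-src` and the library introduces `script-src`, the new directive is seeded with the publisher's `default-src` sources, otherwise the publisher's own scripts would stop loading. The sample header values are constructed for the example.

```javascript
// Added example (not from the post or the gist): JSON-style CSP policies and a
// "narrowest policy that satisfies everyone" merge.
// Policy shape assumed here: { "script-src": ["'self'", "https://cdn.example.com"], ... }

// Fetch directives that fall back to default-src when they are not declared (CSP3).
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src', 'prefetch-src',
]);

// Parse a header value into { directive: [sources] }.
function parseCSP(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A browser ignores a repeated directive; mirror that so the JSON matches enforcement.
    if (name in policy) continue;
    policy[name] = tokens.slice(1);
  }
  return policy;
}

// Serialize back to a header value; directives sorted so output is stable and diffable.
function serializeCSP(policy) {
  return Object.keys(policy).sort()
    .map(d => [d, ...policy[d]].join(' '))
    .join('; ');
}

// What `policy` effectively allows for `directive`: the directive if declared,
// else default-src for directives that fall back to it, else no requirement.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && 'default-src' in policy) {
    return policy['default-src'];
  }
  return [];
}

// Union of each party's effective sources per directive: nothing is allowed
// that nobody declared a need for, and nothing anyone needs is dropped.
function mergePolicies(...policies) {
  const directives = new Set(policies.flatMap(p => Object.keys(p)));
  const merged = {};
  for (const d of directives) {
    const union = new Set();
    for (const p of policies) for (const s of effectiveSources(p, d)) union.add(s);
    // 'none' only survives when nobody needs anything for this directive.
    if (union.size > 1) union.delete("'none'");
    merged[d] = [...union].sort();
  }
  return merged;
}

// Sources that widen a policy well beyond a single origin: keyword escapes,
// bare scheme sources, and wildcard hosts. Automated merging should not hide these.
const RISKY_SOURCE = /^(?:'unsafe-inline'|'unsafe-eval'|\*|data:|blob:|http:|https:)$|^(?:https?:\/\/)?\*/i;

function reviewPolicy(policy) {
  const findings = [];
  for (const [d, sources] of Object.entries(policy)) {
    for (const s of sources) if (RISKY_SOURCE.test(s)) findings.push(`${d}: ${s}`);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: a publisher that only uses default-src, plus a library's declared needs.
  const publisher = parseCSP("default-src 'self'; object-src 'none'");
  const library = parseCSP(
    "script-src https://cdn.example.com; connect-src https://api.example.com; img-src data:");
  const merged = mergePolicies(publisher, library);
  console.log(serializeCSP(merged));
  console.log('review:', reviewPolicy(merged));
}
```

`effectiveSources` is the part that makes the merge safe to automate: without it, merging `script-src https://cdn.example.com` into a policy that only has `default-src 'self'` would yield a `script-src` with no `'self'`, silently breaking the publisher's own scripts. The review list is the residue that still needs a human decision; the library's `data:` image source shows up there even though the merge itself is mechanical.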