Re: JSON representation of CSP policies from Brad Hill on 2015-08-14 (public-webappsec@w3.org from August 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 14 Aug 2015 23:25:59 +0000
To: Jonathan Kingston <jonathan@jooped.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8iv+=bXKoBmNQMOG=BFyJ6Hw8H6CYWrtPSOGHOePuuwrQ@mail.gmail.com>

I like this idea a lot.

On Fri, Aug 14, 2015 at 3:22 PM Jonathan Kingston <jonathan@jooped.com>
wrote:

> Hi WebAppSec,
>
> I have been thinking recently about how a subresource/external library
> could declare what their policy was.
>
> My current thinking is that this would be best served by a JSON
> representation of CSP policies which would aid the publisher in being able
> to merge several policies together without having to do a full audit of a
> third party code.
>
> The developer could simply merge in the new policy whilst still remaining
> with the most stringent policy possible. Currently this step is manual and
> I hope that this would allow it to become much more automated.
>
> Here is my super draft proposal:
> https://gist.github.com/jonathanKingston/5699b440f608960dc089
>
> Kind regards
> Jonathan
>

Received on Friday, 14 August 2015 23:26:36 UTC