
Re: JSON representation of CSP policies

From: Nottingham, Mark <mnotting@akamai.com>
Date: Mon, 17 Aug 2015 06:13:12 +0000
To: Jonathan Kingston <jonathan@jooped.com>
CC: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <F0DC3DA4-8F6B-43B8-8792-DB0E1599DC38@akamai.com>
Just an aside - if we did a new version of CSP, we could use JSON directly for the header syntax:
  https://tools.ietf.org/html/draft-reschke-http-jfv-01


One of the ideas behind that is that — for headers which use JSON for their data model — we could use an alternative binary representation in HTTP/3.

Cheers,


> On 15 Aug 2015, at 12:25 pm, Jonathan Kingston <jonathan@jooped.com> wrote:
> 
> Great!
> 
> I have also submitted a proposal for Ember to start using this for their applications and addons which would give an implementation:
> https://github.com/ember-cli/rfcs/pull/22
> 
> I'm not sure if browsers would initially have to do anything with this proposal at all (however, I have ideas where it could certainly be utilised). However, it would be great if we could agree on an external representation, mostly so each framework ecosystem doesn't go implementing their own.
> 
> My underlying goal is that most of the implementation of the Ember checking and the merging would be implemented in a stand-alone package that any library could consume.
> 
> On Sat, Aug 15, 2015 at 12:26 AM Brad Hill <hillbrad@gmail.com> wrote:
> I like this idea a lot.
> 
> On Fri, Aug 14, 2015 at 3:22 PM Jonathan Kingston <jonathan@jooped.com> wrote:
> Hi WebAppSec,
> 
> I have been thinking recently about how a subresource/external library could declare what their policy was.
> 
> My current thinking is that this would be best served by a JSON representation of CSP policies, which would aid the publisher in being able to merge several policies together without having to do a full audit of third-party code.
> 
> The developer could simply merge in the new policy whilst still remaining with the most stringent policy possible. Currently this step is manual and I hope that this would allow it to become much more automated.
> 
> Here is my super draft proposal:
> https://gist.github.com/jonathanKingston/5699b440f608960dc089
> 
> Kind regards
> Jonathan

--
Mark Nottingham    mnot@akamai.com    https://www.mnot.net/
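The merge Jonathan describes (a third party declaring its policy needs as JSON, folded into the publisher's policy without loosening it), as an added example in JavaScript that is neither the thread's nor the linked gist's code; the policy object shape, the list of loosening sources and the default-src fallback handling are assumptions.

```javascript
// Added example, not code from the thread or the gist. A policy is assumed to
// be an object {directive: [source, ...]}; a third-party library "declares"
// only the specific origins it needs.

// Sources a third party must never be allowed to add to a publisher's policy.
const LOOSENING = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"]);
// Fetch directives that inherit default-src when they are absent (CSP fallback).
const FALLS_BACK_TO_DEFAULT = new Set(["script-src", "style-src", "img-src", "connect-src",
  "font-src", "media-src", "object-src", "frame-src"]);

// Parse a Content-Security-Policy header value into the JSON-shaped object.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Serialise the object back to a header value.
function serializeCsp(policy) {
  return Object.entries(policy).map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Merge a third party's declared needs into the publisher's policy.
// Returns {policy, rejected}: loosening sources are reported, not merged, and a
// directive the publisher never set starts from the default-src sources it
// would otherwise inherit, so declaring e.g. connect-src for a library does not
// silently drop the publisher's own origins for that directive.
function mergePolicies(base, declared) {
  const merged = {};
  for (const [name, sources] of Object.entries(base)) merged[name] = [...sources];
  const rejected = [];
  for (const [name, sources] of Object.entries(declared)) {
    if (!(name in merged)) {
      const inherit = FALLS_BACK_TO_DEFAULT.has(name) && merged["default-src"];
      merged[name] = inherit ? [...merged["default-src"]] : [];
    }
    for (const src of sources) {
      if (LOOSENING.has(src)) { rejected.push(`${name} ${src}`); continue; }
      if (!merged[name].includes(src)) merged[name].push(src);
    }
  }
  return { policy: merged, rejected };
}

// Constructed sample: a publisher policy plus what an analytics library declares.
const publisher = parseCsp("default-src 'self'; script-src 'self' https://cdn.example.com");
const library = { "script-src": ["https://analytics.example.net", "'unsafe-inline'"],
                  "connect-src": ["https://collect.example.net"] };
const result = mergePolicies(publisher, library);
```

Here `result.rejected` lists the `'unsafe-inline'` the library asked for, and `connect-src` in the merged policy keeps `'self'` from default-src alongside the collector origin.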
Received on Monday, 17 August 2015 06:13:42 UTC