Re: JSON representation of CSP policies

From: Mike West <mkwst@google.com>
Date: Mon, 17 Aug 2015 06:48:08 -0700
Message-ID: <CAKXHy=cOJ-yMN7GE2DNfgdUgyRcK=wTZ_980xLfrS27FLkOoYQ@mail.gmail.com>
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Jonathan Kingston <jonathan@jooped.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sun, Aug 16, 2015 at 11:13 PM, Nottingham, Mark <mnotting@akamai.com> wrote:

> Just an aside - if we did a new version of CSP, we could use JSON directly
> for the header syntax:
>   https://tools.ietf.org/html/draft-reschke-http-jfv-01
> One of the ideas behind that is that — for headers which use JSON for
> their data model — we could use an alternative binary representation in
> HTTP/3.

Yeah, I was thinking about this as well. It seems more justifiable for CSP
to use a JSON-based syntax given its complexity, and it might be an
interesting opportunity for a clean break with the existing CSP behaviors.
If there are things that we'd like to do in CSP3 that end up being
backwards incompatible with CSP2 (and I'm not entirely sure there are,
yet), changing the syntax entirely might be a good way to do it.

Filed https://github.com/w3c/webappsec/issues/457 to track this.

Received on Monday, 17 August 2015 13:48:56 UTC