Making CSP shareable with JSON CSP


#1

JSON CSP is an idea I had for a shareable format that developers could include in their library. This would be similar to package.json and allow application developers to merge in another libraries policy. CSP headers don’t really lend themselves to being a shareable format in this way. The CSP setup doesn’t make it immediately possible to merge even with two JSON files either (sandbox overrides certain directives - this can be resolved with tooling I think).

JSON CSP proposal

So I have raised this with the WebAppSec WG however I would like this to be a shareable format that potentially isn’t related to the header/meta format at all. So I thought I would re-raise this here too and I will manage the communication of the WG with this group. I was thinking there are a lot more developers here so getting a developer friendly format would help here.