W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP : inline functions ?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 25 Feb 2011 08:44:45 -0800
Message-ID: <4D67DC7D.6080306@mozilla.com>
To: "sird@rckc.at" <sird@rckc.at>
CC: Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org
On 2/24/11 5:38 PM, sird@rckc.at wrote:
>> - "script-keys" (nonce)
> Is that really being considered? At what level? <script key="XXXX"> or
> <anything key="XXXX">?

I think the group has moved on from that proposal, but it was
discussed seriously for a few days. It's a more workable proposal
than "allow calls to user-defined functions in inline scripts, but
not other statements". I still don't like it, but if we "must do
something" I'd rather talk about script-keys again than try to make
fine-grained distinctions within a highly dynamic scripting language
like JavaScript.

-Dan Veditz
Received on Friday, 25 February 2011 16:45:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 25 February 2011 16:45:33 GMT