Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 27 Jan 2011 17:46:38 +0000
Message-ID: <AANLkTinXCJ-UQ71FFBm=c4kZju7=Mf9GpUz17tWmnJdd@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 27 January 2011 17:11, Gervase Markham <gerv@mozilla.org> wrote:

> Also, I'm not sure "nonce" is the right word.
> http://en.wikipedia.org/wiki/Cryptographic_nonce
> suggests that it's "number used once". As the above document discusses, I
> can see various sites making various trade-offs about how often they change
> the key, based on caching concerns.
>
> So I would suggest "script-key" as a better name.
>

The key should change on every request! We can inject a lot of into HTML

Received on Thursday, 27 January 2011 17:47:11 GMT
