
Re: [Content Security Policy] Proposal to move the debate forward

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Thu, 27 Jan 2011 14:42:31 -0800
Message-ID: <AANLkTim1DVYQYwxDgmBRqiR2JG557-GGiLRbc+tdbz9s@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
> Have we discussed the danger of false sense of security this could
> impart. In particular, I am concerned about people just marking all
> scripts going out of their server with the correct nonce.

That's possible, although it seems unlikely; in a typical design of a web
app framework, adding nonces would be done in the same pass as
inserting attacker-controlled strings. A warning about two-pass
scenarios can be included, but it's probably not a show-stopper (not
any more than the possibility of incorrectly placing <meta> directives
is).

> And if we are using nonces, why not just use nonces to demarcate the
> start and end of untrusted content

Many people proposed this, and it's a superior alternative on many
counts, but I think that nobody figured out a nice way to do this that
would be at least sort-of XML-compatible - and that's a
deal-breaker...

/mz
Received on Thursday, 27 January 2011 22:43:23 GMT
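The one-pass versus two-pass distinction discussed above, as an added Python example that is not part of the thread: the template shapes, the `/app.js` path, the regex and the function names are assumptions, and `scripts_allowed` is only a rough model of how a `script-src 'nonce-...'` policy decides which script tags run.

```python
import html
import re
import secrets

# Constructed example: a one-pass template that puts the nonce only on the
# trusted <script> tag and escapes untrusted text in the same pass, beside a
# two-pass design that stamps the nonce onto every <script> tag after rendering.

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)


def make_nonce() -> str:
    """Fresh per-response nonce, as a nonce-based script-src policy requires."""
    return secrets.token_urlsafe(16)


def render_one_pass(nonce: str, untrusted: str) -> str:
    """Nonce is emitted only on the trusted script; untrusted text is escaped
    in the same rendering pass, so it can never become a script tag."""
    return (f'<script nonce="{nonce}" src="/app.js"></script>'
            f'<p>{html.escape(untrusted)}</p>')


def render_two_pass(nonce: str, untrusted: str) -> str:
    """Anti-pattern: render first (here with an escaping bug), then run a
    second pass that blindly adds the nonce to every <script> tag found."""
    page = f'<script src="/app.js"></script><p>{untrusted}</p>'
    return SCRIPT_RE.sub(lambda m: f'<script nonce="{nonce}"{m.group(1)}>', page)


def scripts_allowed(page: str, nonce: str) -> list:
    """For each <script> tag in the page, True if its nonce attribute matches
    the policy nonce (so the browser would execute it), False otherwise."""
    allowed = []
    for m in SCRIPT_RE.finditer(page):
        n = re.search(r'nonce="([^"]*)"', m.group(1))
        allowed.append(bool(n) and n.group(1) == nonce)
    return allowed


if __name__ == "__main__":
    nonce = make_nonce()
    injected = '<script>/* injected via an unescaped field */</script>'
    # One pass: only the trusted script carries the nonce -> [True]
    print(scripts_allowed(render_one_pass(nonce, injected), nonce))
    # Two passes: the injected tag is stamped too -> [True, True]
    print(scripts_allowed(render_two_pass(nonce, injected), nonce))
```

The two-pass result is the "false sense of security" case: the policy is nonce-based, every script is nonced, and the injected script still runs.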
