On 10 December 2012 20:52, Mike West <mkwst@google.com> wrote: > The goal of the `script-nonce` directive is to handle at least some of > this use-case: > https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental > > Rather than altering the behavior of `innerHTML`, it asks developers to > tag inline script blocks that are intentionally included with a unique key, > generated on the fly for each request. Bad for caching, not particularly > useful for static sites, but useful for the (many?) applications that can't > kill inline scripts. > I think just providing a script-nonce is flawed as I've mentioned before on this list. Since you can inject inside protected scripts and discover the key by using <img> requests or non script executing "XSS" vectors. The protection must apply to all elements or at the very least most of them. Using this method you can identify user input from site code too.
Received on Tuesday, 11 December 2012 11:15:49 UTC