
Script-nonce policies

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 2 Nov 2012 10:42:49 +0100
Message-ID: <CABcZeBMBjf5Vih8JdnG-9D7g+C_R9cB7FNvH0_EH8rQm_dszFA@mail.gmail.com>
To: public-web-security <public-web-security@w3.org>
As I mentioned in the meeting, script-nonce seems like it would be
more useful if there was a way to restrict its applicability to inline scripts,
so I can have a site with a static security policy and a small number of inline
scripts without having to rewrite every page that loads jQuery.

Concrete suggestion: augment script nonce with a "policy" parameter
such as:

script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
to mean that the nonce applies to both scripts or just inline scripts.

-Ekr
Received on Friday, 2 November 2012 09:43:58 GMT
