- From: Florian Lasinger <florian@lasinger.org>
- Date: Wed, 12 Dec 2012 12:51:04 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 13 December 2012 10:45:54 UTC
@chapter "4.12.2 Interaction with the script-src directive"

The document contains one example for the case "nonce provided and correct / src not allowed by script-src directive". There should be an example for the inverse case "no nonce provided / src allowed by script-src directive".

As it currently stands, the second-case script would be rejected because it doesn't have a nonce. Intuitively I would assume the script to be safe because it comes from a whitelisted origin. Therefore I would propose to restrict the relevant enforcing rule to only script tags with content.

Sincerely,
Flo
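To make the two cases in the post concrete, here is an added example that is not part of the thread and not the spec's own matching algorithm: a deliberately simplified model of a `script-src` directive carrying a nonce, evaluated against a `<script>` element under two readings. The `strict` mode is the reading the post objects to (once the policy contains a nonce, every script must carry a matching one); the `proposed` mode is the post's suggestion (the nonce is required only for script tags with content, while external scripts are judged by the source list). The policy string, origins and nonce value below are constructed for the example; only `'self'`, `*` and scheme://host[:port] sources are parsed.

```javascript
// Simplified CSP script-src model (added example, not the spec's algorithm).
// Assumed inputs: a script-src directive value, a script descriptor
// { src?: string, nonce?: string }, the document origin, and a mode.

function parseScriptSrc(directiveValue) {
  const sources = [];          // host/keyword source expressions
  const nonces = new Set();    // values from 'nonce-...' tokens
  for (const token of directiveValue.trim().split(/\s+/)) {
    const m = /^'nonce-(.+)'$/.exec(token);
    if (m) nonces.add(m[1]);
    else sources.push(token);
  }
  return { sources, nonces };
}

// Origin of a URL as scheme://host[:port]; used for source matching.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does any source expression in the list admit this script URL?
function sourceAllowsUrl(sources, scriptUrl, documentOrigin) {
  const target = originOf(scriptUrl);
  return sources.some((src) => {
    if (src === "'self'") return target === documentOrigin;
    if (src === '*') return true;
    try {
      return originOf(src) === target;
    } catch (e) {
      return false;            // not a parseable host source; ignore it
    }
  });
}

// mode 'strict':   every script needs a matching nonce once the policy has one.
// mode 'proposed': nonce required only for inline scripts (tags with content);
//                  external scripts fall back to the source list.
function scriptAllowed(policy, script, documentOrigin, mode) {
  const { sources, nonces } = parseScriptSrc(policy);
  const nonceOk = script.nonce !== undefined && nonces.has(script.nonce);
  const isInline = script.src === undefined;

  if (nonceOk) return true;           // correct nonce admits the script in both readings
  if (isInline) return false;         // inline without a valid nonce is blocked in both readings
  if (mode === 'strict' && nonces.size > 0) return false;
  return sourceAllowsUrl(sources, script.src, documentOrigin);
}

// Constructed sample policy and document origin.
const SAMPLE_POLICY = "'self' https://cdn.example.test 'nonce-r4nd0mValue'";
const SAMPLE_ORIGIN = 'https://app.example.test';

// The two cases from the post, under both readings.
function evaluateCases() {
  const nonceNotWhitelisted = { src: 'https://other.example.test/x.js', nonce: 'r4nd0mValue' };
  const noNonceWhitelisted = { src: 'https://cdn.example.test/lib.js' };
  return {
    case1Strict: scriptAllowed(SAMPLE_POLICY, nonceNotWhitelisted, SAMPLE_ORIGIN, 'strict'),
    case2Strict: scriptAllowed(SAMPLE_POLICY, noNonceWhitelisted, SAMPLE_ORIGIN, 'strict'),
    case2Proposed: scriptAllowed(SAMPLE_POLICY, noNonceWhitelisted, SAMPLE_ORIGIN, 'proposed'),
  };
}

console.log(evaluateCases());
```

Note that the nonce comparison here is an in-memory set lookup; in a real deployment the nonce must be freshly generated per response and unguessable, otherwise the source-list restriction is the only thing standing between an injected script tag and execution.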