
Comment on Content Security Policy 1.1, Draft of Dec 12 2012

From: Florian Lasinger <florian@lasinger.org>
Date: Wed, 12 Dec 2012 12:51:04 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <DE67438F98AE434BAFB603C607B62F16B9052AE5@mbx02.lansolnet.com>
@chapter "4.12.2 Interaction with the script-src directive"

The document contains one example for the case
"nonce provided and correct / src not allowed by script-src directive".

There should be an example for the inverse case
"no nonce provided / src allowed by script-src directive".

As it currently stands, the script in the second case would be rejected because it doesn't have a nonce.
Intuitively I would assume the script to be safe because it comes from a whitelisted origin.

Therefore I would propose to restrict the relevant enforcing rule to only script tags with content.


Sincerely,
Flo
Received on Thursday, 13 December 2012 10:45:54 GMT
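The two readings of the rule discussed in the message above, side by side, as an added toy evaluator written for this page (it is not the draft's algorithm, any browser's code, or the author's): one function applies the rule as the message reads the draft (once script-src carries a nonce source, every script needs a matching nonce), the other applies the proposed rule (the nonce only gates inline scripts; external scripts fall back to the host whitelist). The policy, page origin, nonce value and script elements are constructed for the example; host matching ignores paths and treats 'unsafe-inline' as a plain fallback, both simplifications of the real source-expression matching.

```javascript
// Toy model of the script-src / nonce interaction. Not the spec's algorithm;
// the policy, origin and script elements below are constructed for the page.

// Parse a script-src directive value into host expressions, nonce values and
// the 'unsafe-inline' flag.
function parseScriptSrc(value) {
  const policy = { hosts: [], nonces: [], unsafeInline: false };
  for (const token of value.trim().split(/\s+/)) {
    const m = /^'nonce-([A-Za-z0-9+\/=]+)'$/.exec(token);
    if (m) policy.nonces.push(m[1]);
    else if (token === "'unsafe-inline'") policy.unsafeInline = true;
    else policy.hosts.push(token); // 'self' or a host expression
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one host expression ('self', https://cdn.example, *.example.org, ...)
// match the script URL? Paths are ignored in this model.
function matchesHostSource(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "*") return true;
  let scheme = new URL(pageOrigin).protocol; // no scheme given: inherit the page's
  let rest = expr;
  const i = expr.indexOf("://");
  if (i !== -1) { scheme = expr.slice(0, i) + ":"; rest = expr.slice(i + 3); }
  const [hostPort] = rest.split("/");
  const [host, port] = hostPort.split(":");
  if (scheme !== url.protocol) return false;
  if (port && port !== (url.port || defaultPort(url.protocol))) return false;
  if (host.startsWith("*.")) {
    // "*.example.org" matches "a.example.org" but not "example.org" itself
    const suffix = host.slice(1);
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === host;
}

function hostAllowed(policy, pageOrigin, src) {
  const url = new URL(src);
  return policy.hosts.some((h) => matchesHostSource(h, url, pageOrigin));
}

function nonceMatches(policy, script) {
  return script.nonce !== null && policy.nonces.includes(script.nonce);
}

// Rule as the message reads the draft: with a nonce source present, a script
// without a matching nonce is blocked even if its src is whitelisted.
function allowedDraftReading(policy, pageOrigin, script) {
  if (nonceMatches(policy, script)) return true;
  if (policy.nonces.length > 0) return false;
  return script.src === null ? policy.unsafeInline
                             : hostAllowed(policy, pageOrigin, script.src);
}

// Rule as the message proposes: the nonce only gates inline scripts (script
// elements with content); external scripts fall back to the host whitelist,
// so a whitelisted src runs without a nonce (and even with a stale one).
function allowedProposed(policy, pageOrigin, script) {
  if (nonceMatches(policy, script)) return true;
  if (script.src === null) return policy.unsafeInline;
  return hostAllowed(policy, pageOrigin, script.src);
}

// Constructed scenario: page at https://app.example, CDN whitelisted, one nonce.
const PAGE_ORIGIN = "https://app.example";
const POLICY = parseScriptSrc("'self' https://cdn.example 'nonce-abc123'");

function scriptEl(src, nonce) { return { src, nonce }; }

// Walk both rules over the two cases from the message plus a few neighbours.
function evaluateCases() {
  const cases = {
    nonceOkSrcNotListed: scriptEl("https://evil.example/x.js", "abc123"),
    noNonceSrcListed:    scriptEl("https://cdn.example/lib.js", null),
    noNonceSelf:         scriptEl("https://app.example/own.js", null),
    wrongNonceListed:    scriptEl("https://cdn.example/lib.js", "abc124"),
    inlineNoNonce:       scriptEl(null, null),
    inlineNonceOk:       scriptEl(null, "abc123"),
  };
  const out = {};
  for (const [name, s] of Object.entries(cases)) {
    out[name] = { draft: allowedDraftReading(POLICY, PAGE_ORIGIN, s),
                  proposed: allowedProposed(POLICY, PAGE_ORIGIN, s) };
  }
  return out;
}

console.log(evaluateCases());
```

The only rows where the two rules disagree are the external scripts without a valid nonce: the draft reading blocks them, the proposed rule defers to the whitelist. The CSP Level 2 Recommendation ended up treating a nonce source and a host source in the same directive as independent ways to allow a script, so a whitelisted external script runs without a nonce there, which is the behaviour the proposal asks for.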