- From: Mike West <mkwst@google.com>
- Date: Wed, 18 Jul 2012 21:38:58 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=eQEiOQ-WA4SpM9CEDPAjkchH4KpsMwymX6EN1HZw0iLw@mail.gmail.com>
Hello!
Over the past week or two, Adam has helped me make a few changes to the CSP
1.1 editor's draft. I think they're worth flagging here for comment.
* `script-nonce` has been cleaned up a bit, adding a non-normative "Usage"
section that attempts to explain the core functionality to web developers,
and making two things clear that confused me while experimenting with a
WebKit implementation. First, invalid nonces now fail loudly, blocking all
script execution on a page. Second, `script-nonce` is now explicitly a
check on script execution in _addition to_ `script-src`. If both directives
are defined, both restrictions must be met in order for a script to
execute. This, of course, was already the case, it's simply more clearly
stated.
See https://dvcs.w3.org/hg/content-security-policy/rev/b60168c4306f,
https://dvcs.w3.org/hg/content-security-policy/rev/ae736514341a, and
https://dvcs.w3.org/hg/content-security-policy/rev/b574fbf95a50 for details.
* The experimental script interface is no longer a super-method that does
everything, but a set of specific methods for each bit of information that
can be queried. This has a variety of advantages, not least of which that
it reads better ("Does the document's security policy allow eval?" ->
`document.securityPolicy.allowsEval()`). A non-normative "Usage" section
gives a high-level set of scenarios that the API is meant to service, and
usage examples for each.
See https://dvcs.w3.org/hg/content-security-policy/rev/bff58d373917 for
details.
Thanks! Comments are welcome.
--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Thursday, 19 July 2012 02:39:47 UTC