
Re: CSP 1.1: `script-nonce` and script interface edits.

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Wed, 18 Jul 2012 20:57:00 -0700
Message-ID: <CAF8haawLi4CtCnnLdL7hSDbTuRGEk38+HBmhmL+-nWPF75m79w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: public-webappsec@w3.org

Hi Mike:


> * `script-nonce` has been cleaned up a bit, adding a non-normative "Usage"
> section that attempts to explain the core functionality to web developers,
> and making two things clear that confused me while experimenting with a
> WebKit implementation. First, invalid nonces now fail loudly, blocking all
> script execution on a page.
>
Is there a particular motivation for this? (i.e., is there an attack that
would break the soft-fail case?)


-- 
-Eric
Received on Thursday, 19 July 2012 03:57:28 GMT
