Re: Script-nonce policies

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 2 Nov 2012 10:41:56 -0700
Message-ID: <CAJE5ia8U8e826epM7gNivQZFr7HdNSjgWJKfCt0PjQmogGNY3w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
[-public-web-security, +public-webappsec]

Maybe we should make script-nonce apply only to inline script elements?

Adam


On Fri, Nov 2, 2012 at 2:42 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> As I mentioned in the meeting, script-nonce seems like it would be
> more useful if there was a way to restrict its applicability to inline scripts,
> so I can have a site with a static security policy and a small number of inline
> scripts without having to rewrite every page that loads jQuery.
>
> Concrete suggestion: augment script nonce with a "policy" parameter
> such as:
>
> script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
> to mean that the nonce applies to both scripts or just inline scripts.
>
> -Ekr
>
Received on Friday, 2 November 2012 17:42:55 GMT
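As an added illustration (not code from this thread, the CSP draft, or any browser), the following JavaScript models how a user agent might evaluate Eric's proposed "script-nonce <nonce>,<policy>" syntax, with Adam's counter-proposal being the case where only the "inline" behaviour exists. The policy-string grammar, the function names, and the assumption that the "all" mode requires a matching nonce on external scripts as well as inline ones (so a page loading jQuery would have to add a nonce to that script tag) are all interpretations of the proposal, not settled semantics; source-list matching is deliberately simplified to host-prefix and 'self'.

```javascript
// Added example: a toy model of the proposed "script-nonce <nonce>,<policy>"
// directive from this thread. Not spec or browser code; names and the
// matching rules are assumptions made for illustration.

// Parse a policy string such as:
//   "script-src 'self' https://code.jquery.com; script-nonce abc123,inline"
// <policy> is "all" (the nonce governs inline and external scripts) or
// "inline" (the nonce governs inline scripts only). "all" is the default
// when no policy parameter is given.
function parsePolicy(header) {
  const policy = { scriptSrc: [], nonce: null, nonceScope: 'all' };
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    if (name === 'script-src') {
      policy.scriptSrc = values;
    } else if (name === 'script-nonce') {
      const [nonce, scope = 'all'] = (values[0] || '').split(',');
      if (!nonce) throw new Error('script-nonce requires a nonce value');
      if (scope !== 'all' && scope !== 'inline') {
        throw new Error('unknown script-nonce policy: ' + scope);
      }
      policy.nonce = nonce;
      policy.nonceScope = scope;
    }
  }
  return policy;
}

// Does an external script URL match the script-src source list?
// Simplified (assumption): supports 'none', 'self' and host-prefix matching.
function matchesSource(sourceList, url, origin) {
  if (sourceList.includes("'none'")) return false;
  return sourceList.some(src => {
    if (src === "'self'") return url.startsWith(origin + '/');
    if (src.startsWith("'")) return false; // keywords other than 'self' never match a URL
    return url.startsWith(src);
  });
}

// Decide whether a <script> element may execute under the policy.
// el is { inline: true, nonce? } or { inline: false, src, nonce? };
// origin is the document's origin, e.g. "https://example.com".
function mayExecute(policy, el, origin) {
  const nonceMatches = policy.nonce !== null && el.nonce === policy.nonce;
  if (el.inline) {
    // With a script-nonce present, only inline scripts carrying it may run;
    // otherwise the page falls back to whether 'unsafe-inline' was granted.
    if (policy.nonce !== null) return nonceMatches;
    return policy.scriptSrc.includes("'unsafe-inline'");
  }
  if (policy.nonce !== null && policy.nonceScope === 'all') {
    // "all": every external <script src> also needs the nonce, so a page
    // loading jQuery must be rewritten to add one.
    return nonceMatches;
  }
  // "inline" (or no script-nonce at all): external scripts are governed by
  // the static script-src list, leaving the jQuery tag untouched.
  return matchesSource(policy.scriptSrc, el.src, origin);
}

// Usage: the scenario from the thread, a static whitelist plus a nonce that
// should only affect inline scripts.
const origin = 'https://example.com';
const p = parsePolicy("script-src 'self' https://code.jquery.com; script-nonce abc123,inline");
console.log(mayExecute(p, { inline: true, nonce: 'abc123' }, origin));              // nonced inline: allowed
console.log(mayExecute(p, { inline: true }, origin));                               // un-nonced inline: blocked
console.log(mayExecute(p, { inline: false, src: 'https://code.jquery.com/jquery.js' }, origin)); // jQuery via whitelist: allowed
```

The difference between the two modes shows up only on the external-script branch: under "all" the same jQuery tag is blocked until it carries the nonce, which is exactly the rewrite cost Eric wants to avoid.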