- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 2 Nov 2012 10:41:56 -0700
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
[-public-web-security, +public-webappsec]

Maybe we should make script-nonce apply only to inline script elements?

Adam

On Fri, Nov 2, 2012 at 2:42 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> As I mentioned in the meeting, script-nonce seems like it would be
> more useful if there was a way to restrict its applicability to inline scripts,
> so I can have a site with a static security policy and a small number of inline
> scripts without having to rewrite every page that loads jQuery.
>
> Concrete suggestion: augment script nonce with a "policy" parameter
> such as:
>
> script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
> to mean that the nonce applies to both scripts or just inline scripts.
>
> -Ekr
Received on Friday, 2 November 2012 17:42:55 UTC