
Re: Script-nonce policies

From: Joel Howard Willis Weinberger <jww@cs.berkeley.edu>
Date: Fri, 2 Nov 2012 11:14:29 -0700
Message-ID: <CAB8E7fcu1T8wsCO1jiivjn61bfCA0aqUC6b0iXcgBAgatkeRNw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Perhaps I've missed this in previous conversations, but why is script-nonce
restricted only to scripts? Why not allow other (potentially arbitrary)
uses of the nonces for forms, for example? If one is worried about any
particular type of element injection, couldn't the nonce attribute be
useful? Why not have a more general 'nonce policy' that allows directives
of not just 'all' or 'inline', but also 'forms', 'input', etc.?
--Joel


On Fri, Nov 2, 2012 at 10:41 AM, Adam Barth <w3c@adambarth.com> wrote:

> [-public-web-security, +public-webappsec]
>
> Maybe we should make script-nonce apply only to inline script elements?
>
> Adam
>
>
> On Fri, Nov 2, 2012 at 2:42 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > As I mentioned in the meeting, script-nonce seems like it would be
> > more useful if there was a way to restrict its applicability to inline scripts,
> > so I can have a site with a static security policy and a small number of inline
> > scripts without having to rewrite every page that loads jQuery.
> >
> > Concrete suggestion: augment script nonce with a "policy" parameter
> > such as:
> >
> > script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
> > to mean that the nonce applies to both scripts or just inline scripts.
> >
> > -Ekr
> >
>
>
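A model of the "policy" parameter Ekr proposes above, added here as an example; it is not code from the thread, from any browser, or from the CSP specification. The element shape, the `decide` helper and the assumption that an omitted policy means "all" are constructed for illustration.

```javascript
// Added model of the proposed "script-nonce <nonce>,<policy>" directive.
// Hypothetical: it parses the directive value and decides, per script
// element, whether the element may run. Not a browser or spec implementation.

function parseScriptNonce(directiveValue) {
  // Proposed syntax: "<nonce>,<policy>" with policy "all" or "inline".
  // Assumption: an omitted policy means "all" (original script-nonce semantics).
  const [nonce, policy = "all"] = directiveValue.split(",").map((s) => s.trim());
  if (!nonce) throw new Error("script-nonce: missing nonce value");
  if (policy !== "all" && policy !== "inline") {
    throw new Error(`script-nonce: unknown policy "${policy}"`);
  }
  return { nonce, policy };
}

// A script element is modelled as { id, inline, nonce? } (constructed shape).
function mayExecute(script, directive) {
  // Policy "inline": external (src=) scripts are left to the rest of the
  // policy, e.g. a static script-src allow-list, so no nonce is required.
  if (directive.policy === "inline" && !script.inline) return true;
  // Policy "all", or an inline script: the nonce attribute must match exactly.
  return script.nonce === directive.nonce;
}

// Apply the directive to every script on a page; returns { id: allowed }.
function decide(scripts, directiveValue) {
  const directive = parseScriptNonce(directiveValue);
  const result = {};
  for (const script of scripts) result[script.id] = mayExecute(script, directive);
  return result;
}

// Constructed sample page: one external library, one legitimate inline
// script carrying the nonce, and two inline scripts an injection might add.
const SAMPLE_SCRIPTS = [
  { id: "jquery", inline: false },                   // <script src="jquery.js">
  { id: "init", inline: true, nonce: "abc123" },     // server-emitted, nonced
  { id: "injected", inline: true },                  // no nonce attribute
  { id: "guessed", inline: true, nonce: "zzz999" },  // wrong nonce
];

// With "abc123,inline" jQuery loads without a nonce and the two unexpected
// inline scripts are blocked; with "abc123,all" jQuery is blocked as well.
console.log(decide(SAMPLE_SCRIPTS, "abc123,inline"));
console.log(decide(SAMPLE_SCRIPTS, "abc123,all"));
```

The "inline" policy is what lets a page keep a static allow-list for external scripts while only the inline blocks need the per-response nonce.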
Received on Friday, 2 November 2012 18:14:55 GMT
