
Re: Supporting base64 in nonce-value

From: Mike West <mkwst@google.com>
Date: Mon, 5 Aug 2013 16:03:26 +0200
Message-ID: <CAKXHy=c=Wr5TpeNty2USS1OkX6uE2A9hea443MrisuxyK6X_ww@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I've made this change in the draft:
https://dvcs.w3.org/hg/content-security-policy/rev/ddb92226c9dc

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores


On Thu, Jul 4, 2013 at 12:12 AM, Joel Weinberger <jww@chromium.org> wrote:

> Also in agreement on both accounts.
>
>
> On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson <grobinson@mozilla.com> wrote:
>
>> On 06/28/2013 07:06 PM, Adam Barth wrote:
>> > Currently we specify nonce-value as follows:
>> >
>> > nonce-value       = *( ALPHA / DIGIT )
>> >
>> > Some folks who've been experimenting with nonce-source have requested
>> > that we expand the set of allowed characters in nonce-value to include
>> > '+' and '/'.  That way the set of allowed characters will match the
>> > characters used by base64.
>> >
>>
>> I don't see any problems with this.
>>
>> > Also, I wonder if we should require a minimum number of characters in
>> > the nonce.  Maybe at least 1 character?  Having zero seems like an
>> > error.
>> >
>>
>> We just noticed this while I was working on script-nonce for Firefox
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also
>> advocate changing the * to a + so at least 1 character is required in a
>> valid nonce.
>>
>> > Thoughts?
>> > Adam
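The two nonce-value grammars under discussion side by side, as an added example that is not part of this thread or the CSP draft: the original `*( ALPHA / DIGIT )`, and the proposed form with '+' and '/' added and `*` changed to `1*`. The regexes, the 15-byte nonce length and the helper names are my own choices; note that standard base64 of a byte count that is not a multiple of 3 ends in '=' padding, which the alphabet proposed here does not include.

```python
import re
import base64
import secrets

# Original ABNF: nonce-value = *( ALPHA / DIGIT )
# Zero repetitions are allowed, so the empty string is a "valid" nonce.
ORIGINAL_NONCE_VALUE = re.compile(r"[A-Za-z0-9]*")

# Proposed ABNF: nonce-value = 1*( ALPHA / DIGIT / "+" / "/" )
# Adds the two non-alphanumeric base64 characters and requires >= 1 char.
PROPOSED_NONCE_VALUE = re.compile(r"[A-Za-z0-9+/]+")


def is_valid_nonce(value: str, grammar: re.Pattern = PROPOSED_NONCE_VALUE) -> bool:
    """Return True if the whole string matches the given nonce-value grammar."""
    return grammar.fullmatch(value) is not None


def generate_nonce(num_bytes: int = 15) -> str:
    """Generate a fresh per-response nonce: CSPRNG bytes, base64-encoded.

    15 bytes (120 bits) is a multiple of 3, so base64 emits no '=' padding.
    With 16 bytes the output ends in '==' and would not match the proposed
    grammar, which only adds '+' and '/' to the alphabet.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_source_matches(policy_nonce: str, script_nonce: str) -> bool:
    """Would a script's nonce attribute satisfy a 'nonce-<value>' source?

    Both sides must be well-formed under the proposed grammar (so an empty
    nonce can never match anything) and must compare exactly.
    """
    if not (is_valid_nonce(policy_nonce) and is_valid_nonce(script_nonce)):
        return False
    return policy_nonce == script_nonce


if __name__ == "__main__":
    # Constructed sample values showing where the two grammars disagree.
    for sample in ["", "abc123", "rAnd0m+/", "abcd=="]:
        print(repr(sample),
              "original:", is_valid_nonce(sample, ORIGINAL_NONCE_VALUE),
              "proposed:", is_valid_nonce(sample))
```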
Received on Monday, 5 August 2013 14:04:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC