- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 13 Dec 2013 13:33:47 -0800
- To: Pete Freitag <pete@foundeo.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Are you suggesting that the behavior should be to allow inline event
> handlers, and only allow script tags with a valid nonce to execute when both
> unsafe-inline and a nonce are present? I prefer the backwards compatible
> route.

yes!

> The huge
> advantage to this approach is that developers don't need to specify
> different Content-Security-Policy headers to clients that only support CSP
> 1.0 to be able to use the nonce or hash.

This seems to be the argument behind the change. My concern is that it assumes that nonce is only used for inline scripts. But a nonce source can also be used for external resources, something that is completely separate from inline scripts.

--
Dev
Received on Friday, 13 December 2013 21:34:33 UTC
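The distinction Dev draws above (a nonce source applies to external scripts as well as inline ones), as an added example that is not part of the original thread: a simplified Python model of how a CSP 1.0 client, which ignores the unrecognised `'nonce-…'` source expression, and a nonce-aware client following the backwards-compatible variant discussed in the thread evaluate the same `script-src` directive. The policy string, page origin, script URLs and nonce value are constructed for illustration.

```python
# Simplified model of script-src evaluation by two client generations.
# Added example for the thread above, not W3C or browser code; the policy,
# origin, URLs and nonce are constructed. Host matching is a crude prefix
# match, enough to show the nonce-versus-host distinction.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

PAGE_ORIGIN = "https://app.example"  # constructed
POLICY = "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'"  # constructed


@dataclass
class ScriptLoad:
    kind: str                    # "inline" or "external"
    nonce: Optional[str] = None  # value of the element's nonce attribute
    src: Optional[str] = None    # URL of an external script


def parse_script_src(header: str) -> List[str]:
    """Return the source list of the script-src directive, or [] if absent."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def host_allowed(sources: List[str], load: ScriptLoad) -> bool:
    """Host-source check: 'self' or a scheme://host prefix in the list."""
    u = urlparse(load.src or "")
    origin = f"{u.scheme}://{u.netloc}"
    return any(
        (s == "'self'" and origin == PAGE_ORIGIN)
        or (s.startswith("http") and (load.src or "").startswith(s))
        for s in sources
    )


def csp10_allows(header: str, load: ScriptLoad) -> bool:
    """CSP 1.0 client: 'nonce-...' is unrecognised and silently dropped."""
    sources = [s for s in parse_script_src(header) if not s.startswith("'nonce-")]
    if load.kind == "inline":
        return "'unsafe-inline'" in sources
    return host_allowed(sources, load)


def nonce_aware_allows(header: str, load: ScriptLoad) -> bool:
    """Nonce-aware client, backwards-compatible variant from the thread:
    a matching nonce admits the script whether inline or external, and
    'unsafe-inline' still admits inline script for older-style pages."""
    sources = parse_script_src(header)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if load.nonce is not None and load.nonce in nonces:
        return True
    if load.kind == "inline":
        return "'unsafe-inline'" in sources
    return host_allowed(sources, load)
```

A nonced external script from a host not in the source list is blocked by the CSP 1.0 client but allowed by the nonce-aware one, which is the case a single shared header cannot paper over.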