- From: Dionysis Zindros <dionyziz@gmail.com>
- Date: Fri, 13 Dec 2013 13:47:55 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Dec 13, 2013 at 1:33 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

>> Are you suggesting that the behavior should be to allow inline event
>> handlers, and only allow script tags with a valid nonce to execute when both
>> unsafe-inline and a nonce are present? I prefer the backwards compatible
>> route.
>
> yes!
>
>> The huge
>> advantage to this approach is that developers don't need to specify
>> different Content-Security-Policy headers to clients that only support CSP
>> 1.0 to be able to use the nonce or hash.
>
> This seems to be the argument behind the change. My concern is that it
> assumes that nonce is only used for inline scripts. But a nonce source
> can also be used for external resources, something that is completely
> separate from inline scripts.

The current spec is explicit about allowing nonces and hashes for only inline script use:

"The script-src directive lets developers specify exactly which script elements on a page were intentionally included for execution. Ideally, developers would avoid inline script entirely and whitelist scripts by URL. However, in some cases, removing inline scripts can be difficult or impossible. For those cases, developers can whitelist scripts using a randomly generated nonce."

External scripts can only be allowed by URL. Do you suggest we change that?

> -- Dev
Received on Friday, 13 December 2013 21:48:42 UTC
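As an added illustration of the backwards-compatibility argument in this thread (example code, not from the thread or from any browser's CSP implementation): a toy model of how a CSP 1.0 client and a client implementing the proposed behaviour would evaluate the same script-src value. The policy string, nonce value and URLs are constructed; hash sources and 'self' are left out of the model.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Script:
    kind: str        # "inline", "event-handler" or "external"
    nonce: str = ""  # nonce attribute on the element, if any
    url: str = ""    # script URL for external scripts


def parse_script_src(directive: str) -> dict:
    """Split a script-src value into the source kinds this toy model understands.

    Keyword sources other than 'unsafe-inline' and 'nonce-...' (for example
    'self' or hashes) are ignored; any token not starting with a quote is
    treated as a host source.
    """
    tokens = directive.split()
    return {
        "unsafe_inline": "'unsafe-inline'" in tokens,
        "nonces": {t[len("'nonce-"):-1] for t in tokens if t.startswith("'nonce-")},
        "hosts": {urlparse(t).netloc or t for t in tokens if not t.startswith("'")},
    }


def allowed(directive: str, script: Script, csp_version: str) -> bool:
    """Return True if the script may execute under the given client behaviour.

    "1.0": nonce sources are unknown to the client and ignored, so
           'unsafe-inline' alone decides inline scripts and event handlers.
    "1.1": the behaviour discussed in the thread: if a nonce source is
           present, the client ignores 'unsafe-inline'; inline scripts then
           need a matching nonce and inline event handlers are blocked,
           since they cannot carry a nonce.
    External scripts are matched by host only in both cases, as the spec text
    quoted in the message says (modelling assumption, not a spec citation).
    """
    p = parse_script_src(directive)
    if script.kind == "external":
        return urlparse(script.url).netloc in p["hosts"]
    if csp_version == "1.0" or not p["nonces"]:
        return p["unsafe_inline"]
    if script.kind == "inline":
        return script.nonce in p["nonces"]
    return False  # inline event handler under a nonce policy
```

Running the same policy through both branches shows why one header can serve both client generations: the 1.0 client keeps working on 'unsafe-inline', while the newer client enforces the nonce.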