
Re: Hashes/Nonce Source and unsafe-inline

From: Pete Freitag <pete@foundeo.com>
Date: Mon, 16 Dec 2013 13:28:35 -0500
Message-ID: <CAADZ8V6=6OoSK5KZwFNBDxCyr5KgJZqiCWWHk4NP7Hu07NBThA@mail.gmail.com>
To: Dionysis Zindros <dionyziz@gmail.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com> wrote:

> The current spec is explicit about allowing nonces and hashes for only
> inline script use

The current spec mentions hashes and nonces in the style-src section, but in
the Valid Hashes section,
https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
it only mentions script. I would expect them to work in style-src as well
as script-src does. Does the valid-hashes section need to be updated, or is the
style-src section wrong?

Also, wouldn't it be possible in theory to solve Dev's problem by allowing
hashes of inline event handlers? This could also potentially help ease
adoption in legacy applications. I don't know what kind of challenges that
would present for the browser vendors to implement; obviously not anything
I would want holding up CSP 1.1.

--
Pete Freitag
http://foundeo.com
http://content-security-policy.com/ - CSP Quick Reference
Received on Monday, 16 December 2013 18:29:24 UTC
