
Re: Hashes/Nonce Source and unsafe-inline

From: Neil Matatall <neilm@twitter.com>
Date: Mon, 16 Dec 2013 10:42:13 -0800
Message-ID: <CAOFLtbhq+C5GtNuQKhQV5ubeHJYqOBWV3Rt7fC2=nCJH-SepfQ@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: Dionysis Zindros <dionyziz@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> I would expect them to work in style-src as well as script-src does the valid-hashes section need to be updated or is the style-src section wrong?

Pete, yeah same should apply to inline script tags.

Had a chat with Dev, and as Pete mentions, this would definitely
help increase adoption. Seems like another source-expression would be
the clearest.
On Mon, Dec 16, 2013 at 10:28 AM, Pete Freitag <pete@foundeo.com> wrote:
> On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com>
> wrote:
>>
>> The current spec is explicit about allowing nonces and hashes for only
>> inline script use
>
>
> The current spec mentions hashes and nonce in the style-src section, but in
> the Valid Hashes section,
> https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
> it only mentions script. I would expect them to work in style-src as well as
> script-src does the valid-hashes section need to be updated or is the
> style-src section wrong?
>
> Also wouldn't it be possible in theory to solve Dev's problem by allowing
> hashes of inline event handlers? This could also potentially help ease
> adoption in legacy applications. I don't know what kind of challenges that
> would present for the browser vendors to implement, obviously not anything I
> would want holding up CSP1.1.
>
> --
> Pete Freitag
> http://foundeo.com
> http://content-security-policy.com/ - CSP Quick Reference
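As an added example (not code from this thread), here is how the hash source expression discussed above is derived for an inline `<script>` or `<style>` block and then checked against a policy; the tag scan and the sample page are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample page with one inline style and one inline script.
SAMPLE_HTML = """<html><head>
<style>body { color: red; }</style>
<script>console.log("hi");</script>
</head><body></body></html>"""


def csp_hash(inline_content: str, algo: str = "sha256") -> str:
    """Return the CSP source expression for the element's text content.

    The content is hashed exactly as it appears between the tags,
    whitespace included, and the digest is base64-encoded.
    """
    digest = hashlib.new(algo, inline_content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


# Simplified scan for inline blocks; a real deployment would use an HTML parser.
_INLINE = re.compile(r"<(script|style)\b[^>]*>(.*?)</\1>", re.DOTALL | re.IGNORECASE)


def build_policy(html: str) -> str:
    """Emit script-src and style-src directives whitelisting each inline block by hash."""
    sources = {"script-src": ["'self'"], "style-src": ["'self'"]}
    for tag, body in _INLINE.findall(html):
        directive = "script-src" if tag.lower() == "script" else "style-src"
        expr = csp_hash(body)
        if expr not in sources[directive]:
            sources[directive].append(expr)
    return "; ".join(f"{d} {' '.join(s)}" for d, s in sources.items())


def inline_allowed(policy: str, directive: str, content: str) -> bool:
    """True if the directive lists a hash matching this exact inline content."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return csp_hash(content) in tokens[1:]
    return False
```

Note that inline event handler attributes (the `onclick` case raised above) are not covered by this scan, which is exactly the gap Pete's question is about.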
Received on Monday, 16 December 2013 18:42:41 UTC
