
Re: Supporting base64 in nonce-value

From: Garrett Robinson <grobinson@mozilla.com>
Date: Mon, 01 Jul 2013 16:43:30 -0700
Message-ID: <51D21422.6000407@mozilla.com>
To: public-webappsec@w3.org

On 06/28/2013 07:06 PM, Adam Barth wrote:
> Currently we specify nonce-value as follows:
> 
> nonce-value       = *( ALPHA / DIGIT )
> 
> Some folks who've been experimenting with nonce-source have requested
> that we expand the set of allowed characters in nonce-value to include
> '+' and '/'.  That way the set of allowed characters will match the
> characters used by base64.
> 

I don't see any problems with this.

> Also, I wonder if we should require a minimum number of characters in
> the nonce.  Maybe at least 1 character?  Having zero seems like an
> error.
> 

We just noticed this while I was working on script-nonce for Firefox
(https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also
advocate changing the * to a + so at least 1 character is required in a
valid nonce.

> Thoughts?
> Adam
> 
Received on Monday, 1 July 2013 23:43:58 UTC
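
The grammar change discussed in this message, as an added example that is not part of the original email or of any browser's code: it checks nonces against the quoted `*( ALPHA / DIGIT )` rule and against a rule that combines both suggestions ('+' and '/' allowed, at least one character). The names `CURRENT`, `PROPOSED`, `check` and the sample bytes are assumptions made for the illustration; note that the '=' padding of standard base64 is not among the characters named in the thread.

```python
import base64
import re

# Grammar quoted in the message: nonce-value = *( ALPHA / DIGIT )
CURRENT = re.compile(r"[A-Za-z0-9]*")
# Both suggestions from the thread, combined here as an assumption:
# allow '+' and '/', and require at least one character ('*' becomes '+').
PROPOSED = re.compile(r"[A-Za-z0-9+/]+")


def is_valid(nonce: str, grammar: re.Pattern) -> bool:
    """True when the whole string matches the given nonce-value grammar."""
    return grammar.fullmatch(nonce) is not None


def base64_nonce(raw: bytes) -> str:
    """Standard base64 encoding of raw nonce bytes, padding included."""
    return base64.b64encode(raw).decode("ascii")


def check(nonce: str) -> dict:
    """Validate one nonce under both grammars."""
    return {
        "current": is_valid(nonce, CURRENT),
        "proposed": is_valid(nonce, PROPOSED),
    }


# Constructed sample inputs. The bytes are fixed so the results are
# reproducible; a real server would draw them from a CSPRNG such as
# secrets.token_bytes().
SAMPLES = {
    "empty": "",
    "alnum": "abc123",
    # 18 bytes is a multiple of 3, so the encoding carries no '=' padding.
    "b64_18_bytes": base64_nonce(bytes([0xFB, 0xFF, 0xBE] * 6)),
    # 16 bytes is not a multiple of 3, so the encoding ends in '=='.
    "b64_16_bytes": base64_nonce(bytes([0xFB, 0xFF, 0xBE] * 5 + [0x01])),
}

if __name__ == "__main__":
    for name, nonce in SAMPLES.items():
        print(f"{name:14} {nonce!r:30} {check(nonce)}")
```

A server that wants base64 nonces to pass the combined rule has to pick a byte length that is a multiple of 3 or strip the padding before emitting the nonce.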
