
Re: Supporting base64 in nonce-value

From: Joel Weinberger <jww@chromium.org>
Date: Wed, 3 Jul 2013 15:12:50 -0700
Message-ID: <CAHQV2K=zwLtPtZx4PE7KAnPvvEJhQyeaxt3==_ngZLCD5qx2xg@mail.gmail.com>
To: Garrett Robinson <grobinson@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Also in agreement on both accounts.


On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson <grobinson@mozilla.com> wrote:

> On 06/28/2013 07:06 PM, Adam Barth wrote:
> > Currently we specify nonce-value as follows:
> >
> > nonce-value       = *( ALPHA / DIGIT )
> >
> > Some folks who've been experimenting with nonce-source have requested
> > that we expand the set of allowed characters in nonce-value to include
> > '+' and '/'.  That way the set of allowed characters will match the
> > characters used by base64.
> >
>
> I don't see any problems with this.
>
> > Also, I wonder if we should require a minimum number of characters in
> > the nonce.  Maybe at least 1 character?  Having zero seems like an
> > error.
> >
>
> We just noticed this while I was working on script-nonce for Firefox
> (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also
> advocate changing the * to a + so at least 1 character is required in a
> valid nonce.
>
> > Thoughts?
> > Adam
> >
>
Received on Wednesday, 3 July 2013 22:13:17 UTC
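
The two grammars discussed in this thread, checked against sample nonces. This is an added example, not code from the thread or from any browser; the function names and sample values are constructed for illustration. It also shows that standard base64 emits '=' padding unless the input length is a multiple of 3, a character the proposal as quoted ('+' and '/' only) does not cover.

```python
import base64
import re
import secrets

# Grammar quoted in the thread: nonce-value = *( ALPHA / DIGIT )
CURRENT = re.compile(r"[A-Za-z0-9]*")
# Thread's proposal: also allow '+' and '/', and change '*' to '+' (1 or more).
PROPOSED = re.compile(r"[A-Za-z0-9+/]+")


def matches_current(value: str) -> bool:
    """True if value is a valid nonce-value under the grammar quoted above."""
    return CURRENT.fullmatch(value) is not None


def matches_proposed(value: str) -> bool:
    """True if value is valid under the change proposed in the thread."""
    return PROPOSED.fullmatch(value) is not None


def make_nonce(num_bytes: int = 18) -> str:
    """Base64-encode CSPRNG output (hypothetical helper).

    A byte count divisible by 3 produces no '=' padding, so the result
    stays inside the proposed character set.
    """
    if num_bytes <= 0 or num_bytes % 3:
        raise ValueError("num_bytes must be a positive multiple of 3")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


# Constructed sample values, not taken from the thread.
SAMPLES = {
    "empty": "",
    "alphanumeric": "abc123",
    "base64 with + and /": base64.b64encode(b"\xfb\xff\xbf").decode("ascii"),
    "base64 with padding": base64.b64encode(b"\x00" * 16).decode("ascii"),
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:22} {value!r:30} current={matches_current(value)} "
              f"proposed={matches_proposed(value)}")
    print("fresh nonce:", make_nonce())
```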
