
CSP 1.1: Nonce-source and unsafe-inline

From: Danesh Irani <danesh@google.com>
Date: Wed, 17 Jul 2013 15:12:36 -0700
Message-ID: <CAPDPM2a+aqaFA04VJ4YXU1Dzv8agovA48Tc2yQAC15LxOY4Wtg@mail.gmail.com>
To: public-webappsec@w3.org
Hi all,

In the CSP 1.1 spec, a directive that has both nonce-source and
unsafe-inline buys the user no additional protection as the browser will
just allow all inline scripts. Previous CSP 1.1 versions of the spec
indicated that when both directive values were specified the unsafe-inline
would be ignored and nonce-source would be enforced (
http://www.w3.org/TR/2012/WD-CSP11-20121213/#interaction-with-the-script-src-directive
).

From a web app deployment perspective it would be great if having a valid
nonce-source invalidated an 'unsafe-inline', as this would allow having a
single CSP 1.1 header which provides additional security for new browsers,
but also works for old browsers (sort of like providing a
backward-compatible policy and avoiding the unpleasantness of user-agent
specific CSP). Only the CSP 1.1 spec would have to be modified to specify
that new browsers ignore 'unsafe-inline' if a nonce-source is present.

Any thoughts?

Thanks,
Danesh
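The deployment scenario above, as an added illustration that is not part of the original post: a small model of how a browser decides whether an inline script runs under a script-src directive, with one flag for a CSP 1.0 browser that does not know nonce-source (assumed here to ignore the unrecognised token) and one flag switching between the then-current CSP 1.1 draft ('unsafe-inline' wins) and the earlier draft behaviour Danesh asks for (a present nonce-source makes 'unsafe-inline' ignored). All function names and the sample policy are constructed for this example.

```python
from typing import Optional, Set


def parse_script_src(directive: str) -> dict:
    """Pull out the two parts of a script-src value that matter here.

    Accepts either the bare value or the full "script-src ..." directive.
    """
    tokens = directive.split()
    if tokens and tokens[0] == "script-src":
        tokens = tokens[1:]
    nonces: Set[str] = {
        t[len("'nonce-"):-1]
        for t in tokens
        if t.startswith("'nonce-") and t.endswith("'")
    }
    return {"unsafe_inline": "'unsafe-inline'" in tokens, "nonces": nonces}


def allows_inline(directive: str, script_nonce: Optional[str], *,
                  supports_nonces: bool,
                  nonce_overrides_unsafe_inline: bool) -> bool:
    """Decide whether one inline <script> (with nonce attribute script_nonce,
    or None if it has none) is allowed to execute.

    supports_nonces=False models a CSP 1.0 browser: nonce-source is an
        unknown source expression, assumed to be ignored, so only
        'unsafe-inline' decides.
    nonce_overrides_unsafe_inline=True models the earlier CSP 1.1 draft
        (nonce-source present => 'unsafe-inline' ignored); False models the
        draft Danesh describes, where 'unsafe-inline' allows everything.
    """
    policy = parse_script_src(directive)
    if not supports_nonces:
        return policy["unsafe_inline"]
    if policy["nonces"] and nonce_overrides_unsafe_inline:
        # Nonce-aware browser enforces nonces; 'unsafe-inline' is ignored.
        return script_nonce in policy["nonces"]
    if policy["unsafe_inline"]:
        return True
    return script_nonce in policy["nonces"]


# Constructed sample header value: the single backward-compatible policy
# Danesh describes, carrying both a nonce-source and 'unsafe-inline'.
COMBINED_POLICY = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"
```

Under the current-draft flag the nonce buys nothing (an un-nonced inline script still runs in a new browser); under the earlier-draft flag the same header blocks it in new browsers while old browsers keep working.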
Received on Thursday, 18 July 2013 11:58:46 UTC
