
About script-nonce

From: David Bruant <bruant.d@gmail.com>
Date: Tue, 05 Mar 2013 20:24:01 +0100
Message-ID: <51364651.3020302@gmail.com>
To: public-webappsec@w3.org

Hi,

I feel that the kind of use cases script-nonce enables ("strictly 
specify exactly which script elements on a page were intentionally 
included for execution") could be accomplished by doing the following:
1) Send CSP directive with script-src forbidding inline scripts (but 
allowing unsafe-eval)
2) Send some inline <script>s in the HTML anyway but identify the 
trusted ones by a given id/class/data/type attribute (possibly randomly 
generated)
3) Have some code that reads HTMLScriptElements.textContent and eval it. 
"eval it" here could also mean using the ES6 Loader API [1].

Which gets me wondering, how will CSP/unsafe-eval interact with the ES6 
Loader API?

David

[1] http://wiki.ecmascript.org/doku.php?id=harmony:module_loaders
Received on Tuesday, 5 March 2013 19:24:31 GMT
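The three-step emulation David sketches, as an added example that is not part of the original message or any W3C code; the header value, the `text/x-trusted` type, the `data-token` attribute name and the sample token are assumptions.

```javascript
// Added example (not from David Bruant's message): emulating script-nonce with
// CSP 'unsafe-eval' plus a per-response token, following the three steps above.
//
// Step 1, server side (assumed header):
//   Content-Security-Policy: script-src 'self' 'unsafe-eval'
// Step 2, markup: trusted inline scripts get a type the browser never executes
//   plus the token the server generated for this response (e.g. 16 random bytes):
//   <script type="text/x-trusted" data-token="TOKEN">...</script>
// Step 3: this loader, served as an external 'self' script, obtains the expected
//   token from something injected markup cannot write (e.g. a server-rendered
//   attribute on its own <script src> element) and evals only matching blocks.

const TRUSTED_TYPE = "text/x-trusted"; // assumed marker type

// Minimal stand-in for an HTMLScriptElement so the loader runs without a DOM;
// in a browser, pass document.querySelectorAll("script") instead.
function makeScriptElement(attrs, textContent) {
  return {
    textContent,
    getAttribute(name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    },
  };
}

// Run each trusted inline block carrying the expected token; returns how many ran.
// Blocks with no token, a wrong token, or another type are skipped.
function runTrustedScripts(elements, expectedToken) {
  let executed = 0;
  for (const el of elements) {
    if (el.getAttribute("type") !== TRUSTED_TYPE) continue;
    if (el.getAttribute("data-token") !== expectedToken) continue;
    // Indirect eval runs the text in global scope, as a normal <script> would;
    // CSP blocks it as an inline script, but 'unsafe-eval' permits this path.
    (0, eval)(el.textContent);
    executed += 1;
  }
  return executed;
}

// Constructed sample: one trusted block plus two that an injection might add.
const SAMPLE_TOKEN = "Zm9yLWV4YW1wbGUtb25seQ"; // constructed, not random
const SAMPLE_SCRIPTS = [
  makeScriptElement({ type: TRUSTED_TYPE, "data-token": SAMPLE_TOKEN },
    "globalThis.trustedRan = (globalThis.trustedRan || 0) + 1;"),
  makeScriptElement({ type: TRUSTED_TYPE },
    "globalThis.injectedRan = true;"), // no token: skipped
  makeScriptElement({ type: TRUSTED_TYPE, "data-token": "guess" },
    "globalThis.injectedRan = true;"), // wrong token: skipped
];
```

Note that 'unsafe-eval' applies to the whole page, so any script that runs at all regains eval; the token only decides which inline blocks the loader executes, which is the trade-off against a real script-nonce.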
