
RE: Nonces/hashes in source expressions.

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 18 Mar 2013 16:19:22 +0000
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "Adam Barth" <w3c@adambarth.com>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27969080@DEN-EXDDA-S12.corp.ebay.com>
<hat type="individual"> 

I like it.  

</hat>

<hat type="chair"> 

This draft is relevant to consider vs. inventing a new identifier syntax, though it is less compact than what you suggest:

http://tools.ietf.org/html/draft-farrell-decade-ni-10

</hat>

Brad Hill

-------------------------
From: Mike West [mailto:mkwst@google.com] 
Sent: Monday, March 18, 2013 10:04 AM
To: public-webappsec@w3.org; dveditz@mozilla.com; Adam Barth
Subject: Nonces/hashes in source expressions.

Before I copy/paste a bunch of text to stub out a 'style-nonce' directive for CSP 1.1, I'd like to run something by you lovely folks that I think we've talked about once or twice on the calls. It seems like it could reduce repetition and confusion if we fold nonces or hashes into the existing directives as another type of source expression.

As a strawman, how would you feel about rewriting 'script-nonce ABCDEFG' as 'script-src nonce:ABCDEFG'? This would make an "or" relationship with 'script-src' clear on the one hand, and make room for something like 'script-src sha1:...' on the other. I think it would simplify the structure in a nice way, and seems more comprehensible and reusable in general.

I'm sure others of you will have ideas about syntax (perhaps it's a bad idea to replicate scheme-like structures... maybe '#' would be a better separator, since it's sometimes read as "hash" anyway), but I'm hoping the general idea is reasonable. 


--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
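Added illustration, not code from the thread or from any CSP implementation: a toy matcher for the strawman `script-src nonce:... sha1:...` syntax Mike sketches above, showing how nonce and hash source expressions would combine with ordinary host sources when deciding whether an inline script may run. The colon-prefixed labels come from the message; hex encoding of the digest, the `sha256` label and the function names are assumptions made here.

```python
import hashlib
import hmac

# Assumed: the label before ':' is the hashlib algorithm name; digests are hex.
HASH_ALGOS = {"sha1", "sha256"}


def parse_source_list(value):
    """Split a directive value into (kind, payload) pairs.

    kind is 'nonce', a hash algorithm name, or 'host' for everything else
    ('self', scheme or host expressions), which this toy does not evaluate.
    """
    out = []
    for expr in value.split():
        label, sep, payload = expr.partition(":")
        if sep and label == "nonce" and payload:
            out.append(("nonce", payload))
        elif sep and label in HASH_ALGOS and payload:
            out.append((label, payload.lower()))
        else:
            out.append(("host", expr))
    return out


def script_hash(algo, script_body):
    """Hex digest of an inline script body under the given algorithm."""
    return hashlib.new(algo, script_body.encode("utf-8")).hexdigest()


def inline_script_allowed(directive_value, script_body, script_nonce=None):
    """Decide whether an inline script may run under the strawman syntax.

    Allowed if the page's nonce matches a nonce: source, or the body's digest
    matches a hash source.  Host sources never permit inline script, which is
    CSP's existing behaviour.
    """
    for kind, payload in parse_source_list(directive_value):
        if kind == "nonce":
            if script_nonce is not None and hmac.compare_digest(payload, script_nonce):
                return True
        elif kind in HASH_ALGOS:
            if hmac.compare_digest(script_hash(kind, script_body), payload):
                return True
    return False
```

CSP Level 2 later standardized this idea as quoted `'nonce-...'` and `'sha256-<base64>'` source expressions rather than the colon form shown here.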
Received on Monday, 18 March 2013 16:19:51 UTC
