W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

RE: Nonces/hashes in source expressions.

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 17:35:16 +0100
Message-ID: <CAKXHy=dNn_DCXzxq+TPZ-0QvxqR5nmKWkKdWDuNwk+35GxSNmg@mail.gmail.com>
To: Brad Hill <bhill@paypal-inc.com>
Cc: dveditz@mozilla.com, public-webappsec@w3.org, Adam Barth <w3c@adambarth.com>
One more observation: we can currently safely assume that ';' separates
directives. We could no longer make that assumption with this format, which
would make parsing slightly more complicated.

-mike
On Mar 18, 2013 5:31 PM, "Mike West" <mkwst@google.com> wrote:

> Thanks for the link, it's very informative. The only reservation I have is
> that it seems to imply a 1:1 relationship between the URL and the resource
> being described (modulo collisions). Nonces are meant to collide, probably
> multiple times on a single page.
>
> That said, I don't feel strongly about the format. I'd be happy to adopt
> that format wholesale, assuming the general idea (which, the more I think
> about, the more strongly I favor) is acceptable.
>
> -mike
> On Mar 18, 2013 5:19 PM, "Hill, Brad" <bhill@paypal-inc.com> wrote:
>
>> <hat type="individual">
>>
>> I like it.
>>
>> </hat>
>>
>> <hat type="chair">
>>
>> This draft is relevant to consider vs. inventing a new identifier syntax,
>> though it is less compact than what you suggest:
>>
>> http://tools.ietf.org/html/draft-farrell-decade-ni-10
>>
>> </hat>
>>
>> Brad Hill
>>
>> -------------------------
>> From: Mike West [mailto:mkwst@google.com]
>> Sent: Monday, March 18, 2013 10:04 AM
>> To: public-webappsec@w3.org; dveditz@mozilla.com; Adam Barth
>> Subject: Nonces/hashes in source expressions.
>>
>> Before I copy/paste a bunch of text to stub out a 'style-nonce' directive
>> for CSP 1.1, I'd like to run something by you lovely folks that I think
>> we've talked about once or twice on the calls. It seems like it could
>> reduce repetition and confusion if we fold nonces or hashes into the
>> existing directives as another type of source expression.
>>
>> As a strawman, how would you feel about rewriting 'script-nonce ABCDEFG'
>> as 'script-src nonce:ABCDEFG'? This would make an "or" relationship with
>> 'script-src' clear on the one hand, and make room for something like
>> 'script-src sha1:...' on the other. I think it would simplify the structure
>> in a nice way, and seems more comprehensible and reusable in general.
>>
>> I'm sure others of you will have ideas about syntax (perhaps it's a bad
>> idea to replicate scheme-like structures... maybe '#' would be a better
>> separator, since it's sometimes read as "hash" anyway), but I'm hoping the
>> general idea is reasonable.
>>
>>
>> --
>> Mike West <mkwst@google.com>, Developer Advocate
>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>
>
Received on Monday, 18 March 2013 16:35:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC