W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

RE: Nonces/hashes in source expressions.

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 18 Mar 2013 16:38:51 +0000
To: Mike West <mkwst@google.com>
CC: "dveditz@mozilla.com" <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279691F4@DEN-EXDDA-S12.corp.ebay.com>
Eww.. yes.   But that does point out a potential problem more generally in CSP:

According to RFC3986 section 2.2, ';' is a reserved character as a subcomponent delimiter. 

Is this going to bite us elsewhere?

:(

-Brad Hill

---------------------
From: Mike West [mailto:mkwst@google.com] 
Sent: Monday, March 18, 2013 10:35 AM
To: Hill, Brad
Cc: dveditz@mozilla.com; public-webappsec@w3.org; Adam Barth
Subject: RE: Nonces/hashes in source expressions.

One more observation: we can currently safely assume that ';' separates directives. We could no longer make that assumption with this format, which would make parsing slightly more complicated.
-mike
On Mar 18, 2013 5:31 PM, "Mike West" <mkwst@google.com> wrote:
Thanks for the link, it's very informative. The only reservation I have is that it seems to imply a 1:1 relationship between the URL and the resource being described (modulo collisions). Nonces are meant to collide, probably multiple times on a single page.
That said, I don't feel strongly about the format. I'd be happy to adopt that format wholesale, assuming the general idea (which, the more I think about, the more strongly I favor) is acceptable.
-mike
On Mar 18, 2013 5:19 PM, "Hill, Brad" <bhill@paypal-inc.com> wrote:
<hat type="individual">

I like it.

</hat>

<hat type="chair">

This draft is relevant to consider vs. inventing a new identifier syntax, though it is less compact than what you suggest:

http://tools.ietf.org/html/draft-farrell-decade-ni-10

</hat>

Brad Hill

-------------------------
From: Mike West [mailto:mkwst@google.com]
Sent: Monday, March 18, 2013 10:04 AM
To: public-webappsec@w3.org; dveditz@mozilla.com; Adam Barth
Subject: Nonces/hashes in source expressions.

Before I copy/paste a bunch of text to stub out a 'style-nonce' directive for CSP 1.1, I'd like to run something by you lovely folks that I think we've talked about once or twice on the calls. It seems like it could reduce repetition and confusion if we fold nonces or hashes into the existing directives as another type of source expression.

As a strawman, how would you feel about rewriting 'script-nonce ABCDEFG' as 'script-src nonce:ABCDEFG'? This would make an "or" relationship with 'script-src' clear on the one hand, and make room for something like 'script-src sha1:...' on the other. I think it would simplify the structure in a nice way, and seems more comprehensible and reusable in general.

I'm sure others of you will have ideas about syntax (perhaps it's a bad idea to replicate scheme-like structures... maybe '#' would be a better separator, since it's sometimes read as "hash" anyway), but I'm hoping the general idea is reasonable. 


--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 18 March 2013 16:39:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC