- From: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Date: Sat, 13 Sep 2014 07:24:48 +0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 12 September 2014 23:25:15 UTC
CSP2 introduced `nonce-`. I really love this feature, and I'm thinking about using it on our website after the release of CSP2. But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to the `Content-Security-Policy` header and then never add `unsafe-inline` to the `CSP` header, like:

    Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'

    <script>
      alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
    </script>
    <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
      alert("Allowed because nonce is valid.")
    </script>

But in a browser that only supports CSP 1.1, without `unsafe-inline` in place, the browser doesn't know the meaning of `nonce-`, so it will not run any inline scripts. So my question is: how can I introduce `nonce-` to our website without risk on CSP 1.1-only browsers?
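The migration problem raised in the post, modelled in code as an added example (this is not part of the original message or of any browser's source): a small Node.js evaluator that applies the script-src directive the way a CSP 1.0-only user agent does (it drops the `'nonce-...'` token it does not recognise, so only `'unsafe-inline'` can let an inline script run) and the way a CSP Level 2 user agent does (nonces are honoured, and the specification says `'unsafe-inline'` is ignored whenever a nonce or hash source expression is present in the directive). That second rule is what makes sending both `'unsafe-inline'` and `'nonce-...'` in one header a safe fallback: old browsers allow inline scripts, new browsers enforce the nonce. The policy strings, the nonce value (taken from the post) and the `evaluate` helper are constructed sample data for this example only.

```javascript
// Added example, not code from the original post: model how CSP 1.0-only and
// CSP Level 2 user agents evaluate an inline <script> against script-src.
// Policy strings and nonce values below are constructed sample data.

const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/;

// Parse a Content-Security-Policy header value into { directive: [sources...] }.
function parsePolicy(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // First occurrence of a directive wins; later duplicates are ignored.
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// script-src governs scripts; if it is absent, default-src applies; if neither
// is present, there is no restriction at all.
function scriptSources(policy) {
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null;
}

// Decide whether an inline script carrying `scriptNonce` (or null) may run.
//   cspLevel 1: the user agent does not understand 'nonce-...' and drops it, so
//               only 'unsafe-inline' can allow an inline script.
//   cspLevel 2: a matching nonce allows the script, and 'unsafe-inline' is
//               ignored when any nonce or hash source expression is present.
function inlineScriptAllowed(header, scriptNonce, cspLevel) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;

  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  if (cspLevel === 1) return hasUnsafeInline;

  if (scriptNonce !== null && sources.includes(`'nonce-${scriptNonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

// Run one policy through both kinds of browser, for a nonced and an un-nonced script.
function evaluate(header, nonce) {
  return {
    level1: {
      nonced: inlineScriptAllowed(header, nonce, 1),
      unnonced: inlineScriptAllowed(header, null, 1),
    },
    level2: {
      nonced: inlineScriptAllowed(header, nonce, 2),
      unnonced: inlineScriptAllowed(header, null, 2),
    },
  };
}

// Sample nonce from the post; a real one must be fresh and unpredictable per response.
const NONCE = 'Nc3n83cnSAd3wc3Sasdfn939hc3';

// The header from the post: breaks every inline script on a CSP 1.0-only browser.
const NONCE_ONLY =
  `default-src 'self'; script-src 'self' https://example.com 'nonce-${NONCE}'`;

// The fallback header: old browsers allow inline scripts, CSP2 browsers enforce the nonce.
const NONCE_PLUS_UNSAFE_INLINE =
  `default-src 'self'; script-src 'self' https://example.com 'unsafe-inline' 'nonce-${NONCE}'`;

console.log('nonce only:            ', JSON.stringify(evaluate(NONCE_ONLY, NONCE)));
console.log('nonce + unsafe-inline: ', JSON.stringify(evaluate(NONCE_PLUS_UNSAFE_INLINE, NONCE)));
```

The trade-off the second header buys is visible in the output: on a CSP 1.0-only browser the un-nonced script runs too, so those users get no inline-script protection, but nothing on the page breaks, while a CSP2 browser still blocks the un-nonced script and only runs the one whose nonce matches.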