Re: [CSP] compatibility between CSP1.1 and CSP2

cool, thanks
On 13 September 2014 at 07:47, "Devdatta Akhawe" <dev.akhawe@gmail.com> wrote:

> You can just add unsafe-inline; a browser supporting nonce will ignore
> the unsafe-inline directive and insist on a nonce.
>
> On 12 September 2014 16:24, Hatter Jiang OWS <hatter@openwebsecurity.org>
> wrote:
> > CSP2 introduced `nonce-`, I really love this feature,
> > I'm thinking about to using this this feature on our website after the
> > release of CSP2,
> > But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to
> > `Content-Security-Policy` head,
> > then I will never add `unsafe-inline` to `CSP` header, like:
> >
> > Content-Security-Policy: default-src 'self';
> >                          script-src 'self' https://example.com
> > 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
> >
> >
> > <script>
> > alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
> > </script>
> > <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
> > alert("Allowed because nonce is valid.")
> > </script>
> >
> > But in CSP1.1 only supported browser, without `unsafe-inline` placed, and
> > the browser doesn't
> > know `nonce-`'s meaning, so the browser will not run any inline scripts.
> >
> > So my question is how can I introduce `nonce-` to our website without
> > risk
> > on CSP1.1 only browsers?
>

Received on Saturday, 13 September 2014 02:36:48 UTC