When reviewing Firefox patches for strict-dynamic I considered a few cases
of how someone could write a CSP policy using strict-dynamic. Let's have a
look:
1) default-src 'strict-dynamic' foo.com; script-src 'nonce-asdf'
2) default-src 'strict-dynamic' foo.com
In order to craft a valid or somehow useful CSP policy relying on
'strict-dynamic' one has to at least specify a valid nonce, right? The
first case does that and it seems somewhat intuitive. The second case,
however, fails to specify a nonce. In that case foo.com needs to be
invalidated for script loads but not for image loads, which seems
counterintuitive. Since one needs to define a valid nonce anyway (which is
only allowed within script-src), why do we also allow strict-dynamic to
appear within default-src? In my opinion it would be clearer to only allow
strict-dynamic to appear within script-src, or am I missing something?
Thoughts?
On Wed, Sep 14, 2016 at 7:35 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On Tue, Sep 13, 2016 at 12:27 PM, Mike West <mkwst@google.com> wrote:
>
>> Friendly ping. :)
>>
>
> Sorry for the delay, we're arguing amongst ourselves to come up with a
> "Mozilla" opinion we agree with because we fear anything we say as
> individuals will be interpreted as "The Mozilla opinion" anyway.
>
> I do appreciate Artur's argument and examples.
>
>
> -
> Dan Veditz
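To make the two policies above concrete, here is a small, added model of the fallback and 'strict-dynamic' semantics the message discusses. It is example code written for this thread, not Firefox's or any other browser's CSP implementation, and it is deliberately simplified: it knows only host sources, nonce sources and 'strict-dynamic', models script and image loads, and represents "script inserted by an already-trusted script" with a `parser_inserted` flag. The policy strings are the two cases from the message; everything else (`Load`, `allows`, `effective_directive`) is an assumed name for this example.

```python
"""Toy CSP evaluator for 'strict-dynamic' fallback behaviour (added example, not browser code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The two policies from the message, verbatim.
CASE1 = "default-src 'strict-dynamic' foo.com; script-src 'nonce-asdf'"
CASE2 = "default-src 'strict-dynamic' foo.com"

# Which directive governs a resource type, and what it falls back to when absent.
FALLBACK = {
    "script": ["script-src", "default-src"],
    "image": ["img-src", "default-src"],
}


@dataclass
class Load:
    resource_type: str               # "script" or "image"
    host: str                        # host of the URL being fetched
    nonce: Optional[str] = None      # nonce attribute on the element, if any
    parser_inserted: bool = True     # False models a script created by trusted script


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split "name src src; name src" into {name: [src, ...]} (directive names lowercased)."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_directive(directives: dict[str, list[str]], resource_type: str):
    """Return (name, sources) of the directive that governs this resource type."""
    for name in FALLBACK[resource_type]:
        if name in directives:
            return name, directives[name]
    return None, None  # no governing directive at all: nothing to enforce


def allows(policy: str, load: Load) -> bool:
    """Decide whether `load` passes `policy` under the simplified model."""
    _name, sources = effective_directive(parse_policy(policy), load.resource_type)
    if sources is None:
        return True

    # A matching nonce always passes.
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if load.nonce is not None and load.nonce in nonces:
        return True

    # 'strict-dynamic' only has meaning for script loads: host sources are
    # ignored there, and trust comes from a nonce or from a trusted script
    # that inserted this one (not parser-inserted). For image loads it is
    # simply not a recognised source and the host list applies as usual.
    if "'strict-dynamic'" in sources and load.resource_type == "script":
        return not load.parser_inserted

    return load.host in sources


if __name__ == "__main__":
    for label, policy in (("case 1", CASE1), ("case 2", CASE2)):
        print(label, policy)
        print("  script from foo.com, no nonce :", allows(policy, Load("script", "foo.com")))
        print("  script from foo.com, nonce    :", allows(policy, Load("script", "foo.com", nonce="asdf")))
        print("  image  from foo.com           :", allows(policy, Load("image", "foo.com")))
```

Running it shows the asymmetry the message describes for case 2: a parser-inserted script from foo.com is blocked while an image from foo.com is allowed, and with no nonce in the policy no root script can ever be trusted. In the model, 'strict-dynamic' inside default-src reaches script loads only when script-src is absent; in case 1 the explicit script-src takes over for scripts, so there the default-src entry governs images alone.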