On 22 January 2011 08:29, Gervase Markham <gerv@mozilla.org> wrote:
> On 21/01/11 22:44, Michal Zalewski wrote:
>
>> 3) Allowing inline scripts guarded by policy-specified nonce tokens
>> (<meta> says "inline-script-token=$random", inline scripts have
>> <script token="$previously_specified_random">...</script>). This
>> eliminates one of the most significant issues with deploying CSP or
>> this proposal on sites that are extremely concerned about the overhead
>> of extra HTTP requests; for example, much of *.google.com is subject
>> to such concerns.
>>
>
> http://www.gerv.net/security/script-keys/
>
Both this and meta tag are vulnerable to any sort of html attribute
injection, this is why I suggested using both a opening and closing
randomized tag. e.g. <meta nothankyou=' would enclose any existing tags
until the next ' and > which would either disable the intended restriction
or even worse allow you to use the key.