- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Thu, 27 Jan 2011 14:42:31 -0800
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
> Have we discussed the danger of false sense of security this could
> impart. In particular, I am concerned about people just marking all
> scripts going out of their server with the correct nonce.

That's possible, although it seems unlikely; in a typical design of a web app framework, adding nonces would be done in the same pass as inserting attacker-controlled strings. A warning about two-pass scenarios can be included, but it's probably not a show-stopper (not any more than the possibility of incorrectly placing <meta> directives is).

> And if we are using nonces, why not just use nonces to demarcate the
> start and end of untrusted content

Many people proposed this, and it's a superior alternative on many counts, but I think that nobody figured out a nice way to do this that would be at least sort-of XML-compatible - and that's a deal-breaker...

/mz
Received on Thursday, 27 January 2011 22:43:23 UTC
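The one-pass versus two-pass distinction from the message above, as an added example that is not part of the thread: both renderers are constructed here, `UNTRUSTED_COMMENT` is a constructed sample, and escaping is deliberately omitted in both to simulate a single missed escape elsewhere in the app. Stamping the nonce onto every `<script>` in the finished output blesses the injected tag too; attaching it only to template-authored tags in the same pass leaves the injected one without a nonce, so the CSP still blocks it.

```python
import html
import re
import secrets

# Constructed sample of an attacker-controlled string that, by assumption,
# reached the output without escaping (the missed escape is the premise;
# the question is how nonce placement behaves afterwards).
UNTRUSTED_COMMENT = '<script>alert(1)</script>'


def new_nonce() -> str:
    """Per-response nonce, as a CSP `script-src 'nonce-...'` policy expects."""
    return secrets.token_urlsafe(16)


def render_two_pass(comment: str, nonce: str) -> str:
    """Anti-pattern: render first, then post-process the whole page and add
    the nonce to every <script> tag found in it."""
    page = f'<script src="/app.js"></script><div>{comment}</div>'
    return re.sub(r'<script\b', f'<script nonce="{nonce}"', page)


def render_one_pass(comment: str, nonce: str) -> str:
    """Nonce is written only where the template author placed a script tag,
    in the same pass that would normally escape untrusted strings
    (escaping intentionally left out here to match the two-pass case)."""
    return (f'<script nonce="{nonce}" src="/app.js"></script>'
            f'<div>{comment}</div>')


def render_one_pass_escaped(comment: str, nonce: str) -> str:
    """The intended design: nonce and escaping in the same pass."""
    return (f'<script nonce="{nonce}" src="/app.js"></script>'
            f'<div>{html.escape(comment)}</div>')


def audit(page: str, nonce: str) -> tuple[int, int]:
    """Defender-side check: (script tags carrying the nonce, script tags
    without it). Any nonced tag the template did not author is a problem."""
    tags = re.findall(r'<script\b[^>]*>', page)
    with_nonce = [t for t in tags if f'nonce="{nonce}"' in t]
    return len(with_nonce), len(tags) - len(with_nonce)


if __name__ == "__main__":
    n = new_nonce()
    print("two-pass :", audit(render_two_pass(UNTRUSTED_COMMENT, n), n))
    print("one-pass :", audit(render_one_pass(UNTRUSTED_COMMENT, n), n))
    print("escaped  :", audit(render_one_pass_escaped(UNTRUSTED_COMMENT, n), n))
```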