- From: Eric Rescorla <ekr@rtfm.com>
- Date: Fri, 2 Nov 2012 10:42:49 +0100
- To: public-web-security <public-web-security@w3.org>
As I mentioned in the meeting, script-nonce seems like it would be more useful if there was a way to restrict its applicability to inline scripts, so I can have a site with a static security policy and a small number of inline scripts without having to rewrite every page that loads jQuery.

Concrete suggestion: augment script nonce with a "policy" parameter such as:

    script-nonce <nonce>,<policy>

where <policy> == "all" or "inline" to mean that the nonce applies to both scripts or just inline scripts.

-Ekr
Received on Friday, 2 November 2012 09:43:58 UTC
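
An added sketch, not part of the original message and not code from any browser or specification, of how a user agent might evaluate the proposed `script-nonce <nonce>,<policy>` value. The function names, the fail-closed handling of malformed values, and treating an omitted policy as "all" are assumptions; the message does not specify them.

```javascript
// Illustration of the proposed "script-nonce <nonce>,<policy>" syntax.
// Assumptions (not in the message): function names, error handling,
// and that a value with no <policy> behaves like "all".
const POLICIES = new Set(["all", "inline"]);

// Parse the directive value, e.g. "abc123,inline".
// Throws on anything unexpected so a typo cannot silently weaken the policy.
function parseScriptNonce(value) {
  const parts = value.trim().split(",").map((p) => p.trim());
  if (parts.length > 2 || parts[0] === "") {
    throw new Error("malformed script-nonce value");
  }
  const policy = parts.length === 2 ? parts[1] : "all";
  if (!POLICIES.has(policy)) {
    throw new Error("unknown script-nonce policy: " + policy);
  }
  return { nonce: parts[0], policy };
}

// Decide whether the nonce check lets a script run.
// `script` is a constructed description: { inline: boolean, nonce: string|null }.
// This models only the nonce check; any other source restrictions in the
// site's policy would still apply to external scripts.
function scriptAllowed(directive, script) {
  const nonceRequired = directive.policy === "all" || script.inline;
  if (!nonceRequired) {
    return true; // external script (e.g. jQuery) under the "inline" policy
  }
  return script.nonce !== null && script.nonce === directive.nonce;
}

// Constructed sample: a static policy with the "inline" setting.
const sample = parseScriptNonce("abc123,inline");
const results = {
  externalNoNonce: scriptAllowed(sample, { inline: false, nonce: null }),
  inlineNoNonce: scriptAllowed(sample, { inline: true, nonce: null }),
  inlineWithNonce: scriptAllowed(sample, { inline: true, nonce: "abc123" }),
};
console.log(results);
```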