Re: [whatwg/fetch] The CSP hooks for `<script src='...' nonce='...'>` are broken. (#269)

> And the reason we don't set nonce on request is because we want to do the check for inline and external scripts at the same time?

We could set the nonce on request and do the whole check there, I suppose. I guess that could be a better layering...

> It seems a little weird that if you can specify a nonce, you can suddenly make cross-origin requests. Isn't that a security issue?

As implemented, nonces are basically capability tokens: if you have the token, you can execute script. This turns out to be a super-useful model that I'm actually interested in expanding (see `'unsafe-dynamic'` and https://lists.w3.org/Archives/Public/public-webappsec/2016Mar/0080.html).

---
https://github.com/whatwg/fetch/issues/269#issuecomment-205282273

Received on Monday, 4 April 2016 12:46:45 UTC
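Added example, not code from this thread or from any browser: a simplified model of the CSP `script-src` check for a `<script>` element, showing the "nonce as capability token" behaviour discussed above, where a matching nonce lets a script run whether it is inline or fetched cross-origin. Only `'self'`, `'unsafe-inline'`, `'nonce-...'` and exact `scheme://host[:port]` sources are modelled; wildcards, hashes and `'unsafe-dynamic'` are left out, and the policy, origin and nonce values are constructed.

```javascript
// Extract the script-src source list from a CSP header value, or null if the
// directive is absent. (Constructed teaching model, not the spec algorithm.)
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0] === 'script-src');
  return directive ? directive.slice(1) : null;
}

// Host-source matching for an external script: 'self' or an exact origin match.
function sourceListAllowsUrl(sources, pageOrigin, scriptUrl) {
  const target = new URL(scriptUrl, pageOrigin).origin;
  const self = new URL(pageOrigin).origin;
  return sources.some((src) => (src === "'self'" && target === self) || src === target);
}

// Decide whether a script may run. script = { inline, src, nonce } (assumed shape).
// Returns which rule fired: 'nonce', 'inline', 'source-list' or 'blocked'.
function cspScriptDecision(policy, pageOrigin, script) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return 'source-list'; // no script-src: nothing to enforce here
  // 1. Nonce check first: a matching nonce is a capability that allows the script
  //    regardless of whether it is inline or loaded from another origin.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return 'nonce';
  // 2. Inline scripts need 'unsafe-inline', which CSP ignores once any nonce
  //    source is present in the directive.
  if (script.inline) {
    const hasNonceSource = sources.some((s) => s.startsWith("'nonce-"));
    return sources.includes("'unsafe-inline'") && !hasNonceSource ? 'inline' : 'blocked';
  }
  // 3. External scripts without a valid nonce fall back to host-source matching.
  return sourceListAllowsUrl(sources, pageOrigin, script.src) ? 'source-list' : 'blocked';
}

// Constructed sample: same-origin scripts allowed, plus one nonce capability.
const POLICY = "default-src 'none'; script-src 'self' 'nonce-r4nd0mN0nce'";
const PAGE = 'https://app.example/';
for (const s of [
  { inline: false, src: 'https://cdn.example/lib.js' },
  { inline: false, src: 'https://cdn.example/lib.js', nonce: 'r4nd0mN0nce' },
  { inline: true, nonce: 'r4nd0mN0nce' },
]) console.log(JSON.stringify(s), '->', cspScriptDecision(POLICY, PAGE, s));
```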