Comment on Content Security Policy 1.1, Draft of Dec 12 2012

@chapter "4.12.2 Interaction with the script-src directive"

The document contains one example for the case
"nonce provided and correct / src not allowed by script-src directive".

There should be an example for the inverse case
"no nonce provided / src allowed by script-src directive".

As it currently stands, the script in the second case would be rejected because it doesn't have a nonce.
Intuitively I would assume the script to be safe because it comes from a whitelisted origin.

Therefore I would propose to restrict the relevant enforcing rule to only script tags with content.
Sincerely,
Flo

Received on Thursday, 13 December 2012 10:45:54 UTC
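The two rule variants the comment contrasts, as an added toy evaluator that is not part of the email or of the CSP 1.1 draft; the policy string, document origin and script cases are constructed, and wildcard hosts, paths and keywords other than 'self' are deliberately not modelled.

```javascript
// Added example (not from the email or the CSP 1.1 draft): a toy evaluator for
// the two script-src rule variants the comment contrasts. Wildcard hosts, paths
// and keywords other than 'self' are deliberately not modelled.

// Split a script-src directive value into host sources and (at most) one nonce.
function parseScriptSrc(directive) {
  const sources = directive.trim().split(/\s+/);
  const nonceSrc = sources.find((s) => /^'nonce-[^']+'$/.test(s));
  const nonce = nonceSrc ? nonceSrc.slice("'nonce-".length, -1) : null;
  const hosts = sources.filter((s) => !s.startsWith("'nonce-"));
  return { hosts, nonce };
}

// Match one host-source expression against a script URL; 'self' resolves to
// the document origin, any other quoted keyword is not a host source.
function hostMatches(source, url, documentOrigin) {
  if (source === "'self'") return url.origin === documentOrigin;
  if (source.startsWith("'")) return false;
  const expr = source.includes("://") ? source : `${url.protocol}//${source}`;
  return new URL(expr).origin === url.origin;
}

function srcWhitelisted(policy, script, documentOrigin) {
  const url = new URL(script.src);
  return policy.hosts.some((h) => hostMatches(h, url, documentOrigin));
}

// Draft rule as the email reads it: once the directive carries a nonce, every
// script, inline or external, must present that nonce.
function allowedDraft(policy, script, documentOrigin) {
  if (policy.nonce !== null) return script.nonce === policy.nonce;
  return !script.inline && srcWhitelisted(policy, script, documentOrigin);
}

// Proposed rule: the nonce is required only for inline scripts; an external
// script is also allowed when its origin matches a host source.
function allowedProposed(policy, script, documentOrigin) {
  if (policy.nonce !== null && script.nonce === policy.nonce) return true;
  if (script.inline) return false;
  return srcWhitelisted(policy, script, documentOrigin);
}

// Constructed policy, document origin and the cases discussed in the comment.
const POLICY = parseScriptSrc("'self' https://cdn.example.com 'nonce-d3adb33f'");
const ORIGIN = "https://app.example.com";
const NONCE_ONLY = { inline: false, src: "https://other.example.net/a.js", nonce: "d3adb33f" };
const HOST_ONLY = { inline: false, src: "https://cdn.example.com/b.js", nonce: null };
const INLINE_NO_NONCE = { inline: true, src: null, nonce: null };
console.log("host-only script, draft:", allowedDraft(POLICY, HOST_ONLY, ORIGIN),
            "proposed:", allowedProposed(POLICY, HOST_ONLY, ORIGIN));
```

Under the draft rule the whitelisted external script without a nonce is rejected, under the proposed rule it is allowed, while an inline script without a nonce is rejected by both.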