CSP 1.1: `script-nonce` and script interface edits.


Over the past week or two, Adam has helped me make a few changes to the CSP
1.1 editor's draft. I think they're worth flagging here for comment.

* `script-nonce` has been cleaned up a bit, adding a non-normative "Usage"
section that attempts to explain the core functionality to web developers,
and making two things clear that confused me while experimenting with a
WebKit implementation. First, invalid nonces now fail loudly, blocking all
script execution on a page. Second, `script-nonce` is now explicitly a
check on script execution in _addition to_ `script-src`. If both directives
are defined, both restrictions must be met in order for a script to
execute. This, of course, was already the case, it's simply more clearly

See https://dvcs.w3.org/hg/content-security-policy/rev/b60168c4306f,
https://dvcs.w3.org/hg/content-security-policy/rev/ae736514341a, and
https://dvcs.w3.org/hg/content-security-policy/rev/b574fbf95a50 for details.

* The experimental script interface is no longer a super-method that does
everything, but a set of specific methods for each bit of information that
can be queried. This has a variety of advantages, not least of which that
it reads better ("Does the document's security policy allow eval?" ->
`document.securityPolicy.allowsEval()`). A non-normative "Usage" section
gives a high-level set of scenarios that the API is meant to service, and
usage examples for each.

See https://dvcs.w3.org/hg/content-security-policy/rev/bff58d373917 for

Thanks! Comments are welcome.

Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Thursday, 19 July 2012 02:39:47 UTC