- From: Mike West <mkwst@google.com>
- Date: Wed, 18 Jul 2012 21:38:58 -0500
- To: public-webappsec@w3.org
- Message-ID: <CAKXHy=eQEiOQ-WA4SpM9CEDPAjkchH4KpsMwymX6EN1HZw0iLw@mail.gmail.com>
Hello! Over the past week or two, Adam has helped me make a few changes to the CSP 1.1 editor's draft. I think they're worth flagging here for comment.

* `script-nonce` has been cleaned up a bit, adding a non-normative "Usage" section that attempts to explain the core functionality to web developers, and making two things clear that confused me while experimenting with a WebKit implementation. First, invalid nonces now fail loudly, blocking all script execution on a page. Second, `script-nonce` is now explicitly a check on script execution in _addition to_ `script-src`. If both directives are defined, both restrictions must be met in order for a script to execute. This, of course, was already the case; it's simply more clearly stated.

  See https://dvcs.w3.org/hg/content-security-policy/rev/b60168c4306f, https://dvcs.w3.org/hg/content-security-policy/rev/ae736514341a, and https://dvcs.w3.org/hg/content-security-policy/rev/b574fbf95a50 for details.

* The experimental script interface is no longer a super-method that does everything, but a set of specific methods for each bit of information that can be queried. This has a variety of advantages, not least of which that it reads better ("Does the document's security policy allow eval?" -> `document.securityPolicy.allowsEval()`). A non-normative "Usage" section gives a high-level set of scenarios that the API is meant to service, and usage examples for each.

  See https://dvcs.w3.org/hg/content-security-policy/rev/bff58d373917 for details.

Thanks! Comments are welcome.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Thursday, 19 July 2012 02:39:47 UTC
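The two rules the mail describes (an invalid `script-nonce` blocks every script; `script-nonce` and `script-src` are enforced independently, so a script must satisfy both when both are present) and the `allowsEval()` query, as an added toy evaluator that is not code from the mail or the CSP draft. The nonce grammar, the origin matching and the treatment of inline scripts are simplifying assumptions, not the draft's normative algorithms.

```javascript
// Added example, not from the mail or the CSP 1.1 draft. Host matching and the
// nonce grammar below are simplified assumptions, not the draft's normative rules.

// Parse "script-src 'self' https://cdn.example; script-nonce abc123" into a map
// of directive name -> list of values.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Assumption: a usable nonce is exactly one token of base64-ish characters.
// Anything else is an "invalid nonce" and blocks every script on the page.
function nonceIsValid(values) {
  return values.length === 1 && /^[A-Za-z0-9+/=_-]+$/.test(values[0]);
}

// Simplified script-src match: 'self' means the page's own origin, otherwise an
// exact origin string. (Assumption: ports, wildcards and paths are not modelled.)
function sourceAllowed(sources, scriptOrigin, pageOrigin) {
  return sources.some(s =>
    (s === "'self'" && scriptOrigin === pageOrigin) || s === scriptOrigin);
}

// Decide whether one script may run. `script.origin` is the origin of an external
// script's URL, or null for an inline script; `script.nonce` is its nonce attribute.
// Each directive present is enforced on its own; failing either one blocks the script.
function scriptAllowed(policyHeader, pageOrigin, script) {
  const d = parsePolicy(policyHeader);
  if ('script-nonce' in d) {
    if (!nonceIsValid(d['script-nonce'])) return false;      // invalid nonce: fail loudly
    if (script.nonce !== d['script-nonce'][0]) return false;  // nonce mismatch
  }
  // script-src is applied here only to external scripts; the inline/'unsafe-inline'
  // interaction is deliberately left out of this toy model.
  if ('script-src' in d && script.origin !== null &&
      !sourceAllowed(d['script-src'], script.origin, pageOrigin)) return false;
  return true;
}

// Toy counterpart of document.securityPolicy.allowsEval(): eval is blocked as soon
// as script-src is present without 'unsafe-eval'.
function allowsEval(policyHeader) {
  const d = parsePolicy(policyHeader);
  return !('script-src' in d) || d['script-src'].includes("'unsafe-eval'");
}
```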