Re: CSP 1.1: `script-nonce` and script interface edits.

I don't know of an attack that could specifically exploit the soft-fail
case; the change was made more in order to correctly set developers'
expectations about the effect of their policy. If I send `script-nonce this
is my awesome nonce;`, I might believe that my site is well protected, when
in actuality the whole directive is being thrown away since the nonce isn't
a valid token.

We need to do something in response to an invalid nonce. Failing in such a
way that's sure to be noticed seems the most secure option.


Mike West <>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

On Wed, Jul 18, 2012 at 10:57 PM, Eric Chen <> wrote:

> Hi Mike:
>> * `script-nonce` has been cleaned up a bit, adding a non-normative
>> "Usage" section that attempts to explain the core functionality to web
>> developers, and making two things clear that confused me while
>> experimenting with a WebKit implementation. First, invalid nonces now fail
>> loudly, blocking all script execution on a page.
> Is there a particular motivation for this? (i.e., is there an attack that
> would break the soft-fail case?)
> --
> -Eric

Received on Thursday, 19 July 2012 04:17:29 UTC