- From: Mike West <mkwst@google.com>
- Date: Wed, 18 Jul 2012 23:16:39 -0500
- To: Eric Chen <eric.chen@sv.cmu.edu>
- Cc: public-webappsec@w3.org
- Message-ID: <CAKXHy=cVozW0foM-z79nJDbCbX6GW2ZAtCM1YqVzEUGpzKWeQg@mail.gmail.com>
I don't know of an attack that could specifically exploit the soft-fail case; the change was made more in order to correctly set developers' expectations about the effect of their policy. If I send `script-nonce this is my awesome nonce;`, I might believe that my site is well protected, when in actuality the whole directive is being thrown away since the nonce isn't a valid token.

We need to do something in response to an invalid nonce. Failing in such a way that's sure to be noticed seems the most secure option.

-mike

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Wed, Jul 18, 2012 at 10:57 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hi Mike:
>
>> * `script-nonce` has been cleaned up a bit, adding a non-normative
>> "Usage" section that attempts to explain the core functionality to web
>> developers, and making two things clear that confused me while
>> experimenting with a WebKit implementation. First, invalid nonces now fail
>> loudly, blocking all script execution on a page.
>>
> Is there a particular motivation for this? (i.e., is there an attack that
> would break the soft-fail case?)
>
> --
> -Eric
Received on Thursday, 19 July 2012 04:17:29 UTC
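Added example, not part of the thread or of any browser's implementation: a small Python model of the two behaviours Mike contrasts, run against the `script-nonce this is my awesome nonce;` policy from the mail. It assumes the draft's nonce-value is an RFC 2616 token (no whitespace, CTLs or separators), models only `script-nonce` (script-src is ignored), and the function names `is_token`, `parse_policy` and `script_allowed` are the example's own.

```python
# Model of the two invalid-nonce behaviours contrasted in the thread.
# Assumption: the draft's nonce-value is an RFC 2616 "token", i.e. one or
# more printable ASCII characters that are neither CTLs nor separators.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token(value: str) -> bool:
    """True if `value` is a non-empty RFC 2616 token."""
    return bool(value) and all(
        32 < ord(ch) < 127 and ch not in _SEPARATORS for ch in value)

def parse_policy(header: str) -> dict:
    """Split a policy string into {directive-name: value}.
    Names are case-insensitive; a repeated directive keeps its first value."""
    policy = {}
    for part in header.split(';'):
        fields = part.split(None, 1)
        if not fields:
            continue
        value = fields[1].strip() if len(fields) > 1 else ''
        policy.setdefault(fields[0].lower(), value)
    return policy

def script_allowed(header: str, script_nonce, hard_fail: bool) -> bool:
    """May a script whose nonce attribute is `script_nonce` (None if absent)
    execute under `header`?  Only script-nonce is modelled; script-src is ignored.

    hard_fail=False: old behaviour, an invalid nonce silently drops the directive.
    hard_fail=True:  new behaviour, an invalid nonce blocks all script execution.
    """
    policy = parse_policy(header)
    if 'script-nonce' not in policy:
        return True  # this policy imposes no nonce requirement
    nonce = policy['script-nonce']
    if not is_token(nonce):
        # The case from the mail: the value contains spaces, so it is not a
        # token; either every script runs or none does.
        return not hard_fail
    return script_nonce == nonce

if __name__ == '__main__':
    BAD = "script-nonce this is my awesome nonce;"  # policy quoted in the mail
    # Soft-fail: an injected script with no nonce runs, and nobody notices.
    print(script_allowed(BAD, None, hard_fail=False))  # True
    # Hard-fail: the author's own scripts stop too, so the mistake is seen.
    print(script_allowed(BAD, None, hard_fail=True))   # False
```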