Oh, you are talking about the case when the script-nonce directive is invalid, not when the script-nonce attribute is invalid. In that case, I agree it makes sense to hard-fail. On Wed, Jul 18, 2012 at 9:16 PM, Mike West <mkwst@google.com> wrote: > I don't know of an attack that could specifically exploit the soft-fail > case; the change was made more in order to correctly set developers' > expectations about the effect of their policy. If I send `script-nonce this > is my awesome nonce;`, I might believe that my site is well protected, when > in actuality the whole directive is being thrown away since the nonce isn't > a valid token. > > We need to do something in response to an invalid nonce. Failing in such a > way that's sure to be noticed seems the most secure option. > > -mike > > -- > Mike West <mkwst@google.com>, Developer Advocate > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 > > > On Wed, Jul 18, 2012 at 10:57 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote: > >> Hi Mike: >> >> >>> * `script-nonce` has been cleaned up a bit, adding a non-normative >>> "Usage" section that attempts to explain the core functionality to web >>> developers, and making two things clear that confused me while >>> experimenting with a WebKit implementation. First, invalid nonces now fail >>> loudly, blocking all script execution on a page. >>> >> Is there a particular motivation for this? (i.e., is there an attack that >> would break the soft-fail case?) >> >> >> -- >> -Eric >> >> > -- -EricReceived on Thursday, 19 July 2012 04:43:07 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:53:59 UTC