Perhaps I've missed this in previous conversations, but why is script-nonce
restricted only to scripts? Why not allow other (potentially arbitrary)
uses of the nonces for forms, for example? If one is worried about any
particular type of element injection, couldn't the nonce attribute be
useful? Why not have a more general 'nonce policy' that allows directives
of not just 'all' or 'inline', but also 'forms', 'input', etc.?
--Joel
On Fri, Nov 2, 2012 at 10:41 AM, Adam Barth <w3c@adambarth.com> wrote:
> [-public-web-security, +public-webappsec]
>
> Maybe we should make script-nonce apply only to inline script elements?
>
> Adam
>
>
> On Fri, Nov 2, 2012 at 2:42 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > As I mentioned in the meeting, script-nonce seems like it would be
> > more useful if there was a way to restrict its applicability to inline scripts,
> > so I can have a site with a static security policy and a small number of inline
> > scripts without having to rewrite every page that loads jQuery.
> >
> > Concrete suggestion: augment script nonce with a "policy" parameter
> > such as:
> >
> > script-nonce <nonce>,<policy> where <policy> == "all" or "inline"
> > to mean that the nonce applies to both scripts or just inline scripts.
> >
> > -Ekr
> >
>
>
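As an added illustration that is not part of the thread and not code from any browser or the CSP spec, the Python below models how Eric's proposed `script-nonce <nonce>,<policy>` directive would be enforced against the scripts on a page. The directive syntax is the one sketched above; the parsing rules, the `Script` record, the function names, and the choice that under the `inline` policy an external script is simply not subject to the nonce check (so it is left to the rest of the policy, e.g. `script-src`) are assumptions made for the example. The sample scripts are constructed: a legitimate inline script carrying the nonce, an injected inline script without it, and a nonce-less jQuery include of the kind Eric wants to keep without rewriting every page.

```python
"""Toy enforcement model for the proposed 'script-nonce <nonce>,<policy>'.

Assumptions (not from the spec or the thread): policy defaults to 'all' when
omitted; under 'inline', external scripts bypass the nonce check entirely and
are judged by the rest of the policy; nonce comparison is constant-time.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hmac
import secrets


@dataclass(frozen=True)
class Script:
    inline: bool                 # True for <script>...</script>, False for <script src=...>
    nonce: Optional[str] = None  # value of the element's nonce attribute, if present
    src: Optional[str] = None    # external URL, kept only for readable output


def fresh_nonce() -> str:
    """Server side: one unpredictable nonce per response (never reuse across pages)."""
    return secrets.token_urlsafe(16)


def parse_script_nonce(directive: str) -> Tuple[str, str]:
    """Parse 'script-nonce <nonce>[,<policy>]' into (nonce, policy)."""
    name, _, rest = directive.strip().partition(" ")
    if name != "script-nonce" or not rest.strip():
        raise ValueError("not a script-nonce directive")
    nonce, _, policy = rest.strip().partition(",")
    policy = policy.strip() or "all"          # assumption: 'all' when omitted
    if policy not in ("all", "inline"):
        raise ValueError(f"unknown policy {policy!r}")
    return nonce.strip(), policy


def nonce_check_passes(directive: str, script: Script) -> bool:
    """True if the nonce directive does not block this script.

    Under 'inline', external scripts are out of scope for the nonce check and
    return True here; a real policy would still apply script-src to them.
    """
    expected, policy = parse_script_nonce(directive)
    if policy == "inline" and not script.inline:
        return True
    if script.nonce is None:
        return False
    # constant-time compare so a missing or wrong nonce is not distinguishable by timing
    return hmac.compare_digest(script.nonce, expected)


def evaluate(directive: str, scripts: List[Script]) -> List[bool]:
    """Decision for each script, in order, under the given directive."""
    return [nonce_check_passes(directive, s) for s in scripts]


# Constructed sample page: one legitimate inline script, one injected inline
# script, and a nonce-less external jQuery include.
NONCE = "r4nd0mN0nc3"
PAGE_SCRIPTS = [
    Script(inline=True, nonce=NONCE),
    Script(inline=True, nonce=None),
    Script(inline=False, nonce=None, src="https://code.jquery.com/jquery.js"),
]


def demo() -> None:
    for policy in ("all", "inline"):
        directive = f"script-nonce {NONCE},{policy}"
        print(directive, "->", evaluate(directive, PAGE_SCRIPTS))


if __name__ == "__main__":
    demo()
```

With `all`, the jQuery include fails the nonce check because it carries no nonce, which is exactly the rewrite-every-page cost Eric describes; with `inline`, the injected inline script is still blocked while the external include is left to `script-src`. A freshly generated nonce (`fresh_nonce()`) should go into both the header and the trusted inline elements on every response.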