- From: Dan Veditz <dveditz@mozilla.com>
- Date: Sun, 18 Nov 2012 17:19:43 -0800
- To: Mountie Lee <mountie.lee@mw2.or.kr>
- CC: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org

On 11/18/12 4:49 PM, Mountie Lee wrote:
> could you guide me the discussion thread for script nonce or
> fingerprint/hash ?

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental

May or may not be adopted as part of CSP 1.1 (CSP 1.0 isn't final yet!) but discussion was favorable enough to include as a discussion point.

It does not directly address your issue -- it attempts to ensure that each `<script>` tag was created by the page author and wasn't injected, but does nothing to ensure the received content was the intended content.

-Dan Veditz

Received on Monday, 19 November 2012 01:20:11 UTC