I've made this change in the draft: https://dvcs.w3.org/hg/content-security-policy/rev/ddb92226c9dc -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores On Thu, Jul 4, 2013 at 12:12 AM, Joel Weinberger <jww@chromium.org> wrote: > Also in agreement on both accounts. > > > On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson <grobinson@mozilla.com>wrote: > >> On 06/28/2013 07:06 PM, Adam Barth wrote: >> > Currently we specify nonce-value as follows: >> > >> > nonce-value = *( ALPHA / DIGIT ) >> > >> > Some folks who've been experimenting with nonce-source have requested >> > that we expand the set of allowed characters in nonce-value to include >> > '+' and '/'. That way the set of allowed characters will match the >> > characters used by base64. >> > >> >> I don't see any problems with this. >> >> > Also, I wonder if should require at minimum number of characters in >> > the nonce. Maybe at least 1 character? Having zero seems like an >> > error. >> > >> >> We just noticed this while I was working on script-nonce for Firefox >> (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also >> advocate changing the * to a + so at least 1 character is required in a >> valid nonce. >> >> > Thoughts? >> > Adam >> > >> >> >> >> >
Received on Monday, 5 August 2013 14:04:15 UTC