- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Tue, 06 Aug 2013 23:18:17 -0700
- To: Mike West <mkwst@google.com>
- CC: Joel Weinberger <jww@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 08/05/2013 07:03 AM, Mike West wrote: > I've made this change in the > draft: https://dvcs.w3.org/hg/content-security-policy/rev/ddb92226c9dc > > -mike > > -- > Mike West <mkwst@google.com <mailto:mkwst@google.com>> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschäftsführer: Graham Law, Christine Elizabeth Flores > > > On Thu, Jul 4, 2013 at 12:12 AM, Joel Weinberger <jww@chromium.org > <mailto:jww@chromium.org>> wrote: > > Also in agreement on both accounts. > > > On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson > <grobinson@mozilla.com <mailto:grobinson@mozilla.com>> wrote: > > On 06/28/2013 07:06 PM, Adam Barth wrote: > > Currently we specify nonce-value as follows: > > > > nonce-value = *( ALPHA / DIGIT ) > > > > Some folks who've been experimenting with nonce-source have > requested > > that we expand the set of allowed characters in nonce-value to > include > > '+' and '/'. That way the set of allowed characters will > match the > > characters used by base64. > > > > I don't see any problems with this. > > > Also, I wonder if should require at minimum number of > characters in > > the nonce. Maybe at least 1 character? Having zero seems like an > > error. > > > > We just noticed this while I was working on script-nonce for Firefox > (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I > would also > advocate changing the * to a + so at least 1 character is > required in a > valid nonce. > > > Thoughts? > > Adam > > > > > > > This is supported in the latest WIP patch for nonce-source in Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c41
Received on Wednesday, 7 August 2013 06:18:45 UTC