- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Wed, 07 Aug 2013 08:47:05 -0700
- To: Neil Matatall <neilm@twitter.com>
- CC: Danesh Irani <danesh@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Nicholas Green <ngreen@twitter.com>
On 07/23/2013 10:37 AM, Neil Matatall wrote:
> Nick and I were discussing this while writing up the script-hash spec
> text. The two should probably behave the same way in regards to
> version boundaries. The terse (draft) text is:
>
>> The script-src directive will accept hash-sources as source-expressions. Regardless of whether or not unsafe-inline is present, if any hash-sources are present in the source-list of the script-src directive, inline scripts MUST not be executed unless any hash-source or nonce-source expression matches the inline script block.

Given the comments on this thread, and this language in the script-hash draft, I have changed the WIP patch for script-nonce in Firefox to allow nonce-source to override unsafe-inline on scripts and styles. That is, if a nonce-source is specified, inline scripts/styles will not run unless they have a valid nonce, even if script-src or style-src also has the 'unsafe-inline' keyword.

Link to the patch: https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c41

I think the next steps we should take to resolve this decisively are:

1. Decide if we want to use nonce-source/hash-source on inline scripts/styles only, or if it should also be allowed on external scripts and/or styles as well.
2. Update the spec to reflect these decisions.
3. Make sure Chrome and Firefox's implementations agree.

Thoughts?
Received on Wednesday, 7 August 2013 15:47:33 UTC
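The rule the thread converges on (a nonce-source or hash-source in the source list makes the browser ignore 'unsafe-inline' for inline blocks) as a small policy evaluator. This is an added illustration, not the Firefox patch or the spec's text; the CSP grammar is simplified to whitespace-separated source expressions, and `inline_allowed`, `hash_source` and `parse_csp` are names chosen here.

```python
import base64
import hashlib
import re

HASH_RE = re.compile(r"'(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)'")
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=]+)'")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]} (simplified grammar)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _b64_digest(alg, text):
    return base64.b64encode(hashlib.new(alg, text.encode("utf-8")).digest()).decode("ascii")


def hash_source(script_text, alg="sha256"):
    """The hash-source expression a server would emit for one inline block."""
    return "'%s-%s'" % (alg, _b64_digest(alg, script_text))


def inline_allowed(header, script_text, nonce_attr=None, directive="script-src"):
    """Decide whether an inline script/style block may run under this policy.

    Once any nonce-source or hash-source appears in the directive's source
    list, 'unsafe-inline' no longer counts; the block runs only if its nonce
    attribute or its digest matches. Without nonces/hashes, legacy behaviour
    applies and 'unsafe-inline' alone decides.
    """
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    nonces, hashes = set(), {}
    for src in sources:
        if NONCE_RE.fullmatch(src):
            nonces.add(NONCE_RE.fullmatch(src).group(1))
        elif HASH_RE.fullmatch(src):
            alg, digest = HASH_RE.fullmatch(src).groups()
            hashes.setdefault(alg, set()).add(digest)
    if not nonces and not hashes:
        return "'unsafe-inline'" in sources
    if nonce_attr is not None and nonce_attr in nonces:
        return True
    return any(_b64_digest(alg, script_text) in digests for alg, digests in hashes.items())
```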