Re: CSP 1.1: Nonce-source and unsafe-inline

On 07/23/2013 10:37 AM, Neil Matatall wrote:
> Nick and I were discussing this while writing up the script-hash spec
> text. The two should probably behave the same way in regards to
> version boundaries. The terse (draft) text is:
> 
>> The script-src directive will accept hash-sources as source-expressions. Regardless of whether or not unsafe-inline is present, if any hash-sources are present in the source-list of the script-src directive, inline scripts MUST not be executed unless any hash-source or nonce-source expression matches the inline script block.
> 

Given the comments on this thread, and this language in the script-hash
draft, I have changed the WIP patch for script-nonce in Firefox to allow
nonce-source to override unsafe-inline on scripts and styles. That is,
if a nonce-source is specified, inline scripts/styles will not run
unless they have a valid nonce, even if script-src or style-src also has
the 'unsafe-inline' keyword.

Link to the patch: https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c41

I think the next steps we should take to resolve this decisively are:

1. Decide if we want to use nonce-source/hash-source on inline
scripts/styles only, or if it should also be allowed on external scripts
and/or styles as well.
2. Update the spec to reflect these decisions.
3. Make sure Chrome and Firefox's implementations agree.

Thoughts?

Received on Wednesday, 7 August 2013 15:47:33 UTC