W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: CSP 1.1: Nonce-source and unsafe-inline

From: Garrett Robinson <grobinson@mozilla.com>
Date: Wed, 07 Aug 2013 08:47:05 -0700
Message-ID: <52026BF9.5000405@mozilla.com>
To: Neil Matatall <neilm@twitter.com>
CC: Danesh Irani <danesh@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Nicholas Green <ngreen@twitter.com>
On 07/23/2013 10:37 AM, Neil Matatall wrote:
> Nick and I were discussing this while writing up the script-hash spec
> text. The two should probably behave the same way in regards to
> version boundaries. The terse (draft) text is:
> 
>> The script-src directive will accept hash-sources as source-expressions. Regardless of whether or not unsafe-line is present, if any hash-sources are present in the source-list of the script-src directive inline scripts MUST not be executed unless any hash-source or nonce-source expression matches the inline script block.
> 

Given the comments on this thread, and this language in the script-hash
draft, I have changed the WIP patch for script-nonce in Firefox to allow
nonce-source to override unsafe-inline on scripts and styles. That is,
if a nonce-source is specified, inline scripts/styles will not run
unless they have a valid nonce, even if script-src or style-src also has
the 'unsafe-inline' keyword.

Link to the patch: https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c41

I think the next steps we should take to resolve this decisively are:

1. Decide if we want to use nonce-source/hash-source on inline
scripts/styles only, or if it should also be allowed on external scripts
and/or styles as well.
2. Update the spec to reflect these decisions.
3. Make sure Chrome and Firefox's implementations agree

Thoughts?
Received on Wednesday, 7 August 2013 15:47:33 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC