
Re: Supporting base64 in nonce-value

From: Joel Weinberger <jww@chromium.org>
Date: Wed, 7 Aug 2013 14:29:27 -0700
Message-ID: <CAHQV2Kke1zLsHPSGRgo4wKwUK+r5mZQNW+a=iDOATe=Xrz5opQ@mail.gmail.com>
To: Garrett Robinson <grobinson@mozilla.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike has also committed it to the tip of the tree Blink. Thanks, Mike!
--Joel


On Tue, Aug 6, 2013 at 11:18 PM, Garrett Robinson <grobinson@mozilla.com> wrote:

> On 08/05/2013 07:03 AM, Mike West wrote:
> > I've made this change in the
> > draft: https://dvcs.w3.org/hg/content-security-policy/rev/ddb92226c9dc
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com <mailto:mkwst@google.com>>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
> > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> >
> >
> > On Thu, Jul 4, 2013 at 12:12 AM, Joel Weinberger <jww@chromium.org
> > <mailto:jww@chromium.org>> wrote:
> >
> >     Also in agreement on both accounts.
> >
> >
> >     On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson
> >     <grobinson@mozilla.com <mailto:grobinson@mozilla.com>> wrote:
> >
> >         On 06/28/2013 07:06 PM, Adam Barth wrote:
> >         > Currently we specify nonce-value as follows:
> >         >
> >         > nonce-value       = *( ALPHA / DIGIT )
> >         >
> >         > Some folks who've been experimenting with nonce-source have
> >         > requested that we expand the set of allowed characters in
> >         > nonce-value to include '+' and '/'.  That way the set of
> >         > allowed characters will match the characters used by base64.
> >         >
> >
> >         I don't see any problems with this.
> >
> >         > Also, I wonder if we should require a minimum number of
> >         > characters in the nonce.  Maybe at least 1 character?  Having
> >         > zero seems like an error.
> >         >
> >
> >         We just noticed this while I was working on script-nonce for
> >         Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16).
> >         I would also advocate changing the * to a + so at least 1 character
> >         is required in a valid nonce.
> >
> >         > Thoughts?
> >         > Adam
> >         >
> >
>
> This is supported in the latest WIP patch for nonce-source in Firefox:
> https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c41
>
Received on Wednesday, 7 August 2013 21:29:53 UTC
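As an added illustration, not part of the thread and not code from either browser's implementation, the following JavaScript checks a CSP nonce-source expression against the nonce-value grammar quoted above (`*( ALPHA / DIGIT )`) and against the proposed revision (add `+` and `/`, change `*` to `+`). The regular expressions, function names and the sample nonce value are this example's own assumptions.

```javascript
// Added example (not from the thread): a small checker for CSP nonce-source
// expressions under the grammar quoted in the thread and under the proposed
// revision. Regexes, function names and sample values are this example's own.

// Grammar as quoted in the thread: nonce-value = *( ALPHA / DIGIT )
// The '*' means zero or more, so an empty nonce-value is accepted.
const NONCE_VALUE_CURRENT = /^[A-Za-z0-9]*$/;

// Proposed revision: allow '+' and '/' (the base64 alphabet) and change '*'
// to '+' so that at least one character is required.
const NONCE_VALUE_PROPOSED = /^[A-Za-z0-9+/]+$/;

// Parse a source expression such as 'nonce-abc123' and validate its value
// under the given grammar. Returns { ok: true, nonce } or { ok: false, reason }.
function parseNonceSource(expr, grammar = NONCE_VALUE_PROPOSED) {
  const m = /^'nonce-(.*)'$/.exec(expr);
  if (!m) return { ok: false, reason: "not a nonce-source expression" };
  const nonce = m[1];
  if (!grammar.test(nonce)) return { ok: false, reason: "invalid nonce-value" };
  return { ok: true, nonce };
}

// Decide whether a script element's nonce attribute satisfies the policy's
// nonce-source. The comparison is exact. Under the current grammar an empty
// policy nonce is valid and matches a script whose nonce attribute is "",
// which is the "zero seems like an error" case raised in the thread; under
// the proposed grammar the policy nonce can never be empty.
function scriptAllowed(policyExpr, scriptNonce, grammar = NONCE_VALUE_PROPOSED) {
  const parsed = parseNonceSource(policyExpr, grammar);
  if (!parsed.ok) return false;
  return scriptNonce === parsed.nonce;
}

// Constructed sample nonce (not a real generated value): a base64-looking
// string that contains both '+' and '/', so it is rejected by the current
// grammar and accepted by the proposed one.
const SAMPLE_NONCE = "aB+cD/eF0123gH";

// Stand-alone demonstration of the difference between the two grammars.
function demo() {
  return {
    base64UnderCurrent: parseNonceSource(`'nonce-${SAMPLE_NONCE}'`, NONCE_VALUE_CURRENT).ok,
    base64UnderProposed: parseNonceSource(`'nonce-${SAMPLE_NONCE}'`, NONCE_VALUE_PROPOSED).ok,
    emptyUnderCurrent: parseNonceSource("'nonce-'", NONCE_VALUE_CURRENT).ok,
    emptyUnderProposed: parseNonceSource("'nonce-'", NONCE_VALUE_PROPOSED).ok,
  };
}
```

Running `demo()` returns `{ base64UnderCurrent: false, base64UnderProposed: true, emptyUnderCurrent: true, emptyUnderProposed: false }`, which is exactly the two changes the thread asks for: a base64-encoded nonce becomes expressible, and the empty nonce that would let an unnonced script through stops being a valid policy value.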
