I've taken a stab at wrapping up the various threads on script hashes into
some spec text that I hope addresses most concerns, and just added [1],
[2], and [3] to the spec for discussion.
In particular:
0. I think we want both hashes and nonces. The spec reflects that.
1. I'm deferring to the HTML spec for the definition of the script block's
source, which I think gives us good chances of both understanding how the
script block is parsed and understood, and interoperating on that
understanding. Adam, your input would be particularly valued here: is that
definition enough, or do we need to more explicitly talk about encodings
and canonicalization?
2. 'unsafe-inline' is disabled if either a hash or nonce is present.
3. I'm running with Garrett's suggestion that we support only SHA-2
algorithms. I think there's value in supporting SHA-1 (number of bits on
the wire, if nothing else), and I'd like to add it in. Moreover, there
might be value in writing the spec such that future algorithms can be
supported if browser vendors choose. I'm not sure we need to be explicit
about the supported algorithms (other than to specify something like
SHA-256 as mandatory to support, to ensure we have a common baseline).
Opinions welcome. :)
[1]: https://dvcs.w3.org/hg/content-security-policy/rev/20f1d3204a37
[2]: https://dvcs.w3.org/hg/content-security-policy/rev/053e1cf7c388
[3]: https://dvcs.w3.org/hg/content-security-policy/rev/8db37e53da82
Thanks (and apologies for the delay/my absence; I've been buried in non-CSP
work recently)!
--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
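As an added illustration of points 0 through 3 above (this is not code from the message or from the CSP spec): the hash of an inline script block's source is computed over the exact text, compared against the `'sha256-...'` tokens in `script-src`, and any hash or nonce token disables `'unsafe-inline'`. The `'algo-<base64>'` token syntax and the UTF-8 encoding of the source are assumptions here, since the message leaves both open; the script text is constructed.

```python
import base64
import hashlib
import re

# Constructed inline script, taken verbatim as the "script block's source":
# leading whitespace and newlines are part of the hashed bytes.
INLINE_SCRIPT = "\n  console.log('hello, csp');\n"

# Only SHA-2 digests are accepted, matching the direction in the message;
# SHA-1 is deliberately left out of this table.
HASH_ALGOS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Assumed token syntax: 'sha256-<base64>' for hashes, 'nonce-<base64>' for nonces.
TOKEN_RE = re.compile(r"^'(?P<kind>sha256|sha384|sha512|nonce)-(?P<value>[A-Za-z0-9+/=]+)'$")


def hash_source(algo, source):
    """Return the CSP source expression for script text (UTF-8 assumed)."""
    digest = HASH_ALGOS[algo](source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_tokens(policy):
    """Return the source-expression tokens of the script-src directive."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(policy, source, nonce_attr=None):
    """Decide whether an inline script block may execute under the policy."""
    tokens = script_src_tokens(policy)
    hashes, nonces = set(), set()
    for tok in tokens:
        m = TOKEN_RE.match(tok)
        if m and m.group("kind") == "nonce":
            nonces.add(m.group("value"))
        elif m:
            hashes.add((m.group("kind"), m.group("value")))
    # Point 2: a hash or nonce anywhere in script-src disables 'unsafe-inline'.
    if not hashes and not nonces:
        return "'unsafe-inline'" in tokens
    if nonce_attr is not None and nonce_attr in nonces:
        return True
    # Recompute the digest under each algorithm the policy names and compare.
    return any(hash_source(algo, source) == f"'{algo}-{value}'" for algo, value in hashes)
```

Note that stripping the whitespace from the script changes its hash, which is exactly why the message defers to the HTML spec for what "the script block's source" means.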