I've taken a stab at wrapping up the various threads on script hashes into some spec text that I hope addresses most concerns, and just added [1], [2], and [3] to the spec for discussion. In particular: 0. I think we want both hashes and nonces. The spec reflects that. 1. I'm deferring to the HTML spec for the definition of the script block's source, which I think gives us good chances of both understanding how the script block is parsed and understood, and interoperating on that understanding. Adam, your input would be particularly valued here: is that definition enough, or do we need to more explicitly talk about encodings and canonicalization? 2. 'unsafe-inline' is disabled if either a hash or nonce is present. 3. I'm running with Garrett's suggestion that we support only SHA-2 algorithms. I think there's value in supporting SHA-1 (number of bits on the wire, if nothing else), and I'd like to add it in. Moreover, there might be value in writing the spec such that future algorithms can be supported if browser vendors choose. I'm not sure we need to be explicit about the supported algorithms (other than to specify something like SHA-256 as mandatory to support, to ensure we have a common baseline). Opinions welcome. :) [1]: https://dvcs.w3.org/hg/content-security-policy/rev/20f1d3204a37 [2]: https://dvcs.w3.org/hg/content-security-policy/rev/053e1cf7c388 [3]: https://dvcs.w3.org/hg/content-security-policy/rev/8db37e53da82 Thanks (and apologies for the delay/my absence; I've been buried in non-CSP work recently)! -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 11 December 2013 11:05:42 UTC