Re: Hashes/Nonce Source and unsafe-inline

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 12 Dec 2013 15:34:02 -0800
Message-ID: <CAPfop_2=ZVw26DHq-9VKe-maWObjPjrepT5_1UgktpdK+j=yew@mail.gmail.com>
To: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Dan Veditz <dveditz@mozilla.com>

[creating a separate thread since there were other discussions ongoing
in the other]

> 2. 'unsafe-inline' is disabled if either a hash or nonce is present.
>      [3] https://dvcs.w3.org/hg/content-security-policy/rev/8db37e53da82

Imagine a website that wants to control what external scripts are
loaded. The website uses inline event handlers too. The hosts for
external scripts can be dynamic (e.g., it is on a CDN) and thus it
uses nonces to load them at runtime. In the new design, all the event
handlers would stop working. I am not sure this is what we want.
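The interaction described in this message, as an added illustration that is not part of the original thread: a small model of how a browser evaluates a `script-src` source list under the proposed rule that `'unsafe-inline'` is ignored once a hash or nonce source is present. The policy strings, host names and nonce values below are constructed for the example; the evaluator is a simplified stand-in for real CSP matching, not the specification's algorithm.

```javascript
// Added example (not from the original post): a simplified CSP script-src
// evaluator that applies the rule "'unsafe-inline' is disabled if either a
// hash or nonce is present". Host matching is exact-string only; scheme,
// port and wildcard-subdomain handling are deliberately left out.

// Parse the script-src directive of a policy string into its source kinds.
function parseScriptSrc(policy) {
  const directive = policy
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith('script-src'));
  if (!directive) return null;
  const tokens = directive.split(/\s+/).slice(1);
  return {
    hosts: tokens.filter((t) => !t.startsWith("'")),
    keywords: tokens.filter(
      (t) => t.startsWith("'") && !t.startsWith("'nonce-") && !/^'sha(256|384|512)-/.test(t)
    ),
    // 'nonce-abc123' -> 'abc123'
    nonces: tokens.filter((t) => t.startsWith("'nonce-")).map((t) => t.slice(7, -1)),
    hashes: tokens.filter((t) => /^'sha(256|384|512)-/.test(t)),
  };
}

// script is one of:
//   { type: 'external', host, nonce? }  a <script src=...> element
//   { type: 'inline', nonce? }          a <script> element with a body
//   { type: 'handler' }                 an inline event handler (onclick="...")
function allowsScript(policy, script) {
  const src = parseScriptSrc(policy);
  if (!src) return true; // no script-src directive: nothing restricts scripts here
  const hashOrNonce = src.nonces.length > 0 || src.hashes.length > 0;
  // The rule under discussion: once a hash or nonce is listed, 'unsafe-inline'
  // no longer has any effect.
  const unsafeInline = src.keywords.includes("'unsafe-inline'") && !hashOrNonce;

  if (script.type === 'external') {
    if (script.nonce && src.nonces.includes(script.nonce)) return true;
    return src.hosts.includes(script.host) || src.hosts.includes('*');
  }
  if (script.type === 'inline') {
    if (script.nonce && src.nonces.includes(script.nonce)) return true;
    return unsafeInline;
  }
  // Event handler attributes carry no nonce, so only 'unsafe-inline' admits them.
  return unsafeInline;
}

// The scenario from the message: a site that nonces a CDN-hosted script at
// runtime and also relies on inline event handlers.
function evaluateScenario() {
  const cdnScript = { type: 'external', host: 'cdn.example', nonce: 'abc123' }; // constructed
  const handler = { type: 'handler' };
  const withNonce = "script-src 'unsafe-inline' 'nonce-abc123'";
  const hostOnly = "script-src 'unsafe-inline' cdn.example";
  return {
    nonce_policy_loads_cdn_script: allowsScript(withNonce, cdnScript),
    nonce_policy_runs_event_handler: allowsScript(withNonce, handler),
    host_policy_runs_event_handler: allowsScript(hostOnly, handler),
  };
}

console.log(evaluateScenario());
```

Under the nonce-bearing policy the CDN script loads but the event handler is refused, which is the breakage the message points out; the host-only policy keeps the handlers working but cannot express a dynamically chosen host.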

Received on Thursday, 12 December 2013 23:34:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC