Re: Hashes/Nonce Source and unsafe-inline


[creating a separate thread since there were other discussions ongoing
in the other]

> 2. 'unsafe-inline' is disabled if either a hash or nonce is present.
>      [3]

Imagine a website that wants to control what external scripts are
loaded. The website uses inline event handlers too. The hosts for
external scripts can be dynamic (e.g., it is on a CDN) and thus it
uses nonces to load them at runtime. In the new design, all the event
handlers would stop working. I am not sure this is what we want.


Received on Thursday, 12 December 2013 23:34:49 UTC
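
The scenario in the message above, modeled as an added example (not part of the original post and not a browser's CSP implementation): it applies the quoted rule to a `script-src` source list and reports whether inline event handlers and nonce-bearing scripts would still run. The function names, the `cdn.example` host and the nonce value are constructed for illustration.

```javascript
// Added illustration: a simplified model of the quoted rule, not a browser's CSP engine.
// Only script-src is read; default-src fallback and host matching are out of scope.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'script-src') {
      return tokens.slice(1);
    }
  }
  return null; // no script-src: this model applies no restriction
}

function analyze(policy) {
  const sources = parseScriptSrc(policy);
  if (sources === null) {
    return { restricted: false, nonces: [], unsafeInlineEffective: true };
  }
  // Nonce values are compared case-sensitively, so keep the original casing.
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice(7, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-[^']+'$/i.test(s));
  const listed = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // The rule under discussion: a nonce or hash switches 'unsafe-inline' off.
  return {
    restricted: true,
    nonces,
    unsafeInlineEffective: listed && nonces.length === 0 && !hasHash,
  };
}

// Event-handler attributes cannot carry a nonce, so they depend on 'unsafe-inline'.
function inlineEventHandlerAllowed(policy) {
  return analyze(policy).unsafeInlineEffective;
}

// True when the policy has no script-src or lists the nonce the script carries.
function scriptAllowedByNonce(policy, nonceAttr) {
  const a = analyze(policy);
  return !a.restricted || a.nonces.includes(nonceAttr);
}

// Constructed policies for the site described in the message.
const BEFORE = "script-src 'unsafe-inline' https://cdn.example";
const AFTER = "script-src 'unsafe-inline' 'nonce-r4nd0mValue'";

console.log('handlers before nonce:', inlineEventHandlerAllowed(BEFORE));
console.log('handlers after nonce: ', inlineEventHandlerAllowed(AFTER));
```

Running the same check over a site's deployed policy before adding a nonce or hash shows whether existing `onclick`-style attributes would be affected.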