Re: Hashes/Nonce Source and unsafe-inline

For example, has a policy that includes
'unsafe-inline' and the page uses inline event handlers. Seemingly,
the aim of the policy is to control what external scripts are loaded
and not just XSS mitigation.

Imagine a website that wants to get finer-grained control and uses
nonces for this. So, for example, the policy could include "script-src
'unsafe-inline' nonce-longrandomvalue" and some trusted code on the
page knows the longrandomvalue and only that code can add external
scripts to the page by creating a script element with longrandomvalue
as the nonce attribute. With the change that Mike pushed, inline event
handlers for this page would stop working. This does not look right to


On 13 December 2013 00:13, Dionysis Zindros <> wrote:
> I'm not really sure what you mean by this, could you elaborate, maybe
> with an example?
> Thank you.
> On Thu, Dec 12, 2013 at 6:01 PM, Devdatta Akhawe <> wrote:
>> I agree with you on hash sources. I don't believe this is true for
>> nonce sources, since one of the use cases nonces support is including
>> scripts from URLs that you only know at runtime.
>> --dev
>> On 12 December 2013 16:00, Dionysis Zindros <> wrote:
>>> On Thu, Dec 12, 2013 at 3:34 PM, Devdatta Akhawe <> wrote:
>>>> Hi
>>>> [creating a separate thread since there were other discussions ongoing
>>>> in the other]
>>>>> 2. 'unsafe-inline' is disabled if either a hash or nonce is present.
>>>>>      [3]
>>>> Imagine a website that wants to control what external scripts are
>>>> loaded. The website uses inline event handlers too. The hosts for
>>>> external scripts can be dynamic (e.g., it is on a CDN) and thus it
>>>> uses nonces to load them at runtime. In the new design, all the event
>>>> handlers would stop working. I am not sure this is what we want.
>>> Inline event handlers are insecure and prone to XSS, so we want to
>>> block them. There's no point in enabling both unsafe-inline and (hash
>>> or nonce) at the same time. The point of a hash or a nonce is to block
>>> all inline scripts except the ones whitelisted. Allowing inline
>>> scripts completely defeats the purpose of having hashes or nonces.
>>>> Thanks
>>>> Dev

Received on Friday, 13 December 2013 19:27:01 UTC
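The scenario in Dev's message, as an added example that is not part of the thread and not the code of any browser or of the spec: a small Python model of a script-src source list that evaluates an inline script (or an inline event handler, which carries no nonce) under the prior semantics and under the proposed rule that a nonce or hash source disables 'unsafe-inline'. It assumes the CSP source syntax with quotes ('nonce-longrandomvalue') and does not model the default-src fallback.

```python
import base64
import hashlib
import re

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)'$")


def parse_script_src(policy):
    """Return the source tokens of script-src, or None if the directive is absent
    (the default-src fallback is deliberately not modelled here)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return None


def inline_allowed(policy, nonce=None, body=None, strict=True):
    """Decide whether an inline script may run under a script-src source list.
    nonce:  nonce attribute of a <script> element (event handler attributes
            cannot carry one, so pass None for them).
    body:   inline script text, matched against any hash sources.
    strict: True = proposed rule, 'unsafe-inline' is ignored once a nonce or
            hash source is present; False = prior behaviour, always honoured."""
    sources = parse_script_src(policy)
    if sources is None:
        return True  # no script-src directive, so nothing here restricts inline script
    nonces = {m.group(1) for s in sources if (m := NONCE_RE.match(s))}
    hashes = {(m.group(1), m.group(2)) for s in sources if (m := HASH_RE.match(s))}
    if nonce is not None and nonce in nonces:
        return True  # element explicitly whitelisted by its nonce
    if body is not None:
        for algo, digest in hashes:
            calc = base64.b64encode(hashlib.new(algo, body.encode()).digest()).decode()
            if calc == digest:
                return True  # inline script body matches a hash source
    if "'unsafe-inline'" in sources:
        # The change under discussion: a nonce or hash source disables 'unsafe-inline'.
        return not (strict and (nonces or hashes))
    return False


# Constructed policy modelled on the thread's example (CSP syntax quotes the source).
POLICY = "script-src 'unsafe-inline' 'nonce-longrandomvalue'"

if __name__ == "__main__":
    print(inline_allowed(POLICY, strict=False))  # True: handlers run today
    print(inline_allowed(POLICY, strict=True))   # False: handlers stop working
    print(inline_allowed(POLICY, nonce="longrandomvalue"))  # True under both rules
```

The trusted code that inserts a nonced script element keeps working under both semantics; only the un-nonceable event handler attributes are affected by the proposed rule.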