Re: Hashes/Nonce Source and unsafe-inline

> Are you suggesting that the behavior should be to allow inline event
> handlers, and only allow script tags with a valid nonce to execute when both
> unsafe-inline and a nonce are present? I prefer the backwards compatible
> route.

yes!

> The huge
> advantage to this approach is that developers don't need to specify
> different Content-Security-Policy headers to clients that only support CSP
> 1.0 to be able to use the nonce or hash.

This seems to be the argument behind the change. My concern is that it
assumes that nonce is only used for inline scripts. But a nonce source
can also be used for external resources, something that is completely
separate from inline scripts.

-- Dev

Received on Friday, 13 December 2013 21:34:33 UTC
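The two client behaviours being discussed in this thread, as an added illustration that is not part of the original message or of any CSP implementation: a small JavaScript model of script-src evaluation for a "CSP 1.0" client versus a client implementing the proposed rule (a nonce in the source list switches 'unsafe-inline' off, and the nonce matches both inline and external script elements). The policy string, the nonce value, the origins and the five sample scripts are constructed for the example; the model assumes a CSP 1.0 client simply ignores a nonce-source token it does not understand, and it omits scheme, port, path and wildcard matching as well as hash-source.

```javascript
// Added example (not from the original thread): a deliberately small model of
// script-src evaluation under CSP 1.0 semantics versus the CSP 1.1 proposal
// discussed above. It ignores scheme/port/path/wildcard matching and
// hash-source entirely; 'self' is modelled as a plain origin string compare.

const NONCE_RE = /^'nonce-([A-Za-z0-9+/=_-]+)'$/;

// Parse a script-src source list into the pieces this model cares about.
function parseSourceList(value) {
  const policy = { self: false, unsafeInline: false, nonces: new Set(), hosts: new Set() };
  for (const token of value.trim().split(/\s+/)) {
    if (token === "'self'") policy.self = true;
    else if (token === "'unsafe-inline'") policy.unsafeInline = true;
    else {
      const m = NONCE_RE.exec(token);
      if (m) policy.nonces.add(m[1]);
      else policy.hosts.add(token.toLowerCase());
    }
  }
  return policy;
}

// request: { kind: 'inline' | 'handler' | 'external', nonce?: string, origin?: string }
// level 1 = CSP 1.0 client: nonce-source is unknown to it (assumed ignored here).
// level 2 = client implementing the proposal: a nonce in the list turns
// 'unsafe-inline' off, and the nonce matches <script> elements inline or external.
function scriptAllowed(policy, request, level, documentOrigin = 'https://app.example') {
  const nonces = level >= 2 ? policy.nonces : new Set();
  const unsafeInline = policy.unsafeInline && !(level >= 2 && nonces.size > 0);

  // A nonce match wins regardless of where the script body comes from,
  // which is the point Dev raises about external resources.
  if (request.nonce !== undefined && nonces.has(request.nonce)) return true;

  // Inline event handlers cannot carry a nonce, so they live or die by 'unsafe-inline'.
  if (request.kind === 'inline' || request.kind === 'handler') return unsafeInline;
  if (request.kind === 'external') {
    const origin = request.origin.toLowerCase();
    return (policy.self && origin === documentOrigin) || policy.hosts.has(origin);
  }
  return false;
}

// Evaluate one constructed page under both client generations.
function compareClients(policy, requests) {
  return requests.map((r) => ({
    ...r,
    csp10: scriptAllowed(policy, r, 1),
    csp11: scriptAllowed(policy, r, 2),
  }));
}

// Constructed sample: the single "works for both client generations" header
// from the quoted message, plus the kinds of script the thread argues about.
const POLICY = parseSourceList("'self' 'unsafe-inline' 'nonce-r4nd0mN0nc3' https://cdn.example");
const PAGE = [
  { kind: 'inline', nonce: 'r4nd0mN0nc3' },                                   // <script nonce=...>
  { kind: 'inline' },                                                         // <script> without nonce
  { kind: 'handler' },                                                        // onclick="..."
  { kind: 'external', origin: 'https://cdn.example' },                        // listed host, no nonce
  { kind: 'external', origin: 'https://other.example', nonce: 'r4nd0mN0nc3' }, // unlisted host, nonce
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareClients(POLICY, PAGE));
}
```

Running it prints a table with one row per sample script: the CSP 1.0 column allows everything inline and nothing from the unlisted host, while the CSP 1.1 column blocks the un-nonced inline script and the event handler but allows the external script from https://other.example purely on the strength of its nonce, even though that host appears nowhere in the source list.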