Re: Hashes/Nonce Source and unsafe-inline

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 13 Dec 2013 13:33:47 -0800
Message-ID: <CAPfop_2ovdzZLY1eOZZK44DpQAd+Z_9LXoqQJ=FTDm5Pif3GJQ@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> Are you suggesting that the behavior should be to allow inline event
> handlers, and only allow script tags with a valid nonce to execute when both
> unsafe-inline and a nonce are present? I prefer the backwards compatible
> route.

yes!

> The huge
> advantage to this approach is that developers don't need to specify
> different Content-Security-Policy headers to clients that only support CSP
> 1.0 to be able to use the nonce or hash.

This seems to be the argument behind the change. My concern is that it
assumes that nonce is only used for inline scripts. But a nonce source
can also be used for external resources, something that is completely
separate from inline scripts.

-- Dev
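To make the distinction Dev draws concrete, here is a small script-src matcher written for this archive page (it is not code from the thread or from any CSP implementation, and the policy strings, host names and nonce values in it are constructed). It shows that a `'nonce-...'` source expression matches a `<script>` element by its `nonce` attribute whether the element is inline or loads an external resource, and that `'unsafe-inline'` plays no part in the external-resource decision. The toy simply honours `'unsafe-inline'` for inline scripts regardless of other sources; how `'unsafe-inline'` and nonce sources should interact is exactly what the thread is debating, and the example does not take a side on it.

```python
"""Toy CSP script-src matcher (added example, not from the mailing-list thread).

Models how a 'nonce-...' source expression in a script-src directive matches
a <script> element, whether the element is an inline block or loads an
external resource. All hosts, nonces and policies below are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ScriptElement:
    src: Optional[str] = None    # None means an inline <script> block
    nonce: Optional[str] = None  # value of the element's nonce attribute, if any


def parse_script_src(directive: str) -> dict:
    """Split a script-src directive value into the parts this toy models."""
    policy = {"nonces": set(), "hosts": set(), "unsafe_inline": False}
    for token in directive.split():
        if token.startswith("'nonce-") and token.endswith("'"):
            policy["nonces"].add(token[len("'nonce-"):-1])
        elif token == "'unsafe-inline'":
            policy["unsafe_inline"] = True
        elif token.startswith("'"):
            continue  # 'self', hash sources etc. are deliberately not modelled
        else:
            policy["hosts"].add(token.lower())
    return policy


def host_allowed(src: str, hosts: set) -> bool:
    """Minimal host-source match: exact scheme://host entries only (no wildcards)."""
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    return origin in hosts


def script_allowed(directive: str, el: ScriptElement) -> bool:
    """Decide whether `el` may execute under the given script-src value."""
    policy = parse_script_src(directive)
    # A nonce attribute matching a 'nonce-...' source allows the element
    # whether it is inline or external: nonces are not an inline-only mechanism.
    if el.nonce is not None and el.nonce in policy["nonces"]:
        return True
    if el.src is None:
        # Inline script without a matching nonce: only 'unsafe-inline' allows it.
        # (Modelling choice: the interaction of 'unsafe-inline' with nonce
        # sources is what the thread debates; this toy just honours it.)
        return policy["unsafe_inline"]
    # External script without a matching nonce: host whitelist decides, and
    # 'unsafe-inline' has no influence on this branch at all.
    return host_allowed(el.src, policy["hosts"])


if __name__ == "__main__":
    # Constructed policy and elements used as a walkthrough.
    policy = "'nonce-r4nd0m' https://cdn.example.com"
    print(script_allowed(policy, ScriptElement(src="https://third.example.net/x.js")))
    print(script_allowed(policy, ScriptElement(src="https://third.example.net/x.js",
                                               nonce="r4nd0m")))
    print(script_allowed(policy, ScriptElement(nonce="r4nd0m")))
    print(script_allowed(policy, ScriptElement()))
```

The second call is the case Dev raises: a script from a host that is not whitelisted is still allowed because its `nonce` attribute matches the policy's nonce source, which is a decision entirely separate from how inline scripts are treated.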
Received on Friday, 13 December 2013 21:34:33 UTC