
Re: Hashes/Nonce Source and unsafe-inline

From: Dionysis Zindros <dionyziz@gmail.com>
Date: Fri, 13 Dec 2013 13:47:55 -0800
Message-ID: <CAE-c3mcdxZV7cfd35nseh1FaRzz+UB-Fmdq=hTEF-1nKgfFXcw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Dec 13, 2013 at 1:33 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> Are you suggesting that the behavior should be to allow inline event
>> handlers, and only allow script tags with a valid nonce to execute when both
>> unsafe-inline and a nonce are present? I prefer the backwards compatible
>> route.
>
> yes!
>
>> The huge
>> advantage to this approach is that developers don't need to specify
>> different Content-Security-Policy headers to clients that only support CSP
>> 1.0 to be able to use the nonce or hash.
>
> This seems to be the argument behind the change. My concern is that it
> assumes that nonce is only used for inline scripts. But a nonce source
> can also be used for external resources, something that is completely
> separate from inline scripts.

The current spec is explicit about allowing nonces and hashes for only
inline script use:

"The script-src directive lets developers specify exactly which script
elements on a page were intentionally included for execution. Ideally,
developers would avoid inline script entirely and whitelist scripts by
URL. However, in some cases, removing inline scripts can be difficult
or impossible. For those cases, developers can whitelist scripts using
a randomly generated nonce."

External scripts can only be allowed by URL. Do you suggest we change that?

>
> -- Dev
>
Received on Friday, 13 December 2013 21:48:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC