- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Fri, 13 Dec 2013 13:52:39 -0800
- To: public-webappsec@w3.org
You can also whitelist external scripts with a nonce, and that's what Dev is talking about. Section 3.3.10

On 12/13/2013 01:47 PM, Dionysis Zindros wrote:
> On Fri, Dec 13, 2013 at 1:33 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> Are you suggesting that the behavior should be to allow inline event handlers, and only allow script tags with a valid nonce to execute when both unsafe-inline and a nonce are present? I prefer the backwards compatible route.
>>
>> yes!
>>
>>> The huge advantage to this approach is that developers don't need to specify different Content-Security-Policy headers to clients that only support CSP 1.0 to be able to use the nonce or hash.
>>
>> This seems to be the argument behind the change. My concern is that it assumes that nonce is only used for inline scripts. But a nonce source can also be used for external resources, something that is completely separate from inline scripts.
>
> The current spec is explicit about allowing nonces and hashes for only inline script use:
>
> "The script-src directive lets developers specify exactly which script elements on a page were intentionally included for execution. Ideally, developers would avoid inline script entirely and whitelist scripts by URL. However, in some cases, removing inline scripts can be difficult or impossible. For those cases, developers can whitelist scripts using a randomly generated nonce."
>
> External scripts can only be allowed by URL. Do you suggest we change that?
>
>> -- Dev
Received on Friday, 13 December 2013 21:53:06 UTC
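The point Garrett is making, that a nonce source whitelists an external `<script src=...>` element just as it whitelists an inline one, is easier to see in a small script-src evaluator. The code below is an added example written for this archive page; it is not code from the thread, from Mozilla or from the CSP specification. It parses the `script-src` directive of a constructed policy header and decides whether a given `<script>` element may run. Host-source matching is deliberately simplified to an exact `scheme://host` comparison (no wildcards, ports or paths), and the handling of `'unsafe-inline'` follows the rule CSP Level 2 adopted, namely that `'unsafe-inline'` is ignored once a nonce or hash source is present, which is exactly the interaction the thread is debating. The policy strings, nonce value and origins are constructed sample data.

```python
import base64
import hashlib
from urllib.parse import urlparse


def parse_script_src(policy: str):
    """Return the parsed script-src directive of a CSP header, or None if absent.

    Keyword sources are unquoted on the way in: 'nonce-xyz' is stored as the
    raw nonce value "xyz", 'sha256-...' as the raw token "sha256-...".
    """
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "script-src":
            continue
        parsed = {"hosts": [], "nonces": set(), "hashes": set(),
                  "self": False, "unsafe_inline": False}
        for src in tokens[1:]:
            if src == "'self'":
                parsed["self"] = True
            elif src == "'unsafe-inline'":
                parsed["unsafe_inline"] = True
            elif src.startswith("'nonce-") and src.endswith("'"):
                parsed["nonces"].add(src[len("'nonce-"):-1])
            elif src.startswith(("'sha256-", "'sha384-", "'sha512-")) and src.endswith("'"):
                parsed["hashes"].add(src[1:-1])
            elif not src.startswith("'"):
                # Host source, assumed to be written as scheme://host (simplification)
                parsed["hosts"].append(src.rstrip("/"))
        return parsed
    return None


def sha256_source(body: str) -> str:
    """Build the 'sha256-<base64>' source expression for an inline script body."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def _origin(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def script_allowed(policy: str, page_origin: str, src=None, nonce=None, body=None) -> bool:
    """Decide whether one <script> element may execute under `policy`.

    src:   the element's src URL (None for an inline script)
    nonce: the element's nonce attribute, if any
    body:  the inline script text, used for hash matching
    """
    d = parse_script_src(policy)
    if d is None:
        # No script-src directive at all; the default-src fallback is out of scope here
        return True
    # A nonce source whitelists the element whether it is inline or external,
    # which is the property Dev and Garrett are pointing at
    if nonce is not None and nonce in d["nonces"]:
        return True
    if src is not None:
        origin = _origin(src)
        if d["self"] and origin == page_origin:
            return True
        return origin in d["hosts"]
    if body is not None:
        if sha256_source(body)[1:-1] in d["hashes"]:
            return True
        # CSP Level 2 rule: 'unsafe-inline' only counts when no nonce or hash source is listed
        if d["unsafe_inline"] and not d["nonces"] and not d["hashes"]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy and page origin
    policy = "default-src 'none'; script-src 'self' 'nonce-d41d8cd9' 'unsafe-inline'"
    origin = "https://app.example"
    print("external, not whitelisted by host, no nonce:",
          script_allowed(policy, origin, src="https://cdn.example/x.js"))
    print("external, not whitelisted by host, valid nonce:",
          script_allowed(policy, origin, src="https://cdn.example/x.js", nonce="d41d8cd9"))
    print("inline without nonce, despite 'unsafe-inline':",
          script_allowed(policy, origin, body="alert(1)"))
```

Running the block shows the two outcomes that matter for the discussion: the nonced external script from a host that is not in the policy is allowed, and the plain inline script is blocked even though `'unsafe-inline'` is present, because the nonce source switches `'unsafe-inline'` off.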