Re: Hashes/Nonce Source and unsafe-inline

From: Garrett Robinson <grobinson@mozilla.com>
Date: Fri, 13 Dec 2013 13:52:39 -0800
Message-ID: <52AB81A7.9000909@mozilla.com>
To: public-webappsec@w3.org

You can also whitelist external scripts with a nonce, and that's what
Dev is talking about. Section 3.3.10

On 12/13/2013 01:47 PM, Dionysis Zindros wrote:
> On Fri, Dec 13, 2013 at 1:33 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> Are you suggesting that the behavior should be to allow inline event
>>> handlers, and only allow script tags with a valid nonce to execute when both
>>> unsafe-inline and a nonce are present? I prefer the backwards compatible
>>> route.
>>
>> yes!
>>
>>> The huge
>>> advantage to this approach is that developers don't need to specify
>>> different Content-Security-Policy headers to clients that only support CSP
>>> 1.0 to be able to use the nonce or hash.
>>
>> This seems to be the argument behind the change. My concern is that it
>> assumes that nonce is only used for inline scripts. But a nonce source
>> can also be used for external resources, something that is completely
>> separate from inline scripts.
> 
> The current spec is explicit about allowing nonces and hashes for only
> inline script use:
> 
> "The script-src directive lets developers specify exactly which script
> elements on a page were intentionally included for execution. Ideally,
> developers would avoid inline script entirely and whitelist scripts by
> URL. However, in some cases, removing inline scripts can be difficult
> or impossible. For those cases, developers can whitelist scripts using
> a randomly generated nonce."
> 
> External scripts can only be allowed by URL. Do you suggest we change that?
> 
>>
>> -- Dev
>>
> 
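The point Garrett makes above, that a nonce-source whitelists an external script element just as it does an inline block, is easy to see with a small policy matcher. The following is an added illustration written for this archive page, not code from the thread participants or from any browser or spec: it implements a deliberately simplified subset of script-src matching (exact-origin host-sources, nonce-sources, and 'unsafe-inline'), with element names, the sample policy strings, and the nonce values all constructed for the example. It does not model the unsafe-inline/nonce interaction being debated in the thread; 'unsafe-inline' is honoured whenever present, which is an assumption of this toy matcher, not a statement about what the spec decided.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class ScriptElement:
    """One <script> element as the matcher sees it (constructed model)."""
    src: Optional[str] = None     # None means an inline <script> block
    nonce: Optional[str] = None   # value of the element's nonce attribute, if any


def make_nonce() -> str:
    """Fresh, unpredictable per-response nonce (128 bits of CSPRNG output)."""
    return secrets.token_urlsafe(16)


def parse_script_src(directive: str) -> List[str]:
    """Split a script-src directive into source expressions, dropping the name if given."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "script-src":
        tokens = tokens[1:]
    return tokens


def host_matches(src_url: str, expr: str) -> bool:
    """Simplified host-source match: the script's scheme://host[:port] must equal expr."""
    parts = urlsplit(src_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return expr.lower() == origin.lower()


def script_allowed(policy_script_src: str, el: ScriptElement) -> bool:
    """Return True if the policy lets this script element execute."""
    exprs = parse_script_src(policy_script_src)
    nonces = {
        e[len("'nonce-"):-1]
        for e in exprs
        if e.startswith("'nonce-") and e.endswith("'")
    }
    # A nonce attribute matching a nonce-source allows the element regardless
    # of whether it is inline or loaded from a URL; the src is not consulted.
    if el.nonce is not None and el.nonce in nonces:
        return True
    if el.src is None:
        # Inline block without a valid nonce: only 'unsafe-inline' can allow it
        # (assumption of this toy matcher, see the lead-in).
        return "'unsafe-inline'" in exprs
    # External script without a valid nonce must match a host-source.
    return any(host_matches(el.src, e) for e in exprs if not e.startswith("'"))


if __name__ == "__main__":
    nonce = make_nonce()
    policy = f"script-src 'nonce-{nonce}'"
    # Constructed sample elements: one nonced external script, one un-nonced one.
    trusted = ScriptElement(src="https://cdn.example.com/app.js", nonce=nonce)
    injected = ScriptElement(src="https://cdn.example.com/app.js")
    print(policy)
    print("nonced external script allowed:", script_allowed(policy, trusted))
    print("un-nonced external script allowed:", script_allowed(policy, injected))
```

The matcher shows why the backwards-compatibility argument cannot assume nonces are an inline-only feature: under `script-src 'nonce-…'` alone, an external script carries or lacks the nonce exactly as an inline block does, and the URL never enters the decision. Generate the nonce with a CSPRNG per response, as `make_nonce` does, since a predictable or reused value would let injected markup carry a valid nonce.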
Received on Friday, 13 December 2013 21:53:06 UTC