Re: Hashes/Nonce Source and unsafe-inline

On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com> wrote:

> The current spec is explicit about allowing nonces and hashes for only
>  inline script use


The current spec mentions hashes and nonce in the style-src section, but in
the Valid Hashes section,
https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes it
only mentions script. I would expect them to work in style-src as well
as script-src. Does the valid-hashes section need to be updated, or is the
style-src section wrong?

Also wouldn't it be possible in theory to solve Dev's problem by allowing
hashes of inline event handlers? This could also potentially help ease
adoption in legacy applications. I don't know what kind of challenges that
would present for the browser vendors to implement, obviously not anything
I would want holding up CSP1.1.

--
Pete Freitag
http://foundeo.com
http://content-security-policy.com/ - CSP Quick Reference

Received on Monday, 16 December 2013 18:29:24 UTC