Re: Hashes/Nonce Source and unsafe-inline

> I would expect them to work in style-src as well as script-src. Does the valid-hashes section need to be updated, or is the style-src section wrong?

Pete, yeah same should apply to inline script tags.

Had a chat with Dev, and as Pete mentions, this would definitely
help increase adoption. Seems like another source-expression would be
the clearest.



On Mon, Dec 16, 2013 at 10:28 AM, Pete Freitag <pete@foundeo.com> wrote:
> On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com>
> wrote:
>>
>> The current spec is explicit about allowing nonces and hashes for only
>> inline script use
>
>
> The current spec mentions hashes and nonce in the style-src section, but in
> the Valid Hashes section,
> https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
> it only mentions script. I would expect them to work in style-src as well as
> script-src. Does the valid-hashes section need to be updated, or is the
> style-src section wrong?
>
> Also wouldn't it be possible in theory to solve Dev's problem by allowing
> hashes of inline event handlers? This could also potentially help ease
> adoption in legacy applications. I don't know what kind of challenges that
> would present for the browser vendors to implement, obviously not anything I
> would want holding up CSP1.1.
>
> --
> Pete Freitag
> http://foundeo.com
> http://content-security-policy.com/ - CSP Quick Reference

Received on Monday, 16 December 2013 18:42:41 UTC
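The hash and nonce source expressions the thread is arguing over, as an added worked example (this is not code from the list, the spec draft, or any browser; the policy strings and inline content are constructed for illustration). The block computes `'sha256-...'` expressions for inline script and style content the way the spec describes them (base64 of the digest over the exact bytes between the tags), builds a policy that uses them in both `script-src` and `style-src`, and then decides whether a given inline block would pass. It assumes the CSP rule that `'unsafe-inline'` is ignored once any hash or nonce source appears in the directive, and it deliberately models only inline `<script>`/`<style>` blocks: there is no expression here for an `onclick=` attribute, which is exactly the gap Pete raises for inline event handlers.

```python
"""Compute and check CSP hash / nonce source expressions for inline blocks.

Added example for the hashes-in-style-src discussion; not from the spec or any browser.
Assumptions (labelled): hash sources are base64(digest(exact inline bytes)),
'unsafe-inline' is ignored when a hash or nonce source is present, and a
directive missing from the policy falls back to default-src.
"""
from __future__ import annotations

import base64
import hashlib
import secrets

HASH_ALGOS = ("sha256", "sha384", "sha512")


def hash_source(inline_content: str, algo: str = "sha256") -> str:
    """Return e.g. 'sha256-<base64>' for the exact text between the tags.

    Whitespace is part of the hashed bytes, so reformatting the inline block
    (even adding a trailing newline) produces a different expression.
    """
    digest = hashlib.new(algo, inline_content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce() -> str:
    """Fresh per-response nonce; must be unguessable, never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_source(nonce: str) -> str:
    return f"'nonce-{nonce}'"


def build_policy(directives: dict[str, list[str]]) -> str:
    """Serialise {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_allowed(policy: str, directive: str, content: str, nonce: str | None = None) -> bool:
    """Decide whether an inline <script> or <style> block passes `directive`.

    `directive` is "script-src" or "style-src"; `nonce` is the block's nonce
    attribute, if any. Event-handler attributes are not covered by this check
    (assumption matching the draft under discussion: no expression allows them).
    """
    directives = parse_policy(policy)
    sources = directives.get(directive)
    if sources is None:  # assumed fallback to default-src
        sources = directives.get("default-src", [])
    hashes = {s for s in sources if s.startswith(tuple(f"'{a}-" for a in HASH_ALGOS))}
    nonces = {s for s in sources if s.startswith("'nonce-")}
    if not hashes and not nonces:
        # Legacy behaviour: only a blanket 'unsafe-inline' lets inline content run.
        return "'unsafe-inline'" in sources
    # A hash or nonce is present, so 'unsafe-inline' is ignored (assumed CSP rule).
    if nonce is not None and nonce_source(nonce) in nonces:
        return True
    return any(hash_source(content, algo) in hashes for algo in HASH_ALGOS)


if __name__ == "__main__":
    # Constructed inline content standing in for what a page would emit.
    script = "document.title = 'hashed';"
    style = "body { color: red }"
    policy = build_policy({
        "script-src": ["'self'", hash_source(script)],
        "style-src": ["'self'", hash_source(style)],
    })
    print("Content-Security-Policy:", policy)
    print("script allowed:", inline_allowed(policy, "script-src", script))
    print("style allowed: ", inline_allowed(policy, "style-src", style))
    print("edited style:  ", inline_allowed(policy, "style-src", style + "\n"))
```

Running it prints a policy with one hash per directive and shows the same block passing under `style-src` and `script-src` alike, while a one-character edit to the inline content fails. The `'unsafe-inline'` branch is the legacy path a site is stuck on until every inline block has a hash or nonce; the event-handler case has no branch because the draft gives it no expression.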