- From: Neil Matatall <neilm@twitter.com>
- Date: Mon, 16 Dec 2013 10:42:13 -0800
- To: Pete Freitag <pete@foundeo.com>
- Cc: Dionysis Zindros <dionyziz@gmail.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I would expect them to work in style-src as well as script-src. Does the valid-hashes section need to be updated or is the style-src section wrong?

Pete, yeah same should apply to inline script tags. Had a chat with Dev, and as Pete mentions, this would definitely help increase adoption. Seems like another source-expression would be the clearest.

On Mon, Dec 16, 2013 at 10:28 AM, Pete Freitag <pete@foundeo.com> wrote:
> On Fri, Dec 13, 2013 at 4:47 PM, Dionysis Zindros <dionyziz@gmail.com> wrote:
>>
>> The current spec is explicit about allowing nonces and hashes for only inline script use
>
>
> The current spec mentions hashes and nonce in the style-src section, but in the Valid Hashes section,
> https://dvcs.w3.org/hg/content-security-policy/raw-file/8db37e53da82/csp-specification.dev.html#valid-hashes
> it only mentions script. I would expect them to work in style-src as well as script-src. Does the valid-hashes section need to be updated or is the style-src section wrong?
>
> Also wouldn't it be possible in theory to solve Dev's problem by allowing hashes of inline event handlers? This could also potentially help ease adoption in legacy applications. I don't know what kind of challenges that would present for the browser vendors to implement, obviously not anything I would want holding up CSP1.1.
>
> --
> Pete Freitag
> http://foundeo.com
> http://content-security-policy.com/ - CSP Quick Reference
Received on Monday, 16 December 2013 18:42:41 UTC
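The hash-source mechanism the thread is debating, as an added example that is not part of the thread or of the CSP draft: it computes the `'sha256-...'` token for each inline `<script>` and `<style>` block in a constructed HTML fragment, builds a policy that allows exactly those blocks under both script-src and style-src, and checks a block against a policy. Inline event handlers are collected too, only to show that the draft gives them no hashable form, which is the gap Pete raises.

```python
import base64
import hashlib
import re

# Constructed sample page (not from the thread): one inline script, one
# inline style, and one inline event handler attribute.
SAMPLE_HTML = """<style>body { color: #333; }</style>
<script>console.log("hello");</script>
<button onclick="doThing()">Go</button>"""


def hash_source(content: str, algo: str = "sha256") -> str:
    """CSP hash-source token: the digest is over the element's exact text content."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_blocks(html: str) -> dict[str, list[str]]:
    """Collect inline script bodies, style bodies, and on*="..." handler values."""
    return {
        "script-src": re.findall(r"<script>(.*?)</script>", html, re.S),
        "style-src": re.findall(r"<style>(.*?)</style>", html, re.S),
        # Handlers are listed but not hashed: the draft has no source for them.
        "event-handlers": re.findall(r'\son\w+="([^"]*)"', html),
    }


def policy_for(html: str) -> str:
    """Policy allowing only the page's own inline blocks (no 'unsafe-inline')."""
    blocks = inline_blocks(html)
    parts = []
    for directive in ("script-src", "style-src"):
        sources = ["'self'"] + [hash_source(b) for b in blocks[directive]]
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def allowed(policy: str, directive: str, content: str) -> bool:
    """True if the directive's source list contains this block's hash."""
    for part in policy.split(";"):
        name, _, sources = part.strip().partition(" ")
        if name == directive:
            return hash_source(content) in sources.split()
    return False


if __name__ == "__main__":
    print(policy_for(SAMPLE_HTML))
```

Any whitespace change inside the inline block changes the digest, so the policy must be generated from the exact bytes the server emits.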