Re: CSP script hashes

I support moving forward with hashes to allow inline styles and scripts. I
believe they'd be much easier to deploy than nonces in many scenarios,
which will eventually mean increased security.

> What about having a single inline-hash that is a digest of all allowed
> inline content in the document, including both styles and scripts? The
> browser would maintain a running digest as it encounters each style or
> script tag. Once the digest matches the allowed inline-hash the browser
> would execute the content immediately, or would report a violation upon
> reaching the end of the document without ever matching the hash.
>
> This makes it harder to deploy pages that dynamically include from
> multiple sources, but keeps things simple and saves bytes.
>
>
That would mean the browser cannot start executing inline scripts & styles
until the entire HTML has been downloaded (or at the very least, the last
inlined resource). Even for static HTML pages with multiple inlined resources,
this can result in a significant slowdown of the page load without any
benefit (saving 30 bytes on the response headers doesn't seem like a
significant benefit).

Yoav

Received on Tuesday, 12 February 2013 09:17:43 UTC