- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Mon, 01 Jul 2013 16:43:30 -0700
- To: public-webappsec@w3.org
On 06/28/2013 07:06 PM, Adam Barth wrote:
> Currently we specify nonce-value as follows:
>
> nonce-value = *( ALPHA / DIGIT )
>
> Some folks who've been experimenting with nonce-source have requested
> that we expand the set of allowed characters in nonce-value to include
> '+' and '/'. That way the set of allowed characters will match the
> characters used by base64.
>

I don't see any problems with this.

> Also, I wonder if we should require a minimum number of characters in
> the nonce. Maybe at least 1 character? Having zero seems like an
> error.
>

We just noticed this while I was working on script-nonce for Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also advocate changing the * to a + so at least 1 character is required in a valid nonce.

> Thoughts?
> Adam
>
Received on Monday, 1 July 2013 23:43:58 UTC
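
The two nonce-value grammars discussed in this message, written as validators so the difference can be checked against base64 output. This is an added example, not part of the original message or of any browser's code; the function names are hypothetical and the sample bytes are constructed.

```javascript
// Grammar quoted in the thread: nonce-value = *( ALPHA / DIGIT )
// '*' permits zero characters, so the empty string is a valid nonce-value.
const CURRENT_GRAMMAR = /^[A-Za-z0-9]*$/;

// Change proposed in the thread: also allow '+' and '/', and require at
// least one character (the '*' becomes a '+' in the message's wording).
const PROPOSED_GRAMMAR = /^[A-Za-z0-9+\/]+$/;

function isValidNonceValue(value, grammar) {
  return typeof value === 'string' && grammar.test(value);
}

// Base64-encode raw nonce bytes for use as a nonce-value. The '=' padding
// character is in neither grammar above, so it is stripped here. The caller
// supplies the bytes; a server would draw them from a CSPRNG per response.
function toNonceValue(bytes) {
  return Buffer.from(bytes).toString('base64').replace(/=+$/, '');
}

// Evaluate one candidate against both grammars.
function classify(value) {
  return {
    value,
    current: isValidNonceValue(value, CURRENT_GRAMMAR),
    proposed: isValidNonceValue(value, PROPOSED_GRAMMAR),
  };
}

// Constructed samples: the empty nonce, an alphanumeric nonce, base64
// output that happens to contain '+' and '/', and padded base64.
const SAMPLES = [
  '',
  'abc123',
  toNonceValue([0xfb, 0xff, 0xbe, 0x01, 0x02, 0x03]), // "+/++AQID"
  Buffer.from([0x00]).toString('base64'),             // "AA==" (padded)
];

function report() {
  return SAMPLES.map(classify);
}

console.table(report());
```

The padded sample fails both grammars, so a server emitting base64 nonces under the character set proposed here has to strip padding or use byte lengths that are a multiple of three.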