- From: Joel Weinberger <jww@chromium.org>
- Date: Wed, 3 Jul 2013 15:12:50 -0700
- To: Garrett Robinson <grobinson@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 3 July 2013 22:13:17 UTC
Also in agreement on both accounts.

On Mon, Jul 1, 2013 at 4:43 PM, Garrett Robinson <grobinson@mozilla.com> wrote:

> On 06/28/2013 07:06 PM, Adam Barth wrote:
> > Currently we specify nonce-value as follows:
> >
> > nonce-value = *( ALPHA / DIGIT )
> >
> > Some folks who've been experimenting with nonce-source have requested
> > that we expand the set of allowed characters in nonce-value to include
> > '+' and '/'. That way the set of allowed characters will match the
> > characters used by base64.
> >
>
> I don't see any problems with this.
>
> > Also, I wonder if we should require a minimum number of characters in
> > the nonce. Maybe at least 1 character? Having zero seems like an
> > error.
> >
>
> We just noticed this while I was working on script-nonce for Firefox
> (https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c16). I would also
> advocate changing the * to a + so at least 1 character is required in a
> valid nonce.
>
> > Thoughts?
> > Adam
> >
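The two grammars discussed in this thread, compared on sample nonces. This is an added example, not part of the original messages or of any browser's code. The "proposed" pattern is an assumed combination of the two suggestions above ('+' and '/' allowed, at least one character), and all function names and sample values are constructed for illustration.

```python
import base64
import re
import secrets

# Grammar as quoted in the thread: nonce-value = *( ALPHA / DIGIT )
CURRENT = re.compile(r"[A-Za-z0-9]*")
# Assumed combined form of the thread's two proposals:
# '+' and '/' are allowed and at least one character is required.
PROPOSED = re.compile(r"[A-Za-z0-9+/]+")


def valid_current(nonce: str) -> bool:
    """True if the whole string matches the grammar quoted in the thread."""
    return CURRENT.fullmatch(nonce) is not None


def valid_proposed(nonce: str) -> bool:
    """True if the whole string matches the assumed proposed grammar."""
    return PROPOSED.fullmatch(nonce) is not None


def make_nonce(num_bytes: int = 18) -> str:
    """Return a random base64 nonce that fits the proposed grammar.

    Base64 pads with '=' unless the byte count is a multiple of 3, and
    '=' is not among the characters proposed in the thread, so any
    padding is stripped before the value is used as a nonce.
    """
    raw = secrets.token_bytes(num_bytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


# Constructed sample values, not taken from the thread.
SAMPLES = {
    "alphanumeric": "Nc3n83cnSAd3wc3Sasdfn939hc3",
    "base64": base64.b64encode(b"\xfb\xff\xbe\x00\x01\x02").decode("ascii"),
    "base64_padded": base64.b64encode(b"\xfb\xff\xbe\x00").decode("ascii"),
    "empty": "",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} {value!r:32} current={valid_current(value)} "
              f"proposed={valid_proposed(value)}")
    print("generated:", make_nonce())
```

The padded sample fails both patterns, so a server that emits standard base64 needs either a byte length divisible by 3 or padding removal for its nonces to be accepted under the character set discussed here.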