CSP 1.1: Nonce-source and unsafe-inline

Hi all,

In the CSP 1.1 spec, a directive that has both nonce-source and
unsafe-inline buys the user no additional protection as the browser will
just allow all inline scripts. Previous CSP 1.1 versions of the spec
indicated that when both directive values were specified the unsafe-inline
would be ignored and nonce-source would be enforced (
http://www.w3.org/TR/2012/WD-CSP11-20121213/#interaction-with-the-script-src-directive
).

From a web app deployment perspective it would be great if having a valid
nonce-source invalidated an 'unsafe-inline', as this would allow having a
single CSP 1.1 header which provides additional security for new browsers,
but also works for old browsers (sort of like providing a
backward-compatible policy and avoiding the unpleasantness of user-agent
specific CSP). Only the CSP 1.1 spec would have to be modified to specify
that new browsers ignore 'unsafe-inline' if a nonce-source is present.

Any thoughts?

Thanks,
Danesh

Received on Thursday, 18 July 2013 11:58:46 UTC
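To make the two interpretations concrete, here is an added example (not part of the original message or of any browser's code) that models how a user agent decides whether an inline script may run under a script-src directive containing both a nonce-source and 'unsafe-inline'. The "legacy" mode is the behaviour the post complains about (unsafe-inline always honoured); the "nonceWins" mode is the behaviour the post proposes (a nonce-source present in the directive makes 'unsafe-inline' ignored). The parser is a deliberate simplification that only looks at script-src and does not model default-src fallback.

```javascript
// Parse the script-src directive of a policy string such as
// "default-src 'self'; script-src 'self' 'nonce-abc' 'unsafe-inline'"
// into the two facts the decision below needs. Simplified on purpose:
// only script-src is inspected, no default-src fallback (assumption).
function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src"));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1);
  return {
    unsafeInline: sources.includes("'unsafe-inline'"),
    // Every nonce value the directive declares, without the 'nonce-' wrapper.
    nonces: sources
      .filter((s) => /^'nonce-[^']+'$/.test(s))
      .map((s) => s.slice("'nonce-".length, -1)),
  };
}

// Decide whether an inline <script nonce="..."> (scriptNonce undefined when
// the element carries no nonce attribute) is allowed to execute.
//   mode === "legacy":    'unsafe-inline' is always honoured (CSP 1.0 style),
//                         so a nonce-source next to it adds nothing.
//   mode === "nonceWins": the behaviour proposed in the message: once a
//                         nonce-source is present, 'unsafe-inline' is ignored
//                         and only scripts with a matching nonce may run.
function inlineScriptAllowed(policy, scriptNonce, mode = "nonceWins") {
  const p = parseScriptSrc(policy);
  if (!p) return true; // no script-src directive: nothing to enforce here
  const nonceSourcePresent = p.nonces.length > 0;
  const nonceMatches =
    scriptNonce !== undefined && p.nonces.includes(scriptNonce);
  const honourUnsafeInline =
    p.unsafeInline && !(mode === "nonceWins" && nonceSourcePresent);
  return honourUnsafeInline || nonceMatches;
}

// Constructed sample policy: the single backward-compatible header the
// message argues for, carrying both a nonce-source and 'unsafe-inline'.
const combinedPolicy =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'";
```

Under "legacy" the combined policy lets an inline script with no nonce (or a wrong one) execute, which is exactly why the two values together buy no protection; under "nonceWins" the same header blocks it in a new browser while an old browser, which only understands 'unsafe-inline', keeps working.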