W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Specifying nonce-source for every directive

From: Garrett Robinson <grobinson@mozilla.com>
Date: Fri, 31 May 2013 08:50:24 -0700
Message-ID: <51A8C6C0.4050004@mozilla.com>
To: public-webappsec@w3.org
At the moment, Blink supports using the nonce-src source (behind a flag) 
for the script-src and style-src directives. Support in Firefox for 
these directives is a WIP 
(https://bugzilla.mozilla.org/show_bug.cgi?id=855326). While satisfying 
this use case was the primary motivation for creating nonce-source, the 
current spec also implicitly supports using it for all of the other CSP 
directives. This flexibility has been explicitly mentioned as the 
motivation behind specifying nonce as a source (rather than a specific 
directive). See 

I propose that we precisely define this behavior in the spec. At the 
moment nonce-source is only specifically mentioned in the subsections on 
script-src and style-src. Most of the directives would be amenable to 
nonce-source, although in some cases the utility is questionable. A few 
of the directives (connect-src, font-src, sandbox) cannot use 
nonce-source at all AFAICT and this should be explicit.

Personally I would be happy limiting the use of nonce-source to 
script-src and style-src - even just inline scripts and styles. While it 
is possible to use it in conjunction with other directives, I believe 
the corresponding use cases are far less compelling.

Received on Sunday, 2 June 2013 17:20:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC