- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Fri, 31 May 2013 08:50:24 -0700
- To: public-webappsec@w3.org
At the moment, Blink supports using the nonce-src source (behind a flag) for the script-src and style-src directives. Support in Firefox for these directives is a WIP (https://bugzilla.mozilla.org/show_bug.cgi?id=855326). While satisfying this use case was the primary motivation for creating nonce-source, the current spec also implicitly supports using it for all of the other CSP directives. This flexibility has been explicitly mentioned as the motivation behind specifying nonce as a source (rather than a specific directive). See http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0094.html.

I propose that we precisely define this behavior in the spec. At the moment nonce-source is only specifically mentioned in the subsections on script-src and style-src. Most of the directives would be amenable to nonce-source, although in some cases the utility is questionable. A few of the directives (connect-src, font-src, sandbox) cannot use nonce-source at all AFAICT and this should be explicit.

Personally I would be happy limiting the use of nonce-source to script-src and style-src - even just inline scripts and styles. While it is possible to use it in conjunction with other directives, I believe the corresponding use cases are far less compelling.

Cheers,
Garrett
Received on Sunday, 2 June 2013 17:20:43 UTC
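The message above argues that nonce-source is really only meaningful for directives whose governed elements can carry a `nonce` attribute (script-src, style-src). The following Python model, added here as an illustration and not part of the mailing-list thread or of any browser's CSP implementation, shows the mechanism from the server side: mint a fresh per-response nonce, emit a policy that names it, and audit a page's inline `<script>`/`<style>` tags to see which would be permitted. It models only nonce matching and the default-src fallback; `'unsafe-inline'`, hash sources and the rest of the source-expression grammar are deliberately left out, and the HTML, policy and nonce values are all constructed for the example.

```python
"""Minimal model of CSP nonce-source enforcement for inline <script>/<style>.
Added example; simplified relative to the real CSP algorithm (no hashes,
no 'unsafe-inline', no 'strict-dynamic')."""
import re
import secrets

# CSP nonce-source: 'nonce-<base64-value>' (base64url characters accepted too)
NONCE_SRC = re.compile(r"^'nonce-([A-Za-z0-9+/_-]+={0,2})'$")
INLINE_TAG = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def make_nonce(nbytes: int = 16) -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64url-encoded.
    A nonce reused across responses, or derived from something predictable,
    loses the whole benefit, so it must be regenerated for every response."""
    return secrets.token_urlsafe(nbytes)


def build_policy(nonce: str) -> str:
    """Policy permitting inline script/style only when it carries this nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def parse_policy(header: str) -> dict:
    """Split a policy into {directive-name: [source-expressions]}.
    A repeated directive name is ignored after its first occurrence, as in CSP."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def policy_nonces(directives: dict, directive: str) -> set:
    """Nonce values accepted by `directive`, falling back to default-src if absent."""
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src", [])
    found = set()
    for src in sources:
        m = NONCE_SRC.match(src)
        if m:
            found.add(m.group(1))
    return found


def inline_allowed(header: str, kind: str, element_nonce) -> bool:
    """kind is 'script' or 'style'; element_nonce is the tag's nonce attribute
    (None when absent). Only an exact match against the policy permits it."""
    allowed = policy_nonces(parse_policy(header), f"{kind}-src")
    return element_nonce is not None and element_nonce in allowed


def audit_inline(html: str, header: str) -> list:
    """Return (kind, nonce, allowed) for every <script>/<style> opening tag."""
    results = []
    for m in INLINE_TAG.finditer(html):
        kind, attrs = m.group(1).lower(), m.group(2)
        attr = NONCE_ATTR.search(attrs)
        nonce = attr.group(1) if attr else None
        results.append((kind, nonce, inline_allowed(header, kind, nonce)))
    return results


def sample_page(nonce: str) -> str:
    """Constructed page: two legitimate nonced elements followed by two
    elements standing in for markup that was not emitted by the template."""
    return (
        f'<script nonce="{nonce}">init();</script>\n'
        f'<style nonce="{nonce}">body{{margin:0}}</style>\n'
        '<script>injected_without_nonce();</script>\n'
        '<script nonce="guess1234">injected_with_wrong_nonce();</script>\n'
    )


if __name__ == "__main__":
    nonce = make_nonce()
    header = build_policy(nonce)
    print("Content-Security-Policy:", header)
    for kind, n, ok in audit_inline(sample_page(nonce), header):
        print(f"{kind:6} nonce={n!r:28} {'allowed' if ok else 'BLOCKED'}")
```

The audit reports the two template-emitted elements as allowed and the two others as blocked, which is exactly the property the thread is after: an inline element is permitted only when it carries the exact value the server chose for that response. The same code also shows why connect-src or font-src gain nothing from nonce-source: a fetch or a font load has no element attribute in which a nonce could be presented, so there is nothing for `inline_allowed` to compare against.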