- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 2 Jun 2013 10:48:14 -0700
- To: Garrett Robinson <grobinson@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, May 31, 2013 at 8:50 AM, Garrett Robinson <grobinson@mozilla.com> wrote:
> At the moment, Blink supports using the nonce-src source (behind a flag) for
> the script-src and style-src directives. Support in Firefox for these
> directives is a WIP (https://bugzilla.mozilla.org/show_bug.cgi?id=855326).
> While satisfying this use case was the primary motivation for creating
> nonce-source, the current spec also implicitly supports using it for all of
> the other CSP directives. This flexibility has been explicitly mentioned as
> the motivation behind specifying nonce as a source (rather than a specific
> directive). See
> http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0094.html.
>
> I propose that we precisely define this behavior in the spec. At the moment
> nonce-source is only specifically mentioned in the subsections on script-src
> and style-src. Most of the directives would be amenable to nonce-source,
> although in some cases the utility is questionable. A few of the directives
> (connect-src, font-src, sandbox) cannot use nonce-source at all AFAICT and
> this should be explicit.
>
> Personally I would be happy limiting the use of nonce-source to script-src
> and style-src - even just inline scripts and styles. While it is possible to
> use it in conjunction with other directives, I believe the corresponding use
> cases are far less compelling.

Yeah, I would be inclined to limit nonce-source to script-src and style-src because those are the two directives that deal with inline content. The main use case I see for nonce-source is to whitelist inline content that is difficult to move out-of-line.

Adam
Received on Sunday, 2 June 2013 17:49:14 UTC