W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2013

Re: Specifying nonce-source for every directive

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 2 Jun 2013 10:48:14 -0700
Message-ID: <CAJE5ia8LgyF5J0HnnFYoze8Gov4g+qQYb8=4uq=WkuMBkm8gCg@mail.gmail.com>
To: Garrett Robinson <grobinson@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, May 31, 2013 at 8:50 AM, Garrett Robinson <grobinson@mozilla.com> wrote:
> At the moment, Blink supports using the nonce-src source (behind a flag) for
> the script-src and style-src directives. Support in Firefox for these
> directives is a WIP (https://bugzilla.mozilla.org/show_bug.cgi?id=855326).
> While satisfying this use case was the primary motivation for creating
> nonce-source, the current spec also implicitly supports using it for all of
> the other CSP directives. This flexibility has been explicitly mentioned as
> the motivation behind specifying nonce as a source (rather than a specific
> directive). See
> http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0094.html.
> I propose that we precisely define this behavior in the spec. At the moment
> nonce-source is only specifically mentioned in the subsections on script-src
> and style-src. Most of the directives would be amenable to nonce-source,
> although in some cases the utility is questionable. A few of the directives
> (connect-src, font-src, sandbox) cannot use nonce-source at all AFAICT and
> this should be explicit.
> Personally I would be happy limiting the use of nonce-source to script-src
> and style-src - even just inline scripts and styles. While it is possible to
> use it in conjunction with other directives, I believe the corresponding use
> cases are far less compelling.

Yeah, I would be inclined to limit nonce-source to script-src and
style-src because those are the two directives that deal with inline
content.  The main use case I see for nonce-source is to whitelist
inline content that is difficult to move out-of-line.

Received on Sunday, 2 June 2013 17:49:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:33 UTC