Re: Specifying nonce-source for every directive from Devdatta Akhawe on 2013-06-02 (public-webappsec@w3.org from June 2013)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 2 Jun 2013 10:59:19 -0700
To: Adam Barth <w3c@adambarth.com>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_0xVxbHU4qPov0uLK0VfDTKixA79GdooV2aMcDYxvbDXw@mail.gmail.com>

>The main use case I see for nonce-source is to whitelist
> inline content that is difficult to move out-of-line.

On the other hand, for scripts and styles, the nonce overrides src
directives even for external content.

Dev

Received on Sunday, 2 June 2013 18:00:07 UTC