Re: Specifying nonce-source for every directive

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 2 Jun 2013 11:37:55 -0700
Message-ID: <CAJE5ia9GuTKYPBxTqpBZcsykp276Y+nG-d5xz2VxBziwsBPu=w@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sun, Jun 2, 2013 at 10:59 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>> The main use case I see for nonce-source is to whitelist
>> inline content that is difficult to move out-of-line.
>
> On the other hand, for scripts and styles, the nonce overrides src
> directives even for external content.

I wouldn't say it "overrides" src directives.  It's just a
source-expression, and it works in the same way as other
source-expressions.

Adam
Received on Sunday, 2 June 2013 18:38:55 UTC
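
A simplified model of the source-list matching discussed in this thread, added here as an illustration (it is not part of the original message and not the specification's algorithm): a directive's source list is a union of source-expressions, and a nonce-source is one more member, matched against the element's nonce attribute instead of its URL. The function names, the request shape and the sample policy are assumptions; only `'self'`, `'none'`, scheme-and-host sources and `'nonce-...'` are handled.

```javascript
// Constructed sample script-src value (not taken from the thread).
const SAMPLE_SCRIPT_SRC = "'self' https://cdn.example 'nonce-r4nd0m'";

// Split a directive value into its individual source-expressions.
function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Does one source-expression match this request?
// request = { url: string|null (null for inline), nonce?: string, pageOrigin: string }
function matchesExpression(expr, request) {
  const nonce = /^'nonce-(.+)'$/.exec(expr);
  if (nonce) {
    // A nonce-source matches on the element's nonce attribute; the URL is not consulted.
    return typeof request.nonce === "string" && request.nonce === nonce[1];
  }
  // The remaining expression kinds modelled here match on URL, so inline content cannot match.
  if (request.url === null) return false;
  const origin = new URL(request.url).origin;
  if (expr === "'self'") return origin === request.pageOrigin;
  try {
    return new URL(expr).origin === origin; // scheme-and-host source, e.g. https://cdn.example
  } catch {
    return false; // expression kinds this model does not handle
  }
}

// A request is allowed when ANY expression in the list matches (union semantics).
function isAllowed(sourceList, request) {
  const exprs = parseSourceList(sourceList);
  if (exprs.length === 1 && exprs[0] === "'none'") return false;
  return exprs.some((expr) => matchesExpression(expr, request));
}
```
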