Re: Specifying nonce-source for every directive

On 06/02/2013 11:37 AM, Adam Barth wrote:
> On Sun, Jun 2, 2013 at 10:59 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> The main use case I see for nonce-source is to whitelist
>>> inline content that is difficult to move out-of-line.
>>
>> On the other hand, for scripts and styles, the nonce overrides src
>> directives even for external content.
>
> I wouldn't say it "overrides" src directives.  It's just a
> source-expression, and it works in the same way as other
> source-expressions.

Yes - it functions in addition to the other components of the relevant 
src directives, rather than overriding them.

>
> Adam
>

Especially given the new path matching in CSP 1.1, I would advocate for 
limiting nonce-source to whitelisting specific inline scripts and inline 
styles.

Received on Tuesday, 11 June 2013 22:28:25 UTC
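The point made in the exchange above, that a nonce-source is matched as one more source-expression beside the host-sources of the same directive rather than overriding them, can be shown with a small model of script-src evaluation. The following is an added example, not code from the thread or from any browser: it implements only host-sources (with CSP 1.1 style path matching) and nonce-sources, ignores other keywords such as 'self' and 'unsafe-inline', and uses a constructed policy with hypothetical hosts (cdn.example.com, other.example.net).

```javascript
// Added example (not from the original thread): a simplified model of CSP 1.1
// script-src evaluation, to show that a nonce-source is matched as one more
// source-expression next to host-sources, not as an override of them.
// Only host-sources (with CSP 1.1 path matching) and nonce-sources are
// modelled; keywords such as 'self' and 'unsafe-inline' are ignored here.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Match one host-source expression against a script URL.
// docScheme is the scheme of the protected document, used when the
// expression carries no scheme of its own.
function hostSourceMatches(expr, srcUrl, docScheme) {
  const url = new URL(srcUrl);
  let scheme = null;
  let rest = expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(expr);
  if (m) {
    scheme = m[1].toLowerCase() + ":";
    rest = m[2];
  }
  const slash = rest.indexOf("/");
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? "" : rest.slice(slash);
  const [host, port] = hostPort.toLowerCase().split(":");

  // Scheme: an explicit scheme must match; otherwise the document's scheme applies.
  if ((scheme || docScheme + ":") !== url.protocol) return false;

  // Host: "*.example.com" matches subdomains only; otherwise exact match.
  const hostname = url.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    if (!hostname.endsWith(host.slice(1))) return false;
  } else if (hostname !== host) {
    return false;
  }

  // Port: compare against the URL's effective port (default port if omitted).
  const effPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port !== undefined) {
    if (port !== "*" && port !== effPort) return false;
  } else if (effPort !== DEFAULT_PORT[url.protocol]) {
    return false;
  }

  // Path (CSP 1.1): a trailing "/" means prefix match, otherwise exact match;
  // an expression with no path matches every path on that host.
  if (path === "") return true;
  if (path.endsWith("/")) return url.pathname.startsWith(path);
  return url.pathname === path;
}

// Decide whether a <script> element is allowed by a script-src source list.
// script = { src?: string, nonce?: string }; an element without src is inline.
function scriptAllowed(sourceList, script, docScheme = "https") {
  for (const expr of sourceList.trim().split(/\s+/).filter(Boolean)) {
    const nm = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(expr);
    if (nm) {
      // A nonce-source matches any script element, inline or external,
      // whose nonce attribute equals the policy's nonce.
      if (script.nonce !== undefined && script.nonce === nm[1]) return true;
      continue;
    }
    if (expr.startsWith("'")) continue;       // other keywords not modelled
    if (script.src === undefined) continue;   // host-sources never match inline
    if (hostSourceMatches(expr, script.src, docScheme)) return true;
  }
  return false;
}

// Constructed policy and script elements for the demonstration (hypothetical hosts).
const POLICY = "'nonce-R4nd0mV4lue' https://cdn.example.com/js/";

const CASES = {
  inlineWithNonce:     { nonce: "R4nd0mV4lue" },
  inlineWithoutNonce:  {},
  whitelistedExternal: { src: "https://cdn.example.com/js/app.js" },
  wrongPathExternal:   { src: "https://cdn.example.com/vendor/lib.js" },
  foreignWithNonce:    { src: "https://other.example.net/x.js", nonce: "R4nd0mV4lue" },
  foreignWithoutNonce: { src: "https://other.example.net/x.js" },
};

// Evaluate every constructed case against POLICY and return the verdicts.
function evaluateCases() {
  const out = {};
  for (const [name, script] of Object.entries(CASES)) {
    out[name] = scriptAllowed(POLICY, script);
  }
  return out;
}

console.log(evaluateCases());
```

Running it shows both halves of the discussion: the external script under the whitelisted path loads through the host-source alone, the inline script loads only when it carries the nonce, and a script from a host that is not whitelisted at all still loads if its element carries the nonce, which is the "external content" case Devdatta raises. The path-mismatch case is why the CSP 1.1 path matching mentioned above makes host-sources precise enough that nonces are mainly needed for inline content.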