- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Tue, 11 Jun 2013 15:27:56 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Devdatta Akhawe <dev.akhawe@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 06/02/2013 11:37 AM, Adam Barth wrote:
> On Sun, Jun 2, 2013 at 10:59 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>> The main use case I see for nonce-source is to whitelist
>>> inline content that is difficult to move out-of-line.
>>
>> On the other hand, for scripts and styles, the nonce overrides src
>> directives even for external content.
>
> I wouldn't say it "overrides" src directives. It's just a
> source-expression, and it works in the same way as other
> source-expressions.

Yes - it functions in addition to the other components of the relevant src directives, rather than overriding them.

>
> Adam
>

Especially given the new path matching in CSP 1.1, I would advocate for limiting nonce-source to whitelisting specific inline scripts and inline styles.
Received on Tuesday, 11 June 2013 22:28:25 UTC
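The behaviour the thread is discussing, as an added example that is not part of the original message or of any W3C draft: a simplified CSP 1.1 script-src matcher in JavaScript in which 'nonce-...' is parsed and evaluated as one source-expression alongside host sources (with CSP 1.1 path matching), so a matching nonce admits a script whether it is inline or loaded from a host that is not whitelisted. The policy string, nonce value, hostnames and URLs are constructed for illustration; wildcards, 'self', scheme-only sources and keywords other than 'unsafe-inline' are deliberately left out.

```javascript
// Added example (not from the W3C thread): a simplified CSP 1.1 script-src
// matcher. Simplifications: no wildcards, no 'self', no scheme-only sources,
// no keywords other than 'unsafe-inline'.

// Parse a script-src directive value into host sources, nonces and flags.
function parseScriptSrc(directiveValue) {
  const policy = { hosts: [], nonces: new Set(), unsafeInline: false };
  for (const token of directiveValue.trim().split(/\s+/).filter(Boolean)) {
    const nonce = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(token);
    if (nonce) { policy.nonces.add(nonce[1]); continue; }
    if (token === "'unsafe-inline'") { policy.unsafeInline = true; continue; }
    // Anything else is treated as a host-source expression.
    policy.hosts.push(token);
  }
  return policy;
}

// Does a host-source expression (e.g. https://cdn.example.com/js/) match a URL?
// Scheme, host and port must match; a source path ending in "/" is a prefix
// match, any other source path must match exactly. A schemeless source
// inherits the scheme of the document that carries the policy.
function hostSourceMatches(source, url, documentScheme) {
  let src;
  try {
    src = new URL(source.includes("://") ? source : `${documentScheme}//${source}`);
  } catch {
    return false; // unparseable source expression never matches
  }
  if (src.protocol !== url.protocol) return false;
  if (src.hostname.toLowerCase() !== url.hostname.toLowerCase()) return false;
  if (src.port !== url.port) return false;
  if (src.pathname.endsWith("/")) return url.pathname.startsWith(src.pathname);
  return src.pathname === url.pathname;
}

// Decide whether a script may run. `script` is { inline: true, nonce } or
// { inline: false, src, nonce }; `documentUrl` is the page carrying the policy.
function scriptAllowed(directiveValue, script, documentUrl) {
  const policy = parseScriptSrc(directiveValue);
  const docUrl = new URL(documentUrl);
  // The nonce is just another source-expression: a match allows the script,
  // inline or external, in addition to whatever the host sources allow.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (script.inline) return policy.unsafeInline;
  const url = new URL(script.src, docUrl);
  return policy.hosts.some((h) => hostSourceMatches(h, url, docUrl.protocol));
}

// Constructed policy and page (hypothetical names): one whitelisted path
// plus one nonce.
const POLICY = "https://cdn.example.com/js/ 'nonce-R4nd0mN0nce'";
const PAGE = "https://app.example.com/index.html";

function demo() {
  return {
    // The intended use: an inline script carrying the nonce.
    inlineWithNonce: scriptAllowed(POLICY, { inline: true, nonce: "R4nd0mN0nce" }, PAGE),
    inlineNoNonce: scriptAllowed(POLICY, { inline: true }, PAGE),
    // Host source with CSP 1.1 path matching.
    cdnInPath: scriptAllowed(POLICY, { inline: false, src: "https://cdn.example.com/js/app.js" }, PAGE),
    cdnOutsidePath: scriptAllowed(POLICY, { inline: false, src: "https://cdn.example.com/vendor/x.js" }, PAGE),
    // The case raised in the thread: a nonce on an external script lets it
    // load even though its origin is not a whitelisted host source.
    foreignWithNonce: scriptAllowed(POLICY, { inline: false, src: "https://third-party.example.net/x.js", nonce: "R4nd0mN0nce" }, PAGE),
  };
}

console.log(demo());
```

Running `demo()` shows the two points made in the thread side by side: the nonce admits the inline script that has no host to whitelist, while the host source with a path restricts external loads to `/js/`; but because the nonce is evaluated as a peer of the host sources rather than being restricted to inline content, the same nonce attribute on a script from an unlisted host also passes.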