- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 17 Jun 2013 10:40:35 -0700
- To: Bryan McQuade <bmcquade@google.com>
- Cc: Joel Weinberger <jww@chromium.org>, Yoav Weiss <yoav@yoav.ws>, Neil Matatall <neilm@twitter.com>, Евнгений Яременко <w3techplayground@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8iHDu1JXFAC=Z_qGPL9eR9PpVpQmF7fH3L2Fs=gr2EVDQ@mail.gmail.com>
Just to play devil's advocate, if the HTML is truly being served in a completely static manner, is "unsafe-inline" actually unsafe? (there should be no inline-content injection vulnerabilities in such a resource) On Mon, Jun 17, 2013 at 10:36 AM, Bryan McQuade <bmcquade@google.com> wrote: > Does CSP support inline scripts and styles in statically served HTML > files? My impression was that nonce only works for dynamic serving. If > that's the case then IMO hashes are warranted to support the static case > alone. > > > > On Mon, Jun 17, 2013 at 1:22 PM, Joel Weinberger <jww@chromium.org> wrote: > >> I'm not particularly against, hashes, but I'm naturally hesitant to add >> more constructs to CSP, especially since the use of nonces seem to >> completely overlap with the use cases for hashes. I think the concern about >> nonce abuse as Yoav pointed out are valid concerns, but I'd be hesitant to >> add a new construct just to cover that particular concern. Put differently, >> I don't see any dramatically different uses for hashes from nonces. >> --Joel >> >> >> On Mon, Jun 17, 2013 at 4:09 AM, Yoav Weiss <yoav@yoav.ws> wrote: >> >>> +1 for discussing it further. >>> >>> The advantages I see: >>> * The author is authorizing a *specific* script/style and can do so >>> using static configuration >>> - No need for a dynamic backend that changes the nonce for each >>> request.. >>> - This can simplify deployment, resulting in more people using it >>> * I'm afraid of authors abusing nonces, sending the same nonce over and >>> over as means to "bypass" CSP >>> - Offering an alternative to nonce can reduce that risk >>> >>> The complications I can think of: >>> * Make sure that either hashes don't break with small white-spaces >>> removals, text encoding changes, etc. >>> - An alternative is tools that can give authors the resulting hash for >>> a specific script/style. (e.g. inside the Web inspector tools). That may be >>> more fragile, though. >>> >>> All in all, I think hashes can make it easier for "copy&paste" authors >>> to integrate CSP. They can also make deployment of third party scripts >>> easier. >>> >>> >>> On Sat, Jun 15, 2013 at 8:00 AM, Neil Matatall <neilm@twitter.com>wrote: >>> >>>> This is the script-hash proposal. I would love it if we discussed this >>>> more as it has numerous benefits over a nonce as well as complications :) >>>> On Jun 15, 2013 1:11 AM, "Евнгений Яременко" < >>>> w3techplayground@gmail.com> wrote: >>>> >>>>> Is it possible to verify(whitelist) inline script block via checksum >>>>> of its logic(uniform) as alternative to "Nonce"? ie send checksum of the >>>>> allowed script via header and if inlined script checksum is the same it's >>>>> allowed to execute. >>>>> >>>> >>> >> >
Received on Monday, 17 June 2013 17:41:03 UTC