- From: Olivier Jaquemet <olivier.jaquemet@gmail.com>
- Date: Tue, 18 Jun 2013 16:39:57 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAHC_=r8UH1Co7H7hTNR9ReHTqnSV7knEJkr-Y8zSQDfE=Gjn_g@mail.gmail.com>
Hi all,

First, my apologies for starting a new thread; I was not yet subscribed to the list and could not answer in the original discussion.

Regarding the request for comment on script-nonce or script-hash, if I correctly understood the proposal:

- script-hash would require that the developer computes the hash of its inline script and adds it as an attribute, so it is checked by the browser for script content integrity.
- script-nonce is a randomly generated string sent by the server in the HTTP headers and used as an attribute of the inline script; it is verified by the browser before running the script.

* script-hash pros:
- simple development without HTTP header modification, a nice alternative for a "simple static site"

* script-hash cons:
- requires precise computation of the hash, with a common algorithm on all sides, including every character, space, comma, etc. I see this requirement as a high probability of malfunction, especially when integrated in many network/software layers with HTML cleanup or content injection (e.g. apache mod_rewrite, whitespace trim in the app server, ...)
- without performing premature optimization, this approach requires two computations: 1. on the server side, 2. on the client side, to ensure both match; maybe this is not the most efficient way, as it adds client-side computation on each request?

* script-nonce pros:
- very simple and efficient to generate a random string on each request
- cannot be impacted by the network/software layers mentioned previously

* script-nonce cons:
- no guarantee of the inline script integrity if it was generated from compromised server-side content

Of course they could be used together for different site targets (static content vs dynamic). But applying the KISS principle, I would not propose both, as they would add confusion and solve the same problem. That said, I certainly have a bias since I mostly work with dynamically generated content.

As far as I can see things for now, I am mostly in favor of the script-nonce approach, not script-hash.

Regards,
Olivier
Received on Tuesday, 18 June 2013 15:25:40 UTC
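As an added illustration (not part of Olivier's message or of the W3C proposal text), the following Python models the two mechanisms he compares: the server-side computation of a hash token for an inline script body, a per-response nonce token, and a simplified model of the browser-side check. It follows the `'sha256-<base64>'` / `'nonce-<value>'` source syntax that CSP Level 2 later standardised, which is an assumption about syntax the 2013 thread did not yet fix; the script body and the "intermediary rewrites" (whitespace trim, newline normalisation) are constructed samples, and `inline_script_allowed` is a hypothetical helper, not browser code. It makes concrete the failure mode in the message: any byte-level change to the script between server and browser breaks the hash match, while a nonce is unaffected by such rewrites but says nothing about what the script contains.

```python
import base64
import hashlib
import secrets

# Constructed sample: exactly the text that would sit between <script> and </script>.
INLINE_SCRIPT = "document.getElementById('greeting').textContent = 'hello';\n"


def csp_hash_token(script_body: str, algorithm: str = "sha256") -> str:
    """Server side of script-hash: digest the script text byte for byte.

    The token only matches if the browser receives the identical bytes, so
    whitespace trimming, newline conversion or re-encoding by any layer in
    between yields a different digest and a blocked script.
    """
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce_token() -> str:
    """Server side of script-nonce: a fresh, unguessable 128-bit value per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_src_header(sources) -> str:
    """Render a script-src directive from a list of source expressions."""
    return "Content-Security-Policy: script-src " + " ".join(sources)


def nonce_policy():
    """Build one response's header and the nonce the page must echo in its attribute."""
    nonce = csp_nonce_token()
    return script_src_header([f"'nonce-{nonce}'"]), nonce


def inline_script_allowed(sources, script_body, nonce_attr=None) -> bool:
    """Hypothetical model of the browser-side decision (assumption, not browser code).

    The script runs if its nonce attribute matches a 'nonce-' source, or if the
    digest of its body (recomputed on the client) matches a hash source.
    """
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    return csp_hash_token(script_body) in sources


# Constructed stand-ins for rewrites an intermediary layer might apply.
def trim_whitespace(body: str) -> str:
    return body.strip()


def normalize_newlines(body: str) -> str:
    return body.replace("\n", "\r\n")


def hash_survives_rewrite(script_body: str, rewrite) -> bool:
    """True only if the rewritten body still matches the token computed on the server."""
    sources = [csp_hash_token(script_body)]
    return inline_script_allowed(sources, rewrite(script_body))


def nonce_survives_rewrite(script_body: str, rewrite) -> bool:
    """The nonce check ignores the body entirely, so rewrites cannot break it."""
    header, nonce = nonce_policy()
    sources = header.split("script-src ", 1)[1].split()
    return inline_script_allowed(sources, rewrite(script_body), nonce_attr=nonce)


if __name__ == "__main__":
    print(script_src_header([csp_hash_token(INLINE_SCRIPT)]))
    for name, rewrite in (("identity", lambda s: s),
                          ("trim", trim_whitespace),
                          ("crlf", normalize_newlines)):
        print(f"{name:9s} hash ok: {hash_survives_rewrite(INLINE_SCRIPT, rewrite)!s:5s} "
              f"nonce ok: {nonce_survives_rewrite(INLINE_SCRIPT, rewrite)}")
```

Running it shows the hash token surviving only the identity rewrite, while the nonce check passes in every case; the flip side, also visible in the model, is that `inline_script_allowed` with a nonce accepts any body at all, which is exactly the integrity gap the message lists as the nonce's drawback.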