- From: David Bruant <bruant.d@gmail.com>
- Date: Tue, 05 Mar 2013 20:24:01 +0100
- To: public-webappsec@w3.org
Hi,

I feel that the kind of use cases script-nonce enables ("strictly specify exactly which script elements on a page were intentionally included for execution") could be accomplished by doing the following:

1) Send CSP directive with script-src forbidding inline scripts (but allowing unsafe-eval)
2) Send some inline <script>s in the HTML anyway but identify the trusted ones by a given id/class/data/type attribute (possibly randomly generated)
3) Have some code that reads HTMLScriptElements.textContent and eval it.

"eval it" here could also mean using the ES6 Loader API [1].

Which gets me wondering, how will CSP/unsafe-eval interact with the ES6 Loader API?

David

[1] http://wiki.ecmascript.org/doku.php?id=harmony:module_loaders
Received on Tuesday, 5 March 2013 19:24:31 UTC
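The three-step pattern the post describes, written out as an added example (this is not code from the post or from the WebAppSec group). It assumes a policy such as `Content-Security-Policy: script-src 'self' 'unsafe-eval'`, a custom `type` on the marked elements so the browser never executes them directly, and a per-response random marker that the server embeds both on the trusted elements and on the external loader script that reads them; the element-like objects built for the offline run are constructed.

```javascript
// Added example of the post's proposal: select <script> elements carrying a
// per-response marker and evaluate their text with the page's own code.
// Assumed names (not from the post): TRUSTED_TYPE, MARKER_ATTR, and the
// function names below.

const TRUSTED_TYPE = "text/x-trusted"; // unknown type: browser does not execute it itself
const MARKER_ATTR = "data-csp-marker"; // where the server places the random marker

// Return the source text of every element whose type and marker both match.
// `elements` may be a NodeList (document.querySelectorAll) or any iterable of
// objects exposing getAttribute() and textContent.
function collectTrustedScripts(elements, expectedMarker) {
  const sources = [];
  for (const el of elements) {
    const type = (el.getAttribute("type") || "").trim().toLowerCase();
    if (type !== TRUSTED_TYPE) continue;
    // An element without the marker, or with a stale or guessed one, is ignored;
    // this check is what the random marker buys, as with a script-nonce.
    if (el.getAttribute(MARKER_ATTR) !== expectedMarker) continue;
    sources.push(el.textContent);
  }
  return sources;
}

// Evaluate the collected sources in global scope via indirect eval, which is
// exactly what 'unsafe-eval' in script-src permits. Returns the completion
// values so a caller (or a test) can observe what ran.
function runTrustedScripts(elements, expectedMarker, evaluator = (0, eval)) {
  return collectTrustedScripts(elements, expectedMarker).map((src) => evaluator(src));
}

// Constructed element-like object so the functions run outside a browser.
function fakeScript(attrs, text) {
  return {
    getAttribute: (name) => (Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null),
    textContent: text,
  };
}

// Constructed page: one properly marked script, one that merely copies the
// custom type without the marker, and one ordinary inline script (which the
// CSP would already have refused to execute, and which the loader skips too).
function demo() {
  const marker = "example-marker-8f3a"; // constructed; in practice fresh CSPRNG output per response
  const page = [
    fakeScript({ type: TRUSTED_TYPE, [MARKER_ATTR]: marker }, "1 + 1"),
    fakeScript({ type: TRUSTED_TYPE }, "globalThis.unmarkedRan = true; 'unmarked'"),
    fakeScript({ type: TRUSTED_TYPE, [MARKER_ATTR]: "wrong-marker" }, "globalThis.wrongRan = true; 'wrong'"),
    fakeScript({ type: "text/javascript" }, "'ordinary inline script'"),
  ];
  return runTrustedScripts(page, marker);
}

// In a browser the loader script would be loaded from an allowed origin and
// do roughly: runTrustedScripts(document.querySelectorAll("script[type='text/x-trusted']"),
//                               document.currentScript.dataset.cspMarker);
```

Two points worth keeping in view when comparing this with script-nonce: the marker must be as unguessable and as short-lived as a nonce, because the loader trusts any element that reproduces it; and the policy still carries `'unsafe-eval'`, so any eval/Function reachable elsewhere in the page remains usable, which a nonce-only policy would not allow.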