Nonces/hashes in source expressions. from Mike West on 2013-03-18 (public-webappsec@w3.org from March 2013)

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 17:04:17 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, "dveditz@mozilla.com" <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>
Message-ID: <CAKXHy=c11tE40qHrAKnKOfOr86s5C8kDUjU9s_nWQ=HWxxXiOQ@mail.gmail.com>

Before I copy/paste a bunch of text to stub out a 'style-nonce' directive
for CSP 1.1, I'd like to run something by you lovely folks that I think
we've talked about once or twice on the calls. It seems like it could
reduce repetition and confusion if we fold nonces or hashes into the
existing directives as another type of source expression.

As a strawman, how would you feel about rewriting 'script-nonce ABCDEFG' as
'script-src nonce:ABCDEFG'? This would make an "or" relationship with
'script-src' clear on the one hand, and make room for something like
'script-src sha1:...' on the other. I think it would simplify the structure
in a nice way, and seems more comprehensible and reusable in general.

I'm sure others of you will have ideas about syntax (perhaps it's a bad
idea to replicate scheme-like structures... maybe '#' would be a better
separator, since it's sometimes read as "hash" anyway), but I'm hoping the
general idea is reasonable.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 18 March 2013 16:05:12 UTC