- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Mon, 18 Mar 2013 16:43:36 +0000
- To: "Hill, Brad" <bhill@paypal-inc.com>, Mike West <mkwst@google.com>
- CC: "dveditz@mozilla.com" <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>
I seem to recall that Tomcat uses the ';' to do URL rewriting for session management. Not a secure practice, but certainly popular in the 90's. > -----Original Message----- > From: Hill, Brad [mailto:bhill@paypal-inc.com] > Sent: Monday, March 18, 2013 10:39 AM > To: Mike West > Cc: dveditz@mozilla.com; public-webappsec@w3.org; Adam Barth > Subject: RE: Nonces/hashes in source expressions. > > Eww.. yes. But that does point out a potential problem more generally in CSP: > > According to RFC3986 section 2.2, ';' is a reserved character as a > subcomponent delimiter. > > Is this going to bite us elsewhere? > > :( > > -Brad Hill > > --------------------- > From: Mike West [mailto:mkwst@google.com] > Sent: Monday, March 18, 2013 10:35 AM > To: Hill, Brad > Cc: dveditz@mozilla.com; public-webappsec@w3.org; Adam Barth > Subject: RE: Nonces/hashes in source expressions. > > One more observation: we can currently safely assume that ';' separates > directives. We could no longer make that assumption with this format, which > would make parsing slightly more complicated. > -mike > On Mar 18, 2013 5:31 PM, "Mike West" <mkwst@google.com> wrote: > Thanks for the link, it's very informative. The only reservation I have is that it > seems to imply a 1:1 relationship between the URL and the resource being > described (modulo collisions). Nonces are meant to collide, probably multiple > times on a single page. > That said, I don't feel strongly about the format. I'd be happy to adopt that > format wholesale, assuming the general idea (which, the more I think about, > the more strongly I favor) is acceptable. > -mike > On Mar 18, 2013 5:19 PM, "Hill, Brad" <bhill@paypal-inc.com> wrote: > <hat type="individual"> > > I like it. > > </hat> > > <hat type="chair"> > > This draft is relevant to consider vs. inventing a new identifier syntax, though it > is less compact than what you suggest: > > http://tools.ietf.org/html/draft-farrell-decade-ni-10 > > </hat> > > Brad Hill > > ------------------------- > From: Mike West [mailto:mkwst@google.com] > Sent: Monday, March 18, 2013 10:04 AM > To: public-webappsec@w3.org; dveditz@mozilla.com; Adam Barth > Subject: Nonces/hashes in source expressions. > > Before I copy/paste a bunch of text to stub out a 'style-nonce' directive for CSP > 1.1, I'd like to run something by you lovely folks that I think we've talked about > once or twice on the calls. It seems like it could reduce repetition and confusion > if we fold nonces or hashes into the existing directives as another type of > source expression. > > As a strawman, how would you feel about rewriting 'script-nonce ABCDEFG' as > 'script-src nonce:ABCDEFG'? This would make an "or" relationship with 'script- > src' clear on the one hand, and make room for something like 'script-src > sha1:...' on the other. I think it would simplify the structure in a nice way, and > seems more comprehensible and reusable in general. > > I'm sure others of you will have ideas about syntax (perhaps it's a bad idea to > replicate scheme-like structures... maybe '#' would be a better separator, since > it's sometimes read as "hash" anyway), but I'm hoping the general idea is > reasonable. > > > -- > Mike West <mkwst@google.com>, Developer Advocate Google Germany > GmbH, Dienerstrasse 12, 80331 München, Germany > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Monday, 18 March 2013 16:45:07 UTC