> Any inline script whose computed hash value
> does not match a hash specified in the hash sources should not be
> executed

If the CSP policy specifies both nonce and hash sources, is the nonce source ignored for inline scripts? That is, an inline script with the right nonce value but wrong hash value will be ignored because a hash-src was given? This is probably the right behavior but does seem at odds with how the rest of the CSP src directives work.

> If multiple hashing algorithms are specified in the CSP header, the
> browser must compute all possible hashes for each inline script block.
> If the computed hash matches any computed hash in the header with a
> matching algorithm+digest length, the script should execute. There was
> talk of limiting this to one algorithm per header, but CDNs complicate
> things.

Can you elaborate on that? What was the complication? I am curious.

thanks,
Dev

Received on Sunday, 20 October 2013 03:01:34 UTC
This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC