- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sat, 19 Oct 2013 20:00:47 -0700
- To: Neil Matatall <neilm@twitter.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Any inline script whose computed hash value
> does not match a hash specified in the hash sources should not be
> executed

If the CSP policy specifies both nonce and hash sources, is the nonce source ignored for inline scripts? That is, an inline script with the right nonce value but wrong hash value will be ignored because a hash-src was given? This is probably the right behavior but does seem at odds with how the rest of the CSP src directives work.

> If multiple hashing algorithms are specified in the CSP header, the
> browser must compute all possible hashes for each inline script block.
> If the computed hash matches any computed hash in the header with a
> matching algorithm+digest length, the script should execute. There was
> talk of limiting this to one algorithm per header, but CDNs complicate
> things.

Can you elaborate on that? What was the complication? I am curious.

thanks
Dev
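As an added illustration of the matching rule quoted above (example code, not from this thread or from any browser), the following Python splits a script-src value into its nonce and hash sources, hashes the inline script body with every algorithm the policy names, and discards any hash source whose digest length does not fit its algorithm. It treats a matching nonce as sufficient on its own, which is one answer to the question Dev raises and is an assumption of the example; `hash_source` also produces the expression a site would put in its own policy.

```python
import base64
import hashlib
import re

# Digest length in bytes for each algorithm CSP accepts in a hash-source.
HASH_ALGORITHMS = {"sha256": 32, "sha384": 48, "sha512": 64}
HASH_SOURCE_RE = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)")


def hash_source(script, algorithm="sha256"):
    """Quoted CSP hash-source for an inline script body, e.g. 'sha256-<base64>'.
    The digest covers the exact text content of the <script> element."""
    digest = hashlib.new(algorithm, script.encode("utf-8")).digest()
    return "'{}-{}'".format(algorithm, base64.b64encode(digest).decode("ascii"))


def parse_sources(directive_value):
    """Split a script-src value into nonce values and (algorithm, digest) hash sources.
    A hash source whose digest length does not match its algorithm can never match
    any script, so it is dropped here."""
    nonces, hashes = set(), set()
    for token in directive_value.split():
        inner = token.strip("'")
        if inner.startswith("nonce-"):
            nonces.add(inner[len("nonce-"):])
            continue
        match = HASH_SOURCE_RE.fullmatch(inner)
        if not match:
            continue  # keyword or host source; not relevant to inline scripts
        algorithm, encoded = match.groups()
        try:
            digest = base64.b64decode(encoded, validate=True)
        except ValueError:
            continue
        if len(digest) == HASH_ALGORITHMS[algorithm]:
            hashes.add((algorithm, digest))
    return nonces, hashes


def inline_script_allowed(directive_value, script, nonce=None):
    """Decide whether an inline script may run under the given script-src value.
    A matching nonce attribute is enough by itself (assumption, see lead-in); otherwise
    the body is hashed with every algorithm present in the policy and any match allows it."""
    nonces, hashes = parse_sources(directive_value)
    if nonce is not None and nonce in nonces:
        return True
    for algorithm in {alg for alg, _ in hashes}:
        digest = hashlib.new(algorithm, script.encode("utf-8")).digest()
        if (algorithm, digest) in hashes:
            return True
    return False
```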
Received on Sunday, 20 October 2013 03:01:34 UTC