Re: Updated script hash proposal (non spec text)

From: Frederik Braun <fbraun@mozilla.com>
Date: Mon, 23 Sep 2013 14:58:54 +0200
Message-ID: <52403B0E.7040204@mozilla.com>
To: public-webappsec@w3.org

On 20.09.2013 00:46, Neil Matatall wrote:
> If a script hash source is specified and the user agent understands
> it, the browser should ignore the 'unsafe-inline' directive for
> backwards compatibility. Any inline script whose computed hash value
> does not match a hash specified in the hash sources should not be
> executed and an informative error message should be displayed
> including the expected hash value.

What if I have to use 'unsafe-inline' but may still want to whitelist
some hashes explicitly? 'unsafe-inline-pretty-please'? ;)

Received on Monday, 23 September 2013 12:59:23 UTC
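
The rule in the quoted proposal, modeled as an added example that is not part of the original message and is not spec or browser code. It assumes the `'sha256-<base64>'` hash-source syntax later standardized in CSP Level 2 (the proposal's own syntax is not shown on this page); the function names and the `hashAware` flag, which models a user agent that does not understand hash sources, are hypothetical.

```javascript
// Added example: evaluates the quoted rule for one inline script (Node.js).
const nodeCrypto = require("crypto");

// Assumption: hash sources look like 'sha256-<base64>' (CSP Level 2 syntax).
const HASH_SOURCE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})'$/;

// Return the script-src source list, or null when the directive is absent.
// Simplification: default-src fallback is not modeled.
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

function digest(algo, scriptText) {
  return nodeCrypto.createHash(algo).update(scriptText, "utf8").digest("base64");
}

// Decide whether an inline script may run under the policy.
function inlineScriptDecision(policy, scriptText, hashAware = true) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return { allowed: true, reason: "no script-src" };
  const unsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  // A user agent that does not understand hash sources sees none of them.
  const hashes = hashAware ? sources.map(s => HASH_SOURCE.exec(s)).filter(Boolean) : [];
  if (hashes.length === 0) {
    return { allowed: unsafeInline, reason: unsafeInline ? "unsafe-inline" : "inline blocked" };
  }
  // A hash source is present and understood, so 'unsafe-inline' is ignored.
  for (const [, algo, expected] of hashes) {
    if (digest(algo, scriptText) === expected) return { allowed: true, reason: "hash match" };
  }
  // Report the computed hash so the page author can add it to the policy.
  const computed = digest("sha256", scriptText);
  return { allowed: false, reason: `no hash match; computed 'sha256-${computed}'` };
}

// Constructed sample input: one inline script and a policy that lists its hash.
const SCRIPT = "console.log('hello');";
const POLICY = `script-src 'self' 'unsafe-inline' 'sha256-${digest("sha256", SCRIPT)}'`;
```

With `POLICY`, a hash-aware user agent runs only `SCRIPT`, while the same policy evaluated with `hashAware` set to `false` falls back to `'unsafe-inline'` and runs any inline script.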
