- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 24 Sep 2013 10:09:45 -0700
- To: Frederik Braun <fbraun@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> What if I have to use 'unsafe-inline' but may still want to whitelist some hashes explicitly? 'unsafe-inline-pretty-please'? ;)

I'm not sure I understand. If you have to use 'unsafe-inline' then hashes are redundant. But script hash/nonce removes the need to use 'unsafe-inline'. This bit of text is meant for backwards compatibility for browsers that don't understand script-hash/nonce. This whitelists all scripts rather than a select few so no functionality is broken.

On Mon, Sep 23, 2013 at 5:58 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 20.09.2013 00:46, Neil Matatall wrote:
>> If a script hash source is specified and the user agent understands
>> it, the browser should ignore the 'unsafe-inline' directive for
>> backwards compatibility. Any inline script whose computed hash value
>> does not match a hash specified in the hash sources should not be
>> executed and an informative error message should be displayed
>> including the expected hash value.
>
> What if I have to use 'unsafe-inline' but may still want to whitelist
> some hashes explicitly? 'unsafe-inline-pretty-please'? ;)
>
Received on Tuesday, 24 September 2013 17:10:12 UTC