Re: Updated script hash proposal (non spec text)

> What if I have to use 'unsafe-inline' but may still want to whitelist some hashes explicitly? 'unsafe-inline-pretty-please'? ;)

I'm not sure I understand. If you have to use 'unsafe-inline' then
hashes are redundant. But script hash/nonce removes the need to use
'unsafe-inline'. This bit of text is meant for backwards compatibility
for browsers that don't understand script-hash/nonce. This whitelists
all scripts rather than a select few so no functionality is broken.

On Mon, Sep 23, 2013 at 5:58 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 20.09.2013 00:46, Neil Matatall wrote:
>> If a script hash source is specified and the user agent understands
>> it, the browser should ignore the 'unsafe-inline' directive for
>> backwards compatibility. Any inline script whose computed hash value
>> does not match a hash specified in the hash sources should not be
>> executed and an informative error message should be displayed
>> including the expected hash value.
>
> What if I have to use 'unsafe-inline' but may still want to whitelist
> some hashes explicitly? 'unsafe-inline-pretty-please'? ;)
>

Received on Tuesday, 24 September 2013 17:10:12 UTC
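
The behaviour discussed in this thread, modelled as an added example that is not part of the original messages or of any browser's code. It assumes the `'sha256-<base64>'` source syntax later standardized in CSP Level 2 (the thread does not fix a syntax); the function names and sample scripts are hypothetical and constructed for illustration.

```python
import base64
import hashlib


def script_hash(source: str) -> str:
    """Hash source expression for an inline script body (assumed CSP2 syntax)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def allows_inline(script_src: str, source: str, understands_hashes: bool) -> bool:
    """Decide whether an inline script runs under the given script-src value."""
    sources = script_src.split()
    hashes = [s for s in sources if s.startswith("'sha256-")]
    if understands_hashes and hashes:
        # Proposal: a hash-aware user agent ignores 'unsafe-inline' once a
        # hash source is present, so only a matching hash permits execution.
        return script_hash(source) in hashes
    # Legacy user agent (or no hash listed): hash sources are unknown tokens,
    # so 'unsafe-inline' alone decides and every inline script is allowed.
    return "'unsafe-inline'" in sources


def violation_message(source: str) -> str:
    """Informative error carrying the hash the policy would need to list."""
    return "Refused to execute inline script; expected " + script_hash(source)


# Constructed sample inputs.
LISTED = "initPage();"
UNLISTED = "trackClick();"
POLICY = "'self' 'unsafe-inline' " + script_hash(LISTED)

if __name__ == "__main__":
    for label, aware in (("hash-aware", True), ("legacy", False)):
        for body in (LISTED, UNLISTED):
            ok = allows_inline(POLICY, body, aware)
            print(label, repr(body), "runs" if ok else violation_message(body))
```

With the same header, the hash-aware agent runs only the listed script while the legacy agent runs both, which is the backwards-compatibility trade-off the reply describes.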