
Re: Updated script hash proposal (non spec text)

From: Neil Matatall <neilm@twitter.com>
Date: Tue, 24 Sep 2013 10:09:45 -0700
Message-ID: <CAOFLtbhupQyh_pgmG1PLW6v6FWq9vD64KWBzju4_OGCRPaGuuQ@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> What if I have to use 'unsafe-inline' but may still want to whitelist some hashes explicitly? 'unsafe-inline-pretty-please'? ;)

I'm not sure I understand. If you have to use 'unsafe-inline' then
hashes are redundant. But script hash/nonce removes the need to use
'unsafe-inline'. This bit of text is meant for backwards compatibility
for browsers that don't understand script-hash/nonce. This whitelists
all scripts rather than a select few so no functionality is broken.

On Mon, Sep 23, 2013 at 5:58 AM, Frederik Braun <fbraun@mozilla.com> wrote:
> On 20.09.2013 00:46, Neil Matatall wrote:
>> If a script hash source is specified and the user agent understands
>> it, the browser should ignore the 'unsafe-inline' directive for
>> backwards compatibility. Any inline script whose computed hash value
>> does not match a hash specified in the hash sources should not be
>> executed and an informative error message should be displayed
>> including the expected hash value.
>
> What if I have to use 'unsafe-inline' but may still want to whitelist
> some hashes explicitly? 'unsafe-inline-pretty-please'? ;)
>
Received on Tuesday, 24 September 2013 17:10:12 UTC
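A small Python model of the rule Neil describes, added here as an example and not part of the original thread: a hash-aware user agent ignores 'unsafe-inline' as soon as a hash source is present and reports the expected hash when a script does not match, while a legacy user agent never sees the hash sources and falls back to 'unsafe-inline'. The policy, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib


def hash_source(script: str) -> str:
    """Return the CSP hash-source token for an inline script body.

    The digest covers the exact script text (whitespace included) and is
    base64-encoded, so a one-character edit to the script changes the token.
    """
    digest = hashlib.sha256(script.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_tokens(policy: str) -> list:
    """Extract the source-list tokens of the script-src directive."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(policy: str, script: str, ua_understands_hashes: bool):
    """Decide whether an inline script runs, per the proposal in the thread.

    Returns (allowed, reason). A hash-aware UA ignores 'unsafe-inline' once a
    hash source is present; a legacy UA only ever looks at 'unsafe-inline'.
    """
    tokens = script_src_tokens(policy)
    hash_sources = {t for t in tokens if t.lower().startswith("'sha256-")}
    if ua_understands_hashes and hash_sources:
        expected = hash_source(script)
        if expected in hash_sources:
            return True, "hash source matched"
        # Informative message carrying the hash the author would have to whitelist.
        return False, "blocked: no hash source matched; expected %s" % expected
    if "'unsafe-inline'" in tokens:
        return True, "'unsafe-inline' permits every inline script"
    return False, "blocked: inline scripts are not allowed by script-src"


# Constructed sample: one whitelisted script and one the author never hashed.
TRUSTED = "initAnalytics();"
UNLISTED = "alert('not whitelisted');"
POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' " + hash_source(TRUSTED)

if __name__ == "__main__":
    for ua_hash_aware in (True, False):
        for body in (TRUSTED, UNLISTED):
            ok, why = inline_script_allowed(POLICY, body, ua_hash_aware)
            print("hash-aware UA" if ua_hash_aware else "legacy UA", ok, why)
```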
