1. In [1], I've explicitly made caching an optional bit of the spec, by
using the magic word "OPTIONAL". Hooray for RFC 2119.
2. Also in [1], I've added the nonce bit discussed here for `script` and
`style`. The attribute isn't defined in CSP for any other elements.
Personally, I'm not sure it needs to be, but we can certainly add it if
there's demand.
[1]: https://github.com/w3c/webappsec/commit/b0213618fc8cadd773f1f89b743451d6b743295a
On Fri, Jan 10, 2014 at 6:46 PM, Pete Freitag <pete@foundeo.com> wrote:
> On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:
>
>> It doesn’t seem like you would need to provide the nonce in style.css
>> because the integrity hash of cat.gif is already incorporated into the
>> integrity hash of style.css.
>>
>
> I agree it is probably not a problem for CSS because all of the resources
> it will load are explicitly defined and hashed. I'm just not sure about
> resources loaded dynamically from a script - what do you guys think?
>
As Ben suggests, I think that validating the CSS file transitively
validates the resources it contains (assuming that we have agreed-upon
syntax for integrity metadata contained in CSS (see the other thread)).
-mike
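
The transitive validation discussed in this message, as an added example that is not part of the original e-mail or of the spec: the page pins only the hash of style.css, and style.css carries the hash of cat.gif. The `url(...) integrity(...)` CSS syntax, the `sha256-` plus base64 metadata format, the function names and the sample bytes are all assumptions made for this sketch; the thread had no agreed-upon syntax.

```javascript
const { createHash } = require("crypto");

// Integrity metadata for a byte buffer (format chosen for this example).
function integrityOf(bytes) {
  return "sha256-" + createHash("sha256").update(bytes).digest("base64");
}

// HYPOTHETICAL in-CSS syntax: url(<path>) integrity(<metadata>)
const REF = /url\(([^)\s]+)\)\s+integrity\((sha256-[A-Za-z0-9+\/=]+)\)/g;

// Check the stylesheet against the hash pinned by the page, then check each
// resource it references against the hash embedded in the stylesheet itself.
// fetchResource(url) returns a Buffer, or undefined if the resource is missing.
function verifyStylesheet(cssBytes, pinned, fetchResource) {
  if (integrityOf(cssBytes) !== pinned) {
    return { ok: false, failed: "stylesheet" };
  }
  for (const [, url, expected] of cssBytes.toString("utf8").matchAll(REF)) {
    const body = fetchResource(url);
    if (body === undefined || integrityOf(body) !== expected) {
      return { ok: false, failed: url };
    }
  }
  return { ok: true, failed: null };
}

// Constructed sample data (not real files).
const catGif = Buffer.from("GIF89a constructed sample bytes");
const styleCss = Buffer.from(
  `body { background: url(cat.gif) integrity(${integrityOf(catGif)}); }`
);
const pinned = integrityOf(styleCss); // what the page would carry for style.css

// Case 1: the image is swapped on the server; the stylesheet is untouched.
const evilGif = Buffer.from("GIF89a tampered bytes");
const swappedImage = verifyStylesheet(styleCss, pinned, () => evilGif);

// Case 2: the stylesheet is also rewritten to carry the swapped image's hash.
// That changes the stylesheet bytes, so the page's pinned hash no longer matches.
const evilCss = Buffer.from(
  `body { background: url(cat.gif) integrity(${integrityOf(evilGif)}); }`
);
const swappedBoth = verifyStylesheet(evilCss, pinned, () => evilGif);

console.log(swappedImage, swappedBoth);
```

The guarantee only covers resources whose hashes appear in the stylesheet; a `url()` without metadata is not checked by this sketch.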