1. In [1], I've explicitly made caching an optional bit of the spec, by using the magic word "OPTIONAL". Hooray for RFC 2119. 2. Also in [1], I've added the nonce bit discussed here for `script` and `style`. The attribute isn't defined in CSP for any other elements. Personally, I'm not sure it needs to be, but we can certainly add it if there's demand. [1]: https://github.com/w3c/webappsec/commit/b0213618fc8cadd773f1f89b743451d6b743295a On Fri, Jan 10, 2014 at 6:46 PM, Pete Freitag <pete@foundeo.com> wrote: > On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote: > >> It doesn’t seem like you would need to provide the nonce in style.css >> because the integrity hash of cat.gif is already incorporated into the >> integrity hash of style.css. >> > > I agree it is probably not a problem for CSS because all of the resources > it will load are explicitly defined and hashed. I'm just not sure about > resources loaded dynamically from a script - what do you guys think? > As Ben suggests, I think that validating the CSS file transitively validates the resources it contains (assuming that we have agreed-upon syntax for integrity metadata contained in CSS (see the other thread)). -mike
Received on Thursday, 16 January 2014 14:24:02 UTC