- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 05 Nov 2014 20:24:32 -0800
- To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/5/2014 6:48 PM, Brian Smith wrote:
> Case 1. Imagine that the web page contains a CSP nonce of X. Further,
> assume that the page uses XHR to retrieve HTML fragments from a server,
> and then inserts those fragments into the document. Further, assume that
> an attacker learns the value X (because CSP doesn't require X to be
> secret), and then inserts <script nonce=X> into that fragment retrieved
> via XHR. It seems like the attacker's XSS will succeed, despite CSP.

If the nonce is indeed used only once, the only way the attacker will learn of it is if they are running script within the document, and if that is the case then they've already won.

Using a nonce is weaker than not using it; people should not design new sites around it. However, if the alternative is for a legacy site to add 'unsafe-inline' then using a nonce is a lot safer.

-Dan Veditz
Received on Thursday, 6 November 2014 04:24:59 UTC