
Re: [CSP] Clarifications on nonces

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 05 Nov 2014 20:24:32 -0800
Message-ID: <545AF800.8080909@mozilla.com>
To: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11/5/2014 6:48 PM, Brian Smith wrote:
> Case 1. Imagine that the web page contains a CSP nonce of X. Further,
> assume that the page uses XHR to retrieve HTML fragments from a server,
> and then inserts those fragments into the document. Further, assume that
> an attacker learns the value X (because CSP doesn't require X to be
> secret), and then inserts <script nonce=X> into that fragment retrieved
> via XHR. It seems like the attacker's XSS will succeed, despite CSP.

If the nonce is indeed used only once the only way the attacker will
learn of it is if they are running script within the document, and if
that is the case then they've already won.

Using a nonce is weaker than not using it; people should not design new
sites around it. However, if the alternative is for a legacy site to add
'unsafe-inline', then using a nonce is a lot safer.

-Dan Veditz
Received on Thursday, 6 November 2014 04:24:59 UTC
