
Re: [CSP] Clarifications on nonces

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 7 Nov 2014 14:50:29 -0800
Message-ID: <CAPfop_0kFXTfRyqGeVkYb14qAJb-A8T_-UZ=aYSFOmDQOHEiwA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I agree, and I think this is maybe the key design point of the CSP
> hash and CSP nonce mechanisms: Maybe the goal isn't to create secure
> ways of doing inline script and inline CSS, but rather the goal is
> only to make them *less unsafe*. Perhaps this is something to note in
> the security considerations for both mechanisms.
>

+1


-dev
Received on Friday, 7 November 2014 22:51:16 UTC
