
[CSP] compatibility between CSP1.1 and CSP2

From: Hatter Jiang OWS <hatter@openwebsecurity.org>
Date: Sat, 13 Sep 2014 07:24:48 +0800
Message-ID: <CABm0mE6n1fWYKaWAiQWpqjVnLk75NqGey1_NfdJxp9Tk8edb3g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CSP2 introduced `nonce-`; I really love this feature.
I'm thinking about using this feature on our website after the
release of CSP2.
But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to the
`Content-Security-Policy` header,
and then I will never add `unsafe-inline` to the `CSP` header, like:

Content-Security-Policy: default-src 'self';
                         script-src 'self' https://example.com 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'

<script>
alert("Blocked because the policy doesn't have 'unsafe-inline'.")
</script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
</script>

But in a browser that only supports CSP1.1, without `unsafe-inline` placed,
the browser doesn't know the meaning of `nonce-`, so the browser will not
run any inline scripts.

So my question is: how can I introduce `nonce-` on our website without risk
on CSP1.1-only browsers?
Received on Friday, 12 September 2014 23:25:15 UTC
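To make the compatibility problem in the post concrete, here is an added example (not part of the original message) that models how a CSP1.1-only consumer and a CSP2 consumer each decide whether an inline script runs under the same header. It assumes, following the CSP2 draft, that a CSP2 consumer ignores 'unsafe-inline' once a nonce-source is present in the source list, and that a CSP1.1-only consumer drops source expressions it cannot parse; the evaluator is a simplified model, not a browser implementation.

```python
import secrets

# Nonce value quoted in the post; a real deployment generates a fresh one per response.
NONCE = "Nc3n83cnSAd3wc3Sasdfn939hc3"
NONCE_ONLY = f"default-src 'self'; script-src 'self' https://example.com 'nonce-{NONCE}'"
BOTH = f"default-src 'self'; script-src 'self' https://example.com 'unsafe-inline' 'nonce-{NONCE}'"


def make_nonce() -> str:
    """128 bits of randomness, base64url-encoded; generate one per HTTP response."""
    return secrets.token_urlsafe(16)


def parse_script_src(policy: str) -> list:
    """Return the script-src source list of a serialized policy (falls back to default-src)."""
    directives = {}
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name:
            directives[name] = value.split()
    return directives.get("script-src", directives.get("default-src", []))


def inline_allowed(policy: str, level: int, nonce_attr=None) -> bool:
    """Model: does an inline <script nonce=nonce_attr> run under a CSP1.1 (level=1)
    or CSP2 (level=2) consumer?  Hash-sources are omitted; in CSP2 they behave like nonces."""
    sources = parse_script_src(policy)
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    if level == 1:
        # CSP1.1: 'nonce-…' is an unknown expression and is ignored; only
        # 'unsafe-inline' can permit inline script (the problem raised in the post).
        return "'unsafe-inline'" in sources
    if nonces:
        # CSP2: a nonce-source is present, so 'unsafe-inline' is ignored and
        # only a script carrying a matching nonce attribute may run.
        return nonce_attr is not None and nonce_attr in nonces
    return "'unsafe-inline'" in sources


def compatibility_table(policy: str) -> dict:
    """Outcome for a nonced and a plain inline script under each consumer level."""
    return {
        ("csp1", "nonced"): inline_allowed(policy, 1, NONCE),
        ("csp1", "plain"): inline_allowed(policy, 1, None),
        ("csp2", "nonced"): inline_allowed(policy, 2, NONCE),
        ("csp2", "plain"): inline_allowed(policy, 2, None),
    }
```

Under `NONCE_ONLY` the CSP1.1 consumer blocks both scripts, which is exactly the risk described; under `BOTH` the CSP1.1 consumer runs all inline script while the CSP2 consumer still runs only the nonced one.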
