W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

[CSP] compatibility between CSP1.1 and CSP2

From: Hatter Jiang OWS <hatter@openwebsecurity.org>
Date: Sat, 13 Sep 2014 07:24:48 +0800
Message-ID: <CABm0mE6n1fWYKaWAiQWpqjVnLk75NqGey1_NfdJxp9Tk8edb3g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CSP2 introduced `nonce-`, I really love this feature,
I'm thinking about to using this this feature on our website after the
release of CSP2,
But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to
`Content-Security-Policy` head,
then I will never add `unsafe-inline` to `CSP` header, like:

Content-Security-Policy: default-src 'self';
                         script-src 'self' https://example.com
'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'


<script>
alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
</script>
<script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
alert("Allowed because nonce is valid.")
</script>

But in CSP1.1 only supported browser, without `unsafe-inline` placed, and
the browser doesn't
know `nonce-`'s meaning, so the browser will not run any inline scripts.

So my question is how can I introduce `nonce-` to our website without risk
on CSP1.1 only browsers?
Received on Friday, 12 September 2014 23:25:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC