W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: [CSP] compatibility between CSP1.1 and CSP2

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 12 Sep 2014 16:46:51 -0700
Message-ID: <CAPfop_19yN6=u5tTFX+ttncpwbhPpndRdtcJF1qi_5zJtkYvGg@mail.gmail.com>
To: Hatter Jiang OWS <hatter@openwebsecurity.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
You can just add unsafe-inline; a browser supporting nonce will ignore
the unsafe-inline directive and insist on a nonce.

On 12 September 2014 16:24, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:
> CSP2 introduced `nonce-`, I really love this feature,
> I'm thinking about to using this this feature on our website after the
> release of CSP2,
> But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to
> `Content-Security-Policy` head,
> then I will never add `unsafe-inline` to `CSP` header, like:
>
> Content-Security-Policy: default-src 'self';
>                          script-src 'self' https://example.com
> 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
>
>
> <script>
> alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
> </script>
> <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
> alert("Allowed because nonce is valid.")
> </script>
>
> But in CSP1.1 only supported browser, without `unsafe-inline` placed, and
> the browser doesn't
> know `nonce-`'s meaning, so the browser will not run any inline scripts.
>
> So my question is how can I introduce `nonce-` to our website without risk
> on CSP1.1 only browsers?
Received on Friday, 12 September 2014 23:47:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC