Re: [CSP] compatibility between CSP1.1 and CSP2

You can just add unsafe-inline; a browser supporting nonce will ignore
the unsafe-inline directive and insist on a nonce.

On 12 September 2014 16:24, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:
> CSP2 introduced `nonce-`, I really love this feature,
> I'm thinking about to using this this feature on our website after the
> release of CSP2,
> But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to
> `Content-Security-Policy` head,
> then I will never add `unsafe-inline` to `CSP` header, like:
>
> Content-Security-Policy: default-src 'self';
>                          script-src 'self' https://example.com
> 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
>
>
> <script>
> alert("Blocked because the policy doesn’t have 'unsafe-inline'.")
> </script>
> <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
> alert("Allowed because nonce is valid.")
> </script>
>
> But in CSP1.1 only supported browser, without `unsafe-inline` placed, and
> the browser doesn't
> know `nonce-`'s meaning, so the browser will not run any inline scripts.
>
> So my question is how can I introduce `nonce-` to our website without risk
> on CSP1.1 only browsers?

Received on Friday, 12 September 2014 23:47:37 UTC