- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 12 Sep 2014 16:46:51 -0700
- To: Hatter Jiang OWS <hatter@openwebsecurity.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
You can just add unsafe-inline; a browser supporting nonce will ignore the unsafe-inline directive and insist on a nonce.

On 12 September 2014 16:24, Hatter Jiang OWS <hatter@openwebsecurity.org> wrote:
> CSP2 introduced `nonce-`, I really love this feature,
> I'm thinking about using this feature on our website after the
> release of CSP2,
> But if I want to use `nonce-`, I will add 'nonce-$RANDOM' to the
> `Content-Security-Policy` header,
> then I will never add `unsafe-inline` to the `CSP` header, like:
>
> Content-Security-Policy: default-src 'self';
> script-src 'self' https://example.com
> 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'
>
>
> <script>
> alert("Blocked because the policy doesn't have 'unsafe-inline'.")
> </script>
> <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
> alert("Allowed because nonce is valid.")
> </script>
>
> But in a browser that supports only CSP 1.1, without `unsafe-inline` placed,
> the browser doesn't
> know the meaning of `nonce-`, so the browser will not run any inline scripts.
>
> So my question is how can I introduce `nonce-` to our website without risk
> on CSP 1.1-only browsers?
Received on Friday, 12 September 2014 23:47:37 UTC