Re: [CSP] Clarifications on nonces

On Fri, Nov 7, 2014 at 11:50 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> > I agree, and I think this is maybe the key design point of the CSP
> > hash and CSP nonce mechanisms: Maybe the goal isn't to create secure
> > ways of doing inline script and inline CSS, but rather the goal is
> > only to make them *less unsafe*. Perhaps this is something to note in
> > the security considerations for both mechanisms.
> >
>
> +1
>

Continuing my trend of resurrecting months-old posts that I somehow skipped
over in the past:

https://github.com/w3c/webappsec/commit/457db7f0596304073410f0791dfdf6329b33970f
addresses the specific concern +1'd here. WDYT?

This thread had a number of other concerns, mostly boiling down to the fact
that nonces are capability tokens for a page. That was actually one of the
driving considerations behind adding nonces: in short, it's a feature, not
a bug. :)

Consider a page that includes a third-party widget. Or an ad. It's quite
likely that the page doesn't actually know what's going to be loaded via
that widget, so constructing a CSP which would allow those things is
difficult. Nonces, being easily transferable, allow such embedded content
to bring in whatever it requires.
https://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0020.html is
an example of that kind of use case, which isn't at all uncommon.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
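The capability-token behaviour Mike describes, as an added illustration (not code from the thread, the spec, or any browser): a toy evaluator for `script-src` nonce and hash source expressions. The element dicts, the widget URL and the script bodies are constructed for the example.

```python
import base64
import hashlib
import re
import secrets

# Constructed illustration of CSP nonce/hash matching; not the thread's or the spec's code.

def generate_nonce() -> str:
    """Fresh per-response nonce: base64 of 128 random bits (unguessable, never reused)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def sha256_source(script_body: str) -> str:
    """Base64 SHA-256 of an inline script body, as used in a 'sha256-...' source."""
    return base64.b64encode(hashlib.sha256(script_body.encode()).digest()).decode()

def build_policy(nonce: str, inline_hashes=()) -> str:
    """script-src directive that permits only nonce-bearing or hash-matched scripts."""
    sources = [f"'nonce-{nonce}'"] + [f"'sha256-{h}'" for h in inline_hashes]
    return "script-src " + " ".join(sources)

def parse_script_src(policy: str):
    """Pull the nonce and sha256 values out of the script-src directive."""
    m = re.search(r"(?:^|;)\s*script-src\s+([^;]+)", policy)
    nonces, hashes = set(), set()
    if m:
        for tok in m.group(1).split():
            tok = tok.strip("'")
            if tok.startswith("nonce-"):
                nonces.add(tok[len("nonce-"):])
            elif tok.startswith("sha256-"):
                hashes.add(tok[len("sha256-"):])
    return nonces, hashes

def script_allowed(policy: str, script: dict) -> bool:
    """Simplified allow decision for one <script>: nonce attribute first, else hash of inline body."""
    # Where the element came from is irrelevant: a widget handed the nonce can attach it to
    # anything it inserts (the "feature" above), which is also why a leaked nonce undoes the policy.
    nonces, hashes = parse_script_src(policy)
    if script.get("nonce") in nonces:
        return True
    body = script.get("inline")
    return body is not None and sha256_source(body) in hashes

if __name__ == "__main__":
    nonce = generate_nonce()
    policy = build_policy(nonce, [sha256_source("init();")])
    print(policy)
    print(script_allowed(policy, {"nonce": nonce, "src": "https://widget.example/w.js"}))
    print(script_allowed(policy, {"inline": "injected();"}))
```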

Received on Thursday, 22 January 2015 08:35:01 UTC