
Re: [CSP] Clarifications on nonces

From: Mike West <mkwst@google.com>
Date: Thu, 22 Jan 2015 09:34:13 +0100
Message-ID: <CAKXHy=d6vyZS4HhoTCOtNHm5=6yuBC8THHfvXWQP5PyEaKHe5g@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Brian Smith <brian@briansmith.org>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Nov 7, 2014 at 11:50 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > I agree, and I think this is maybe the key design point of the CSP
> > hash and CSP nonce mechanisms: Maybe the goal isn't to create secure
> > ways of doing inline script and inline CSS, but rather the goal is
> > only to make them *less unsafe*. Perhaps this is something to note in
> > the security considerations for both mechanisms.
> >
>
> +1
>

Continuing my trend of resurrecting months-old posts that I somehow skipped
over in the past:

https://github.com/w3c/webappsec/commit/457db7f0596304073410f0791dfdf6329b33970f
addresses the specific concern +1'd here. WDYT?

This thread had a number of other concerns, mostly boiling down to the fact
that nonces are capability tokens for a page. That was actually one of the
driving considerations behind adding nonces: in short, it's a feature, not
a bug. :)

Consider a page that includes a third-party widget. Or an ad. It's quite
likely that the page doesn't actually know what's going to be loaded via
that widget, so constructing a CSP which would allow those things is
difficult. Nonces, being easily transferable, allow such embedded content
to bring in whatever it requires.
https://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0020.html is
an example of that kind of use case, which isn't at all uncommon.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Register court and number: Hamburg, HRB 86891, Registered office
of the company: Hamburg, Managing Directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 22 January 2015 08:35:01 UTC
