Re: Making it easier to deploy CSP.

On Sat, Feb 13, 2016 at 4:47 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Hey Mike
>
> I am probably confused but would we get something similar by just using a
> nonce- source and some UA detection to send the big whitelist for browsers
> that don't support nonces?
>

I'd prefer to avoid forcing folks into UA detection. I recognize that it's
important, given bugs in various UAs, but I'm reluctant to give up on
backwards compatibility entirely.


> Is 'unsafe-dynamic' needed only for backwards compatibility for browsers
> that don't support nonce source?
>

The new keyword would serve as an explicit opt-in to cascading the nonce's
capability down to scripts loaded by scripts you've chosen to trust. That
doesn't _actually_ add any new power to nonces, as any running script can
grab the nonce (as noted in the polyfill). It does add a little bit of
power to hashes (as that behavior can't be polyfilled). It's also a
significant win in terms of deployability, as very little code would
actually need to change. Again, anecdotally, a significant subset of the
Google properties that folks spot-checked could use this mechanism without
changing any JavaScript code at all, just by turning on a nonce-generator
in their templating library.

-mike
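The cascading behaviour described above, as an added toy model that is not code from this thread or from any browser: a script-src value carrying a nonce, the proposed 'unsafe-dynamic' keyword and a legacy host whitelist, evaluated once by a UA that implements the keyword and once by a UA that ignores it. The policy string, the script descriptors and the `allowsScript` function are constructed for illustration, and host matching is simplified to whole origins.

```javascript
// Constructed script-src value: a per-response nonce, the proposed keyword,
// and a legacy host whitelist kept for UAs that do not understand the keyword.
const POLICY = "'nonce-r4nd0m' 'unsafe-dynamic' https://cdn.example.com";

function parseScriptSrc(policy) {
  const tokens = policy.trim().split(/\s+/);
  return {
    nonces: tokens.filter(t => t.startsWith("'nonce-")).map(t => t.slice(7, -1)),
    unsafeDynamic: tokens.includes("'unsafe-dynamic'"),
    hosts: tokens.filter(t => !t.startsWith("'")),
  };
}

// Toy matcher: only full origins such as https://cdn.example.com are understood.
function hostMatches(source, src) {
  try { return new URL(source).origin === new URL(src).origin; } catch (e) { return false; }
}

// script = { nonce, src, parserInserted, trustedParent }
//   parserInserted: <script> in markup or via document.write, as opposed to createElement
//   trustedParent:  the script that created this one was itself allowed to run
// supportsDynamic: whether the UA implements 'unsafe-dynamic'
function allowsScript(policy, script, supportsDynamic) {
  const p = parseScriptSrc(policy);
  // A matching nonce always wins, in both old and new UAs.
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  if (supportsDynamic && p.unsafeDynamic) {
    // The nonce's capability cascades to scripts that a trusted script creates
    // programmatically; the host whitelist is ignored entirely.
    return Boolean(script.trustedParent) && !script.parserInserted;
  }
  // A UA that does not know the keyword drops it and falls back to the whitelist.
  return Boolean(script.src) && p.hosts.some(h => hostMatches(h, script.src));
}

// Usage: the same page evaluated by a new UA and an old one.
const dynamicLib = { src: "https://other.example/lib.js", parserInserted: false, trustedParent: true };
const markupLib  = { src: "https://cdn.example.com/lib.js", parserInserted: true, trustedParent: false };
console.log("new UA, dynamic:", allowsScript(POLICY, dynamicLib, true));   // true
console.log("old UA, dynamic:", allowsScript(POLICY, dynamicLib, false));  // false
console.log("new UA, markup: ", allowsScript(POLICY, markupLib, true));    // false
console.log("old UA, markup: ", allowsScript(POLICY, markupLib, false));   // true
```

The last two lines show the deployability trade-off from the reply: the new UA stops trusting the whitelist once the keyword is present, while the old UA keeps working from the whitelist alone.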

Received on Saturday, 13 February 2016 06:45:23 UTC