
Re: Making it easier to deploy CSP.

From: Mike West <mkwst@google.com>
Date: Sat, 13 Feb 2016 07:44:33 +0100
Message-ID: <CAKXHy=dVU=KQi-nHExyquVeSJA_RwfTXX-9mToJxTv4wy0hkJA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Artur Janc <aaj@google.com>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>
On Sat, Feb 13, 2016 at 4:47 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Hey Mike
>
> I am probably confused but would we get something similar by just using a
> nonce- source and some UA detection to send the big whitelist for browsers
> that don't support nonces?
>

I'd prefer to avoid forcing folks into UA detection. I recognize that it's
important, given bugs in various UAs, but I'm reluctant to give up on
backwards compatibility entirely.


> Is 'unsafe-dynamic' needed only for backwards compatibility for browsers
> that don't support nonce source?
>

The new keyword would serve as an explicit opt-in to cascading the nonce's
capability down to scripts loaded by scripts you've chosen to trust. That
doesn't _actually_ add any new power to nonces, as any running script can
grab the nonce (as noted in the polyfill). It does add a little bit of
power to hashes (as that behavior can't be polyfilled). It's also a
significant win in terms of deployability, as very little code would
actually need to change. Again, anecdotally, a significant subset of the
Google properties that folks spot-checked could use this mechanism without
changing any JavaScript code at all, just by turning on a nonce-generator
in their templating library.

-mike
Received on Saturday, 13 February 2016 06:45:23 UTC
