Re: Finalizing the shape of CSP ‘unsafe-dynamic’

>> I am a fan of #3 over #2. CSP is already pretty confusing and I
>> value anything that tries to make it simpler.
That the "allow-dynamic" doesn't implicitly drop the URI whitelist.

> Are there use-cases for these separately? I'm all for adding things to the
> platform if they're useful, but I'm not convinced from this thread that
> these keywords add anything other than complexity. That is, Brad can
> accomplish the things he's interested in with two policies, which I think
> actually turns out to be a more powerful primitive than splitting the
> keywords.

Hmm... the use case I am interested in is script-src 'allow-dynamic'.

Right now, this would force me to use a nonce. The nonce then is a leakable
token present in the HTML of the page. Not a huge risk, but still.

> Concretely, would Dropbox use one (or both?) of these keywords if we
> implemented them?

Not really sure yet. But I am inclined towards the script-src example.


> Based on the experience Artur is sharing, the current behavior seems to
> meet most needs. I agree that it's complicated, but I think that's a
> fundamental critique of the whole project at this point. :)
> -mike

Received on Monday, 6 June 2016 14:46:20 UTC