Next Steps for Issue #375

Hi everyone,

I wanted to revisit issue #375
<https://github.com/w3c/webappsec-csp/issues/375> which has had some
discussion over the years.

TL;DR: JS APIs which allow the loading of external scripts do not provide a
way for developers to invoke them with a script nonce. As a result,
policies relying on script nonces for trust cannot use these APIs or are
forced to add strict-dynamic to their policies.

Based on the discussion, it seems like there are three possible paths
forward:
1. *Fail closed*: Require strict-dynamic with nonce-based policies if these
APIs are used.
2. *Introduce a new keyword*: Enable strict-dynamic-like behavior
specifically for these APIs.
3. *Do nothing*: Accept this as a limitation of nonce-based policies.

I’d appreciate feedback on these options to determine next steps and to
discuss with the broader group next month in the WebAppSec WG meeting.

Thank you,
Ciara

Received on Tuesday, 18 March 2025 19:15:47 UTC
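The situation the post describes, as an added example (JavaScript written for this page, not code from the post's author, the CSP specification or the w3c/webappsec-csp repository). It is a deliberately simplified model of script-src matching: a load passes if it carries a nonce listed in the policy, or if the policy contains 'strict-dynamic' and the load was not parser-inserted; host sources, hashes and the other keywords are left out. The post does not enumerate the JS APIs in question, so they are represented generically as loads of kind 'js-api' whose nonce is null, which is the post's premise. The keyword used for option 2 is a placeholder invented for this example, not a real or proposed CSP source expression.

```javascript
// Added example: simplified model of CSP3 script-src matching, written to
// illustrate the post's point. Not code from the CSP spec, the
// w3c/webappsec-csp repository, or the post's author.
//
// Model: a script load is allowed if (a) it carries a nonce listed in the
// policy, or (b) the policy contains 'strict-dynamic' and the load was not
// parser-inserted. Host sources, hashes, 'unsafe-inline' and the remaining
// keywords are omitted. Per the post's premise, loads made through JS APIs
// that accept no nonce are modelled as loads whose nonce is null.

// Hypothetical keyword standing in for the post's option 2 ("strict-dynamic-
// like behaviour specifically for these APIs"). It is an assumption of this
// example, not a real or proposed CSP source expression.
const HYPOTHETICAL_API_KEYWORD = "'hypothetical-api-dynamic'";

function parseScriptSrc(directiveValue) {
  const policy = { nonces: new Set(), strictDynamic: false, apiDynamic: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    const m = /^'nonce-([A-Za-z0-9+\/_-]+=*)'$/.exec(token);
    if (m) policy.nonces.add(m[1]);
    else if (token === "'strict-dynamic'") policy.strictDynamic = true;
    else if (token === HYPOTHETICAL_API_KEYWORD) policy.apiDynamic = true;
    // any other source expression is ignored in this model
  }
  return policy;
}

// load.kind: 'markup'  -> parser-inserted <script> element in the HTML
//            'dom-api' -> script element created from JS (can be given a nonce)
//            'js-api'  -> JS API that fetches a script and accepts no nonce
// load.nonce: the nonce attached to the load, or null if there is none
function isScriptLoadAllowed(policy, load) {
  if (load.nonce !== null && policy.nonces.has(load.nonce)) return true;
  if (policy.strictDynamic && load.kind !== 'markup') return true;
  if (policy.apiDynamic && load.kind === 'js-api') return true;
  return false;
}

// Runs one set of loads against the policies the post contrasts and returns
// a table keyed by policy name, then by load description, of allowed/blocked.
function compareScenarios(nonce) {
  const policies = {
    nonceOnly: parseScriptSrc(`'nonce-${nonce}'`),
    nonceStrictDynamic: parseScriptSrc(`'nonce-${nonce}' 'strict-dynamic'`),
    nonceApiKeyword: parseScriptSrc(`'nonce-${nonce}' ${HYPOTHETICAL_API_KEYWORD}`),
  };
  // Constructed sample loads for the comparison.
  const loads = {
    markupWithNonce: { kind: 'markup', nonce },
    markupInjected: { kind: 'markup', nonce: null },  // e.g. markup injected by XSS
    domApiWithNonce: { kind: 'dom-api', nonce },
    domApiNoNonce: { kind: 'dom-api', nonce: null },
    jsApi: { kind: 'js-api', nonce: null },           // the post's case
  };
  const table = {};
  for (const [policyName, policy] of Object.entries(policies)) {
    table[policyName] = {};
    for (const [loadName, load] of Object.entries(loads)) {
      table[policyName][loadName] = isScriptLoadAllowed(policy, load);
    }
  }
  return table;
}

console.table(compareScenarios('r4nd0m'));
```

Reading the table: under the nonce-only policy the 'js-api' load is blocked, which is the limitation the post raises. Adding 'strict-dynamic' lets it through, but also admits every non-parser-inserted script element, nonce or not. The placeholder keyword shows the narrower shape option 2 would take, admitting only the API loads while still blocking un-nonced script elements.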