ACTION-121: Email the list with the generic src-nonce proposal (i.e., not specifically for each thing that could be srced)

State: closed
Person: Mike West
Due on: May 7, 2013
Created on: February 12, 2013
Related emails: No related emails

Related notes:

This replaces script-nonce with a new source expression of scheme nonce that generically allows inline content:

So e.g.:

default-src nonce:ABCD1234

<script nonce="ABCD1234">alert(1)</script>

possibly:

<img nonce="ABCD1234" src="data:b64:22234234234afasdf134"/>

Brad Hill, 25 Apr 2013, 17:37:31

Should add non-normative guidelines to suggest the size of the nonce (e.g. should be at least 32 bits, or 120 bits, etc...)

Brad Hill, 25 Apr 2013, 17:40:11

Add security/usability considerations on interactions with nonce and HTTP caching. This might break, or might it allow attacks if the cache is effectively causing the nonce to be re-used?

Brad Hill, 25 Apr 2013, 17:41:19
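An added worked example (not code from the tracker, the spec draft, or its authors) of the src-nonce proposal in the three notes above: minting a per-response nonce of the size discussed, emitting the policy in the proposed nonce:<value> spelling, and the check a user agent would make before running an inline element. The Cache-Control: no-store header is an assumed mitigation for the caching concern, not something the proposal specifies.

```python
import secrets
import hmac

# Illustration added to this page (not from the tracker or the spec draft):
# a per-response nonce, a policy using the proposed "nonce:<value>" source
# expression, and the user-agent-side check. Shipped CSP spells the
# expression 'nonce-<base64>'; this parser follows the proposal's spelling.

NONCE_BITS = 128  # above the 32-bit / 120-bit floors mentioned in the notes


def make_nonce(nbits=NONCE_BITS):
    """Fresh random nonce. Must be minted per response: a cached response
    would hand the same nonce to every client, which is the caching concern."""
    return secrets.token_urlsafe(nbits // 8)


def response_headers(nonce):
    """Headers for a page whose inline elements carry `nonce`.
    Cache-Control: no-store is an assumed mitigation for reuse through a
    shared cache, not part of the proposal itself."""
    return {
        "Content-Security-Policy": "default-src nonce:" + nonce,
        "Cache-Control": "no-store",
    }


def parse_policy(header):
    """'default-src nonce:ABCD1234; img-src nonce:X' -> {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def allowed_nonces(policy, directive):
    """Nonce values a directive accepts, falling back to default-src."""
    sources = policy.get(directive) or policy.get("default-src", [])
    return [s[len("nonce:"):] for s in sources if s.lower().startswith("nonce:")]


def inline_allowed(policy, directive, element_nonce):
    """True if an inline element carrying element_nonce may execute or load.
    Each candidate nonce is compared in constant time."""
    if not element_nonce:
        return False
    return any(hmac.compare_digest(element_nonce, n) for n in allowed_nonces(policy, directive))
```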

Adam took care of this. :)

Mike West, 7 May 2013, 12:43:51
