ACTION-121: Email the list with the generic src-nonce proposal (i.e., not specifically for each thing that could be srced)
- State: closed
- Person: Mike West
- Due on: May 7, 2013
- Created on: February 12, 2013
- Related emails: No related emails
Related notes:
This replaces script-nonce with a new source expression, of scheme nonce, that generically allows inline content:
So e.g.:
default-src nonce:ABCD1234
<script nonce="ABCD1234">alert(1)</script>
possibly:
<img nonce="ABCD1234" src="data:b64:22234234234afasdf134"/>
Should add non-normative guidelines suggesting the size of the nonce (e.g. it should be at least 32 bits, or 120 bits, etc.).
Add security/usability considerations on interactions between nonces and HTTP caching. This might break, or might it allow attacks if the cache effectively causes the nonce to be re-used?
Adam took care of this. :)
Mike West, 7 May 2013, 12:43:51