ISSUE-46: Does inclusion of things like nonce make CSP a sensitive header?

Does nonce make CSP header security-sensitive


State: CLOSED
Product: CSP Level 2
Raised by: Daniel Veditz
Opened on: 2013-04-25
Description: Should CSP be hidden from e.g. XHR as a security-sensitive header once it contains secrets like a nonce?
Related Action Items: No related actions
Related emails: No related emails

Related notes:

The nonce will appear in both the body and the header to be useful, so "hiding" it from script in the context of the page is not necessary or effective, unlike, e.g., an httpOnly cookie.

Brad Hill, 25 Apr 2013, 18:04:20
