On Fri, Nov 7, 2014 at 11:50 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > > I agree, and I think this is maybe the key design point of the CSP > > hash and CSP nonce mechanisms: Maybe the goal isn't to create secure > > ways of doing inline script and inline CSS, but rather the goal is > > only to make them *less unsafe*. Perhaps this is something to note in > > the security considerations for both mechanisms. > > > > +1 > Continuing my trend of resurrecting months-old posts that I somehow skipped over in the past: https://github.com/w3c/webappsec/commit/457db7f0596304073410f0791dfdf6329b33970f addresses the specific concern +1'd here. WDYT? This thread had a number of other concerns, mostly boiling down to the fact that nonces are capability tokens for a page. That was actually one of the driving considerations behind adding nonces: in short, it's a feature, not a bug. :) Consider a page that includes a third-party widget. Or an ad. It's quite likely that the page doesn't actually know what's going to be loaded via that widget, so constructing a CSP which would allow those things is difficult. Nonces, being easily transferrable, allow such embedded content to bring in whatever it requires. https://lists.w3.org/Archives/Public/public-webappsec/2014Oct/0020.html is an example of that kind of use case, which isn't at all uncommon. -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 22 January 2015 08:35:01 UTC