ISSUE-46: Does inclusion of things like nonce make CSP a sensitive header?
Does nonce make CSP header security-sensitive
- State: CLOSED
- Product: CSP Level 2
- Raised by: Daniel Veditz
- Opened on: 2013-04-25
- Description: Should CSP be hidden from e.g. XHR as a security-sensitive header once it contains secrets like nonce?
- Related Action Items: No related actions
- Related emails: No related emails
Related notes:
The nonce will appear in both the body and header to be useful, so "hiding" it from script in the context of the page is not necessary or effective, unlike, e.g. a httpOnly cookie.
Brad Hill, 25 Apr 2013, 18:04:20
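As an added illustration of the note above (not part of the original issue record), a small Python model of a nonce-based CSP response: the nonce is minted per response and written to both the `Content-Security-Policy` header and the `<script>` tag, and a checker confirms the two agree. All function names here are constructed for this example.

```python
import re
import secrets

# Constructed example: minimal server-side rendering of a page protected by a
# nonce-based CSP. The same nonce necessarily appears in the response header
# (the allow-list) and in the HTML body (the script tag that claims it).


def make_nonce() -> str:
    """Fresh, unguessable nonce per response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def render_response(inline_script: str) -> tuple[dict, str]:
    """Return (headers, body) for one response; a new nonce is minted each time."""
    nonce = make_nonce()
    headers = {
        "Content-Security-Policy": f"script-src 'nonce-{nonce}'; object-src 'none'",
    }
    body = (
        "<!doctype html><html><body>"
        f'<script nonce="{nonce}">{inline_script}</script>'
        "</body></html>"
    )
    return headers, body


_HEADER_NONCE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
_BODY_NONCE = re.compile(r'<script[^>]*\snonce="([^"]*)"')


def nonces_in_header(csp: str) -> set[str]:
    """Nonces allow-listed by the CSP header value."""
    return set(_HEADER_NONCE.findall(csp))


def nonces_in_body(html: str) -> set[str]:
    """Nonces carried on <script> tags in the markup."""
    return set(_BODY_NONCE.findall(html))


def nonce_is_consistent(headers: dict, body: str) -> bool:
    """True iff every nonce on a script tag is also allow-listed in the header.

    Because the body must carry the nonce for the script to run, script already
    executing in the page can read it from the DOM; hiding the header from XHR
    therefore would not keep it secret from the page itself."""
    in_header = nonces_in_header(headers.get("Content-Security-Policy", ""))
    in_body = nonces_in_body(body)
    return bool(in_body) and in_body <= in_header
```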