[Webkit-unassigned] [Bug 89577] New: Implement the script-nonce Content Security Policy directive.

bugzilla-daemon at webkit.org
Wed Jun 20 09:40:25 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=89577

           Summary: Implement the script-nonce Content Security Policy
                    directive.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mkwst at chromium.org
                CC: abarth at webkit.org
            Blocks: 85558


CSP 1.1 defines the (experimental) script-nonce directive[1] as a mechanism for allowing only specific inline scripts. We should experiment with it behind the newly-landed ENABLE_CSP_NEXT flag. I'll upload a WIP patch to give us something concrete to talk about: it doesn't yet hide the functionality behind the flag, and I'm not convinced that the interaction with `script-src` is correct.

I'll upload the patch and add specific questions inline.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental
