[Webkit-unassigned] [Bug 89577] New: Implement the script-nonce Content Security Policy directive.
bugzilla-daemon at webkit.org
Wed Jun 20 09:40:25 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=89577
Summary: Implement the script-nonce Content Security Policy directive.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mkwst at chromium.org
CC: abarth at webkit.org
Blocks: 85558
CSP 1.1 defines the (experimental) script-nonce directive[1] as a mechanism for allowing only specific inline scripts. We should experiment with it behind the newly-landed ENABLE_CSP_NEXT flag. I'll upload a WIP patch to give us something concrete to talk about: it doesn't yet hide the functionality behind the flag, and I'm not convinced that the interaction with `script-src` is correct.
I'll upload the patch and add specific questions inline.
[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental