Isn’t somebody working on a better solution for XSS that doesn’t require nonces/hashes? I vaguely remember an idea that uses JS modules + one <script src=loader.js> followed by <meta> CSP “script-src: none” to allow complex JS scenarios in a safe & easy way.
Hashes for external assets are very natural since you already need them as a robust approach to caching.
It's unfortunate that hash-source originally only supported it for inline scripts. It would be a great fit for static site generation if major browsers all supported that.
Nonces don't mix well with serving static content able to be cached. It's a mess like traditional CSRF tokens.
I like having only static HTML, JS and CSS (all 1st party) with JS only doing structured DOM manipulation. Can simply enable Trusted Types without any special code too.
I don't currently see a way to do better than script-src 'self' or listing out the specific scripts included in the page if you feel like having per-page web server configuration.
I don't really see much advantage to using hash-source rather than that but still wish I could.
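An added example (not code from anyone in the thread) of the static-site workflow discussed above: a build step that computes the sha256 of each first-party script, writes it into the script tag's integrity attribute and emits the same hashes as a CSP hash-source list, so the page needs no nonce and can be cached as-is. It assumes CSP Level 3 hash matching for external scripts, which requires the integrity attribute to carry the matching hash; the optional 'self' fallback covers browsers that only match hashes against inline scripts. File names and script contents are constructed.

```python
import base64
import hashlib
import re

# Constructed sample assets for a static build (not from the thread).
ASSETS = {
    "app.js": b"document.getElementById('out').textContent = 'hello';\n",
    "vendor.js": b"window.lib = {version: '1.0'};\n",
}
PAGE_HTML = """<!doctype html>
<script src="/vendor.js"></script>
<script src="/app.js"></script>
<p id="out"></p>
"""

SCRIPT_TAG = re.compile(r'<script\s+src="/([^"]+)"></script>')


def sri_hash(content: bytes) -> str:
    """'sha256-<base64>' as used by both SRI integrity and CSP hash-source."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()


def build_page(html: str, assets: dict, fallback_self: bool = False):
    """Return (rewritten HTML, Content-Security-Policy header value).

    Every <script src> gets an integrity attribute; the CSP lists the same
    hashes. Under CSP3 an external script is allowed by hash-source only when
    its integrity metadata matches, so the two must be generated together.
    """
    hashes = []

    def add_integrity(match):
        name = match.group(1)
        digest = sri_hash(assets[name])  # KeyError = script missing from build
        hashes.append(digest)
        return f'<script src="/{name}" integrity="{digest}"></script>'

    new_html = SCRIPT_TAG.sub(add_integrity, html)
    sources = [f"'{h}'" for h in dict.fromkeys(hashes)]  # dedupe, keep order
    if fallback_self:
        # Browsers without external hash matching fall back to origin allow-listing.
        sources.insert(0, "'self'")
    csp = "script-src " + " ".join(sources) + "; object-src 'none'; base-uri 'none'"
    return new_html, csp


if __name__ == "__main__":
    page, header = build_page(PAGE_HTML, ASSETS)
    print(header)
    print(page)
```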