I don't know if I've asked this before, but is the only way to require nonces AND matching hashes in script-src by serving multiple CSPs?
bah, are hashes for external scripts not in the CSP3 draft? I guess pure SRI would work as an AND with strict CSP.
ah here we go: https://w3c.github.io/webappsec-csp/#externalitygiveaway … So I may get my wish eventually.
@mikewest Do you know if anyone has implemented this?

Nope. We're still going back and forth about the backwards compatibility impacts. I think it'll happen, soonish.

@arturjanc Will likely require a new hash format (or just looking at numbers and deciding that no one is using them today).

@arturjanc works for me!

@arturjanc Requiring both nonces *and* hashes isn't like using a belt and suspenders. It's like using a belt and a second, uglier belt.
So I would pick one of the two, probably nonces for dynamic apps using HTML templates, and hashes for static apps and SPAs.