I don't know if I've asked this before, but is the only way to require nonces AND matching hashes in script-src by serving multiple CSPs?
Replying to @durumcrustulum
I know that this is overkill, but it would be nice to have.
Replying to @durumcrustulum
Two policies will work, but note that hashes don't work for external scripts - the hash policy would also need a whitelist.
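As an added illustration of the two-header approach @arturjanc describes (my own example, not code from anyone in the thread): a small Python model of how a browser evaluates one script element against several Content-Security-Policy headers, each of which must independently allow it. The nonce, the inline script body, the CDN host and the policy strings are constructed; host-source matching is simplified to an exact scheme-plus-host comparison, and hashes are applied to inline scripts only, which is why the hash policy needs a host whitelist for the external script.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Script:
    """A script element as the browser sees it (constructed test input)."""
    nonce: Optional[str] = None   # value of the nonce attribute, if any
    body: Optional[str] = None    # inline script text (None for external scripts)
    src: Optional[str] = None     # URL of an external script (None for inline)


def sha256_source(script_body: str) -> str:
    """CSP hash-source expression ('sha256-<base64>') for an inline script body."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_src_sources(policy: str) -> List[str]:
    """Source list of the script-src directive in one Content-Security-Policy header."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def host_matches(source: str, url: str) -> bool:
    """Simplified host-source match: scheme and host must be identical (no wildcards or paths)."""
    want, got = urlsplit(source), urlsplit(url)
    return (want.scheme, want.netloc) == (got.scheme, got.netloc)


def allowed_by(sources: List[str], script: Script) -> bool:
    """Does a single policy's script-src allow this script?"""
    if script.nonce is not None and f"'nonce-{script.nonce}'" in sources:
        return True
    # Hashes apply to inline scripts only: with no body there is nothing to hash,
    # so an external script can satisfy a hash-only policy only via a host source.
    if script.body is not None and sha256_source(script.body) in sources:
        return True
    if script.src is not None:
        return any(host_matches(s, script.src) for s in sources if not s.startswith("'"))
    return False


def allowed_by_all(policies: List[str], script: Script) -> bool:
    """Multiple CSP headers are enforced independently: every one must allow the script."""
    return all(allowed_by(script_src_sources(p), script) for p in policies)


# Constructed sample: one nonce-only policy and one hash policy with a CDN whitelist.
NONCE = "r4nd0mN0nce"
INLINE_BODY = "document.title = 'hello';"
CDN = "https://cdn.example.com"
POLICIES = [
    f"script-src 'nonce-{NONCE}'",
    f"script-src {sha256_source(INLINE_BODY)} {CDN}",
]

if __name__ == "__main__":
    cases = {
        "inline, nonce + matching hash": Script(nonce=NONCE, body=INLINE_BODY),
        "inline, nonce but body changed": Script(nonce=NONCE, body="alert(1)"),
        "inline, hash but no nonce": Script(body=INLINE_BODY),
        "external from CDN with nonce": Script(nonce=NONCE, src=CDN + "/app.js"),
        "external from elsewhere with nonce": Script(nonce=NONCE, src="https://other.example/x.js"),
    }
    for label, script in cases.items():
        verdict = "allowed" if allowed_by_all(POLICIES, script) else "blocked"
        print(f"{label:38s} -> {verdict}")
```

Only the inline script that carries the right nonce and whose body still matches the hash gets through both headers; an inline script with a valid nonce but a modified body is blocked by the hash policy, and the external script passes the hash policy only because its host is whitelisted there.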
Replying to @arturjanc
bah, are hashes for external scripts not in the CSP3 draft? I guess pure SRI would work as an AND with strict CSP.
Replying to @durumcrustulum @arturjanc
ah here we go: https://w3c.github.io/webappsec-csp/#externalitygiveaway So I may get my wish eventually.
@mikewest Do you know if anyone has implemented this?
Replying to @durumcrustulum
@arturjanc: Nope. We're still going back and forth about the backwards compatibility impacts. I think it'll happen, soonish.
Replying to @mikewest
@arturjanc: Will likely require a new hash format (or just looking at numbers and deciding that no one is using them today).
Replying to @durumcrustulum
Requiring both nonces *and* hashes isn't like using a belt and suspenders. It's like using a belt and a second, uglier belt.
So I would pick one of the two, probably nonces for dynamic apps using HTML templates, and hashes for static apps and SPAs.