I took some time to sketch out `Scripting-Policy` in a little more detail: https://mikewest.github.io/csp-next/scripting-policy.html I'm starting to think it might actually not be a terrible idea.
https://twitter.com/mikewest/status/1150683169160663041
And I’ve not really given this any thought as to actually using this, but “If a policy sets requirements for both a nonce and some set of integrity, either will be sufficient to allow script execution” - I was initially hoping I could require both checks to pass.
-
You’re right for the default, I’m just wondering if there would be any advantage for a very strict system requiring both. I’m currently using (although browsers ignore) CSP require-sri-for, so I already have those hash values, but wonder if requiring a nonce might add something.
-
You can do this with CSP today by sending two policies: one with a nonce, one with hashes. I don't know of any sites doing that... I'd prefer to base the mechanism's capabilities on things we've learned are _actually_ useful, rather than our speculation about what might be.
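Added example, not code from the thread: a small Python model of the point above. One `script-src` directive that lists both a nonce and a hash admits a script when either matches, while two separate `Content-Security-Policy` headers are enforced independently, so the script has to satisfy both. The script text, the nonce, and the minimal nonce/hash-only evaluator are constructed for the demonstration.

```python
import base64
import hashlib

# Constructed sample script and nonce (a real nonce is random per response).
SCRIPT = "console.log('hello');"
NONCE = "c0nstructed-n0nce"


def sri_hash(script_text: str) -> str:
    """CSP hash-source form of a script body: base64(SHA-256), prefixed 'sha256-'."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def allowed_by_one_policy(sources, script_text, script_nonce):
    """One script-src directive: the script runs if ANY source expression matches.

    Only 'nonce-...' and 'sha256-...' sources are modelled; a real evaluator also
    handles host sources, 'self', 'strict-dynamic' and so on.
    """
    for source in sources:
        if source == f"'nonce-{script_nonce}'":
            return True
        if source == f"'{sri_hash(script_text)}'":
            return True
    return False


def allowed_by_all_policies(policies, script_text, script_nonce):
    """Several policies (several CSP headers): EVERY policy must allow the script."""
    return all(allowed_by_one_policy(p, script_text, script_nonce) for p in policies)


def csp_headers(policies):
    """Render each policy as the header line a server would send."""
    return [f"Content-Security-Policy: script-src {' '.join(p)}" for p in policies]


# One directive listing both sources: either match suffices.
single_policy = [[f"'nonce-{NONCE}'", f"'{sri_hash(SCRIPT)}'"]]
# Two headers, nonce in one and hash in the other: both must match.
two_policies = [[f"'nonce-{NONCE}'"], [f"'{sri_hash(SCRIPT)}'"]]

if __name__ == "__main__":
    tampered = SCRIPT + " // modified"
    print("\n".join(csp_headers(two_policies)))
    print("single, tampered:", allowed_by_all_policies(single_policy, tampered, NONCE))
    print("two,    tampered:", allowed_by_all_policies(two_policies, tampered, NONCE))
```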