I took some time to sketch out `Scripting-Policy` in a little more detail: https://mikewest.github.io/csp-next/scripting-policy.html. I'm starting to think it might actually not be a terrible idea. https://twitter.com/mikewest/status/1150683169160663041
You’re right for the default, I’m just wondering if there would be any advantage for a very strict system requiring both. I’m currently using (although browsers ignore) CSP require-sri-for, so I already have those hash values, but wonder if requiring a nonce might add something.
You can do this with CSP today by sending two policies: one with a nonce, one with hashes. I don't know of any sites doing that... I'd prefer to base the mechanism's capabilities on things we've learned are _actually_ useful, rather than our speculation about what might be.
I am tempted to try doing that (and could I issue 2 Scripting-Policy headers?), I’m just wondering what the extra checks would do... I find more restrictions do make things more secure (so long as they don’t cause issues), just in case there is a way to bypass one of them.
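The two-policy setup discussed above (one nonce policy, one hash policy) works because a browser enforces every delivered CSP independently, so an inline script must satisfy each of them. The following is an added example, not code from anyone in the thread; it models only the `script-src` directive with nonce and hash sources, and the policy strings and script content are constructed sample data.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the thread): a minimal model of how a browser evaluates
# several CSP headers at once. Every delivered policy must allow a script, so a
# nonce-based policy plus a hash-based policy requires BOTH to match.

@dataclass
class InlineScript:
    source: str             # the script element's text content
    nonce: Optional[str]    # value of its nonce="" attribute, if any

def script_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression for an inline script's hash, e.g. 'sha256-...'."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_src_sources(policy: str) -> List[str]:
    """Extract the source list of the script-src directive from one policy string."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []

def policy_allows(policy: str, script: InlineScript) -> bool:
    """One policy allows an inline script if a nonce or hash source matches it."""
    for src in script_src_sources(policy):
        m = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
        if m and script.nonce is not None and m.group(1) == script.nonce:
            return True
        m = re.fullmatch(r"'(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)'", src)
        if m and script_hash(script.source, m.group(1)) == f"{m.group(1)}-{m.group(2)}":
            return True
    return False

def allowed_by_all(policies: List[str], script: InlineScript) -> bool:
    """Multiple CSP headers are enforced independently; the script must pass each one."""
    return all(policy_allows(p, script) for p in policies)

# Constructed sample: the two-policy setup described in the thread.
SCRIPT = InlineScript(source="console.log('hello');", nonce="r4nd0m")
POLICIES = [
    "script-src 'nonce-r4nd0m'",
    f"script-src '{script_hash(SCRIPT.source)}'",
]

if __name__ == "__main__":
    print(allowed_by_all(POLICIES, SCRIPT))                                    # True
    print(allowed_by_all(POLICIES, InlineScript(SCRIPT.source, None)))         # False: nonce policy fails
    print(allowed_by_all(POLICIES, InlineScript("alert(1)", "r4nd0m")))        # False: hash policy fails
```

The last case is the one that matters for the "extra check" question: a script carrying a valid nonce but modified content passes the nonce policy alone yet is blocked once the hash policy is also sent.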