Remove the CSP nonce from the CSP header #4
Closed
Commits on Aug 21, 2015
-
Remove the CSP nonce from the CSP header
Spec is here: http://www.w3.org/TR/CSP2/#directive-script-src "If 'unsafe-inline' is not in the list of allowed script sources, or if at least one nonce-source or hash-source is present in the list of allowed script sources:" The intention is to let sites start to lock things down with nonce and/or hashes while specifying unsafe-inline so CSP1.0-compliant browsers don't break on the site. It's a transition state. Note this means that if you use a nonce/hash it's not possible to use javascript: urls or inline event handlers. It's as if the policy didn't have unsafe-inline at all. Probably worth throwing a warning on the web console if we encounter both unsafe-inline and a hash/nonce. It's not an error, but it might be a mistake. ("warning, 'unsafe-inline' is ignored when hash or nonce also used") Further discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=1004703
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.