unconditionally send nonces and unsafe-inline when working with nonces #382
I've tested the proposed changes and can confirm this does solve the issue 👍 Update: Now I see the following warnings in the latest Firefox 57 that may be confusing:
I've just checked that according to caniuse.com Chrome version 36+ should support nonces.
#
# While CSP is backward compatible in that a policy with a nonce will ignore
# unsafe-inline, this is more concise.
def append_nonce(source_list, nonce)
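Review bot: the comment above the def only holds for user agents that implement nonce-sources; a browser that does not recognise 'nonce-...' (the Safari < 9 case the PR description mentions) honours 'unsafe-inline' and therefore executes every inline script, so the "backward compatible" wording hides the trade-off. Consider making it explicit, e.g. "# Browsers that understand nonces ignore 'unsafe-inline'; older ones fall back to allowing all inline script."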
You may want to remove the "depending on browser" part from the method comments above.
UGH STOP DOING THIS BROWSERS
I'm pretty sure someone else put a lot of thought into those warnings and they had good reason to do so.
I think I'll ship this with #383 in v6.0 unless there are objections. My feeling is that the console will be noisy and it's not worth adding code/bugs for the sake of a clean console. Things are built to be backwards compatible when possible so I don't understand why the console has to be so noisy about legitimate use.
Released in 6.0.0.alpha01
Fixes #381
/cc @jasssonpet can you see if this resolves your issue?
This pull request stops guessing whether or not a UA supports nonces and relies on the backwards-compatible behavior of sending 'unsafe-inline' with every 'nonce-*'. The reason for sniffing was mostly because Safari < 9 would generate console messages about an unknown directive value (nonce-*). Safari 9 is two versions behind so in theory fewer people are using it. Given the bugs UA sniffing like this has caused, I'm less sympathetic to those on unsupported browsers craving a clean console.
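The backwards-compatible behaviour the description relies on, as an added example that is not this PR's or the project's code: a hypothetical `append_nonce` that always emits both the nonce-source and 'unsafe-inline', plus a small model of the browser-side decision (a CSP Level 2+ browser ignores 'unsafe-inline' once a nonce-source is present; a CSP1-only browser does not know nonce-sources and honours 'unsafe-inline'). The nonce size and the helper names are assumptions.

```ruby
require 'securerandom'

# Added example, not this PR's code. Shows why sending 'unsafe-inline'
# together with a 'nonce-...' source is backwards compatible.

# Fresh per-response nonce: 128 random bits, base64-encoded (assumed size).
def generate_nonce
  SecureRandom.base64(16)
end

# Hypothetical stand-in for the PR's append_nonce: always add both the
# nonce-source and 'unsafe-inline', with no user-agent sniffing.
def append_nonce(source_list, nonce)
  source_list + ["'nonce-#{nonce}'", "'unsafe-inline'"]
end

# Serialise a script-src directive from the augmented source list.
def script_src_directive(source_list, nonce)
  "script-src #{append_nonce(source_list, nonce).join(' ')}"
end

# Simplified model of a browser's inline-script decision.
#   supports_nonces: true for a CSP Level 2+ browser, false for a CSP1-only one.
#   script_nonce:    value of the <script nonce> attribute, or nil if absent.
# CSP Level 2 rule: when the source list contains a nonce-source, 'unsafe-inline'
# is ignored, so only scripts carrying a matching nonce run. A CSP1-only browser
# does not recognise nonce-sources and falls back to honouring 'unsafe-inline'.
def inline_script_allowed?(source_list, script_nonce:, supports_nonces:)
  nonce_sources = source_list.select { |s| s.start_with?("'nonce-") }
  if supports_nonces && !nonce_sources.empty?
    return false if script_nonce.nil? || script_nonce.empty?
    nonce_sources.include?("'nonce-#{script_nonce}'")
  else
    source_list.include?("'unsafe-inline'")
  end
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_nonce
  policy = append_nonce(["'self'"], nonce)
  puts script_src_directive(["'self'"], nonce)
  puts "modern browser, matching nonce: #{inline_script_allowed?(policy, script_nonce: nonce, supports_nonces: true)}"
  puts "modern browser, no nonce:       #{inline_script_allowed?(policy, script_nonce: nil, supports_nonces: true)}"
  puts "legacy browser, no nonce:       #{inline_script_allowed?(policy, script_nonce: nil, supports_nonces: false)}"
end
```

The model makes the trade-off concrete: a nonce-aware browser still blocks an injected inline script that lacks the nonce, while a legacy browser runs every inline script, which is exactly the situation the old UA sniffing tried to keep quiet about.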