Mike West
@mikewest
8 Jan

I took some time to sketch out `Scripting-Policy` in a little more detail: mikewest.github.io/csp-next/scrip…. I'm starting to think it might actually not be a terrible idea. twitter.com/mikewest/statu…

Mike West
@mikewest
8 Jan

Feedback would be welcome, either here or as issues/PRs filed on the GitHub repository: github.com/mikewest/csp-n…. Thanks!

Craig Francis
@craigfrancis
8 Jan

And I’ve not really given this any thought as to actually using this, but “If a policy sets requirements for both a nonce and some set of integrity, either will be sufficient to allow script execution” - I was initially hoping I could require both checks to pass.

Craig Francis
@craigfrancis
8 Jan

You’re right for the default, I’m just wondering if there would be any advantage for a very strict system requiring both.
I’m currently using (although browsers ignore) CSP require-sri-for, so I already have those hash values, but wonder if requiring a nonce might add something.

Craig Francis
@craigfrancis
8 Jan

Initial reading looks good.
Quick question though, is there a reason why eval is set to "allow" by default? I would expect it to be “allow-trustedscript” to push developers away from this unsafe function, but also introduce them to TrustedTypes.

Mike West
@mikewest
8 Jan

Typo. It should have been `allow-trustedscript` to match the description in mikewest.github.io/csp-next/scrip…. I'll fix that up.

koto
@kkotowicz
8 Jan

1. Looks pretty good! 2. Why strict-dynamic for non-parser-inserted scripts? It feels like TT for such scripts would be a better fit here long term, especially if they appear already for eval.

Mike West
@mikewest
8 Jan

Two answers:
1. I didn't think about it, file an issue, let's chat!
2. My initial reaction is that I'd like to maintain behavior similar to CSP. The migration story is likely to be fraught as-is (github.com/mikewest/csp-n…); consistency seems valuable to mitigate confusion.