Closed Bug 1177074 Opened 9 years ago Closed 9 years ago

Make non-normative CSP policies selectable (pref them)

Categories

(Core :: DOM: Security, defect)

31 Branch
defect
Not set
major

RESOLVED INVALID

People

(Reporter: mark, Unassigned)

References

(Blocks 1 open bug)

Details

Nonce and hash are non-normative (even in the CSP2 RC) and as such experiments (no matter how long they've been in the Mozilla source). You should probably not un-pref them as you've done in bug 979580, and consider them not part of the standard until the W3C makes them actually normative instead - and make them user-selectable.

http://www.w3.org/TR/CSP2/#script-src-nonce-usage

7.15.1. Nonce usage for script elements
>> This section is not normative.

7.15.2. Hash usage for script elements
>> This section is not normative.
Blocks: csp-w3c-2
Depends on: 979580
The sections of the spec you reference are illustrative examples; I think that's why those subsections are non-normative.  

The parent section, 7.15, starts with a bunch of normative text that talks about how to treat nonces and hashes when present in the script-src directive and how to deal with script tags that have nonces and hashes.  That's all normative, and for certain a non-experimental part of the spec.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Ah, sure enough! My bad, I obviously misread the document and thought the 2 sections were the only ones mentioning nonce/hash; I was obviously mistaken.