Closed
Bug 1177074
Opened 9 years ago
Closed 9 years ago
Make non-normative CSP policies selectable (pref them)
Categories
(Core :: DOM: Security, defect)
RESOLVED
INVALID
People
(Reporter: mark, Unassigned)
References
(Blocks 1 open bug)
Details
Nonce and hash are non-normative (even in the CSP2 RC) and as such experiments (no matter how long they've been in the Mozilla source). You should probably not un-pref them as you've done in bug 979580, and consider them not part of the standard until the W3C makes them actually normative instead - and make them user-selectable.

http://www.w3.org/TR/CSP2/#script-src-nonce-usage

7.15.1. Nonce usage for script elements
>> This section is not normative.

7.15.2. Hash usage for script elements
>> This section is not normative.
Reporter
Updated•9 years ago
Comment 1•9 years ago
The sections of the spec you reference are illustrative examples; I think that's why those subsections are non-normative. The parent section, 7.15, starts with a bunch of normative text that talks about how to treat nonces and hashes when present in the script-src directive and how to deal with script tags that have nonces and hashes. That's all normative, and for certain a non-experimental part of the spec.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
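Added example, not part of the bug thread and not Gecko's code: a simplified Python model of how the nonce and hash source expressions mentioned in comment 1 gate an inline script under `script-src`. The policy string, nonce value and script text are constructed samples, the function names are hypothetical, and `default-src` fallback is not modelled.

```python
import base64
import hashlib

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def script_src_sources(policy):
    """Return the source expressions of the script-src directive, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return None

def inline_script_allowed(policy, script_text, nonce_attr=None):
    """Simplified CSP2-style decision for one inline <script> element."""
    sources = script_src_sources(policy)
    if sources is None:
        return True  # simplification: no script-src, default-src fallback ignored
    has_nonce_or_hash = False
    for src in sources:
        if not (src.startswith("'") and src.endswith("'")):
            continue  # host and scheme sources never authorise inline script
        name, _, value = src[1:-1].partition("-")
        name = name.lower()
        if name == "nonce" and value:
            has_nonce_or_hash = True
            # The element's nonce attribute must equal the policy's nonce value.
            if nonce_attr is not None and nonce_attr == value:
                return True
        elif name in HASH_ALGOS and value:
            has_nonce_or_hash = True
            # The base64 digest of the script content must equal the hash value.
            digest = HASH_ALGOS[name](script_text.encode("utf-8")).digest()
            if base64.b64encode(digest).decode("ascii") == value:
                return True
    # 'unsafe-inline' is ignored once a nonce or hash source is present.
    return not has_nonce_or_hash and "'unsafe-inline'" in [s.lower() for s in sources]

def sha256_source(script_text):
    """Build the 'sha256-...' source expression for a script body."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

# Constructed sample input (not taken from the bug).
SCRIPT = "console.log('hello');"
NONCE = "c2FtcGxlLW5vbmNl"
POLICY = ("default-src 'self'; script-src 'self' 'nonce-" + NONCE + "' "
          + sha256_source(SCRIPT) + " 'unsafe-inline'")
```
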
Reporter
Comment 2•9 years ago
Ah, sure enough! My bad, I obviously misread the document and thought the 2 sections were the only ones mentioning nonce/hash; I was obviously mistaken.