Updating `script-nonce` section to clarify implementation.
author Mike West <mkwst@google.com>
Mon, 09 Jul 2012 10:30:10 -0700
changeset 134 b60168c4306f
parent 133 e73785ee6c7a
child 135 ae736514341a
Updating `script-nonce` section to clarify implementation.

Wordsmithing, with three substantive changes:

1. Empty nonce values are ignored. That is, `script-nonce;` and
`script-nonce ;` are both no-ops.

2. Added a non-normative section explicitly noting that `script-src` and
`script-nonce` are additive in nature, and that both must be satisfied in
order to execute script. This was implicit in the description of
`script-nonce`'s enforcement, but confused me when implementing the
directive.

3. Added an example to demonstrate `script-nonce` usage.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Wed Jul 04 23:55:04 2012 -0500
     1.2 +++ b/csp-specification.dev.html	Mon Jul 09 10:30:10 2012 -0700
     1.3 @@ -1177,8 +1177,8 @@
     1.4        <section>
     1.5          <h4><code>script-nonce</code> (Experimental)</h4>
     1.6  
     1.7 -        <p>The <code>script-nonce</code> directive prevents scripts from
     1.8 -        executing unless they contain a specified nonce.  The syntax for the
     1.9 +        <p>The <code>script-nonce</code> directive restricts script execution
    1.10 +        by requiring the presence of the specified nonce. The syntax for the
    1.11          name and value of the directive are described by the following ABNF
    1.12          grammar:</p>
    1.13  
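Review bot: "requiring the presence of the specified nonce" (line 1.10) understates what the enforcement rules later in this patch actually demand: a `nonce` attribute merely being present is not enough, its value must be a case-sensitive match for the script nonce. Suggest "by requiring that scripts carry a matching nonce" (or similar) so the introductory sentence agrees with the enforcement text.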
    1.14 @@ -1188,8 +1188,9 @@
    1.15  nonce             = &lt;token from RFC 2616&gt;
    1.16  </pre>
    1.17  
    1.18 -        <p>Let the <var>script nonce</var> be the directive's value, <a
    1.19 -        href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripped
    1.20 +        <p>If the directive's value is empty, or consists solely of whitespace,
    1.21 +        ignore the directive. Otherwise, let the <var>script nonce</var> be the
    1.22 +        directive's value, <a href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripped
    1.23          of leading and trailing whitespace</a>.</p>
    1.24  
    1.25          <p>If the policy contains a <code>script-nonce</code> directive, the
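Review bot: the new "ignore the directive" rule (lines 1.20-1.21) leaves it unclear whether an ignored `script-nonce` still counts for the unchanged sentence that follows, "If the policy contains a script-nonce directive, ..." (line 1.25). Suggest stating that an ignored directive is treated as if it were absent from the policy, so that an empty `script-nonce;` does not switch on nonce enforcement with a nonce no script element can match. The ABNF at line 1.15 also admits only a single RFC 2616 token, so it would help to say what happens to a non-empty value that is not a valid token (for example one with internal whitespace): is it ignored under the same rule, or used verbatim after stripping?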
    1.26 @@ -1200,20 +1201,30 @@
    1.27  
    1.28          <p>When enforcing the <code>script-nonce</code> directive:
    1.29          <ul>
    1.30 -            <li>Whenever the user agent would execute a script from an inline
    1.31 -            event handler, instead the user agent MUST NOT execute script.</li>
    1.32              <li>Whenever the user agent would execute a script from a
    1.33 -            <code>script</code> element, if that script element lacks a
    1.34 +            <code>script</code> element, the user agent MUST NOT execute
    1.35 +            the script unless that script element contains a
    1.36              <code>nonce</code> attribute whose value, after <a
    1.37              href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripping
    1.38 -            leading and trailing whitespace</a>, is not a case-sensitive match
    1.39 -            for the <var>script nonce</var>, instead the user agent MUST NOT
    1.40 -            execute the script.</li>
    1.41 +            leading and trailing whitespace</a>, is a case-sensitive match
    1.42 +            for the <var>script nonce</var>.</li>
    1.43 +            <li>Whenever the user agent would execute a script from an inline
    1.44 +            event handler, instead the user agent MUST NOT execute the
    1.45 +            script.</li>
    1.46              <li>Whenever the user agent would execute script contained in a
    1.47              javascript URI, instead the user agent MUST NOT execute the
    1.48              script.</li>
    1.49          </ul>
    1.50          </p>
    1.51 +  
    1.52 +        <p>Note: If both <code>script-nonce</code> and <code>script-src</code>
    1.53 +        directives are present, then script is required to satisfy <em>both</em>
    1.54 +        directives in order to be executed. If a nonce is required, then inline
    1.55 +        event handlers and javascript URIs will not execute, even if
    1.56 +        <code>'unsafe-inline'</code> is an accepted source of script. Likewise,
    1.57 +        a <code>script</code> element will not execute if the script's source is
    1.58 +        not allowed, even if it contains a matching <code>nonce</code>
    1.59 +        attribute.</p>
    1.60        </section>
    1.61  
    1.62        <section>
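Review bot: the new Note (lines 1.52-1.59) is described in the commit message as non-normative, but its wording ("script is required to satisfy both directives") reads as a requirement; either mark it informative in the document's own convention (the page already uses `<section class="informative">`) or phrase it explicitly as a restatement of the enforcement list above it, so readers do not treat it as a second source of conformance requirements. Line 1.51 adds a line containing only trailing whitespace. The `<ul>` nested directly inside a `<p>` (lines 1.29 and 1.50) is pre-existing context, but since this hunk already rewrites the list it would be a cheap cleanup to close the paragraph before the list opens.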
    1.63 @@ -1362,7 +1373,20 @@
    1.64  
    1.65          <p>This policy allows inline content (such as inline <code>script</code> elements), use of
    1.66          <code>eval</code>, and loading resources over <code>https</code>.  Note: This policy does
    1.67 -        not provide any protection from cross-site scripting vulnerabilities.
    1.68 +        not provide any protection from cross-site scripting vulnerabilities.</p>
    1.69 +
    1.70 +        <p><strong>Example 4:</strong> A website that relies on inline
    1.71 +        <code>script</code> elements wishes to ensure that script is only
    1.72 +        executed from its own origin, and those elements it intentionally
    1.73 +        inserted inline:</p>
    1.74 +
    1.75 +        <pre>Content-Security-Policy: script-src 'self' 'unsafe-inline';
    1.76 +                         script-nonce: <em>nonce_value</em>;</pre>
    1.77 +
    1.78 +        <p>The inline <code>script</code> elements would then only execute if
    1.79 +        they contained a matching <code>nonce</code> attribute:</p>
    1.80 +
    1.81 +        <pre>&lt;script nonce="<em>nonce_value</em>"&gt;...&lt;/script&gt;</pre>
    1.82        </section>
    1.83  
    1.84        <section class="informative">
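Review bot: the header in Example 4 (lines 1.75-1.76) writes `script-nonce: nonce_value;` with a colon after the directive name, which does not match how every other directive on the page is written (name, whitespace, value; compare `script-src 'self' 'unsafe-inline'` on the line above). A parser following that convention would see `script-nonce:` as the directive name and the nonce would never be enforced, which defeats the point of the example. Suggest `script-nonce nonce_value`, ideally on a single header line rather than a wrapped continuation. It would also help the example's prose (lines 1.70-1.73) to say that `nonce_value` must be freshly generated and unpredictable for each response, since a fixed or guessable value lets any injected markup carry the same attribute as the site's own inline scripts. The `</p>` added at line 1.68 is a good catch.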