Are nonces allowed/supported in frame-src? #433
Comments
|
Speaking as an outside observer, my understanding is that such nonces are allowed in the sense of matching the grammar, but they don't actually do anything. (See also #431, which points out a similar discrepancies.) |
|
Nonces are only checked for script or style. These are called out in the pre- and post- check algorithms for those types, but also the global "match element to source list" algorithm only checks nonces if the element is style or script. Interesting. I don't think anyone has brought up the possibility of it being a generic whitelisting mechanism. I suppose it could be useful for "infinite scroll" type pages where you don't know what the content is going to be when you're setting up the page's CSP, but you know you want embedding of various user content. |
|
FTR, my use case was a bit different. Application so large that keeping a list, getting everyone trained, etc is challenging. Banning |
|
I generally like the idea of nonces as a generic mechanism to allow the loading of arbitrary elements, not just This has been proposed as a "web ASLR" a long time ago, see: I'm not entirely sure there's interest in implementing it at this point, however, especially since a potential (likely?) future direction for CSP is a split into Scripting Policy / Confinement Policy. |
Yes, Mozilla Firefox v52.9.0 ESR (release Jun 2018, WinXP) did supported Currently only the |
I'm running into a weird situation in practice in both FF and Chrome where if I send
frame-src 'nonce-...';, the browsers still don't allow a nonce-tagged iframe to load. Chrome even explicitly returns:Reading the spec, it seems that nonces are allowed on
frame-src. Am I mistaken in how it works?Or is it that the current implementations don't support it?
The text was updated successfully, but these errors were encountered: