Hi Jeremy, i guessed (hoped?) that might be what you were working on ! :)
i'm not aware of any implementations of script-nonce yet - there's been quite a bit of discussion on it (especially the syntax has been discussed recently) within the W3C WebAppSec WG. also, i filed https://bugzilla.mozilla.org/show_bug.cgi?id=855326 - feel free to use it to track your work and especially get feedback on patches there script-hash has also been discussed - as I understand it, there's use cases that favor script-nonce and use cases that favor script-nonce. Maybe Tanvi can chime in here with more details :) also see these threads if you haven't : http://lists.w3.org/Archives/Public/public-webappsec/2013Mar/0009.html http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0003.html http://lists.w3.org/Archives/Public/public-webappsec/2013Mar/0058.html which have a lot of the previous discussion. Thanks for working on this ! cheers, ian ----- Original Message ----- From: "jeremy ralegh" <jeremy.ral...@gmx.ch> To: dev-security@lists.mozilla.org Sent: Wednesday, March 27, 2013 4:32:39 AM Subject: Re: shouldLoad( ) and shouldProcess( ) Thanks for your feedback. You comments have helped. @Ian: I'm following the nonce idea. Do you know, how far work has already gone in this direction? Has anyone published implementation details or is this just an idea at the moment? Regards, Jeremy _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security