viraptor opened 4 years ago
Speaking as an outside observer, my understanding is that such nonces are allowed in the sense of matching the grammar, but they don't actually do anything. `frame-src` has two associated checks, and both of them only use "Does response to request match source list?", which does not care about nonces.
(See also https://github.com/w3c/webappsec-csp/issues/431, which points out a similar discrepancy.)
Nonces are only checked for script or style. These are called out in the pre- and post-check algorithms for those types, but also the global "match element to source list" algorithm only checks nonces if the element is style or script.
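As an added illustration of the two matching paths described above (this is a simplified model written for this thread, not spec text or any browser's code), the Python below treats `'nonce-...'` as a keyword source that never matches a URL, and consults it only for `script` and `style` elements. Host-source matching is reduced to scheme and hostname comparison; `'self'` and wildcard hosts are left out of this model.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Only these elements honour 'nonce-...' (assumption of this model, per the spec discussion above).
NONCEABLE = {"script", "style"}

# Element -> governing directive; anything else falls back to default-src.
ELEMENT_DIRECTIVE = {"script": "script-src", "style": "style-src", "iframe": "frame-src"}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Parse 'dir a b; dir2 c' into {directive: [source expressions]}."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def url_matches_source_list(sources: List[str], url: str) -> bool:
    """Simplified 'Does url match source list?'. Keyword sources (anything
    quoted, including 'nonce-...') are not host sources and never match a URL."""
    u = urlsplit(url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src.startswith("'"):
            continue  # 'self', 'nonce-...', 'unsafe-inline', ... are ignored here
        if src.endswith(":") and u.scheme == src[:-1]:
            return True  # scheme-source such as https:
        s = urlsplit(src if "://" in src else "//" + src)
        if s.hostname == u.hostname and (not s.scheme or s.scheme == u.scheme):
            return True
    return False


def element_allowed(policy: str, element: str, url: str, nonce: Optional[str] = None) -> bool:
    """Model of the spec behaviour: nonces help only for script/style; everything
    else, iframes included, must match a host or scheme source in its directive."""
    directives = parse_policy(policy)
    sources = directives.get(ELEMENT_DIRECTIVE.get(element, "default-src"),
                             directives.get("default-src", ["*"]))
    if element in NONCEABLE and nonce and f"'nonce-{nonce}'" in sources:
        return True
    return url_matches_source_list(sources, url)
```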
Interesting. I don't think anyone has brought up the possibility of it being a generic whitelisting mechanism. I suppose it could be useful for "infinite scroll" type pages where you don't know what the content is going to be when you're setting up the page's CSP, but you know you want embedding of various user content.
FTR, my use case was a bit different. Application so large that keeping a list, getting everyone trained, etc. is challenging. Banning `<iframe` and allowing `<%= nonced_iframe ...` (or whatever implementation may be) though is much simpler.
I generally like the idea of nonces as a generic mechanism to allow the loading of arbitrary elements, not just `script` or `style`. I think the Firefox implementation even allowed this at some point for a number of other elements.
This has been proposed as a "web ASLR" a long time ago, see:
I'm not entirely sure there's interest in implementing it at this point, however, especially since a potential (likely?) future direction for CSP is a split into Scripting Policy / Confinement Policy.
> I think the Firefox implementation even allowed this at some point for a number of other elements.
Yes, Mozilla Firefox v52.9.0 ESR (released Jun 2018, WinXP) did support `'nonce-value'` in any element.
The situation changed in Firefox v69 (released September 2019). It looks like they looked at how this is implemented in Chrome and unified the behavior of their browser.
Currently only the `<script>` and `<style>` elements are "nonceable".
I'm running into a weird situation in practice in both FF and Chrome where if I send `frame-src 'nonce-...';`, the browsers still don't allow a nonce-tagged iframe to load. Chrome even explicitly returns:
Reading the spec, it seems that nonces are allowed on `frame-src`. Am I mistaken in how it works? Or is it that the current implementations don't support it?