Bug 134926

Summary: CSP: Drop 'script-nonce' directive.
Product: WebKit
Reporter: Mike West <mkwst>
Component: WebCore Misc.
Assignee: Mike West <mkwst>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, esprehn+autocc, kangil.han, rniwa
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116508
Attachments:
Description Flags
Patch none

Description Mike West 2014-07-15 10:03:23 PDT
This directive was dropped from the CSP2 draft, and replaced with different syntax as part of the 'script-src' directive[1]. I'd recommend removing the implementation to ensure no one ends up relying on it.

[1]: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-script-src
Comment 1 Mike West 2014-07-15 10:11:07 PDT
Created attachment 234933
Patch
Comment 2 Mike West 2014-07-15 21:08:45 PDT
Alexey, would you mind taking a look at this patch? I'd like to start getting rid of some of the old, old CSP 1.1 implementation in WebKit now that CSP2 has hit Last Call[1]. I'm not sure I'll have time to implement the new bits, but I certainly want to make sure the old bits don't get in the way.

CCing Ryosuke as well, as he filed the bug this blocks.

[1]: http://www.w3.org/TR/CSP2/
Comment 3 Mike West 2014-07-16 12:59:40 PDT
Comment on attachment 234933
Patch

Thanks, Darin.
Comment 4 WebKit Commit Bot 2014-07-16 13:31:33 PDT
Comment on attachment 234933
Patch

Clearing flags on attachment: 234933

Committed r171150: <http://trac.webkit.org/changeset/171150>
Comment 5 WebKit Commit Bot 2014-07-16 13:31:37 PDT
All reviewed patches have been landed.  Closing bug.
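
The description above notes that 'script-nonce' was replaced by nonce syntax inside 'script-src'. Because user agents ignore directives they do not recognize, a policy that still relies only on the old directive loses that restriction once the implementation is removed. The following is an added example, not code from this bug or its patch, that audits a policy string for that case; the function names and the sample policies (including the value shown after `script-nonce`) are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for the legacy
// 'script-nonce' directive and for CSP2 nonce sources in script-src.

// Split a policy into a Map of directive name -> list of source tokens.
// Directives are ';'-separated, names are case-insensitive, and the first
// occurrence of a directive wins (later duplicates are ignored).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP2 nonce-source: 'nonce-' plus a base64 value, wrapped in single quotes.
const NONCE_SOURCE = /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/i;

function auditNonceUsage(policy) {
  const d = parsePolicy(policy);
  const legacy = d.has('script-nonce');
  // script-src falls back to default-src when it is absent.
  const scriptSources = d.get('script-src') || d.get('default-src') || [];
  const csp2Nonce = scriptSources.some((s) => NONCE_SOURCE.test(s));
  let finding = 'ok';
  // legacy-only: the nonce restriction vanishes once the directive is ignored.
  if (legacy && !csp2Nonce) finding = 'legacy-only';
  // legacy-redundant: already migrated, the old directive can be deleted.
  else if (legacy && csp2Nonce) finding = 'legacy-redundant';
  return { legacy, csp2Nonce, finding };
}

// Constructed sample policies (hypothetical, not taken from the bug).
const samples = [
  "default-src 'self'; script-nonce dGVzdA==",
  "script-src 'self' 'nonce-dGVzdA=='; script-nonce dGVzdA==",
  "script-src 'self' 'nonce-dGVzdA=='",
];
for (const p of samples) console.log(auditNonceUsage(p).finding, '<-', p);
```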