Bug 134926 - CSP: Drop 'script-nonce' directive.
Summary: CSP: Drop 'script-nonce' directive.
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mike West
Depends on:
Blocks: 116508
  Show dependency treegraph
Reported: 2014-07-15 10:03 PDT by Mike West
Modified: 2014-07-16 13:31 PDT (History)
5 users (show)

See Also:

Patch (30.25 KB, patch)
2014-07-15 10:11 PDT, Mike West
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2014-07-15 10:03:23 PDT
This directive was dropped from the CSP2 draft, and replaced with different syntax as part of the 'script-src' directive[1]. I'd recommend removing the implementation to ensure no one ends up relying on it.

[1]: https://w3c.github.io/webappsec/specs/content-security-policy/#directive-script-src
Comment 1 Mike West 2014-07-15 10:11:07 PDT
Created attachment 234933 [details]
Comment 2 Mike West 2014-07-15 21:08:45 PDT
Alexey, would you mind taking a look at this patch? I'd like to start getting rid of some of the old, old CSP 1.1 implementation in WebKit now that CSP2 has hit Last Call[1]. I'm not sure I'll have time to implement the new bits, but I certainly want to make sure the old bits don't get in the way.

CCing Ryosuke as well, as he filed the bug this blocks.

[1]: http://www.w3.org/TR/CSP2/
Comment 3 Mike West 2014-07-16 12:59:40 PDT
Comment on attachment 234933 [details]

Thanks, Darin.
Comment 4 WebKit Commit Bot 2014-07-16 13:31:33 PDT
Comment on attachment 234933 [details]

Clearing flags on attachment: 234933

Committed r171150: <http://trac.webkit.org/changeset/171150>
Comment 5 WebKit Commit Bot 2014-07-16 13:31:37 PDT
All reviewed patches have been landed.  Closing bug.