Nonces for Embedding-CSP

[dhausknecht]

Demanding a CSP based on whitelists and hashes is straight forward. It gets more complicated when demanding nonces. One can hardly tell which nonces to use, nor can one check the strength of used nonces. For example what prevents an embedee from constantly using 'nonce-RANDOM'?

At least for the problem demanding nonces in general, Mike proposed the idea of using placeholders in the Embedding-CSP header.

[mikewest]

Right. I think what we'd probably want to do is support something like <iframe csp="script-src 'nonce'">, which could be satisfied by Content-Security-Policy: script-src 'nonce-whatever'. That wouldn't work with Allow-CSP-From, however. It might be that that simple mechanism would be incompatible with nonces (as the server has to understand what it's doing).

That said, I see the EE mechanism as being more about confinement than XSS protection, so... @arturjanc will probably be interested regardless.

[dhausknecht]

But a server needs to understand any Embedding-CSP header in any case, don't they? I think it is then important to communicate that Embedding-CSP != Content-Security-Policy (though they certainly are similar). Which problem do you exactly see with script-src 'nonce'?

hm, what is "confinement" for you? Do you mean whitelisting and hashing here? Which is the reason to leave out XSS protection?