CSP: Add an experimental 'unsafe-dynamic' source expression.
Developers at Google have raised concerns about deploying CSP for some products that
use libraries which live on unsafe origins. One proposal that came up yesterday was
the notion of dropping whitelists entirely, in favor of nonces which propagate down
from a library to the scripts which that library loads. That is, something like
`script-src 'nonce-abcd' 'unsafe-dynamic'` could allow `<script src=library
nonce=abcd>` to load, and if it injects scripts via `appendElement`, we'd allow
those to load.
In the presence of nonces, this isn't actually an increase in risk, as those scripts
can already read the nonce from the DOM and use it during injection (e.g.
`document.querySelector('[nonce]').getAttribute('nonce')`), but this
expression might allow folks to deploy CSP without convincing X libraries to roll
new versions. It's a convenience, and one which might be worth running with.
There's no spec for this feature yet; this patch lands a prototype behind the
experimental flag in order to allow folks to play with it on real sites. If it
turns out to be a good solution, I'll proposal it to public-webappsec@.
Review URL: https://codereview.chromium.org/1641533006
Cr-Commit-Position: refs/heads/master@{#372317}
12 files changed
