
> There's no way to whitelist inline code

That's not completely true - you can use the nonce attribute (specify a nonce in the CSP header and have nonce=that on every script tag), or send the hashes of the inline scripts upfront in the CSP header.

It doesn't give you inline code in attributes (e.g. onclick) but it's a big help for migrating.



Ah. I hadn't found that in Mozilla's CSP documentation. Thanks.


I'm going to be doing some blogs in the coming weeks on how to use hashes and nonces to whitelist inline script. Hopefully, this will make introducing CSP a little easier. I also have some tools in the making that will help in this regard too.



