
That’s a good point, though can’t this instance be whitelisted with a nonce?


You could, but in the real world not every frontend dev has control over the CSP on the server allowing nonces to even be an option.

Even when they do they might be subject to a security audit forbidding it. There are two reasons nonces can suck: first is that nonces may be passed around for 3rd party script usage and that blows a hole in your security policy, and the other is that many implementations to generate nonces are not implemented correctly, so the security team might have less trust in devs.

It really depends on the organization and project. Once you start getting near the security fence you may find it's more trouble than it's worth.

I would try to find less complicated solutions for small details like this. The obvious question might be why your CSS can't be a separate file that is small enough to not cause a performance issue.
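As an added illustration of the nonce points raised in the comment above (this is not code from the thread or from any poster), a minimal Python example of a per-response CSP nonce that lets exactly one inline `<style>` block through, plus an audit helper that flags the "incorrectly implemented" case of a nonce that is reused across responses or too short. Function names and the 22-character floor are my own choices.

```python
import re
import secrets
from html import escape

# Constructed example: per-response CSP nonce for a single inline <style>
# block, plus a health check for the static-or-short nonce mistake.

NONCE_BYTES = 16  # 128 bits of CSPRNG output per response


def new_nonce() -> str:
    # A CSP nonce must be unpredictable and fresh for every response;
    # secrets.token_urlsafe(16) yields 22 URL-safe base64 characters.
    return secrets.token_urlsafe(NONCE_BYTES)


def csp_header(nonce: str) -> str:
    # Inline styles stay blocked except the one carrying this nonce.
    return f"default-src 'self'; style-src 'self' 'nonce-{nonce}'"


def render_page(nonce: str, critical_css: str) -> str:
    # The nonce attribute must match the header value byte for byte.
    return (
        "<!doctype html><html><head>"
        f'<style nonce="{escape(nonce, quote=True)}">{critical_css}</style>'
        "</head><body>hello</body></html>"
    )


def build_response(critical_css: str) -> tuple:
    # Header and body are produced from the same freshly drawn nonce.
    nonce = new_nonce()
    headers = {"Content-Security-Policy": csp_header(nonce)}
    return headers, render_page(nonce, critical_css)


NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def nonces_look_healthy(csp_values: list) -> bool:
    # Audit helper: across several captured responses every nonce should be
    # unique and at least 22 chars (128 bits). A repeated or short nonce means
    # the policy is effectively static and gives no real protection.
    nonces = [n for value in csp_values for n in NONCE_RE.findall(value)]
    if not nonces or len(set(nonces)) != len(nonces):
        return False
    return all(len(n) >= 22 for n in nonces)
```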



