Support ContentSourceRestriction hash and nonce


Austen Holmes

Jul 22, 2016, 1:52:47 PM7/22/16
to Lift
We have a client who requires us to put in the following framebusting code to pass their security review.

<style>
  html {
    display: none;
  }
</style>
<script>
  if (self == top) {
    document.documentElement.style.display = 'block';
  } else {
    top.location = self.location;
  }
</script>

Right now, the only way I can find to support this is by using ContentSourceRestriction.UnsafeInline.

This is pretty open and I'd prefer to lock down as much as possible. Instead, it seems to make more sense to support Nonce and Hash so we can only allow the specific code inline. Otherwise, I have to build the list of headers manually, which is a big pain since Lift gets me 90% of the way there with everything else in SecurityRules.

What do you think?

-Austen
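To show what the hash and nonce sources buy over UnsafeInline, here is an added example in Python (not Lift's code, and the function names are my own) that computes the CSP Level 2 'sha256-...' expression for the exact framebusting script body above, builds the script-src directive, and models the browser's allow/deny decision; a nonce variant covers scripts whose text changes per response.

```python
"""CSP Level 2 hash-source and nonce-source for one fixed inline script."""
import base64
import hashlib
import secrets
from typing import List, Optional

# The framebusting script body from the post, exactly as it sits between
# <script> and </script>. The hash covers every byte, whitespace included,
# so the page must emit this text unchanged or the browser will block it.
FRAMEBUST_JS = """
  if (self == top) {
    document.documentElement.style.display = 'block';
  } else {
    top.location = self.location;
  }
"""


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the quoted 'sha256-<base64>' source expression for script_body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP hash-source allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce() -> str:
    """Fresh unguessable nonce for one response; never reuse it across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_src_header(allowed_inline: List[str], nonce: Optional[str] = None) -> str:
    """Build a script-src directive: 'self' plus a hash per allowed inline script."""
    sources = ["'self'"] + [csp_hash(body) for body in allowed_inline]
    if nonce is not None:
        sources.append(f"'nonce-{nonce}'")
    return "Content-Security-Policy: script-src " + " ".join(sources)


def inline_script_allowed(header: str, script_body: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Model the browser check: an inline script runs only if its hash or its
    nonce attribute matches a source listed in script-src."""
    directive = header.split("script-src", 1)[1].split(";", 1)[0].split()
    if csp_hash(script_body) in directive:
        return True
    return nonce_attr is not None and f"'nonce-{nonce_attr}'" in directive
```

Any edit to the script, even reindenting it, changes the digest and must be followed by regenerating the header.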

Antonio Salazar Cardozo

Jul 25, 2016, 12:21:46 PM7/25/16
to Lift
Nonce and Hash are part of CSP Level 2, which I don't believe enjoys wide
cross-browser support. My original implementation of CSP for Lift 3 is therefore
targeted 100% at CSP 1.0.

I don't necessarily mind supporting CSP Level 2 directives in 3.1, we just need
to think about how this interacts with browsers and whether we want to bake in
something that isn't yet widely supported (in particular, I believe Level 2 has
unclear support in IE Edge and Safari).

Also worth noting, I haven't double-checked this in the last 6 months or so, so
it's possible that's all changed.

Thanks,
Antonio