[Bug 20789] "digest" (cryptographic hash) attribute for <script>

From: <bugzilla@jessica.w3.org>
Date: Wed, 06 Feb 2013 21:53:56 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-20789-2486-4xPylamR3p@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789

--- Comment #12 from estark@mit.edu ---
I agree with Victor's comments and also wanted to emphasize that neither of the
two controversies in bug 11402 seems to apply here:

1.) The cache poisoning attack doesn't seem to be relevant even to bug 11402,
since the attack can only be carried out successfully if the browser fails to
verify the hash before caching the script, which would be a major
implementation error in the browser.

2.) In this proposal, the digest attribute does not affect the browser's
caching behavior, so the bitrot problem mentioned in bug 11402 would not apply
to the proposed digest hash. If a developer updates a library and forgets to
update some script tag's digest attribute, then the bug will show up for all
users, and its manifestation won't depend on the state of a user's cache as in
bug 11402. In practice, libraries hosted on CDNs often include version numbers
in the filenames anyway (e.g. http://code.jquery.com/jquery-1.9.1.min.js) so
script tags already have to be updated when new versions are pushed.

Received on Wednesday, 6 February 2013 21:54:02 GMT
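
Point 2 of the comment above, as an added example that is not part of the original message or of the proposal: a toy loader whose cache is keyed by URL only and which checks the digest on every load, so a stale digest fails the same way on a cold and a warm cache. The hex SHA-256 digest format, the names `ScriptLoader`, `load` and `demo`, and the sample script bodies are assumptions made for the illustration.

```javascript
// Added illustration, not code from the bug thread. Assumptions: the digest
// is a hex SHA-256 string; ScriptLoader, load() and demo() are hypothetical
// names; the "network" is an in-memory Map of constructed sample bodies.
const { createHash } = require("crypto");

const sha256Hex = (body) => createHash("sha256").update(body).digest("hex");

class ScriptLoader {
  constructor(network) {
    this.network = network; // url -> body, stands in for HTTP fetches
    this.cache = new Map(); // keyed by URL only; the digest is never a key
  }

  // Models <script src=url digest=expected>; `expected` may be undefined.
  load(url, expected) {
    let body = this.cache.get(url);
    const source = body === undefined ? "network" : "cache";
    if (body === undefined) {
      body = this.network.get(url);
      if (body === undefined) return { ok: false, source, reason: "not-found" };
      this.cache.set(url, body); // cached exactly as it would be without a digest
    }
    // The check runs on every load, whatever the source of the bytes,
    // and always before the script would be executed.
    if (expected !== undefined && sha256Hex(body) !== expected) {
      return { ok: false, source, reason: "digest-mismatch" };
    }
    return { ok: true, source, body };
  }
}

function demo() {
  const V1 = "/* library v1 (constructed sample) */";
  const V2 = "/* library v2 (constructed sample) */";
  const network = new Map([["/lib-1.js", V1], ["/lib-2.js", V2]]);
  const staleDigest = sha256Hex(V1); // tag now points at v2, digest not updated

  const cold = new ScriptLoader(network); // user with an empty cache
  const warm = new ScriptLoader(network); // user who already has v2 cached
  warm.load("/lib-2.js");

  return {
    cold: cold.load("/lib-2.js", staleDigest),
    warm: warm.load("/lib-2.js", staleDigest),
    fixed: warm.load("/lib-2.js", sha256Hex(V2)),
  };
}

console.log(demo());
```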
