W3C home > Mailing lists > Public > public-sysapps@w3.org > November 2012

RE: how to protect javascript codes

From: Hill, Brad <bhill@paypal-inc.com>
Date: Sat, 17 Nov 2012 02:06:13 +0000
To: Mountie Lee <mountie.lee@mw2.or.kr>, "webcrypto-comments@w3.org" <webcrypto-comments@w3.org>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2EEB0F@DEN-EXDDA-S12.corp.ebay.com>
Loading over HTTPS is the typical way to ensure the authenticity of origin and integrity in transport of Web applications and JavaScript.

I think we could better answer your question if you can help us understand why HTTPS isn't adequate.

-Brad Hill

From: mountie@paygate.net [mailto:mountie@paygate.net] On Behalf Of Mountie Lee
Sent: Friday, November 16, 2012 5:07 PM
To: webcrypto-comments@w3.org
Cc: public-webappsec@w3.org; public-sysapps@w3.org
Subject: how to protect javascript codes

Hi.

I have a question.

how to protect javascript codes loaded from remote server or installed webapps?

I were trying to find protecting mechanism. but fail to find exact description from documents of webcrypto WG, WebAppSecWG and SysApp WG.

the reason why we need to protect javascript codes are as following
- javascript codes are easily changed on client side.
- service provider want to make sure the business logic implemented with javascript is exactly same to server's

I think hosted JS model and installable webapp model has no different.

for installable webapp model,
before installing webapp, it have to be verified the integrity of webapp.

these requirements are mentioned in many email threads or usecases on webcrypto WG
at "security of a client-side JS API" (http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Nov/subject.html)
at http://www.w3.org/2012/webcrypto/wiki/Use_Cases#Signed_web_applications

JOSE is focusing to json returned data itself. it can not cover js code itself.

I have discussed with a member of SysApp WG.
and even by the joint session at TPAC with webappsec WG

I can not get proper answer.

do we need to consider protecting mechanism for loaded or installed javascript codes?


--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net<mailto:mountie@paygate.net>


=======================================

PayGate Inc.

THE STANDARD FOR ONLINE PAYMENT

for Korea, Japan, China, and the World
Received on Saturday, 17 November 2012 02:06:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 17 November 2012 02:06:43 GMT