
Re: how to protect javascript codes

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Mon, 19 Nov 2012 09:49:09 +0900
Message-ID: <CAE-+aYLEGf9idbrvP9od+cm9+0Do7iy=qLYEZzXcqOGRaLfUGw@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
Hi.
Thanks for your reply.

What do you mean by "script nonce"?

I have read CSP in the WebAppSec WG.

It mainly focuses on XSS attacks by a remote attacker,
and I feel it does not cover my issue.

Could you guide me to the discussion thread for script nonce or
fingerprint/hash?

On Sat, Nov 17, 2012 at 4:13 PM, Dan Veditz <dveditz@mozilla.com> wrote:

> On 11/16/12 6:25 PM, Mountie Lee wrote:
>
>> I know it cannot be guaranteed 100%,
>> but I found a similar approach on the Mozilla site.
>>
>> http://www.mozilla.org/projects/security/components/signed-scripts.html
>>
>> The aim of Signed Script in Mozilla is actually the same as my concerns.
>> Is there any discussion for the Mozilla signed script project?
>>
>
> That has been deprecated for a long time (possibly the entire lifetime of
> Firefox?) and the last of the underlying support for it has recently been
> removed. The main point was to enable enhanced privileges but there are all
> sorts of edge-case gotchas and it was a terrible non-standard idea.
>
> Apart from the enhanced privileges, though, integrity checks on loaded
> content are interesting and the WebAppSecurity WG has talked about a couple
> of ideas. One is a script nonce that could be part of CSP perhaps (script
> tags would have to have an attribute containing the nonce from the policy
> in order to be processed). The other is some type of fingerprinting or hash
> checking for included resources (an idea that has bounced around various
> forums for a long time).
>
> -Dan Veditz
>



-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Monday, 19 November 2012 00:49:55 GMT
