W3C home > Mailing lists > Public > public-sysapps@w3.org > November 2012

Re: how to protect javascript codes

From: Dan Veditz <dveditz@mozilla.com>
Date: Sun, 18 Nov 2012 17:19:43 -0800
Message-ID: <50A9892F.4020201@mozilla.com>
To: Mountie Lee <mountie.lee@mw2.or.kr>
CC: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
On 11/18/12 4:49 PM, Mountie Lee wrote:
> could you guide me the discussion thread for script nonce or
> fingerprint/hash ?

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental

May or may not be adopted as part of CSP 1.1 (CSP 1.0 isn't final yet!) 
but discussion was favorable enough to include as a discussion point. It 
does not directly address your issue -- it attempts to ensure that each 
<script> tag was created by the page author and wasn't injected, but 
does nothing to ensure the received content was the intended content.

-Dan Veditz
Received on Monday, 19 November 2012 01:20:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 19 November 2012 01:20:13 GMT