W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 31 Jan 2011 10:24:15 +0000
Message-ID: <AANLkTimaYS7-7wpnJwZpnOOfM-XyXLHVonW0WXOvRMhr@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 31 January 2011 09:30, Gervase Markham <gerv@mozilla.org> wrote:

> Question is: is a script-key-based approach therefore infeasible because
> no-one will adopt it because it makes caching impossible?
>

Unless the key is actually a hash of the code itself therefore doesn't need
to be randomize each. You'd still have the problem of injections inside
whitelisted scripts (DOM injections etc) and the developer actually
generating a hash each time but IDE's could automate that.
Received on Monday, 31 January 2011 10:24:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 31 January 2011 10:24:48 GMT