Signed Javascript

From: Harry Halpin <hhalpin@w3.org>
Date: Tue, 17 Dec 2013 22:17:09 +0100
Message-ID: <52B0BF55.1090809@w3.org>
To: public-web-security@w3.org

I think some sort of signed Javascript solution could be very useful.
Currently, on the Web we have a pretty straightforward same origin
policy that assumes complete trust in the server. Yet with the
proliferation of third-party JS apps and the possibility of the server being
compromised, how do you know if the server has served the right JS?

I think some approach involving signatures and repos of JS libraries 
(similar to repos in *nix) would help, along with some sort of network 
perspectives or trust anchor in the browser to double-check and verify 
the JS served by the server.

I believe WebAppSec WG is working on something in this space. I'm 
personally a fan of the TUF/Thandy approach of Tor, and wonder if such 
an approach could be adopted to JS. Installing trusted code is a hard 
problem, and applies just as equally in JS as it does in any other 
language. Despite all the harm of XSS, the advantage of downloading the 
JS code (and forcing new code into the cache when necessary), JS does 
allow easy upgrade to avoid 0 days, but I'd like to see if we can 
increase the trust in JS even more.

Received on Tuesday, 17 December 2013 21:17:17 UTC