W3C home > Mailing lists > Public > public-web-security@w3.org > December 2013

Re: Signed Javascript

From: Gervase Markham <gerv@mozilla.org>
Date: Wed, 18 Dec 2013 11:03:11 +0000
Message-ID: <52B180EF.2000108@mozilla.org>
To: Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org
On 17/12/13 21:17, Harry Halpin wrote:
> I think some sort of signed Javascript solution could be very useful.
> Currently, on the Web we have a pretty straightforward same origin
> policy that assumes complete trust in the server. yet with the
> proliferation of third-party JS apps and the possibility of server being
> compromised, how do you know if the server has served the right JS?

By deploying this kind of thing?
http://www.gerv.net/security/link-fingerprints/

(Either in URL syntax form or HTML form.) Every little while I hear
noises from people who want to revive this idea. I'm happy to put you in
touch with the latest group.

The page is the trust root; the included scripts can then be verified.
If you can't trust the top level page, I think you've probably lost already.

Gerv
Received on Wednesday, 18 December 2013 11:03:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:20 UTC