Hi. Thanks for your reply.

What do you mean by "script nonce"? I have read CSP in the WebAppSec WG. It is mainly focused on XSS attacks by a remote attacker, and I feel it does not cover my issue. Could you point me to the discussion thread for script nonce or fingerprint/hash?

On Sat, Nov 17, 2012 at 4:13 PM, Dan Veditz <dveditz@mozilla.com> wrote:
> On 11/16/12 6:25 PM, Mountie Lee wrote:
>
>> I know it cannot be guaranteed 100%,
>> but I found a similar approach on the Mozilla site.
>>
>> http://www.mozilla.org/projects/security/components/signed-scripts.html
>>
>> The aim of Signed Script in Mozilla is actually the same as my concern.
>> Is there any discussion of the Mozilla signed script project?
>>
>
> That has been deprecated for a long time (possibly the entire lifetime of
> Firefox?) and the last of the underlying support for it has recently been
> removed. The main point was to enable enhanced privileges but there are all
> sorts of edge-case gotchas and it was a terrible non-standard idea.
>
> Apart from the enhanced privileges, though, integrity checks on loaded
> content are interesting and the WebAppSecurity WG has talked about a couple
> of ideas. One is a script nonce that could be part of CSP perhaps (script
> tags would have to have an attribute containing the nonce from the policy
> in order to be processed). The other is some type of fingerprinting or hash
> checking for included resources (an idea that has bounced around various
> forums for a long time).
>
> -Dan Veditz
>

--
Mountie Lee
PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Monday, 19 November 2012 00:49:55 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 19 November 2012 00:49:56 GMT