
Re: CSP script hashes

From: Yoav Weiss <yoav@yoav.ws>
Date: Tue, 12 Feb 2013 10:17:14 +0100
Message-ID: <CACj=BEijQ6Fu_7Op71+Lpm5siFcbefszh=sRo9CsXehJaLag8g@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@twitter.com>
Cc: Bryan McQuade <bmcquade@google.com>, Eric Chen <eric.chen@sv.cmu.edu>, Nicholas Green <ngreen@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I support moving forward with hashes to allow inline styles and scripts. I
believe they'd be much easier to deploy than nonces in many scenarios,
which will eventually mean increased security.

> What about having a single inline-hash that is a digest of all allowed
> inline content in the document, including both styles and scripts? The
> browser would maintain a running digest as it encounters each style or
> script tag. Once the digest matches the allowed inline-hash the browser
> would execute the content immediately, or would report a violation upon
> reaching the end of the document without ever matching the hash.
>
> This makes it harder to deploy pages that dynamically include from
> multiple sources, but keeps things simple and saves bytes.
>

That would mean the browser cannot start executing inline scripts & styles
until the entire HTML has been downloaded (or at the very least, the last
inlined resource). Even for static HTMLs with multiple inlined resources,
this can result in a significant slowdown of the page load without any
benefit (saving 30 bytes on the response headers doesn't seem like a
significant benefit).

Yoav
Received on Tuesday, 12 February 2013 09:17:43 GMT
