
Re: CSP script hashes

From: Jacob Hoffman-Andrews <jsha@twitter.com>
Date: Tue, 12 Feb 2013 10:27:58 -0800
Message-ID: <CADzQPXvgxqfYr3UVgkbVWYhYC3QnpkTYPj0OHxTKrvvKk0nJCA@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Bryan McQuade <bmcquade@google.com>, Eric Chen <eric.chen@sv.cmu.edu>, Nicholas Green <ngreen@twitter.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
>> What about having a single inline-hash that is a digest of all allowed
>> inline content in the document, including both styles and scripts? The
>> browser would maintain a running digest as it encounters each style or
>> script tag. Once the digest matches the allowed inline-hash the browser
>> would execute the content immediately, or would report a violation upon
>> reaching the end of the document without ever matching the hash.
>>
>
> That would mean the browser cannot start executing inline scripts & styles
> until the entire HTML has been downloaded (or at the very least, the last
> inlined resource). Even for static HTMLs with multiple inlined resources,
> this can result in a significant slowdown of the page load without any
> benefit. (saving 30 bytes on the response headers doesn't seem like a
> significant benefit)
>

That's why I said the browser should execute immediately once the digest
matches the inline-hash. I believe that all uses for which inline script is
important involve script at the top of the document. Also I believe that a
browser won't start executing any script in a given tag until it reaches
the end of the tag. So even if the chunk of JS that you include at the top
of your page is very large, it won't execute any later than it normally
would.
Received on Tuesday, 12 February 2013 18:29:09 GMT
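To make the tradeoff in this exchange concrete, here is an added Python sketch of the single running inline-hash proposal (it is not from the thread, the CSP spec or any browser). It assumes SHA-256 over the raw UTF-8 concatenation of the inline script/style bodies in document order, and reports for each inline block when a streaming browser could decide to run it.

```python
import hashlib
from typing import List, Optional, Tuple

# (kind, block_index, decided_at): kind is "execute" or "violation"; decided_at
# is the index of the inline block whose parsing settled the decision, and
# len(blocks) stands for "end of document".
Event = Tuple[str, int, int]


def inline_hash_for(blocks: List[str]) -> str:
    """Header value the server would send: one digest over every allowed
    inline script/style body in document order. SHA-256 over the raw UTF-8
    concatenation is an assumption; the proposal fixes neither hash nor encoding."""
    h = hashlib.sha256()
    for body in blocks:
        h.update(body.encode("utf-8"))
    return h.hexdigest()


def running_digest_policy(blocks: List[str], allowed_hash: str) -> List[Event]:
    """Browser side of the proposal while streaming the document: each inline
    block is folded into a running digest and held back; once the digest equals
    the allowed hash everything held executes; whatever is still held at end of
    document is reported as a violation."""
    h = hashlib.sha256()
    held: List[int] = []
    events: List[Event] = []
    for i, body in enumerate(blocks):
        h.update(body.encode("utf-8"))
        held.append(i)
        if h.hexdigest() == allowed_hash:
            events.extend(("execute", j, i) for j in held)
            held.clear()
    events.extend(("violation", j, len(blocks)) for j in held)
    return events


def first_execution_point(blocks: List[str], allowed_hash: str) -> Optional[int]:
    """Index of the block whose arrival lets the earliest block run (None if
    nothing runs). With one hash over all inline content this is the last
    inline block, which is the slowdown described in the quoted reply."""
    points = [at for kind, _, at in running_digest_policy(blocks, allowed_hash)
              if kind == "execute"]
    return min(points) if points else None
```

Running it on a constructed three-block document shows the first inline script waiting for the third block when the hash covers all inline content, executing immediately when the hash covers only the first block, and a tampered middle block turning every block into a violation.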

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 12 February 2013 18:29:10 GMT