Re: Nonce for CSS, Signature of script, link, img?

From: Yoav Weiss <yoav@yoav.ws>
Date: Thu, 31 Jan 2013 10:55:18 +0100
Message-ID: <CACj=BEhxfasn7Wi8nC_jKe7uqAtJt0ifYrhD7QOi2NmZL9mfQQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: Mountie Lee <mountie.lee@mw2.or.kr>, Hendrik Brummermann <nhb_web@nexgo.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>

I'd just like to point out a previous thread on stylesheet nonces
http://lists.w3.org/Archives/Public/public-webappsec/2012Dec/0047.html
Inline stylesheets are essential for Web performance in some applications.
I support stylesheet nonces, since otherwise Web developers would have to
choose between security & performance.

Yoav


On Thu, Jan 31, 2013 at 2:55 AM, Hill, Brad <bhill@paypal-inc.com> wrote:

> Mountie,
>
> The use cases are network-focused: that it would allow an application to
> protect itself from modifications to content loaded over insecure
> transports (like http) or from unauthorized server-side modifications to
> content loaded over secure transports.
>
> -Brad
>
> *From:* mountie@paygate.net [mailto:mountie@paygate.net] *On Behalf Of* Mountie Lee
> *Sent:* Wednesday, January 30, 2013 4:44 PM
> *To:* Hill, Brad
> *Cc:* Hendrik Brummermann; public-webappsec@w3.org
> *Subject:* Re: Nonce for CSS, Signature of script, link, img?
>
> Hi.
>
> Thanks for your information.
>
> One question I have is:
>
> Does this suggestion give protection for stored JS code or an installable
> webapp?
>
> regards
>
> mountie.
>
> On Thu, Jan 31, 2013 at 9:33 AM, Hill, Brad <bhill@paypal-inc.com> wrote:
>
> please share the link for "Sub-Resource Integrity" and related information.
>
> [Hill, Brad] http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/0129.html
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
Received on Thursday, 31 January 2013 09:55:46 GMT
