- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 18 Oct 2013 16:45:21 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAHQV2KnZZgym-y2JEkGZDMdxu=bEuHgSACBJDAj3Lwvns7Eotw@mail.gmail.com>
I'm currently working on the Chromium implementation of script hashes, and I came across a point needing clarification: should script hashes apply to src'd scripts as well as inlined ones? One of Neil's comments implies only inlined, which is my preference, but I want to make sure we're explicit about this. The problem is if they apply to src'd scripts as well, we (Chromium) have a chicken and egg problem. We check CSP to see if a resource URL is acceptable according to the policy. If not, we do not make the request. However, that means that if the URL is not acceptable *but* the hash of the script *is* acceptable, we never see the script, and thus can't override the URL decision. This isn't a fundamental limitation of Chromium, but I'm not sure of the true value of applying script hash to src'd content, and it would mean requesting extra resources that CSP otherwise would block. Additionally, on a practical level, it would require a heck of a lot of refactoring on our end. Whatever our decision, I'm working on a more formal spec write to clarify some of the ins and outs and what-have-yous that I've come across during implementation. Obviously, whatever the consensus here is will be a part of that. --Joel
Received on Friday, 18 October 2013 23:45:48 UTC