
Re: [integrity]: Origin confusion attacks.

From: Mike West <mkwst@google.com>
Date: Thu, 16 Jan 2014 15:23:10 +0100
Message-ID: <CAKXHy=ebAtU7bP8PQPQOO8NpH-LxsT=dWj3XupRhsCB0GsWSFg@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: Ben Toews <btoews@github.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

1. In [1], I've explicitly made caching an optional bit of the spec, by
using the magic word "OPTIONAL". Hooray for RFC 2119.

2. Also in [1], I've added the nonce bit discussed here for `script` and
`style`. The attribute isn't defined in CSP for any other elements.
Personally, I'm not sure it needs to be, but we can certainly add it if
there's demand.


On Fri, Jan 10, 2014 at 6:46 PM, Pete Freitag <pete@foundeo.com> wrote:

> On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:
>> It doesn’t seem like you would need to provide the nonce in style.css
>> because the integrity hash of cat.gif is already incorporated into the
>> integrity hash of style.css.
> I agree it is probably not a problem for CSS because all of the resources
> it will load are explicitly defined and hashed. I'm just not sure about
> resources loaded dynamically from a script - what do you guys think?

As Ben suggests, I think that validating the CSS file transitively
validates the resources it contains (assuming that we have agreed-upon
syntax for integrity metadata contained in CSS (see the other thread)).

Received on Thursday, 16 January 2014 14:24:02 UTC
