
Re: [integrity]: Origin confusion attacks.

From: Mike West <mkwst@google.com>
Date: Thu, 16 Jan 2014 15:23:10 +0100
Message-ID: <CAKXHy=ebAtU7bP8PQPQOO8NpH-LxsT=dWj3XupRhsCB0GsWSFg@mail.gmail.com>
To: Pete Freitag <pete@foundeo.com>
Cc: Ben Toews <btoews@github.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

1. In [1], I've explicitly made caching an optional bit of the spec, by
using the magic word "OPTIONAL". Hooray for RFC 2119.

2. Also in [1], I've added the nonce bit discussed here for `script` and
`style`. The attribute isn't defined in CSP for any other elements.
Personally, I'm not sure it needs to be, but we can certainly add it if
there's demand.

[1]:
https://github.com/w3c/webappsec/commit/b0213618fc8cadd773f1f89b743451d6b743295a

On Fri, Jan 10, 2014 at 6:46 PM, Pete Freitag <pete@foundeo.com> wrote:

> On Fri, Jan 10, 2014 at 12:30 PM, Ben Toews <btoews@github.com> wrote:
>
>> It doesn’t seem like you would need to provide the nonce in style.css
>> because the integrity hash of cat.gif is already incorporated into the
>> integrity hash of style.css.
>>
>
> I agree it is probably not a problem for CSS because all of the resources
> it will load are explicitly defined and hashed. I'm just not sure about
> resources loaded dynamically from a script - what do you guys think?
>

As Ben suggests, I think that validating the CSS file transitively
validates the resources it contains (assuming that we have agreed-upon
syntax for integrity metadata contained in CSS (see the other thread)).

-mike
Received on Thursday, 16 January 2014 14:24:02 UTC