- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Fri, 30 Jan 2015 12:09:20 -0500
- To: Yan Zhu <yzhu@yahoo-inc.com>, Ilya Grigorik <igrigorik@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Chris Palmer <palmer@google.com>, "public-webapps\@w3.org" <public-webapps@w3.org>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
On Fri 2015-01-30 01:50:43 -0500, Yan Zhu wrote:
> Say that resource Y is a javascript file that listens for users typing
> in password fields and shows them a warning if the password is
> weak. The user verifies and loads the HTML page that includes Y but an
> attacker then blocks the request to fetch Y, so the user picks a weak
> password.
>
> My intuition is that most developers think about the security of their
> app as a whole, not the security of their app minus
> any-given-subset-of-resources.
I see what you're saying -- and javascript that is directly embedded in
the app would all definitely need to be loaded first (since we don't
know how it would affect the rest of the application). I was thinking
of other resources that might be invoked or loaded later, via XHR or
dynamic script load other requests.
I suppose the question then arises of what to do if the app triggers an
XHR or dynamic script load for a piece of signed content, and that
signed content can't be fetched, the entire application would have to
block or something to avoid the scenario you describe. That kind of UX
doesn't sound very web-like :/
--dkg
Received on Friday, 30 January 2015 17:09:47 UTC