[whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag

Currently most people store their JavaScript code on a CDN of some sort.
This often involves uploading their JavaScript files to a server hosted and
run by a third party, which means the control and security of the server is
out of the hands of the website owner. If the CDN is hacked or a rogue
employee decides to edit your JavaScript, you might end up serving malicious
JavaScript to your users without even knowing it.

In order to overcome this problem, I propose that a new attribute is added
to the <script> tag which allows the website owner to specify a SHA512 hash
of the JavaScript file ahead of time. If, when the file is downloaded from
the CDN by the browser, it does not match the SHA512 hash in the HTML, the
browser should discard the JavaScript file and display a warning to the
user that the file has been modified and that it should be considered as
malicious.

Thoughts?

Received on Saturday, 14 December 2013 14:30:11 UTC
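
The check proposed in the message above, modelled in Python as an added example that is not part of the original post. The attribute name `sha512`, the `cdn.example` URLs and the `fetch` callback are assumptions made for illustration; the proposal does not name the attribute.

```python
import hashlib
import hmac
from html.parser import HTMLParser

ATTR = "sha512"  # hypothetical attribute name; the proposal does not name one


def sha512_hex(body: bytes) -> str:
    return hashlib.sha512(body).hexdigest()


class ScriptPins(HTMLParser):
    """Collect (src, pinned hash) for every external <script> on a page."""

    def __init__(self):
        super().__init__()
        self.pins = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.pins.append((a["src"], a.get(ATTR)))


def check_page(html: str, fetch) -> dict:
    """Return {src: 'execute' | 'discard' | 'unpinned'} for each script."""
    parser = ScriptPins()
    parser.feed(html)
    verdicts = {}
    for src, pinned in parser.pins:
        if pinned is None:
            verdicts[src] = "unpinned"  # no hash in the HTML: nothing to verify
            continue
        actual = sha512_hex(fetch(src)).encode()
        # Hex digits are case-insensitive; normalise, then compare the full digest.
        ok = hmac.compare_digest(actual, pinned.strip().lower().encode())
        verdicts[src] = "execute" if ok else "discard"
    return verdicts


# Constructed sample data: the file the site owner published, and the bytes
# a modified copy on the CDN would return instead.
ORIGINAL = b"function greet() { return 'hello'; }\n"
TAMPERED = ORIGINAL + b"/* modified on the CDN */\n"
PAGE = (
    f'<script src="https://cdn.example/app.js" {ATTR}="{sha512_hex(ORIGINAL)}"></script>\n'
    '<script src="https://cdn.example/legacy.js"></script>\n'
)

if __name__ == "__main__":
    print(check_page(PAGE, lambda src: ORIGINAL))
    print(check_page(PAGE, lambda src: TAMPERED))
```

The hash is computed over the exact bytes served, so any re-minification or re-encoding of the file on the CDN also yields `discard` until the value in the HTML is regenerated.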