- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 14 Dec 2013 15:41:40 +0100
- To: Some Developer <someukdeveloper@gmail.com>
- Cc: whatwg@whatwg.org
* Some Developer wrote:
>Currently most people store their JavaScript code on a CDN of some sort.
>This often involves uploading their JavaScript files to a server hosted and
>run by a third party which means the control and security of the server is
>out of the hands of the website owner. If the CDN is hacked or a rogue
>employee decides to edit your JavaScript you might end up serving malicious
>JavaScript to your users without even knowing it.
>
>In order to overcome this problem I propose that a new attribute is added
>to the <script> tag which allows the website owner to specify a SHA512 hash
>of the JavaScript file ahead of time. If when the file is downloaded from
>the CDN by the browser it does not match the SHA512 hash in the HTML the
>browser should discard the JavaScript file and display a warning to the
>user that the file has been modified and that it should be considered as
>malicious.

You probably want to talk to <http://www.w3.org/2011/webappsec/>.
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 14 December 2013 14:42:09 UTC
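
The check described in the quoted proposal, as an added example that is not part of the original thread or of any browser's code: it hashes the exact bytes received and fails closed when the pinned value is malformed. The function names, the hex encoding of the pinned hash and the sample script are assumptions made for illustration.

```javascript
// Added example (Node.js). Not from the thread; names are hypothetical.
const { createHash } = require('node:crypto');

// Hex SHA-512 of a byte buffer (what the site owner would compute ahead of time).
function sha512Hex(bytes) {
  return createHash('sha512').update(bytes).digest('hex');
}

// Decide whether a downloaded script may run, given the hex SHA-512 value
// pinned in the HTML. A missing or malformed pin never allows execution.
function checkScript(bodyBytes, pinnedHex) {
  const pin = typeof pinnedHex === 'string' ? pinnedHex.trim() : '';
  if (!/^[0-9a-f]{128}$/i.test(pin)) {
    return { execute: false, reason: 'malformed-pin' };
  }
  const expected = Buffer.from(pin, 'hex');
  // Hash the raw response bytes, before any charset decoding or
  // newline normalisation, so the result matches what was pinned.
  const actual = createHash('sha512').update(bodyBytes).digest();
  if (!actual.equals(expected)) {
    return { execute: false, reason: 'hash-mismatch' };
  }
  return { execute: true, reason: 'match' };
}

// Constructed sample input: a small script and three altered deliveries.
const original = Buffer.from('function greet(){ return "hello"; }\n', 'utf8');
const tampered = Buffer.concat([original, Buffer.from('/* injected */\n')]);
const crlf = Buffer.from(original.toString('utf8').replace(/\n/g, '\r\n'), 'utf8');
const pin = sha512Hex(original);

function demo() {
  return {
    untouched: checkScript(original, pin),
    modified: checkScript(tampered, pin),
    // Same source text, but an intermediary rewrote the line endings.
    rewrittenNewlines: checkScript(crlf, pin),
    truncatedPin: checkScript(original, pin.slice(0, 64)),
  };
}

console.log(demo());
```

The `rewrittenNewlines` case shows that any byte-level change by the host, even a harmless one, is rejected the same way as a malicious edit.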