Re: [whatwg] Proposal: Specify SHA512 hash of JavaScript files in <script> tag from Brendan Long on 2014-06-26 (public-whatwg-archive@w3.org from June 2014)

From: Brendan Long <self@brendanlong.com>
Date: Thu, 26 Jun 2014 13:00:36 -0500
To: Mikko Rantalainen <mikko.rantalainen@peda.net>, whatwg@lists.whatwg.org
Message-ID: <53AC5FC4.4000000@brendanlong.com>

On 06/26/2014 01:18 AM, Mikko Rantalainen wrote:
> However, the suggested hash signature is far from enough. Most popular
> libraries have means to load additional files and plugins and the
> suggested hash is able to "sign" only the main file. If you cannot
> trust the CDN provider, you cannot trust that the rest of the files
> have not been modified. An attacker could use *any* file in the CDN
> network for an attack. If your signature cannot cover *all* files,
> adding the signature is wasted effort. There's no need to provide any
> additional tools for false sense of security.
Couldn't the main file check any additional files it downloads, either
by loading them via script tag with hash or by manually hashing them as
they're downloaded (presumably easier once WebCrypto is adopted)?

Received on Thursday, 26 June 2014 18:01:39 UTC