- From: <bugzilla@jessica.w3.org>
- Date: Mon, 28 Jan 2013 02:19:08 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789 Bug ID: 20789 Summary: Signature (cryptographic hash) attribute for <script> Classification: Unclassified Product: HTML WG Version: unspecified Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: HTML5: The Markup Language (editor: Michael(tm) Smith) Assignee: mike@w3.org Reporter: costan@gmail.com QA Contact: public-html-bugzilla@w3.org CC: public-html-admin@w3.org, public-html-wg-issue-tracking@w3.org Please add a "signature" attribute to the <script> tag, which can be used to ensure that the script that will be executed matches the script that the page author believes will be executed. * Example The following example shows a <script> with a signature attribute that matches this proposal. <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.0/jquery.min.js" signature="sha256:f6DVw/U4x2+HjgEqw5BZf67Kq/5vudRZuRkljnbF344="> </script> * Motivation Many Web sites import popular scripts from CDNs (content distribution networks) to improve the user experience by increasing cache hit ratios. Unfortunately, this requires full trusting CDNs, which receive the power to execute arbitrary JavaScript with the credentials of the sites that use them. If <script> supports signature checking, the CDNs can at most perform a denial of service attack by returning the wrong data. Note that using the https: scheme does not solve this problem, because it only protects the JavaScript while it is in transit between the server and the client. * Proposed Syntax This proposal introduces an optional 'signature' attribute to the <script> tag. 'signature' is silently ignored if the script does not have a 'src' attribute. The proposed syntax of 'signature' is as follows: signature-value := algorithm-id : hash-value algorithm-id := one or more of the following characters: A-Z, a-z, 0-9, _ hash-value := one or more of the characters in RFC 2045 Section 6.8 (base64) [1] * Hashing Algorithms All the hashing algorithms considered by this specification operate on binary data, which is called "script material" in this proposal. The script material is the exact binary representation of the script as it is in the body of the HTTP request used to obtain the script. This is purposefully dependent on the script's character encoding. This proposal introduces one algorithm with algorithm-id sha256. According to this algorithm, a script's hash value is obtained by first computing the SHA-256 hash of the script material according to FIPS 180-4, and then base64-encoding it according to Section 6.8 of RFC 2045. On a system that has the curl and openssl command-line tools installed, the hash value for a script can be computed using the following command: curl -s http://cdn.com/script.js | openssl dgst -sha256 -binary | openssl enc -base64 * Fallback No fallback is required. User agents that do not understand the 'signature' attribute will silently ignore it. * References [1] https://tools.ietf.org/html/rfc2045#section-6.8 [2] http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Monday, 28 January 2013 02:19:11 UTC