[Bug 20789] Signature (cryptographic hash) attribute for <script>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20789

nickolai <nickolai@csail.mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nickolai@csail.mit.edu

--- Comment #5 from nickolai <nickolai@csail.mit.edu> ---
I think it would be better to call this attribute hash=, since it is a hash and
not a signature.

It might be worthwhile to propose such an attribute for other elements that can
be loaded from a specified URL.  I'm primarily thinking of <style src=..> tags,
which can be used to attack a page, but also <img src=..>, where I might want
to ensure that the displayed contents of my page are not affected by a
compromised server.

One security consideration is that such a tag may allow the parent page to
learn something about the content of the specified resource -- namely, whether
its content hashes to the specified value -- by observing whether the resource
loads correctly or not.


Received on Monday, 28 January 2013 03:34:00 UTC
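
The security consideration raised in the comment above can be closed by making the load outcome independent of the resource body whenever the embedding page is not entitled to read that resource; Subresource Integrity later applied this gate by requiring CORS for cross-origin resources. The sketch below is an added example, not part of the original comment or of any browser's code, and the `<alg>-<base64>` attribute format, the `resource` object shape and all function names are assumptions.

```javascript
const { createHash, timingSafeEqual } = require("crypto");

// Assumed attribute value format: "<alg>-<base64 digest>".
function parseHashAttr(value) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(value);
  return m ? { alg: m[1], digest: Buffer.from(m[2], "base64") } : null;
}

// Helper to build an attribute value for a known-good body.
function hashAttrFor(body, alg = "sha256") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

function hashMatches(body, expected) {
  const actual = createHash(expected.alg).update(body).digest();
  return actual.length === expected.digest.length &&
    timingSafeEqual(actual, expected.digest);
}

// resource: { body: Buffer, sameOrigin: boolean, corsApproved: boolean }
// (hypothetical shape). Returns what the embedding page can observe.
function decideLoad(resource, hashAttr) {
  if (hashAttr === undefined) return "loaded"; // no hash requested
  const expected = parseHashAttr(hashAttr);
  if (!expected) return "blocked"; // fail closed: a design choice of this sketch
  // The page may not read this response, so the outcome must not depend on
  // its body. Blocking unconditionally removes the "does it hash to X?" oracle.
  if (!resource.sameOrigin && !resource.corsApproved) return "blocked";
  return hashMatches(resource.body, expected) ? "loaded" : "blocked";
}

// Constructed sample data.
const good = Buffer.from("console.log('v1');");
const tampered = Buffer.from("console.log('v1'); /* modified */");
const attr = hashAttrFor(good);

function demo() {
  return {
    sameOriginGood: decideLoad({ body: good, sameOrigin: true, corsApproved: false }, attr),
    sameOriginTampered: decideLoad({ body: tampered, sameOrigin: true, corsApproved: false }, attr),
    opaqueGood: decideLoad({ body: good, sameOrigin: false, corsApproved: false }, attr),
    opaqueTampered: decideLoad({ body: tampered, sameOrigin: false, corsApproved: false }, attr),
    corsGood: decideLoad({ body: good, sameOrigin: false, corsApproved: true }, attr),
  };
}
```

For a cross-origin resource without CORS approval, the matching and non-matching bodies produce the same outcome, so the embedding page learns nothing about the content.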