- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Sat, 17 Nov 2012 02:06:13 +0000
- To: Mountie Lee <mountie.lee@mw2.or.kr>, "webcrypto-comments@w3.org" <webcrypto-comments@w3.org>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>
- Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2EEB0F@DEN-EXDDA-S12.corp.ebay.com>

Loading over HTTPS is the typical way to ensure the authenticity of origin and integrity in transport of Web applications and JavaScript.

I think we could better answer your question if you can help us understand why HTTPS isn't adequate.

-Brad Hill

From: mountie@paygate.net [mailto:mountie@paygate.net] On Behalf Of Mountie Lee
Sent: Friday, November 16, 2012 5:07 PM
To: webcrypto-comments@w3.org
Cc: public-webappsec@w3.org; public-sysapps@w3.org
Subject: how to protect javascript codes

Hi.
I have a question.

How to protect javascript codes loaded from a remote server or installed webapps?

I was trying to find a protecting mechanism, but failed to find an exact description in the documents of the webcrypto WG, WebAppSec WG and SysApp WG.

The reasons why we need to protect javascript codes are as follows:
- javascript codes are easily changed on the client side.
- the service provider wants to make sure the business logic implemented with javascript is exactly the same as the server's.

I think the hosted JS model and the installable webapp model are no different.
For the installable webapp model, before installing the webapp, the integrity of the webapp has to be verified.

These requirements are mentioned in many email threads or use cases on the webcrypto WG:
at "security of a client-side JS API" (http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Nov/subject.html)
at http://www.w3.org/2012/webcrypto/wiki/Use_Cases#Signed_web_applications

JOSE is focusing on the JSON returned data itself. It cannot cover the JS code itself.

I have discussed this with a member of the SysApp WG, and even at the joint session at TPAC with the webappsec WG I could not get a proper answer.

Do we need to consider a protecting mechanism for loaded or installed javascript codes?

--
Mountie Lee
PayGate CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Saturday, 17 November 2012 02:06:42 UTC