Re: how to protect javascript codes

On 11/16/12 6:25 PM, Mountie Lee wrote:
> I know it can not be guaranteed 100%.
> but I found similar approach in mozilla site.
>
> http://www.mozilla.org/projects/security/components/signed-scripts.html
>
> the aim of Signed Script in Mozilla is actually same to my concerns.
> is there any discussions for mozilla signed script project?

That has been deprecated for a long time (possibly the entire lifetime 
of Firefox?) and the last of the underlying support for it has recently 
been removed. The main point was to enable enhanced privileges but there 
are all sorts of edge-case gotchas and it was a terrible non-standard idea.

Apart from the enhanced privileges, though, integrity checks on loaded 
content is interesting and the WebAppSecurity WG has talked about a 
couple of ideas. One is a script nonce that could be part of CSP perhaps 
(script tags would have to have an attribute containing the nonce from 
the policy in order to be processed). The other is some type of 
fingerprinting or hash checking for included resources (an idea that has 
bounced around various forums for a long time).

-Dan Veditz

Received on Saturday, 17 November 2012 07:13:42 UTC