Re: [Content Security Policy] Proposal to move the debate forward from gaz Heyes on 2011-01-31 (public-web-security@w3.org from January 2011)

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 31 Jan 2011 10:24:15 +0000
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Message-ID: <AANLkTimaYS7-7wpnJwZpnOOfM-XyXLHVonW0WXOvRMhr@mail.gmail.com>

On 31 January 2011 09:30, Gervase Markham <gerv@mozilla.org> wrote:

> Question is: is a script-key-based approach therefore infeasible because
> no-one will adopt it because it makes caching impossible?
>

Unless the key is actually a hash of the code itself therefore doesn't need
to be randomize each. You'd still have the problem of injections inside
whitelisted scripts (DOM injections etc) and the developer actually
generating a hash each time but IDE's could automate that.

Received on Monday, 31 January 2011 10:24:48 UTC