Re: Signed Javascript

On 17/12/13 21:17, Harry Halpin wrote:
> I think some sort of signed Javascript solution could be very useful.
> Currently, on the Web we have a pretty straightforward same origin
> policy that assumes complete trust in the server. yet with the
> proliferation of third-party JS apps and the possibility of server being
> compromised, how do you know if the server has served the right JS?

By deploying this kind of thing?

(Either in URL syntax form or HTML form.) Every little while I hear
noises from people who want to revive this idea. I'm happy to put you in
touch with the latest group.

The page is the trust root; the included scripts can then be verified.
If you can't trust the top level page, I think you've probably lost already.


Received on Wednesday, 18 December 2013 11:03:48 UTC