- From: Gervase Markham <gerv@mozilla.org>
- Date: Wed, 18 Dec 2013 11:03:11 +0000
- To: Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org

On 17/12/13 21:17, Harry Halpin wrote:
> I think some sort of signed Javascript solution could be very useful.
> Currently, on the Web we have a pretty straightforward same origin
> policy that assumes complete trust in the server. Yet with the
> proliferation of third-party JS apps and the possibility of server being
> compromised, how do you know if the server has served the right JS?

By deploying this kind of thing?
http://www.gerv.net/security/link-fingerprints/
(Either in URL syntax form or HTML form.)

Every little while I hear noises from people who want to revive this
idea. I'm happy to put you in touch with the latest group.

The page is the trust root; the included scripts can then be verified.
If you can't trust the top level page, I think you've probably lost already.

Gerv

Received on Wednesday, 18 December 2013 11:03:48 UTC
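
The trust model described in the message above, as an added example that is not part of the original post or of the linked proposal: a page pins a digest for each included script, and the check shows both what that catches and where it stops helping. The `#!sha256!<hex>` fragment syntax, the function names and the sample page are assumptions made for this sketch.

```javascript
const crypto = require("node:crypto");

// Hypothetical pin syntax for this sketch: <url>#!sha256!<64 hex chars>
const FINGERPRINT_RE = /^(.*)#!sha256!([0-9a-f]{64})$/i;

function sha256Hex(bytes) {
  return crypto.createHash("sha256").update(bytes).digest("hex");
}

// Collect script references from the page, which is the trust root.
function pinnedScripts(pageHtml) {
  const pins = [];
  for (const m of pageHtml.matchAll(/<script\s+src="([^"]+)"/g)) {
    const fp = FINGERPRINT_RE.exec(m[1]);
    // A script with no pin gets digest null and is refused later.
    pins.push(fp ? { url: fp[1], digest: fp[2].toLowerCase() }
                 : { url: m[1], digest: null });
  }
  return pins;
}

// Decide whether the bytes served for a script match the page's pin.
function verifyScript(pin, servedBytes) {
  if (pin.digest === null) return false;
  const actual = Buffer.from(sha256Hex(servedBytes), "hex");
  const expected = Buffer.from(pin.digest, "hex");
  return crypto.timingSafeEqual(actual, expected); // both are 32 bytes
}

// Constructed sample data: one genuine script, one modified copy.
const goodScript = Buffer.from("console.log('widget v1');\n");
const tamperedScript = Buffer.from("console.log('widget v1'); /* injected */\n");
const page = `<html><script src="https://cdn.example/widget.js#!sha256!${sha256Hex(goodScript)}"></script>
<script src="https://cdn.example/unpinned.js"></script></html>`;

function demo() {
  const [pinned, unpinned] = pinnedScripts(page);
  // If the page itself is altered, the pin is altered with it.
  const forgedPage = page.replace(pinned.digest, sha256Hex(tamperedScript));
  const [forgedPin] = pinnedScripts(forgedPage);
  return {
    genuine: verifyScript(pinned, goodScript),               // true
    tamperedOnServer: verifyScript(pinned, tamperedScript),  // false
    unpinned: verifyScript(unpinned, goodScript),            // false
    pageAlsoCompromised: verifyScript(forgedPin, tamperedScript), // true
  };
}
console.log(demo());
```

The last result is the point made in the reply: once the top-level page can be changed, the pin offers no protection, so the page's own delivery has to be trusted separately.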