
Re: Security use cases for packaging

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 30 Jan 2015 12:09:20 -0500
To: Yan Zhu <yzhu@yahoo-inc.com>, Ilya Grigorik <igrigorik@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Chris Palmer <palmer@google.com>, "public-webapps\@w3.org" <public-webapps@w3.org>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
Message-ID: <878ugkry9r.fsf@alice.fifthhorseman.net>

On Fri 2015-01-30 01:50:43 -0500, Yan Zhu wrote:
> Say that resource Y is a javascript file that listens for users typing
> in password fields and shows them a warning if the password is
> weak. The user verifies and loads the HTML page that includes Y but an
> attacker then blocks the request to fetch Y, so the user picks a weak
> password.
>
> My intuition is that most developers think about the security of their
> app as a whole, not the security of their app minus
> any-given-subset-of-resources.

I see what you're saying -- and javascript that is directly embedded in
the app would all definitely need to be loaded first (since we don't
know how it would affect the rest of the application).  I was thinking
of other resources that might be invoked or loaded later, via XHR or
dynamic script load or other requests.

I suppose the question then arises of what to do if the app triggers an
XHR or dynamic script load for a piece of signed content, and that
signed content can't be fetched, the entire application would have to
block or something to avoid the scenario you describe.  That kind of UX
doesn't sound very web-like :/

        --dkg
Received on Friday, 30 January 2015 17:09:51 UTC
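
The scenario discussed in this message, as an added example that is not part of the original thread: a late-loaded resource is accepted only if it was fetched and matches what was verified up front, and the feature that depends on it stays disabled otherwise. The manifest shape, the function names and the fetchers are hypothetical, a pinned SHA-256 digest stands in for whatever signature check a packaging format would define, and blocking only the dependent feature rather than the whole application is this example's own assumption.

```javascript
// Added illustration, not code from the thread. The manifest shape, function
// names and fetchers are hypothetical; a pinned SHA-256 digest stands in for
// whatever signature check a packaging format would define.
const nodeCrypto = require("node:crypto");

const sha256 = (bytes) =>
  nodeCrypto.createHash("sha256").update(bytes).digest("base64");

// Constructed sample: the password-strength script ("resource Y") and a
// manifest that was verified together with the HTML page.
const SAMPLE_Y = Buffer.from("function warnIfWeak(p) { return p.length < 12; }");
const MANIFEST = { "strength-check.js": sha256(SAMPLE_Y) };

// Fetch a late-loaded resource and accept it only if the bytes arrived AND
// match the pinned digest. A blocked request and a modified body both fail.
async function loadRequired(name, manifest, fetcher) {
  if (!Object.hasOwn(manifest, name)) {
    return { ok: false, reason: "not-in-manifest" };
  }
  let body;
  try {
    body = await fetcher(name);
  } catch (err) {
    return { ok: false, reason: "fetch-failed" };
  }
  if (sha256(body) !== manifest[name]) {
    return { ok: false, reason: "digest-mismatch" };
  }
  return { ok: true, body };
}

// Fail closed for the dependent feature: the password form stays disabled
// until Y is verified, instead of silently running without the check.
async function passwordFormState(manifest, fetcher) {
  const result = await loadRequired("strength-check.js", manifest, fetcher);
  return result.ok
    ? { submitEnabled: true }
    : { submitEnabled: false, reason: result.reason };
}
```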
