- From: Dan Veditz <dveditz@mozilla.com>
- Date: Fri, 16 Nov 2012 23:13:13 -0800
- To: Mountie Lee <mountie.lee@mw2.or.kr>
- CC: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org

On 11/16/12 6:25 PM, Mountie Lee wrote:
> I know it can not be guaranteed 100%.
> but I found similar approach in mozilla site.
>
> http://www.mozilla.org/projects/security/components/signed-scripts.html
>
> the aim of Signed Script in Mozilla is actually same to my concerns.
> is there any discussions for mozilla signed script project?

That has been deprecated for a long time (possibly the entire lifetime of Firefox?) and the last of the underlying support for it has recently been removed. The main point was to enable enhanced privileges but there are all sorts of edge-case gotchas and it was a terrible non-standard idea.

Apart from the enhanced privileges, though, integrity checks on loaded content are interesting and the WebAppSecurity WG has talked about a couple of ideas. One is a script nonce that could be part of CSP perhaps (script tags would have to have an attribute containing the nonce from the policy in order to be processed). The other is some type of fingerprinting or hash checking for included resources (an idea that has bounced around various forums for a long time).

-Dan Veditz

Received on Saturday, 17 November 2012 07:13:40 UTC
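
The two ideas mentioned in the message above (a script nonce tied to the policy, and hash checking of included resources), sketched as an added example that is not part of the original message or any browser's code. It assumes the `'nonce-<value>'` source syntax and `sha256-<base64>` digest format that CSP and Subresource Integrity later adopted; all function names are hypothetical.

```javascript
// Added illustration: a simplified model of the two checks, run under Node.js.
const nodeCrypto = require('crypto');

// A fresh, unpredictable nonce per response, so injected markup cannot guess it.
function newNonce() {
  return nodeCrypto.randomBytes(16).toString('base64');
}

// Collect the nonces a policy allows, e.g. "script-src 'nonce-abc123'".
// Simplification: only script-src is read; default-src fallback is not modelled.
function policyNonces(policy) {
  const nonces = [];
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name !== 'script-src') continue;
    for (const source of sources) {
      const m = /^'nonce-([A-Za-z0-9+\/_=-]+)'$/.exec(source);
      if (m) nonces.push(m[1]);
    }
  }
  return nonces;
}

// Nonce idea: a script tag is processed only if its nonce attribute
// carries a nonce from the policy. A missing or empty attribute is refused.
function scriptAllowedByNonce(policy, scriptAttrs) {
  const nonce = scriptAttrs.nonce;
  if (typeof nonce !== 'string' || nonce === '') return false;
  return policyNonces(policy).includes(nonce);
}

// Hash idea: the including page pins a digest of the resource it expects.
function integrityValue(body) {
  const digest = nodeCrypto.createHash('sha256').update(body).digest('base64');
  return 'sha256-' + digest;
}

// The fetched bytes are accepted only if their digest equals the pinned one.
function resourceMatches(pinned, fetchedBody) {
  return integrityValue(fetchedBody) === pinned;
}
```
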