- From: Mountie Lee <mountie.lee@mw2.or.kr>
- Date: Mon, 19 Nov 2012 09:49:09 +0900
- To: Dan Veditz <dveditz@mozilla.com>
- Cc: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
- Message-ID: <CAE-+aYLEGf9idbrvP9od+cm9+0Do7iy=qLYEZzXcqOGRaLfUGw@mail.gmail.com>
Hi.

Thanks for your reply. What do you mean by "script nonce"?

I have read CSP in the WebAppSec WG. It is mainly focused on XSS attacks by a remote attacker, and I feel it does not cover my issue.

Could you guide me to the discussion thread for script nonce or fingerprint/hash?

On Sat, Nov 17, 2012 at 4:13 PM, Dan Veditz <dveditz@mozilla.com> wrote:

> On 11/16/12 6:25 PM, Mountie Lee wrote:
>
>> I know it can not be guaranteed 100%.
>> But I found a similar approach on the Mozilla site.
>>
>> http://www.mozilla.org/projects/security/components/signed-scripts.html
>>
>> The aim of Signed Script in Mozilla is actually the same as my concerns.
>> Are there any discussions for the Mozilla signed script project?
>
> That has been deprecated for a long time (possibly the entire lifetime of
> Firefox?) and the last of the underlying support for it has recently been
> removed. The main point was to enable enhanced privileges but there are all
> sorts of edge-case gotchas and it was a terrible non-standard idea.
>
> Apart from the enhanced privileges, though, integrity checks on loaded
> content are interesting and the WebAppSecurity WG has talked about a couple
> of ideas. One is a script nonce that could be part of CSP perhaps (script
> tags would have to have an attribute containing the nonce from the policy
> in order to be processed). The other is some type of fingerprinting or hash
> checking for included resources (an idea that has bounced around various
> forums for a long time).
>
> -Dan Veditz

--
Mountie Lee
PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Monday, 19 November 2012 00:49:55 UTC