Re: how to protect javascript codes

Thanks for your reply.

What do you mean by "script nonce"?

I have read CSP in the WebAppSec WG.

It is mainly focused on XSS attacks by remote attackers,
and I feel it does not cover my issue.

Could you guide me to the discussion thread for script nonce or
fingerprint/hash?

On Sat, Nov 17, 2012 at 4:13 PM, Dan Veditz wrote:

> On 11/16/12 6:25 PM, Mountie Lee wrote:
>> I know it cannot be guaranteed 100%,
>> but I found a similar approach on the Mozilla site:
>> signed-scripts.html
>> The aim of Signed Script in Mozilla is actually the same as my concerns.
>> Are there any discussions of the Mozilla signed script project?
> That has been deprecated for a long time (possibly the entire lifetime of
> Firefox?) and the last of the underlying support for it has recently been
> removed. The main point was to enable enhanced privileges but there are all
> sorts of edge-case gotchas and it was a terrible non-standard idea.
> Apart from the enhanced privileges, though, integrity checks on loaded
> content is interesting and the WebAppSecurity WG has talked about a couple
> of ideas. One is a script nonce that could be part of CSP perhaps (script
> tags would have to have an attribute containing the nonce from the policy
> in order to be processed). The other is some type of fingerprinting or hash
> checking for included resources (an idea that has bounced around various
> forums for a long time).
> -Dan Veditz

Mountie Lee

Tel : +82 2 2140 2700

PayGate Inc.
for Korea, Japan, China, and the World

Received on Monday, 19 November 2012 00:49:55 UTC
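
The two ideas Dan Veditz describes in the quoted reply (a script nonce carried in the policy, and hash checking of included resources), as an added sketch that is not part of the original message or of any WG text. It assumes the `'nonce-…'` source expression and `nonce` attribute that CSP later adopted, a `sha384-` prefixed base64 digest as the pinned hash, and a regex as a stand-in for the browser's HTML parser; all function names are hypothetical.

```javascript
const { randomBytes, createHash } = require('node:crypto');

// Server side: a fresh, unpredictable nonce for every response, stated in the policy.
function newPolicy() {
  const nonce = randomBytes(16).toString('base64');
  return { nonce, header: `Content-Security-Policy: script-src 'nonce-${nonce}'` };
}

// Pull the nonce values out of the policy header.
function policyNonces(header) {
  return [...header.matchAll(/'nonce-([A-Za-z0-9+\/=]+)'/g)].map((m) => m[1]);
}

// Browser-side model: only <script> tags whose nonce attribute matches the
// policy are processed; tags with no nonce or a wrong nonce are skipped.
function allowedScripts(header, html) {
  const nonces = policyNonces(header);
  const processed = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attr = /\bnonce="([^"]*)"/.exec(m[1]);
    if (attr && nonces.includes(attr[1])) processed.push(m[2].trim());
  }
  return processed;
}

// Hash idea: the page pins a digest; the fetched bytes must reproduce it.
function digest(body) {
  return 'sha384-' + createHash('sha384').update(body).digest('base64');
}
function resourceMatches(body, pinned) {
  return digest(body) === pinned;
}

// Constructed sample page and library, for illustration only.
function demo() {
  const { nonce, header } = newPolicy();
  const html =
    `<script nonce="${nonce}">initApp()</script>` + // emitted by the server
    `<script>injected()</script>` +                 // no nonce
    `<script nonce="guess">injected2()</script>`;   // wrong nonce
  const lib = 'function pay(){ /* v1 */ }';
  const pinned = digest(lib);
  return {
    processed: allowedScripts(header, html),
    intact: resourceMatches(lib, pinned),
    modified: resourceMatches(lib + ' extra()', pinned),
  };
}

console.log(demo());
```

Both checks are enforced by the browser on the user's behalf; they tell the browser which scripts the server intended, and say nothing about who can read the script source.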