Re: how to protect javascript codes

On 11/18/12 4:49 PM, Mountie Lee wrote:
> could you guide me the discussion thread for script nonce or
> fingerprint/hash ?

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental

May or may not be adopted as part of CSP 1.1 (CSP 1.0 isn't final yet!) 
but discussion was favorable enough to include as a discussion point. It 
does not directly address your issue -- it attempts to ensure that each 
<script> tag was created by the page author and wasn't injected, but 
does nothing to ensure the received content was the intended content.

-Dan Veditz

Received on Monday, 19 November 2012 01:20:11 UTC