W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: Hashes.

From: Garrett Robinson <grobinson@mozilla.com>
Date: Thu, 12 Dec 2013 15:42:53 -0800
Message-ID: <52AA49FD.5000804@mozilla.com>
To: Dionysis Zindros <dionyziz@gmail.com>, Joel Weinberger <jww@chromium.org>
CC: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Neil Matatall <neilm@twitter.com>, Adam Barth <w3c@adambarth.com>, Brad Hill <bhill@paypal-inc.com>, Dan Veditz <dveditz@mozilla.com>
On 12/12/2013 02:11 PM, Dionysis Zindros wrote:
> Thanks for your feedback. I'm incorporating the requested changes in
> the attached patch.

The only other problem I see with this patch is requesting we print the 
"correct" hash value if a hash fails to validate. There's no way to 
determine which inline script an incorrect hash was intended to 
whitelist, so the only solution here is to print the hash of every 
inline script (for every incorrect hash-source in the policy, unless you 
wanted to add some special-case logic to only print them out for the 
first hash-source that failed to validate).

This could create quite a mess in the Developer console (especially if 
there are lots of inline scripts and/or broken hash-sources). I am not 
sure if this would actually be helpful for developers either, and they 
could just as easily copy-paste a one-liner into the Developer Console 
to do this for them (or use a bookmarklet, add-on, etc.)

-Garrett
Received on Thursday, 12 December 2013 23:43:24 UTC