- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Thu, 12 Dec 2013 15:42:53 -0800
- To: Dionysis Zindros <dionyziz@gmail.com>, Joel Weinberger <jww@chromium.org>
- CC: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Neil Matatall <neilm@twitter.com>, Adam Barth <w3c@adambarth.com>, Brad Hill <bhill@paypal-inc.com>, Dan Veditz <dveditz@mozilla.com>

On 12/12/2013 02:11 PM, Dionysis Zindros wrote:
> Thanks for your feedback. I'm incorporating the requested changes in
> the attached patch.

The only other problem I see with this patch is requesting we print the "correct" hash value if a hash fails to validate. There's no way to determine which inline script an incorrect hash was intended to whitelist, so the only solution here is to print the hash of every inline script (for every incorrect hash-source in the policy, unless you wanted to add some special-case logic to only print them out for the first hash-source that failed to validate).

This could create quite a mess in the Developer console (especially if there are lots of inline scripts and/or broken hash-sources). I am not sure if this would actually be helpful for developers either, and they could just as easily copy-paste a one-liner into the Developer Console to do this for them (or use a bookmarklet, add-on, etc.)

-Garrett

Received on Thursday, 12 December 2013 23:43:24 UTC
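
The developer-side check mentioned in the message above, as an added example that is not part of the original e-mail or the patch under discussion: it hashes every inline script and lists which hash-sources in a policy match none of them. It assumes the CSP `'sha256-<base64>'` hash-source syntax and Node.js; the function names and the sample policy and scripts are constructed for illustration (in a browser the script texts would come from `document.querySelectorAll('script:not([src])')`).

```javascript
// Added example (hypothetical helper names): audit CSP hash-sources
// against the inline scripts of a page.
const { createHash } = require('crypto');

// Build the hash-source for one inline script, e.g. 'sha256-<base64>'.
// The digest covers the exact text between <script> and </script>.
function hashSource(scriptText, algo = 'sha256') {
  const digest = createHash(algo).update(scriptText, 'utf8').digest('base64');
  return `'${algo}-${digest}'`;
}

// Extract the quoted hash-sources from a policy's script-src directive.
function policyHashSources(policy) {
  const directive = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'script-src');
  return (directive || []).slice(1)
    .filter(t => /^'sha(256|384|512)-[A-Za-z0-9+\/]+={0,2}'$/.test(t));
}

// Report the hash of every inline script and every hash-source that
// matches no script. A stale hash cannot be tied to one script, so the
// report lists both sides instead of guessing a pairing.
function auditInlineHashes(policy, inlineScripts) {
  const sources = policyHashSources(policy);
  const matches = (src, text) =>
    hashSource(text, src.slice(1, src.indexOf('-'))) === src;
  return {
    scripts: inlineScripts.map((text, index) => ({
      index,
      hash: hashSource(text),
      allowed: sources.some(src => matches(src, text)),
    })),
    unmatchedSources: sources.filter(
      src => !inlineScripts.some(text => matches(src, text))),
  };
}

// Constructed sample: the policy carries one valid hash and one stale
// hash computed before the second script was edited.
const SAMPLE_SCRIPTS = ["alert('Hello, world.');", 'init({debug: false});'];
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' " +
  hashSource(SAMPLE_SCRIPTS[0]) + ' ' + hashSource('init({debug: true});');

console.log(JSON.stringify(
  auditInlineHashes(SAMPLE_POLICY, SAMPLE_SCRIPTS), null, 2));
```
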