- From: Hendrik Brummermann <nhb_web@nexgo.de>
- Date: Thu, 31 Jan 2013 01:03:36 +0100
- To: public-webappsec@w3.org
The proposal for script-nonce made me wonder two things:

First: Should we extend the concept to style definitions? If the style sheet is rather small, inlining will save a significant amount of time on the initial page load. For this reason many mobile providers already use Deep Packet Manipulation to embed external stylesheets.

Second: Should we use a hash of the content? Static content such as JavaScript, CSS and images is often hosted on content delivery networks. With a hash in the <script>, <link>, and <img> elements, it can be ensured that these files have not been tampered with. Taking this one step further, this could be used to ensure that downloadable files, linked via an <a> tag, have not been manipulated. One of SourceForge's mirrors was recently compromised and served executables with a backdoor.

For the use-cases listed above, an attribute in the elements will do. But we still want to ensure that injected content cannot do any harm. So we need to prevent an attacker from injecting an element with the correct hash. One idea to solve this is to include the nonce value, which is transmitted in the CSP header, into the hash function.

Hendrik
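The two checks the message proposes, as an added example that is not part of the original post: a content-only digest for externally hosted resources, and a digest that folds the per-response CSP nonce in so that an injected inline element cannot carry a valid value. The HMAC-SHA256 construction, the function names and the sample scripts are assumptions for illustration; the message does not fix a concrete hash construction.

```python
import hashlib
import hmac
import secrets


def content_digest(content: bytes) -> str:
    """Plain SHA-256 of a resource: the CDN-tampering check for external files."""
    return hashlib.sha256(content).hexdigest()


def nonce_bound_digest(nonce: str, content: bytes) -> str:
    """Digest that includes the CSP nonce, so it cannot be computed without it.
    Assumption: HMAC-SHA256 keyed with the nonce (one possible construction)."""
    return hmac.new(nonce.encode(), content, hashlib.sha256).hexdigest()


def resource_intact(expected_digest: str, fetched: bytes) -> bool:
    """Compare a fetched external resource against the digest in its element."""
    return hmac.compare_digest(content_digest(fetched), expected_digest)


def allow_inline(nonce: str, element: dict) -> bool:
    """Allow an inline element only if its hash attribute is bound to this response's nonce."""
    return hmac.compare_digest(nonce_bound_digest(nonce, element["body"]), element["hash"])


def demo():
    """Constructed page: one legitimate inline script and one injected by an attacker who
    knows the content-only hash but not the nonce. Returns the four check outcomes."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, sent in the CSP header
    legit = b"document.title = 'hello';"
    injected = b"/* injected */ alert(1)"
    page = [
        {"body": legit, "hash": nonce_bound_digest(nonce, legit)},
        {"body": injected, "hash": content_digest(injected)},  # correct hash, wrong scheme
    ]
    cdn_original = b"body { margin: 0 }"           # constructed stylesheet hosted on a CDN
    cdn_tampered = b"body { margin: 0 } /* x */"   # same file after a byte is altered
    return (
        allow_inline(nonce, page[0]),                           # True
        allow_inline(nonce, page[1]),                           # False
        resource_intact(content_digest(cdn_original), cdn_original),  # True
        resource_intact(content_digest(cdn_original), cdn_tampered),  # False
    )
```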
Received on Thursday, 31 January 2013 00:04:04 UTC