- From: Garrett Robinson <grobinson@mozilla.com>
- Date: Fri, 18 Oct 2013 19:39:35 -0700
- To: public-webappsec@w3.org
On 10/18/2013 04:45 PM, Joel Weinberger wrote: > I'm currently working on the Chromium implementation of script hashes, > and I came across a point needing clarification: should script hashes > apply to src'd scripts as well as inlined ones? One of Neil's comments > implies only inlined, which is my preference, but I want to make sure > we're explicit about this. That would be my preference as well. Since CSP 1.1 has paths, you can fully specify any external resource and so AFAICT there is no use case for script-hash on external/src'd scripts. However, I'd like script-nonce and script-hash to have the same behavior in this regard. Currently, script-nonce is applied to external scripts/styles as well, and IIRC Google has a use case for this, although I don't remember the specifics. > The problem is if they apply to src'd scripts as well, we (Chromium) > have a chicken and egg > problem. We check CSP to see if a resource URL is acceptable > according to the policy. If not, we do not make the request. However, > that means > that if the URL is not acceptable *but* the hash of the script *is* > acceptable, > we never see the script, and thus can't override the URL decision. > > This isn't a fundamental limitation of Chromium, but I'm not sure of the > true > value of applying script hash to src'd content, and it would mean > requesting extra resources that CSP otherwise would block. Additionally, > on a practical level, it would require a heck of a lot of refactoring on > our end. This would be nontrivial to implement in Gecko as well.
Received on Saturday, 19 October 2013 02:40:04 UTC