
Re: Updated script hash proposal (non spec text)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sat, 19 Oct 2013 20:00:47 -0700
Message-ID: <CAPfop_2HYDFXeVaSG+DvqBc0e9W64Qdj3bjEdPaujsxpJhQR=g@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Any inline script whose computed hash value
> does not match a hash specified in the hash sources should not be
> executed

If the CSP policy specifies both nonce and hash sources, is the nonce
source ignored for inline scripts? That is, an inline script with the
right nonce value but wrong hash value will be ignored because a
hash-src was given? This is probably the right behavior but does seem
at odds with how the rest of the CSP src directives work.

> If multiple hashing algorithms are specified in the CSP header, the
> browser must compute all possible hashes for each inline script block.
> If the computed hash matches any computed hash in the header with a
> matching algorithm+digest length, the script should execute. There was
> talk of limiting this to one algorithm per header, but CDNs complicate
> things.

Can you elaborate on that? What was the complication? I am curious.

Received on Sunday, 20 October 2013 03:01:34 UTC
