W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Trevor Perrin <trevp@trevp.net>
Date: Sun, 20 Oct 2013 23:27:27 -0700
Message-ID: <CAGZ8ZG3MF+70eNB+xdfFZ+Afh0fr3A4F1dPy8ihHBM-4OYDBwA@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Oct 18, 2013 at 5:47 PM, Neil Matatall <neilm@twitter.com> wrote:
>> but I'm not sure of the true value of applying script hash to src'd content
> It's been discussed, especially when the code is hosted by a 3rd party
> (when self-hosting is not an option).

Hi Neil, all,

Is this getting into the "sub-resource integrity" use case? [1]

That seems like it needs a different mechanism than "script-hash", so
maybe this is a tangent, but:  Is this group still interested in /
working on "subresource integrity"?


[1] http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/att-0112/Web_Application_Security_Working_Group.htm
Received on Monday, 21 October 2013 06:27:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC