W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Mike West <mkwst@google.com>
Date: Mon, 21 Oct 2013 11:19:57 +0200
Message-ID: <CAKXHy=en7qvJXKdVWkxX+faxyN=KZE7Yn9iGg0U7rL_JsfJGFw@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
It seems like there's consensus that hashes should only apply to inline
resources.

I do think there's a good deal of value in dealing with hashing external
resources, but I'd agree with Trevor's suggestion that that ought to be
dealt with in a separate specification.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores


On Sat, Oct 19, 2013 at 11:52 PM, Yoav Weiss <yoav@yoav.ws> wrote:

> As one of the supporters of script/style hashes, I have no use case for
> external script/style hashes, only for inline ones.
>
>
Received on Monday, 21 October 2013 09:20:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC