W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Neil Matatall <neilm@twitter.com>
Date: Mon, 21 Oct 2013 09:47:17 -0700
Message-ID: <CAOFLtbj9rWsioqax8-1dTT4COZwFmS8T9k8xnVBqymGbQUOUAw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Yoav Weiss <yoav@yoav.ws>, Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Is this getting into the "sub-resource integrity" use case? [1] ... Is this group still interested in/working on "subresource integrity"?

Yeah, I thought that's where this might be going. Agreed, separate concern.


On Mon, Oct 21, 2013 at 2:19 AM, Mike West <mkwst@google.com> wrote:
> It seems like there's consensus that hashes should only apply to inline
> resources.
>
> I do think there's a good deal of value in dealing with hashing external
> resources, but I'd agree with Trevor's suggestion that that ought to be
> dealt with in a separate specification.
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>
>
> On Sat, Oct 19, 2013 at 11:52 PM, Yoav Weiss <yoav@yoav.ws> wrote:
>>
>> As one of the supporters of script/style hashes, I have no use case for
>> external script/style hashes, only for inline ones.
>>
>
Received on Monday, 21 October 2013 16:47:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC