W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2013

Re: CSP script hashes, inline and src'd

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 21 Oct 2013 10:19:18 -0700
Message-ID: <CAEeYn8iOBWpdQ9btjER56CyKd2rZ3u3WrcWsj5ACYmR85AKwJg@mail.gmail.com>
To: Neil Matatall <neilm@twitter.com>
Cc: Mike West <mkwst@google.com>, Yoav Weiss <yoav@yoav.ws>, Garrett Robinson <grobinson@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
The discussion on sub-resource integrity is a good reminder to folks: Make
sure your AC rep indicates support for the new WebAppSec charter.  The
deadline for this is TODAY.

Once this is approved, we will have the IPR rules in place to begin working
on this deliverable as scoped in our new charter.

Any volunteers to serve as an Editor?

-Brad


On Mon, Oct 21, 2013 at 9:47 AM, Neil Matatall <neilm@twitter.com> wrote:

> > Is this getting into the "sub-resource integrity" use case? [1] ... Is
> this group still interested in/working on "subresource integrity"?
>
> Yeah, I thought that's where this might be going. Agreed, separate concern.
>
>
> On Mon, Oct 21, 2013 at 2:19 AM, Mike West <mkwst@google.com> wrote:
> > It seems like there's consensus that hashes should only apply to inline
> > resources.
> >
> > I do think there's a good deal of value in dealing with hashing external
> > resources, but I'd agree with Trevor's suggestion that that ought to be
> > dealt with in a separate specification.
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
> > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> >
> >
> > On Sat, Oct 19, 2013 at 11:52 PM, Yoav Weiss <yoav@yoav.ws> wrote:
> >>
> >> As one of the supporters of script/style hashes, I have no use case for
> >> external script/style hashes, only for inline ones.
> >>
> >
>
>
Received on Monday, 21 October 2013 17:19:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC